libmspack 0.7alpha has been released and fixes a few security issues for which CVEs have been assigned: http://openwall.com/lists/oss-security/2018/07/28/1 Mageia 5 and Mageia 6 are also affected. Also, a reminder that libmspack is still bundled in calibre (Bug 15218), so it is probably separately affected.
Whiteboard: (none) => MGA6TOO
Assigning to all packagers collectively, since the registered maintainer for this package is likely (still) unavailable. @ Oden If I'm wrong and you are available: if your identity.mageia.org password wasn't reset since the end of February, then you'll need to ask a sysadmin (e.g. tmb) to reset it, to be able to login to our Bugzilla.
Assignee: bugsquad => pkg-bugs
CC: (none) => geiger.david68210, marja11, oe
Ubuntu has issued an advisory for this on August 1: https://usn.ubuntu.com/3728-1/
Severity: normal => major
libmspack 0.8alpha has been released, fixing more minor issues: https://www.openwall.com/lists/oss-security/2018/10/22/1 cabextract 1.8 is also available to go along with it.
Looks like David is working on this. libmspack update built, cabextract build failed, so still in progress.

libmspack-0.8-0.alpha.1.mga6
libmspack0-0.8-0.alpha.1.mga6
libmspack-devel-0.8-0.alpha.1.mga6

from libmspack-0.8-0.alpha.1.mga6.src.rpm
Yes I'm on it and now I should discuss with upstream because cabextract fails to build due to wrong headers and wrong packaging from libmspack.
So cabextract 1.8 now fixed for Cauldron and mga6!
Advisory:
========================

Updated libmspack and cabextract packages fix security vulnerabilities:

Hanno Böck discovered that libmspack incorrectly handled certain CHM files. An attacker could possibly use this issue to cause a denial of service (CVE-2018-14679, CVE-2018-14680).

Jakub Wilk discovered that libmspack incorrectly handled certain KWAJ files. An attacker could possibly use this issue to execute arbitrary code (CVE-2018-14681).

Dmitry Glavatskikh discovered that libmspack incorrectly handled certain CHM files. An attacker could possibly use this issue to execute arbitrary code (CVE-2018-14682).

If a CAB file has a Quantum-compressed datablock with exactly 38912 compressed bytes, cabextract would write exactly one byte beyond its input buffer.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14679
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14680
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14681
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14682
https://usn.ubuntu.com/3728-1/
https://www.openwall.com/lists/oss-security/2018/10/22/1
========================

Updated packages in core/updates_testing:
========================
libmspack-0.8-0.alpha.1.mga6
libmspack0-0.8-0.alpha.1.mga6
libmspack-devel-0.8-0.alpha.1.mga6
cabextract-1.8-1.mga6

from SRPMS:
libmspack-0.8-0.alpha.1.mga6.src.rpm
cabextract-1.8-1.mga6.src.rpm
Whiteboard: MGA6TOO => (none)
Assignee: pkg-bugs => qa-bugs
Version: Cauldron => 6
CVEs have been assigned for the new issues, so that'll need to be added to the advisory: https://www.openwall.com/lists/oss-security/2018/10/23/11
Summary: libmspack new security issues CVE-2018-14679 and CVE-2018-1468[0-2] => libmspack new security issues CVE-2018-14679, CVE-2018-1468[0-2], CVE-2018-1858[4-6]
Advisory:
========================

Updated libmspack and cabextract packages fix security vulnerabilities:

Hanno Böck discovered that libmspack incorrectly handled certain CHM files. An attacker could possibly use this issue to cause a denial of service (CVE-2018-14679, CVE-2018-14680).

Jakub Wilk discovered that libmspack incorrectly handled certain KWAJ files. An attacker could possibly use this issue to execute arbitrary code (CVE-2018-14681).

Dmitry Glavatskikh discovered that libmspack incorrectly handled certain CHM files. An attacker could possibly use this issue to execute arbitrary code (CVE-2018-14682).

If a CAB file has a Quantum-compressed datablock with exactly 38912 compressed bytes, cabextract would write exactly one byte beyond its input buffer (CVE-2018-18584).

libmspack didn't reject blank CHM filenames that are blank because they have embedded null bytes, not just because they are zero-length (CVE-2018-18585).

chmextract didn't protect from absolute/relative pathnames in CHM files (CVE-2018-18586).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14679
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14680
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14681
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14682
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18584
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18585
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18586
https://usn.ubuntu.com/3728-1/
https://www.openwall.com/lists/oss-security/2018/10/22/1
https://www.openwall.com/lists/oss-security/2018/10/23/11
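Added example, not part of the original bug thread and not libmspack or chmextract code: one way an extraction tool can guard against the filename problems the advisory lists for CVE-2018-18585 and CVE-2018-18586. The function name `sanitize_entry_name` and its interface are hypothetical, and rejecting every embedded NUL is stricter than the advisory text requires.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical helper: turn an archive entry name of `len` bytes into a
 * path relative to the output directory. Returns 0 and writes a
 * NUL-terminated path to `out`, or -1 if the name must be rejected. */
int sanitize_entry_name(const unsigned char *name, size_t len,
                        char *out, size_t outsz)
{
    size_t i = 0, o = 0;

    if (name == NULL || out == NULL || len == 0)
        return -1;                      /* zero-length name */
    if (memchr(name, '\0', len) != NULL)
        return -1;                      /* blank or truncated once used as a C string */

    while (i < len) {
        /* Skip separators; dropping leading ones keeps the path relative. */
        while (i < len && (name[i] == '/' || name[i] == '\\'))
            i++;
        size_t start = i;
        while (i < len && name[i] != '/' && name[i] != '\\')
            i++;
        size_t clen = i - start;
        if (clen == 0)
            break;                      /* only trailing separators were left */
        if (clen == 1 && name[start] == '.')
            continue;                   /* "." adds nothing */
        if (clen == 2 && name[start] == '.' && name[start + 1] == '.')
            return -1;                  /* parent-directory traversal */
        if (o + clen + 2 > outsz)
            return -1;                  /* no room for component, '/' and NUL */
        if (o > 0)
            out[o++] = '/';
        memcpy(out + o, name + start, clen);
        o += clen;
    }
    if (o == 0)
        return -1;                      /* nothing usable, e.g. "/" or "./" */
    out[o] = '\0';
    return 0;
}
```

The caller joins the returned path to its chosen output directory; names that are rejected should be skipped and reported rather than silently renamed.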
MGA6-32 MATE on IBM Thinkpad R50e At installation: An error occured: file /usr/bin/msexpand from install of libmspack-0.8-0.alpha.1.mga6.i586 conflicts with file from package mscompress-0.4-5.mga6.i586
CC: (none) => herman.viaene
Mageia 6, x86_64

Installed the core packages and played with cabextract. Updated the packages and fell foul of the same installation error as Herman, comment 10. Since the files mentioned are for i586 I chose to ignore them.

$ msexpand -V
msexpand version 0.4 Feb 2 2016

Not worth testing msexpand because it has not been updated.

Ran some simple tests, using some cab files prepared earlier.

$ cabextract -d ex qa.cab
Extracting cabinet: qa.cab
extracting ex/python-pillow/identify
extracting ex/python-pillow/kappaCrucis.thumbnail
extracting ex/python-pillow/hello2.png
[...]
extracting ex/python-pillow/thumbnail3
extracting ex/python-pillow/kappaCrucis.thumb
extracting ex/python-pillow/hello2.jpg
extracting ex/wireless_script_2.1.sh
All done, no errors.

Testing cabinet: odt.cab
xyz.odt OK a63bdf66a070493d7ce15d2ff09877dc
All done, no errors.

$ strace cabextract -t odt.cab 2> trace
$ grep mspack trace
open("/lib64/tls/x86_64/libmspack.so.0", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("/lib64/tls/libmspack.so.0", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("/lib64/x86_64/libmspack.so.0", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("/lib64/libmspack.so.0", O_RDONLY|O_CLOEXEC) = 3

$ cabextract -l data1.cab
data1.cab: WARNING; found InstallShield header. This is probably an InstallShield file. Use UNSHIELD from www.synce.org to unpack it.
data1.cab: no valid cabinets found
All done, errors in processing 1 file(s)

$ cabextract -l odt.cab
Viewing cabinet: odt.cab
File size | Date Time | Name
-----------+---------------------+-------------
14670 | 02.10.2015 18:51:54 | xyz.odt
All done, no errors

Installed lcab which is used to create cabinet files. Note that lcab and gcab have no association with libmspack.

$ lcab /data/ruby/* ruby.cab
$ cabextract -l ruby.cab
Viewing cabinet: ruby.cab
File size | Date Time | Name
-----------+---------------------+-------------
2 | 15.04.2012 10:14:26 | data/ruby/ascii_chart
0 | 30.06.2014 22:49:06 | data/ruby/backup
0 | 24.05.2015 11:04:46 | data/ruby/books
[...]

$ cabextract -d test ruby.cab
Extracting cabinet: ruby.cab
extracting test/data/ruby/ascii_chart
extracting test/data/ruby/backup
extracting test/data/ruby/books
[...]

$ ls test/data/ruby
ascii_chart gemlist paddb snippets
backup gist_stack paddb.tar stock_stats.rb
books gl pastie_1 strace2urpmi
calco gnuplot plugins sys
cardlist gregorian png taiji.rb
[...]

At this simple level the utility works which implies that libmspack is OK. Withholding the 64-bit OK in case something needs to be done about the missing libmspack.

$ sudo urpmi lib64mspack
No package named lib64mspack
CC: (none) => tarazed25
The package name is libmspack. Only libraries have a 64 in their name (and their names always end with a number, like libmspack0).
The conflict with mscompress should be addressed.
Keywords: (none) => feedback
Re comment #12. Got it, but libmspack is in the list and does not appear to exist.

$ sudo urpmi libmspack
No package named libmspack
Then you did something wrong Len. It's on the mirror.
@David, comment 15 Yes. Tried again after going through the usual motions and found it and encountered the conflict already reported. Awaiting developments. Thanks.
(In reply to David Walser from comment #8)
> CVEs have been assigned for the new issues, so that'll need to be added to
> the advisory:
> https://www.openwall.com/lists/oss-security/2018/10/23/11

Ubuntu has issued an advisory for this on November 12: https://usn.ubuntu.com/3814-1/
I can fix this conflict issue with latest libmspack 0.9.1alpha, upstream removed all binaries! WDYT?
Sounds reasonable.
So ok! done for mga6 updating libmspack to 0.9.1alpha and cabextract to 1.9
Keywords: feedback => (none)
libmspack0-0.9.1-0.alpha.1.mga6
libmspack-devel-0.9.1-0.alpha.1.mga6
cabextract-1.9-1.mga6

from SRPMS:
libmspack-0.9.1-0.alpha.1.mga6.src.rpm
cabextract-1.9-1.mga6.src.rpm

Note to QA, if you tested the previous build, you'll have to remove the "libmspack" package manually. It only existed in that build and didn't previously exist, which is why we didn't obsolete it.
Updated to the latest version. Ran similar tests to those in comment #11 using cabextract.

Tested non-standard cab file.

$ cabextract -t data1.cab
data1.cab: WARNING; found InstallShield header. Use unshield (https://github.com/twogood/unshield) to unpack this file
data1.cab: no valid cabinets found
All done, errors in processing 1 file(s)

$ cabextract -t ruby.cab
Viewing cabinet: ruby.cab
File size | Date Time | Name
-----------+---------------------+-------------
2 | 15.04.2012 10:14:26 | data/ruby/ascii_chart
[...]
6059 | 10.07.2014 23:51:02 | data/ruby/xmlviewer.rb
0 | 23.08.2010 11:16:54 | data/ruby/xosd
All done, no errors.

$ cabextract -d /data qa.cab
Extracting cabinet: qa.cab
extracting /data/python-pillow/identify
extracting /data/python-pillow/kappaCrucis.thumbnail
[...]
extracting /data/python-pillow/hello2.jpg
extracting /data/wireless_script_2.1.sh
All done, no errors.

This is good for 64-bits.
Whiteboard: (none) => MGA6-64-OK
Reads like it's good now. Validating. Advisory in Comment 9. Updated package list in Comment 21.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
As per TJ: advisory done from c9, SRPMs from c21.
Keywords: (none) => advisory
CC: (none) => lewyssmith
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2018-0455.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED