Bug 23365 - libmspack new security issues CVE-2018-14679, CVE-2018-1468[0-2], CVE-2018-1858[4-6]
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA6-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2018-07-29 19:34 CEST by David Walser
Modified: 2018-11-17 23:24 CET

See Also:
Source RPM: libmspack-0.6-0.alpha.1.mga7.src.rpm
CVE:
Status comment:


Description David Walser 2018-07-29 19:34:00 CEST
libmspack 0.7alpha has been released and fixes a few security issues for which CVEs have been assigned:
http://openwall.com/lists/oss-security/2018/07/28/1

Mageia 5 and Mageia 6 are also affected.

Also, a reminder that libmspack is still bundled in calibre (Bug 15218), so it is probably separately affected.
David Walser 2018-07-29 19:34:34 CEST

Whiteboard: (none) => MGA6TOO

Comment 1 Marja Van Waes 2018-07-31 15:16:54 CEST
Assigning to all packagers collectively, since the registered maintainer for this package is likely (still) unavailable.

@ Oden

If I'm wrong and you are available: if your identity.mageia.org password wasn't reset since the end of February, then you'll need to ask a sysadmin (e.g. tmb) to reset it, to be able to login to our Bugzilla.

Assignee: bugsquad => pkg-bugs
CC: (none) => geiger.david68210, marja11, oe

Comment 2 David Walser 2018-08-02 15:51:22 CEST
Ubuntu has issued an advisory for this on August 1:
https://usn.ubuntu.com/3728-1/

Severity: normal => major

Comment 3 David Walser 2018-10-22 17:25:21 CEST
libmspack 0.8alpha has been released, fixing more minor issues:
https://www.openwall.com/lists/oss-security/2018/10/22/1

cabextract 1.8 is also available to go along with it.
Comment 4 David Walser 2018-10-23 16:39:17 CEST
Looks like David is working on this.  libmspack update built, cabextract build failed, so still in progress.

libmspack-0.8-0.alpha.1.mga6
libmspack0-0.8-0.alpha.1.mga6
libmspack-devel-0.8-0.alpha.1.mga6

from libmspack-0.8-0.alpha.1.mga6.src.rpm
Comment 5 David GEIGER 2018-10-23 16:44:55 CEST
Yes I'm on it and now I should discuss with upstream because cabextract fails to build due to wrong headers and wrong packaging from libmspack.
Comment 6 David GEIGER 2018-10-24 05:55:57 CEST
So cabextract 1.8 now fixed for Cauldron and mga6!
Comment 7 David Walser 2018-10-24 17:31:47 CEST
Advisory:
========================

Updated libmspack and cabextract packages fix security vulnerabilities:

Hanno Böck discovered that libmspack incorrectly handled certain CHM files. An
attacker could possibly use this issue to cause a denial of service
(CVE-2018-14679, CVE-2018-14680).

Jakub Wilk discovered that libmspack incorrectly handled certain KWAJ files. An
attacker could possibly use this issue to execute arbitrary code
(CVE-2018-14681).

Dmitry Glavatskikh discovered that libmspack incorrectly handled certain CHM files. An
attacker could possibly use this issue to execute arbitrary code
(CVE-2018-14682).

If a CAB file has a Quantum-compressed datablock with exactly 38912 compressed
bytes, cabextract would write exactly one byte beyond its input buffer.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14679
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14680
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14681
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14682
https://usn.ubuntu.com/3728-1/
https://www.openwall.com/lists/oss-security/2018/10/22/1
========================

Updated packages in core/updates_testing:
========================
libmspack-0.8-0.alpha.1.mga6
libmspack0-0.8-0.alpha.1.mga6
libmspack-devel-0.8-0.alpha.1.mga6
cabextract-1.8-1.mga6

from SRPMS:
libmspack-0.8-0.alpha.1.mga6.src.rpm
cabextract-1.8-1.mga6.src.rpm

Version: Cauldron => 6
Whiteboard: MGA6TOO => (none)
Assignee: pkg-bugs => qa-bugs

Comment 8 David Walser 2018-10-24 18:08:00 CEST
CVEs have been assigned for the new issues, so that'll need to be added to the advisory:
https://www.openwall.com/lists/oss-security/2018/10/23/11

Summary: libmspack new security issues CVE-2018-14679 and CVE-2018-1468[0-2] => libmspack new security issues CVE-2018-14679, CVE-2018-1468[0-2], CVE-2018-1858[4-6]

Comment 9 David Walser 2018-10-26 01:21:12 CEST
Advisory:
========================

Updated libmspack and cabextract packages fix security vulnerabilities:

Hanno Böck discovered that libmspack incorrectly handled certain CHM files. An
attacker could possibly use this issue to cause a denial of service
(CVE-2018-14679, CVE-2018-14680).

Jakub Wilk discovered that libmspack incorrectly handled certain KWAJ files. An
attacker could possibly use this issue to execute arbitrary code
(CVE-2018-14681).

Dmitry Glavatskikh discovered that libmspack incorrectly handled certain CHM files. An
attacker could possibly use this issue to execute arbitrary code
(CVE-2018-14682).

If a CAB file has a Quantum-compressed datablock with exactly 38912 compressed
bytes, cabextract would write exactly one byte beyond its input buffer
(CVE-2018-18584).

libmspack didn't reject blank CHM filenames that are blank because they have
embedded null bytes, not just because they are zero-length (CVE-2018-18585).

chmextract didn't protect from absolute/relative pathnames in CHM files
(CVE-2018-18586).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14679
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14680
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14681
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14682
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18584
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18585
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18586
https://usn.ubuntu.com/3728-1/
https://www.openwall.com/lists/oss-security/2018/10/22/1
https://www.openwall.com/lists/oss-security/2018/10/23/11
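
The entry-name checks implied by the CVE-2018-18585 and CVE-2018-18586 descriptions in the advisory above, as an added example; it is not part of this bug report and is not the upstream libmspack or chmextract fix. The function names are hypothetical, only '/' is treated as a separator, and rejecting every name that contains a NUL byte is an assumption that is stricter than the advisory wording.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper names for illustration; not libmspack's API.
 * Returns 1 if a length-prefixed name is zero-length or contains a NUL byte,
 * so C string functions would see a shorter (possibly empty) name. */
int name_is_blank(const char *name, size_t len)
{
    return len == 0 || memchr(name, '\0', len) != NULL;
}

/* Rewrites name into out as a path that stays below the extraction directory:
 * leading and repeated '/' and "." components are dropped, any ".." component
 * rejects the entry. Returns 0 on success, -1 if the entry must be skipped. */
int name_to_safe_relpath(const char *name, size_t len,
                         char *out, size_t outsz)
{
    size_t i = 0, o = 0;
    if (name_is_blank(name, len)) return -1;
    while (i < len) {
        size_t start, clen;
        while (i < len && name[i] == '/') i++;   /* skip separators */
        start = i;
        while (i < len && name[i] != '/') i++;   /* scan one component */
        clen = i - start;
        if (clen == 0 || (clen == 1 && name[start] == '.')) continue;
        if (clen == 2 && name[start] == '.' && name[start + 1] == '.')
            return -1;                           /* parent-directory escape */
        if (o + clen + 2 > outsz) return -1;     /* no room for '/', name, NUL */
        if (o > 0) out[o++] = '/';
        memcpy(out + o, name + start, clen);
        o += clen;
    }
    if (o == 0) return -1;                       /* nothing left, e.g. "/" */
    out[o] = '\0';
    return 0;
}

int main(void)
{
    /* Constructed entry names, not taken from a real CHM file. */
    const char *names[] = { "/docs/index.html", "../../.bashrc", "/" };
    char out[64];
    for (int i = 0; i < 3; i++) {
        int rc = name_to_safe_relpath(names[i], strlen(names[i]), out, sizeof out);
        printf("%s -> %s\n", names[i], rc ? "(rejected)" : out);
    }
    return 0;
}
```
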
Comment 10 Herman Viaene 2018-10-30 13:26:45 CET
MGA6-32 MATE on IBM Thinkpad R50e
At installation:
An error occured:
file /usr/bin/msexpand from install of libmspack-0.8-0.alpha.1.mga6.i586 conflicts with file from package mscompress-0.4-5.mga6.i586

CC: (none) => herman.viaene

Comment 11 Len Lawrence 2018-11-14 01:21:56 CET
Mageia 6, x86_64
Installed the core packages and played with cabextract.
Updated the packages and fell foul of the same installation error as Herman, comment 10.  Since the files mentioned are for i586 I chose to ignore them.
$ msexpand -V
msexpand version 0.4 Feb  2 2016
Not worth testing msexpand because it has not been updated.

Ran some simple tests, using some cab files prepared earlier.

$ cabextract -d ex qa.cab 
Extracting cabinet: qa.cab
  extracting ex/python-pillow/identify
  extracting ex/python-pillow/kappaCrucis.thumbnail
  extracting ex/python-pillow/hello2.png
[...]
  extracting ex/python-pillow/thumbnail3
  extracting ex/python-pillow/kappaCrucis.thumb
  extracting ex/python-pillow/hello2.jpg
  extracting ex/wireless_script_2.1.sh

All done, no errors.
Testing cabinet: odt.cab
  xyz.odt  OK                                  a63bdf66a070493d7ce15d2ff09877dc
All done, no errors.
$ strace cabextract -t odt.cab 2> trace

$ grep mspack trace
open("/lib64/tls/x86_64/libmspack.so.0", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("/lib64/tls/libmspack.so.0", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("/lib64/x86_64/libmspack.so.0", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("/lib64/libmspack.so.0", O_RDONLY|O_CLOEXEC) = 3

$ cabextract -l data1.cab
data1.cab: WARNING; found InstallShield header. This is probably an InstallShield file. Use UNSHIELD from www.synce.org to unpack it.
data1.cab: no valid cabinets found
All done, errors in processing 1 file(s)

$ cabextract -l odt.cab
Viewing cabinet: odt.cab
 File size | Date       Time     | Name
-----------+---------------------+-------------
     14670 | 02.10.2015 18:51:54 | xyz.odt
All done, no errors

Installed lcab which is used to create cabinet files.  Note that lcab and gcab have no association with libmspack.

$ lcab /data/ruby/* ruby.cab
$ cabextract -l ruby.cab
Viewing cabinet: ruby.cab
 File size | Date       Time     | Name
-----------+---------------------+-------------
         2 | 15.04.2012 10:14:26 | data/ruby/ascii_chart
         0 | 30.06.2014 22:49:06 | data/ruby/backup
         0 | 24.05.2015 11:04:46 | data/ruby/books
[...]
$ cabextract -d test ruby.cab
Extracting cabinet: ruby.cab
  extracting test/data/ruby/ascii_chart
  extracting test/data/ruby/backup
  extracting test/data/ruby/books
[...]
$ ls test/data/ruby
ascii_chart   gemlist         paddb                 snippets
backup        gist_stack      paddb.tar             stock_stats.rb
books         gl              pastie_1              strace2urpmi
calco         gnuplot         plugins               sys
cardlist      gregorian       png                   taiji.rb
[...]

At this simple level the utility works which implies that libmspack is OK.
Withholding the 64-bit OK in case something needs to be done about the missing libmspack.
$ sudo urpmi lib64mspack
No package named lib64mspack

CC: (none) => tarazed25

Comment 12 David Walser 2018-11-14 02:21:14 CET
The package name is libmspack.  Only libraries have a 64 in their name (and their names always end with a number, like libmspack0).
Comment 13 David Walser 2018-11-14 02:22:30 CET
The conflict with mscompress should be addressed.

Keywords: (none) => feedback

Comment 14 Len Lawrence 2018-11-14 09:24:55 CET
Re comment #12.  Got it, but libmspack is in the list and does not appear to exist.
$ sudo urpmi libmspack
No package named libmspack
Comment 15 David Walser 2018-11-14 15:00:37 CET
Then you did something wrong Len.  It's on the mirror.
Comment 16 Len Lawrence 2018-11-14 19:01:47 CET
@David, comment 15
Yes.  Tried again after going through the usual motions and found it and encountered the conflict already reported.  Awaiting developments.  Thanks.
Comment 17 David Walser 2018-11-15 00:17:52 CET
(In reply to David Walser from comment #8)
> CVEs have been assigned for the new issues, so that'll need to be added to
> the advisory:
> https://www.openwall.com/lists/oss-security/2018/10/23/11

Ubuntu has issued an advisory for this on November 12:
https://usn.ubuntu.com/3814-1/
Comment 18 David GEIGER 2018-11-15 07:00:17 CET
I can fix this conflict issue with latest libmspack 0.9.1alpha, upstream removed all binaries!

WDYT?
Comment 19 David Walser 2018-11-15 14:39:09 CET
Sounds reasonable.
Comment 20 David GEIGER 2018-11-15 17:57:22 CET
So ok! done for mga6 updating libmspack to 0.9.1alpha and cabextract to 1.9
Len Lawrence 2018-11-15 21:41:21 CET

Keywords: feedback => (none)

Comment 21 David Walser 2018-11-15 23:08:31 CET
libmspack0-0.9.1-0.alpha.1.mga6
libmspack-devel-0.9.1-0.alpha.1.mga6
cabextract-1.9-1.mga6

from SRPMS:
libmspack-0.9.1-0.alpha.1.mga6.src.rpm
cabextract-1.9-1.mga6.src.rpm

Note to QA, if you tested the previous build, you'll have to remove the "libmspack" package manually.  It only existed in that build and didn't previously exist, which is why we didn't obsolete it.
Comment 22 Len Lawrence 2018-11-16 00:13:51 CET
Updated to the latest version.

Ran similar tests to those in comment #11 using cabextract.
Tested non-standard cab file.
$ cabextract -t data1.cab
data1.cab: WARNING; found InstallShield header. Use unshield (https://github.com/twogood/unshield) to unpack this file
data1.cab: no valid cabinets found
All done, errors in processing 1 file(s)

$ cabextract -t ruby.cab
Viewing cabinet: ruby.cab
 File size | Date       Time     | Name
-----------+---------------------+-------------
         2 | 15.04.2012 10:14:26 | data/ruby/ascii_chart
[...]
      6059 | 10.07.2014 23:51:02 | data/ruby/xmlviewer.rb
         0 | 23.08.2010 11:16:54 | data/ruby/xosd
All done, no errors.

$ cabextract -d /data qa.cab
Extracting cabinet: qa.cab
  extracting /data/python-pillow/identify
  extracting /data/python-pillow/kappaCrucis.thumbnail
[...]
  extracting /data/python-pillow/hello2.jpg
  extracting /data/wireless_script_2.1.sh
All done, no errors.

This is good for 64-bits.

Whiteboard: (none) => MGA6-64-OK

Comment 23 Thomas Andrews 2018-11-16 15:45:48 CET
Reads like it's good now. Validating. Advisory in Comment 9. Updated package list in Comment 21.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Comment 24 Lewis Smith 2018-11-17 20:53:38 CET
As per TJ: advisory done from c9, SRPMs from c21.

CC: (none) => lewyssmith
Keywords: (none) => advisory

Comment 25 Mageia Robot 2018-11-17 23:24:29 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0455.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

