Bug 23446 - quazip new security issue CVE-2018-1002209
Summary: quazip new security issue CVE-2018-1002209
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All Linux
Priority: Normal critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA6-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2018-08-14 23:42 CEST by David Walser
Modified: 2018-08-31 23:13 CEST (History)

See Also:
Source RPM: quazip-0.7.2-2.mga6.src.rpm
CVE:
Status comment:



Description David Walser 2018-08-14 23:42:33 CEST
Fedora has issued an advisory today (August 14):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/TMQZPZKZJRQ6ESHXO5LCLIBYWOJX4HAX/

The issue is fixed upstream in 0.7.6 (already in Cauldron):
https://bugzilla.redhat.com/show_bug.cgi?id=1593011

Mageia 5 is also affected.
Comment 1 David GEIGER 2018-08-15 06:30:59 CEST
Done for mga6 too!
Comment 2 David Walser 2018-08-15 12:08:25 CEST
Thanks David!

Advisory:
========================

Updated quazip packages fix security vulnerability:

A vulnerability has been found in the way developers have implemented the
archive extraction of files. An arbitrary file write can be achieved using a
specially crafted zip archive (other archive formats are affected as well:
bzip2, tar, xz, war, cpio, 7z) that holds path traversal filenames. When the
filename gets concatenated to the target extraction directory, the final path
ends up outside of the target folder. Of course, if an executable or a
configuration file is overwritten with a file containing malicious code, the
problem can turn into an arbitrary code execution issue quite easily. This
affects multiple libraries that lack high-level APIs providing the archive
extraction functionality (CVE-2018-1002209).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1002209
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/TMQZPZKZJRQ6ESHXO5LCLIBYWOJX4HAX/
========================

Updated packages in core/updates_testing:
========================
libquazip5_1-0.7.6-1.mga6
libquazip-devel-0.7.6-1.mga6
libquazip1-0.7.6-1.mga6
libquazip-qt4-devel-0.7.6-1.mga6

from quazip-0.7.6-1.mga6.src.rpm

Assignee: geiger.david68210 => qa-bugs
CC: (none) => geiger.david68210
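The concatenation problem the advisory describes, with the containment check that prevents an entry from landing outside the target directory, as an added example: this is not QuaZip's or Mageia's code, and the target directory and archive entry names are constructed for illustration.

```cpp
// Added example, not QuaZip code: the containment check an extractor
// must apply to every entry name before creating anything on disk.
#include <filesystem>
#include <iostream>
#include <string>
#include <vector>

namespace fs = std::filesystem;

// Returns the path to write to, or "" when `entryName` would land outside
// `targetDir`. Purely lexical: nothing is touched on the filesystem.
std::string safeEntryPath(const std::string& targetDir, const std::string& entryName)
{
    // Many extractors honour '\' as a separator in zip names; normalise first
    // so "..\\..\\x" is not waved through as an ordinary filename on POSIX.
    std::string name = entryName;
    for (char& c : name) if (c == '\\') c = '/';
    fs::path entry(name);
    if (entry.is_absolute()) return "";       // "/etc/passwd" ignores targetDir

    fs::path base = fs::path(targetDir).lexically_normal();
    if (!base.has_filename()) base = base.parent_path();   // drop trailing '/'

    fs::path joined = (base / entry).lexically_normal();   // collapses ".." parts
    fs::path rel = joined.lexically_relative(base);
    // rel is empty when unrelated, "." when it is the directory itself, and
    // starts with ".." when the entry escaped; only a plain descendant passes.
    if (rel.empty() || rel == fs::path(".") || *rel.begin() == fs::path("..")) return "";
    return joined.generic_string();
}

// Constructed archive listing with traversal entries mixed in.
static const std::vector<std::string> kSampleEntries = {
    "docs/readme.txt", "a/../b.txt", "../../etc/cron.d/job", "/etc/passwd", "..\\..\\win.ini"};

int main()
{
    for (const auto& e : kSampleEntries) {
        std::string dest = safeEntryPath("/tmp/out", e);
        std::cout << (dest.empty() ? "REJECT " : "write  ") << e
                  << (dest.empty() ? "" : " -> " + dest) << '\n';
    }
    return 0;
}
```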

Comment 3 Len Lawrence 2018-08-15 23:45:31 CEST
Mageia 6, x86_64

Ran qcad under strace and examined the output file.
$ cat trace | grep libquazip
[...]
open("/lib64/libquazip5.so.1", O_RDONLY|O_CLOEXEC) = 3
open("/usr/lib64/libquazip5.so.1.0.0", O_RDONLY) = 3
open("/usr/lib64/libquazip5.so.1.0.0", O_RDONLY) = 15

So quazip is opened for potential use - that is about all we can say for this without actually using qcad and saving files.

The same is true of fritzing, a printed circuit board application which lists libquazip5 as a dependency and which opens it when the application is launched.

Updated the four packages.

Checked that the qcad and fritzing applications launched properly. Installed latex and texstudio.
$ strace -o trace texstudio
Experimented with the interface and attempted to save a document.
$ cat trace | grep quazip
open("/lib64/libquazip5.so.1", O_RDONLY|O_CLOEXEC) = 3
open("/usr/lib64/libquazip5.so.1.0.0", O_RDONLY) = 3
open("/usr/lib64/libquazip5.so.1.0.0", O_RDONLY) = 15
So, nothing here either to show the libraries being used but one of them is opened.

Giving this the 64-bit OK on the strength of a clean update and availability for packages which need the libraries.

Whiteboard: (none) => MGA6-64-OK
CC: (none) => tarazed25

Comment 4 Len Lawrence 2018-08-23 10:53:27 CEST
Nothing else we can do with this so validating.

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Thomas Backlund 2018-08-24 00:21:41 CEST

CC: (none) => tmb
Keywords: (none) => advisory

Comment 5 Mageia Robot 2018-08-31 23:13:21 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0362.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

