Fedora has issued an advisory today (August 14):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/TMQZPZKZJRQ6ESHXO5LCLIBYWOJX4HAX/

The issue is fixed upstream in 0.7.6 (already in Cauldron):
https://bugzilla.redhat.com/show_bug.cgi?id=1593011

Mageia 5 is also affected.
Done for mga6 too!
Thanks David!

Advisory:
========================

Updated quazip packages fix security vulnerability:

A vulnerability has been found in the way developers have implemented the archive extraction of files. An arbitrary file write vulnerability, that can be achieved using a specially crafted zip archive (affects other archives as well, bzip2, tar, xz, war, cpio, 7z), that holds path traversal filenames. So when the filename gets concatenated to the target extraction directory, the final path ends up outside of the target folder. Of course if an executable or a configuration file is overwritten with a file containing malicious code, the problem can turn into an arbitrary code execution issue quite easily. This affects multiple libraries that lack high level APIs that provide the archive extraction functionality (CVE-2018-1002209).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1002209
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/TMQZPZKZJRQ6ESHXO5LCLIBYWOJX4HAX/
========================

Updated packages in core/updates_testing:
========================
libquazip5_1-0.7.6-1.mga6
libquazip-devel-0.7.6-1.mga6
libquazip1-0.7.6-1.mga6
libquazip-qt4-devel-0.7.6-1.mga6

from quazip-0.7.6-1.mga6.src.rpm
Assignee: geiger.david68210 => qa-bugs
CC: (none) => geiger.david68210
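The concatenation flaw described in the advisory text above, next to a lexical containment check, as an added C++ example (not QuaZip's code and not part of this thread). The function names are illustrative, and the code assumes a normalized absolute POSIX destination directory and '/'-separated entry names.

```cpp
#include <cstddef>
#include <string>
#include <vector>

// Split a POSIX-style path on '/', dropping empty and "." components.
static std::vector<std::string> split_path(const std::string& p) {
    std::vector<std::string> parts;
    std::string cur;
    for (std::size_t i = 0; i <= p.size(); ++i) {
        if (i == p.size() || p[i] == '/') {
            if (!cur.empty() && cur != ".") parts.push_back(cur);
            cur.clear();
        } else {
            cur += p[i];
        }
    }
    return parts;
}

static std::string join_abs(const std::vector<std::string>& parts) {
    std::string out;
    for (const auto& s : parts) out += "/" + s;
    return out.empty() ? std::string("/") : out;
}

// Where plain concatenation lands once ".." is collapsed (the flaw).
std::string naive_target(const std::string& dest, const std::string& entry) {
    std::vector<std::string> stack;
    for (const auto& c : split_path(dest + "/" + entry)) {
        if (c != "..") stack.push_back(c);
        else if (!stack.empty()) stack.pop_back();
    }
    return join_abs(stack);
}

// Hardened form: returns the target path, or "" if the entry is absolute,
// climbs out of dest with "..", or resolves to dest itself.
std::string safe_target(const std::string& dest, const std::string& entry) {
    if (entry.empty() || entry[0] == '/') return "";
    std::vector<std::string> stack = split_path(dest);
    const std::size_t base = stack.size();  // depth of the extraction root
    for (const auto& c : split_path(entry)) {
        if (c != "..") stack.push_back(c);
        else if (stack.size() == base) return "";  // would leave dest
        else stack.pop_back();
    }
    return stack.size() > base ? join_abs(stack) : std::string();
}
```

The check is purely lexical, so it does not account for symlinks already present under the destination directory; those need to be resolved separately before writing.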
Mageia 6, x86_64

Ran qcad under strace and examined the output file.

$ cat trace | grep libquazip
[...]
open("/lib64/libquazip5.so.1", O_RDONLY|O_CLOEXEC) = 3
open("/usr/lib64/libquazip5.so.1.0.0", O_RDONLY) = 3
open("/usr/lib64/libquazip5.so.1.0.0", O_RDONLY) = 15

So quazip is opened for potential use - that is about all we can say for this without actually using qcad and saving files. The same is true of fritzing, a printed circuit board application which lists libquazip5 as a dependency and which opens it when the application is launched.

Updated the four packages.
Checked that the qcad and fritzing applications launched properly.
Installed latex and texstudio.

$ strace -o trace texstudio

Experimented with the interface and attempted to save a document.

$ cat trace | grep quazip
open("/lib64/libquazip5.so.1", O_RDONLY|O_CLOEXEC) = 3
open("/usr/lib64/libquazip5.so.1.0.0", O_RDONLY) = 3
open("/usr/lib64/libquazip5.so.1.0.0", O_RDONLY) = 15

So, nothing here either to show the libraries being used but one of them is opened. Giving this the 64-bit OK on the strength of a clean update and availability for packages which need the libraries.
Whiteboard: (none) => MGA6-64-OK
CC: (none) => tarazed25
Nothing else we can do with this so validating.
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
CC: (none) => tmb
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2018-0362.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED