Debian has issued an advisory on September 10: https://www.debian.org/security/2018/dsa-4290 The issues are fixed upstream in 1.7. Mageia 5 is also affected.
Fixed for mga6!
CC: (none) => geiger.david68210
(In reply to David GEIGER from comment #1)
> Fixed for mga6!

Thanks, can you please take care of the Advisory, too?

Council decided last night to stop the extended support for Mga5, so this cannot be fixed for Mga5.
CC: (none) => marja11
Assignee: bugsquad => geiger.david68210
Advisory:
========================

Updated libextractor packages fix security vulnerabilities:

Several vulnerabilities were discovered in libextractor which may lead to denial of service or the execution of arbitrary code if a specially crafted file is opened (CVE-2018-14346, CVE-2018-14347, CVE-2018-16430).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14346
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14347
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16430
https://www.debian.org/security/2018/dsa-4290
========================

Updated packages in core/updates_testing:
========================
extract-1.7-1.mga6
libextractor-common-1.7-1.mga6
libextractor3-1.7-1.mga6
libextractor_common1-1.7-1.mga6
libextractor-devel-1.7-1.mga6

from libextractor-1.7-1.mga6.src.rpm
Assignee: geiger.david68210 => qa-bugs
MGA6-32 MATE on IBM Thinkpad R50e
No installation issues
Tried some file types

$ extract 34815267.ps
Trefwoorden voor bestand 34815267.ps:
MIME-type - application/postscript
door software gemaakt - GIMP PostScript file plugin V 1,17 by Peter Kirchgessner
titel - 34815267.ps
aanmaakdatum - Sat Sep 15 09:19:36 2018
indelingsversie - 2
aantal bladzijden - 1
MIME-type - application/postscript

$ extract 180130-Overleg\ computervrijwilligers.doc
Trefwoorden voor bestand 180130-Overleg computervrijwilligers.doc:
MIME-type - application/CDFV2-unknown
taal - Vlaams
maker - Ludo Den Tip
onbekende datum - 2018-02-01T12:20:00Z
aantal tekens - 5770
laatst opgeslagen door - Ludo Den Tip
aantal bladzijden - 4
aantal woorden - 1049
aanmaakdatum - 2018-02-01T12:20:00Z
bewerkingscycli - 2
MIME-type - application/vnd.ms-files
door software gemaakt - Microsoft Office Word
sjabloon - Normal
aantal regels - 48
aantal alinea's - 13
MIME-type - application/zip
ingebedde bestandsnaam - [Content_Types].xml
ingebedde bestandsnaam - _rels/.rels
ingebedde bestandsnaam - theme/theme/themeManager.xml
ingebedde bestandsnaam - theme/theme/theme1.xml
ingebedde bestandsnaam - theme/theme/_rels/themeManager.xml.rels

$ extract Adressen\ Viaene.xls
Trefwoorden voor bestand Adressen Viaene.xls:
MIME-type - application/vnd.ms-office
maker - djl575
onbekende datum - 2006-01-12T14:40:40Z
laatst opgeslagen door - djl575
aanmaakdatum - 2006-01-12T14:39:21Z
bewerkingscycli - 1

$ extract sample-link_1.pdf
Trefwoorden voor bestand sample-link_1.pdf:
MIME-type - application/pdf

$ extract twopage.odt
Trefwoorden voor bestand twopage.odt:
MIME-type - application/vnd.oasis.opendocument.text
ingebedde bestandsnaam - mimetype
ingebedde bestandsnaam - Thumbnails/thumbnail.png
ingebedde bestandsnaam - layout-cache
ingebedde bestandsnaam - content.xml
ingebedde bestandsnaam - styles.xml
ingebedde bestandsnaam - meta.xml
ingebedde bestandsnaam - settings.xml
ingebedde bestandsnaam - Configurations2/images/Bitmaps/
ingebedde bestandsnaam - Configurations2/popupmenu/
ingebedde bestandsnaam - Configurations2/toolpanel/
ingebedde bestandsnaam - Configurations2/accelerator/
ingebedde bestandsnaam - Configurations2/statusbar/
ingebedde bestandsnaam - Configurations2/floater/
ingebedde bestandsnaam - Configurations2/menubar/
ingebedde bestandsnaam - Configurations2/progressbar/
ingebedde bestandsnaam - Configurations2/toolbar/
ingebedde bestandsnaam - manifest.rdf
ingebedde bestandsnaam - META-INF/manifest.xml
indeling - ZIP 2.0 (uncompressed)
MIME-type - application/vnd.oasis.opendocument.text
door software gemaakt - LibreOffice/5.3.7.2.0$Linux_X86_64 LibreOffice_project/30$Build-2
aantal bladzijden - 2
aanmaakdatum - 2018-08-21T21:32:46.149383287
onbekende datum - 2018-08-22T08:53:48.023237411

$ extract 01WellingtonSieg.mp3
Trefwoorden voor bestand 01WellingtonSieg.mp3:
MIME-type - audio/mpeg
MIME-type - application/x-id3
MIME-type - audio/mpeg
onbekend - mpegversion=1
onbekend - mpegaudioversion=1
onbekend - layer=3
onbekend - parsed=true
titel - Wellington's Sieg
artiest - Beethoven
containersoort - ID3-tag
track-gain - -0.65000000000000002
track-piek - 1.0015890000000001
album-gain - -1.4299999999999999
albumpiek - 1.0015890000000001
onbekend - has-crc=false
onbekend - channel-mode=joint-stereo
audio-codec - MPEG-1 Layer 3 (MP3)
kanalen - 2
sample rate - 44100
audiodiepte - 32

All looks OK
CC: (none) => herman.viaene
Whiteboard: (none) => MGA6-32-OK
Mageia 6, x86_64

Before update: extract-1.6-1.1

CVE-2018-13346
http://lists.gnu.org/archive/html/bug-libextractor/2018-07/msg00001.html
$ extract binhsQxywt6QK.bin
Keywords for file binhsQxywt6QK.bin:
mimetype - audio/ogg
duration - 0:00:01.348299320
mimetype - audio/ogg
mimetype - audio/x-vorbis
created by software - REAPER
comment - index=0
encoder - Xiph.Org libVorbis I 20101101 (Schaufenugget)
encoder version - 0
audio codec - Vorbis
container format - Ogg
channels - 2
sample rate - 44100
audio depth - 32
audio bitrate - 112000
*** stack smashing detected ***: extract terminated
Looks like this fault had already been repaired.

CVE-2018-13347
https://gnunet.org/bugs/view.php?id=5399
$ extract timeout-0d2eb1d040e384e7004cf036eac03152a4472d14
[...]
format version - MPEG1
mimetype - video/mpeg
image dimensions - 320x240
[...]
Infinite loop.

A .bin test was available for 13347 as well but the PoC file was identical to the earlier file. Also, the .bin tests are intended to be run within the asan framework.

CVE-2018-16430
https://gnunet.org/bugs/view.php?id=5405
$ extract crash-b7e795730cd3a204501c1c4bd79dec7468f9e6e1
Keywords for file crash-b7e795730cd3a204501c1c4bd79dec7468f9e6e1:
mimetype - application/octet-stream
mimetype - application/zip
[...]
embedded filename - ppt/slideLayouts/_rels/slideLayout5.xml.rels
comment - �����6-Z�ػY��}�K���������|V�i���g�`��_�el��������!B:��F�8������'�ΰE������Y��5�#�#���f�:����f=� �����i�渄*��~��s1�����7���NQ��S�����m����guA�Vn�������g�I`ngR^���}H6���2N� ��C�����Uz�ߛ�e�Y�Z����}��A���
Out-of-bounds read - maybe. No crash.
After update: extract-1.7-1

CVE-2018-13346
$ extract binhsQxywt6QK.bin
Keywords for file binhsQxywt6QK.bin:
mimetype - audio/ogg
duration - 0:00:01.348299320
mimetype - audio/ogg
mimetype - audio/x-vorbis
created by software - REAPER
comment - index=0
encoder - Xiph.Org libVorbis I 20101101 (Schaufenugget)
encoder version - 0
audio codec - Vorbis
container format - Ogg
channels - 2
sample rate - 44100
audio depth - 32
audio bitrate - 112000
No error - extracted the metadata without stack smashing. Hmm!

CVE-2018-13347
$ extract timeout-0d2eb1d040e384e7004cf036eac03152a4472d14
Keywords for file timeout-0d2eb1d040e384e7004cf036eac03152a4472d14:
mimetype - application/octet-stream
mimetype - video/mpeg
image dimensions - 320x240
format version - MPEG1
duration - 00:00:09 (28 frames)
mimetype - audio/x-amr-nb-sh
mimetype - audio/AMR
audio codec - Adaptive Multi Rate (AMR)
channels - 1
sample rate - 8000
audio depth - 16
This avoided the infinite loop.

CVE-2018-16430
$ extract crash-b7e795730cd3a204501c1c4bd79dec7468f9e6e1
Keywords for file crash-b7e795730cd3a204501c1c4bd79dec7468f9e6e1:
mimetype - application/octet-stream
[...]
embedded filename - ppt/slideLayouts/_rels/slideLayout5.xml.rels
comment - �����6-Z�ػY��}�K���������|V�i���g�`��_�el��������!B:��F�8������'�ΰE������Y��5�#�#���f�:����f=� �����i�渄*��~��s1�����7���NQ��S�����m����guA�Vn�������g�I`ngR^���}H6���2N� ��C�����Uz�ߛ�e�Y�Z����}��AJ��
which is substantially the same as before the update but differs in the last few bytes, which are close to the 256 byte boundary. The comment seems to be mostly garbage but does match the earlier string until the last few bytes. As far as the fix is concerned it is difficult to say looking at this output, which may well terminate on the 256th byte, in which case the unterminated string has been detected. No friendly message to that effect.
CC: (none) => tarazed25
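The before/after checks in the comment above run each PoC file by hand and watch for three distinct outcomes: a glibc stack-smash abort, a parser that never returns, and a crash. The harness below is an added example for this thread; it is not part of the Mageia QA procedure, the bug report, or libextractor itself. It automates that classification around the `extract` command shown on the page, so the same set of sample files can be re-run before and after a package update and compared. The sample-file paths given on the command line, the default timeout, and the constructed stand-in commands used by the self-test are all assumptions.

```python
"""Crash/hang regression harness for a file metadata extractor.

Added example for this bug thread, not part of the Mageia QA procedure or of
libextractor.  It automates the manual check done in the thread: run the
extractor over each sample file and classify the outcome as one of the
failure modes seen there (stack-smash abort, infinite loop, crash) or as
clean.  The command name "extract" comes from the thread; the default timeout
and the self-test commands are assumptions.
"""
import subprocess
import sys

# glibc prints this on stderr before aborting when a stack canary has been
# overwritten ("*** stack smashing detected ***: extract terminated" above).
STACK_SMASH_MARKER = b"stack smashing detected"


def classify_run(cmd, timeout):
    """Run cmd and return one of OK, ERROR, CRASH, STACK_SMASH, TIMEOUT.

    The child is killed when the timeout expires, so a parser stuck in an
    infinite loop cannot hang the harness.  stderr is kept as raw bytes
    because a misbehaving extractor may emit arbitrary binary data (see the
    garbled "comment" field in the thread), which would not decode as text.
    """
    try:
        proc = subprocess.run(cmd, capture_output=True, timeout=timeout)
    except subprocess.TimeoutExpired:
        return "TIMEOUT"
    if STACK_SMASH_MARKER in proc.stderr:
        return "STACK_SMASH"   # checked first: the abort is also a signal exit
    if proc.returncode < 0:
        return "CRASH"         # terminated by a signal (SIGSEGV, SIGABRT, ...)
    if proc.returncode != 0:
        return "ERROR"         # exited with an error status but did not crash
    return "OK"


def check_samples(paths, extractor="extract", timeout=10.0):
    """Map each sample path to its verdict by running the extractor on it."""
    return {path: classify_run([extractor, path], timeout) for path in paths}


def self_test_commands():
    """Constructed stand-ins (assumption, not real PoCs) for each behaviour the
    thread reports, so the harness can be exercised without libextractor."""
    py = sys.executable
    return {
        "clean": [py, "-c", "print('Keywords for file sample.bin:')"],
        "error_exit": [py, "-c", "raise SystemExit(3)"],
        "stack_smash": [py, "-c",
                        "import os, signal, sys;"
                        "sys.stderr.write('*** stack smashing detected ***: extract terminated');"
                        "sys.stderr.flush();"
                        "os.kill(os.getpid(), signal.SIGABRT)"],
        "infinite_loop": [py, "-c", "while True: pass"],
        "segfault": [py, "-c", "import os, signal; os.kill(os.getpid(), signal.SIGSEGV)"],
    }


def run_self_test(timeout=2.0):
    """Return the verdict for each constructed stand-in command."""
    return {name: classify_run(cmd, timeout)
            for name, cmd in self_test_commands().items()}


if __name__ == "__main__":
    # With file arguments: classify each sample with the real extractor.
    # Without: run the self-test so the classifier itself can be checked.
    files = sys.argv[1:]
    results = check_samples(files) if files else run_self_test()
    for name, verdict in results.items():
        print(f"{verdict:12} {name}")
```

Run it once against the PoC files with the old package installed and once after the update, and diff the two verdict lists; a PoC that moves from STACK_SMASH or TIMEOUT to OK is the evidence the thread gathers by hand. Verdicts are taken from exit status and stderr only, so an out-of-bounds read that does not crash (the third case above) still shows as OK unless the binary is built with ASan, which is why the thread notes the .bin tests are meant for that framework.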
Continuing from comment #5...

$ extract Restless.m2t
Keywords for file Restless.m2t:
mimetype - application/octet-stream
mimetype - video/mpeg
image dimensions - 720x576
format version - MPEG2

$ extract Humans_disc_1.iso
Keywords for file Humans_disc_1.iso:
mimetype - application/octet-stream
embedded filename - .
embedded filename - AUDIO_TS
embedded filename - VIDEO_TS
embedded filename - VIDEO_TS/VIDEO_TS.IFO
[...]
format - ISO9660

$ extract DawnVirtualFlightOverVesta.mov
Keywords for file DawnVirtualFlightOverVesta.mov:
mimetype - video/quicktime

$ extract asteroids.tar
Keywords for file asteroids.tar:
embedded filename - asteroids/
mimetype - application/x-tar
embedded filename - asteroids/Vesta_178_Severina.jpg
embedded filename - asteroids/Vesta_PIA14714_06.jpg
embedded filename - asteroids/Ceres_PIA19889.jpg
[...]

$ extract SophieMarceau_1.jpg
Keywords for file SophieMarceau_1.jpg:
mimetype - image/jpeg
mimetype - image/jpeg
image dimensions - 1280x800
comment - CREATOR: gd-jpeg v1.0 (using IJG JPEG v80), default quality
image dimensions - 1280x800
thumbnail - (binary, 20005 bytes)

$ extract /usr/bin/xdpyinfo
Keywords for file /usr/bin/xdpyinfo:
mimetype - application/x-executable

$ file /bin/mgarepo
/bin/mgarepo: Python script, ASCII text executable

$ extract HarpConcerto_inBflatmajor.wav
Keywords for file HarpConcerto_inBflatmajor.wav:
resource type - 837000 ms, 44100 Hz, stereo
mimetype - audio/x-wav
mimetype - audio/x-wav

Good for 64-bits.
This is what Claire's procedure for checking for application of patches produced, after a long wait:

Differences with libextractor-1.3-7.mga6.src.rpm (from media core-release)
*** rpmdiff output between libextractor-1.3-7.mga6.src.rpm and libextractor-1.7-1.mga6.src.rpm ***
*** unified diff between RPM contents ***
extractor works fine and the PoCs, although a bit vague, give the impression that at least two of the issues have been addressed. Giving this an OK. If anybody objects please override this.
Whiteboard: MGA6-32-OK => MGA6-32-OK MGA6-64-OK
Validating this. Could some kind sysadmin please push the advisory?
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Keywords: (none) => advisory
CC: (none) => davidwhodgins
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2018-0388.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED