Debian has issued an advisory on December 28:
https://www.debian.org/security/2018/dsa-4361

Mageia 6 is also affected.
Whiteboard: (none) => MGA6TOO
Fixed in libextractor-1.8-2.mga7 in Cauldron by David Geiger.
Version: Cauldron => 6
Whiteboard: MGA6TOO => (none)
Assignee: bugsquad => geiger.david68210
Patched package uploaded for Mageia 6 by David.

Advisory:
========================

Updated libextractor packages fix security vulnerabilities:

Several vulnerabilities were discovered in libextractor which may lead to denial of service or memory disclosure if a malformed OLE file is processed (CVE-2018-20430, CVE-2018-20431).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20430
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20431
https://www.debian.org/security/2018/dsa-4361
========================

Updated packages in core/updates_testing:
========================
extract-1.7-1.1.mga6
libextractor-common-1.7-1.1.mga6
libextractor3-1.7-1.1.mga6
libextractor_common1-1.7-1.1.mga6
libextractor-devel-1.7-1.1.mga6

from libextractor-1.7-1.1.mga6.src.rpm
Assignee: geiger.david68210 => qa-bugs
CC: (none) => geiger.david68210
Mageia 6, x86_64

CVE-2018-20430
https://gnunet.org/bugs/view.php?id=5493
ole2-crash-ole2_extractor.c_576
ole2-crash-ole2_extractor.c_588

CVE-2018-20431
https://gnunet.org/bugs/view.php?id=5494
ole2-crash-ole2_extractor.c_216

Before update:

CVE-2018-2043
$ extract ole2-crash-ole2_extractor.c_576
Keywords for file ole2-crash-ole2_extractor.c_576:
mimetype - application/CDFV2-unknown
language - U.S. English
The Al-Amn al-Khas is nebulous and highly secretive and operates on a functionalQusay Hussein supervises the Special Bureau, the Political Bureau and the Administration Bureau, the agency�s own military brigade, and the Special Republican GIts own military brigade serves as a rapid response unit independent of the military establishment or Special Republican Guard. In the event of a coup attempt from within the regular military or Republican Guard, Special Security can easily call up the Special Republican Guard for rein' worked on `映灲敳楤敮瑩慬慣楬楴楥猻獵灥牶楳楮朠慮搠捨散歩湧⁴桥潹慬瑹映潴桥爠獥捵物瑹敲癩捥猻浯湩瑯物湧潶敲湭敮琠浩湩獴物敳㬠൳異敲癩獩湧灥牡瑩潮猠慧慩湳琠䥲慱椠䭵牤猠慮搠卨楡猻†慮搠൳散畲楮朠䥲慱鉳潳琠業灯牴慮琠浩'
revision history - Revision #1: Author `瑡特湤畳瑲楥猬湣汵摩湧⁗䵄⸠周攠䅬ⵁ浮氭䭨慳猠湥扵汯畳湤楧桬礠獥捲整楶攠慮搠潰敲慴敳渠愠晵湣瑩潮慬Ⱐ牡瑨敲⁴桡渠愠来潧牡灨楣慬慳楳⸠兵獡礠䡵獳敩渠獵灥牶楳敳⁴桥⁓灥捩慬⁂畲敡甬⁴桥⁐潬楴楣慬' worked on `畲敡甠慮搠瑨攠䅤浩湩獴牡瑩潮⁂畲敡甬⁴桥来湣禒猠潷渠浩汩瑡特物条摥Ⱐ慮搠瑨攠印散楡氠剥灵扬楣慮⁇畡牤⸍瑳睮楬楴慲礠扲楧慤攠'

$ extract ole2-crash-ole2_extractor.c_588
Keywords for file ole2-crash-ole2_extractor.c_588:
mimetype - application/CDFV2-unknown
language - U.S. English

CVE-2018-20431
$ extract ole2-crash-ole2_extractor.c_216
Keywords for file ole2-crash-ole2_extractor.c_216:
mimetype - application/msword
** (process:16210): WARNING **: error: Invalid byte sequence in conversion input
creator - Nils Durner
unknown date - 2005-03-21T06:11:12Z
description - This is a small document to test meta data extraction by GNU libextractor.
keywords - ole ole2 eole2extractor
subject - GNU libextractor
** (gst-plugin-scanner:16219): CRITICAL **: Couldn't g_module_open libpython. Reason: /usr/lib64/libpython3.5m.so: cannot open shared object file: No such file or directory

Updated the packages.

After update:

$ extract ole2-crash-ole2_extractor.c_576
Keywords for file ole2-crash-ole2_extractor.c_576:
mimetype - application/CDFV2-unknown
language - U.S. English
the security ' worked on `映灲敳楤敮瑩慬慣楬楴楥猻獵灥牶楳楮朠慮搠捨散歩湧⁴桥潹慬瑹映潴桥爠獥捵物瑹敲癩捥猻浯湩瑯物湧潶敲湭敮琠浩湩獴物敳㬠൳異敲癩獩湧灥牡瑩潮猠慧慩湳琠䥲慱椠䭵牤猠慮搠卨楡猻†慮搠൳散畲楮朠䥲慱鉳潳琠業灯牴慮琠浩'
revision history - Revision #1: Author `瑡特湤畳瑲楥猬湣汵摩湧⁗䵄⸠周攠䅬ⵁ浮氭䭨慳猠湥扵汯畳湤楧桬礠獥捲整楶攠慮搠潰敲慴敳渠愠晵湣瑩潮慬Ⱐ牡瑨敲⁴桡渠愠来潧牡灨楣慬慳楳⸠兵獡礠䡵獳敩渠獵灥牶楳敳⁴桥⁓灥捩慬⁂畲敡甬⁴桥⁐潬楴楣慬' worked on `畲敡甠慮搠瑨攠䅤浩湩獴牡瑩潮⁂畲敡甬⁴桥来湣禒猠潷渠浩汩瑡特物条摥Ⱐ慮搠瑨攠印散楡氠剥灵扬楣慮⁇畡牤⸍瑳睮楬楴慲礠扲楧慤攠'

$ extract ole2-crash-ole2_extractor.c_588
Keywords for file ole2-crash-ole2_extractor.c_588:
mimetype - application/CDFV2-unknown
language - U.S. English

CVE-2018-20431
$ extract ole2-crash-ole2_extractor.c_216
Keywords for file ole2-crash-ole2_extractor.c_216:
mimetype - application/msword
:30738): WARNING **: error: Invalid byte sequence in conversion input
creator - Nils Durner
unknown date - 2005-03-21T06:11:12Z
description - This is a small document to test meta data extraction by GNU libextractor.
keywords - ole ole2 eole2extractor
subject - GNU libextractor
last saved by - Nils Durner
creation date - 2005-03-21T06:10:19Z
editing cycles - 2

Summary:
There are differences in the results for the c_576 and c_216 files but not for the c_588 file. However it does look like the issues have been addressed. In view of the lack of knowledge about using libextractor at this testing station and in the light of a clean install this can be pushed on.
Whiteboard: (none) => MGA6-64-OK
CC: (none) => tarazed25
Thanks Len. Pushing it on.
Keywords: (none) => advisory, validated_update
CC: (none) => lewyssmith, sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2019-0013.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED