Bug 24110 - terminology new security issue CVE-2018-20167
Summary: terminology new security issue CVE-2018-20167
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All Linux
Priority: Normal critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA6-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2019-01-01 23:09 CET by David Walser
Modified: 2019-01-11 06:55 CET

See Also:
Source RPM: terminology-1.3.0-1.mga7.src.rpm
CVE:
Status comment:


Description David Walser 2019-01-01 23:09:16 CET
Fedora has issued an advisory today (January 1):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/47HBO2Q74PF7DLV4UP5ORRWGQ3EY5XHM/

Mageia 6 is also affected.
David Walser 2019-01-01 23:09:22 CET

Whiteboard: (none) => MGA6TOO

Comment 1 Chris Denice 2019-01-09 14:14:02 CET
Fixed on Cauldron by upgrade to 1.3.2.
Fixed in mga6 by patch. Our version of efl is not compatible with a terminology upgrade without affecting too many packages.

To test, please start "terminology" in the console, or with a menu, and play with it :)

Note to QA-TEAM. Please guys, file a bug in Bugzilla, or fix the wiki, to make the address "qa-bugs@ml.mageia.org" easily findable. We are supposed to re-assign fixed security updates to this address, which is currently almost impossible to find on the wiki. It took me almost as much time to fill the "assignee" field in this form as fixing the bug itself :)


Suggested advisory:
========================

Updated Terminology package to fix security vulnerability CVE-2018-20167

Terminology before 1.3.1 allows Remote Code Execution because popmedia is mishandled, as demonstrated by an unsafe "cat README.md" command when \e}pn is used. A popmedia control sequence can allow the malicious execution of executable file formats registered in the X desktop share MIME types (/usr/share/applications). The control sequence defers unknown file types to the handle_unknown_media() function, which executes xdg-open against the filename specified in the sequence. The use of xdg-open for all unknown file types allows executable file formats with a registered shared MIME type to be executed. An attacker can achieve remote code execution by introducing an executable file and a plain text file containing the control sequence through a fake software project (e.g., in Git or a tarball). When the control sequence is rendered (such as with cat), the executable file will be run.

References:
========================
https://bugs.mageia.org/show_bug.cgi?id=24110
https://cve.circl.lu/cve/CVE-2018-20167
https://phab.enlightenment.org/rTRM1ac204da9148e7bccb1b5f34b523e2094dfc39e2

Updated packages in core/updates_testing:
========================

terminology-1.1.0-1.1.mga6

Source RPMs: 
terminology-1.1.0-1.1.mga6.src

Assignee: eatdirt => qa-bugs
CC: (none) => eatdirt

Thomas Backlund 2019-01-09 20:39:11 CET

Version: Cauldron => 6
CC: (none) => tmb
Whiteboard: MGA6TOO => (none)

Comment 2 Len Lawrence 2019-01-10 02:55:36 CET
Mageia 6, x86_64

CVE-2018-20167
https://phab.enlightenment.org/T7504
README.md
-------------------------------
# This is a simple README file
^[}pnexploit.jar^@
-------------------------------
$ cat README.md

exploit.jar actually contained "ruby /home/lcl/calco" which if I understand it correctly should have been executed by "cat README.md".  In fact the contents are shown; nothing else happens.

All actions except the update carried out in a terminology window.
Clean update.
Launched terminology and ran the PoC again.
No change, so perhaps the package had already been fixed.

Used Right-Click to bring up the Controls display and tried various buttons which split the window into panes vertically and horizontally.  The Copy button is greyed out.  Tried highlighting text, transferring focus to another pane, right-click, Paste.  Nothing much happened.  The middle mouse button works for pasting text elsewhere, in another pane or an editor for instance.  The 'Set title' button works.  Typed "Enlightenment" into the popup and clicked OK - the new title appeared in the window header.  "exit" closes a pane.  Focus is always remembered when raising the Controls panel.  Up-arrow brings back the previous command.  Miniview opened a columnar window on the right of the initial pane and if that pane is closed the miniview disappears.  About pops up an image of an old Atari type terminal with the credits rolling upwards in luminous green - click to close.  Crossing boundaries with the mouse causes a blue highlight to flash.  If you back-delete on the command line part of the pane flashes red.  A pale glow at the top of a pane signifies that it has focus and the text cursor flashes blue and white.  Close terminal in the Controls panel removes the current pane.

Closed down the terminology window to try out some of the command-line invocations.  Saw this message:
$ ERR<15487>:eo lib/elementary/elm_pan.eo.c:22 elm_obj_pan_pos_max_get() Unable to resolve op for api func 0x7f7fcac911f0 for obj=(nil) ((null))
ERR<15487>:efreet_cache lib/efreet/efreet_cache.c:379 efreet_cache_shutdown() This application has not properly closed all its desktop references!

$ terminology -e "/home/lcl/bin/french" brought up terminology and a wrapper for the translate-shell program which pasted its output into terminology.  Closing the gui closed the terminal.

$ terminology -S vh--h
brought up a four-paned terminology window.
$ terminology -S vh
raises a terminology window with three panes with a horizontal split on the left.
$ terminology -S v-h
Three panes with the split on the right.

The title command does not work.

$ terminology --font="Andale Mono/18"
worked fine, increased the font size and scaled up the window.  Same for
$ terminology --font="Larabiefont/21"
cli options can be combined safely.
$ terminology --font="Larabiefont/21" --geometry="80x43"
The window also responds to corner dragging for resizing.

Set an image as background.
$ terminology -b="/home/lcl/Pictures/Vanuata.jpg" --geometry="80x43"
The image scales with corner dragging.  Contrast can be a problem.

That should be enough.  The cli options which do not work are hardly a problem.
This deserves an OK unless somebody disagrees because the PoC test told us nothing significant.

CC: (none) => tarazed25

Len Lawrence 2019-01-10 03:03:45 CET

Whiteboard: (none) => MGA6-64-OK
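
A defensive check for the sequence exercised in comment 2, added here as an example (it is not part of the bug report or of Terminology itself): it scans a file tree for the popmedia framing ESC } pn <name> NUL and renders content in caret notation so the terminal never interprets the raw bytes. The function names and the sample bytes are constructed for illustration; only the `pn` framing shown on this page is matched.

```python
import re
import sys
from pathlib import Path

# Framing as shown in the PoC in comment 2: ESC '}' 'pn' <filename> NUL.
# A sequence missing its NUL is still reported, flagged as unterminated.
POPMEDIA = re.compile(rb"\x1b\}pn([^\x00\r\n]*)(\x00?)")

def find_popmedia(data: bytes):
    """Return (offset, target, terminated) for each popmedia sequence."""
    return [(m.start(), m.group(1).decode("utf-8", "replace"), m.group(2) == b"\x00")
            for m in POPMEDIA.finditer(data)]

def caret_escape(data: bytes) -> str:
    """Render bytes like `cat -v`, so no raw control byte reaches the terminal."""
    out = []
    for b in data:
        if b in (0x0A, 0x09):            # keep newline and tab readable
            out.append(chr(b))
        elif b < 0x20:                   # ESC -> ^[, NUL -> ^@
            out.append("^" + chr(b + 0x40))
        elif b == 0x7F:
            out.append("^?")
        elif b < 0x7F:
            out.append(chr(b))
        else:
            out.append("\\x%02x" % b)
    return "".join(out)

def scan_tree(root: Path):
    """Yield (path, offset, target, terminated) for every hit below root."""
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        try:
            data = path.read_bytes()
        except OSError:                  # unreadable file: skip, keep scanning
            continue
        for off, target, term in find_popmedia(data):
            yield path, off, target, term

# Constructed sample mirroring the README.md shown in comment 2.
SAMPLE = b"# This is a simple README file\n\x1b}pnexploit.jar\x00\n"

if __name__ == "__main__":
    if len(sys.argv) > 1:                # scan a checkout or unpacked tarball
        hits = list(scan_tree(Path(sys.argv[1])))
        for path, off, target, term in hits:
            print(f"{path}:{off}: popmedia -> {target!r} terminated={term}")
        sys.exit(1 if hits else 0)
    print(find_popmedia(SAMPLE), caret_escape(SAMPLE), sep="\n", end="")
```

Run with a directory argument, the script exits non-zero when any file contains the sequence, which makes it usable as a gate before browsing an untrusted checkout in a terminal.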

Comment 3 Len Lawrence 2019-01-10 03:08:21 CET
Spotted a typo in comment 2:
exploit.jar actually contained "ruby /home/lcl/calco"
should have been
exploit.jar actually contained "ruby /home/lcl/bin/calco"
Comment 4 Chris Denice 2019-01-10 09:49:38 CET
Thanks Len for the intrusive testing, much welcome, as usual.
Indeed, the -T command does nothing, not really problematic but I guess that should be reported upstream.

Cheers.
Comment 5 Lewis Smith 2019-01-10 17:41:22 CET
@Chris
> Note to QA-TEAM. Please guys, file a bug in Bugzilla, or fix the wiki, to make
> the address "qa-bugs@ml.mageia.org" easily findable. We are supposed to
> re-assign fixed security updates to this address, which is currently almost
> impossible to find on the wiki.
Excuse my innocence - but which wiki? I will then do as you ask.

@Len: reiterate Chris's thanks.
Advisory from comment 1. Validating.

Keywords: (none) => advisory, validated_update
CC: (none) => lewyssmith, sysadmin-bugs

Comment 6 Chris Denice 2019-01-10 17:45:59 CET
@Lewis, for instance, this page is easily findable when searching for "update advisory"

https://wiki.mageia.org/en/Update_Advisory_Announcement_Example

I am keeping on taking this one as example, I think it is well written. But we may have others that I have missed.
Comment 7 Lewis Smith 2019-01-10 20:51:44 CET
(In reply to Chris Denice from comment #6)
> @Lewis, for instance, this page is easily findable when searching for
> "update advisory"
> https://wiki.mageia.org/en/Update_Advisory_Announcement_Example
Done.
> I am keeping on taking this one as example, I think it is well written. But
> we may have others that I have missed.
I looked for 'assigning' wikis, but found nothing else.
Comment 8 Mageia Robot 2019-01-11 06:55:20 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0031.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

