Bug 25281 - flightcrew new security issues CVE-2019-13032 and CVE-2019-13241
Summary: flightcrew new security issues CVE-2019-13032 and CVE-2019-13241
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA7-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2019-08-12 00:56 CEST by David Walser
Modified: 2019-12-19 14:45 CET
6 users

See Also:
Source RPM: flightcrew-0.9.0-10.mga7.src.rpm
CVE: CVE-2019-13032, CVE-2019-13241
Status comment:


Description David Walser 2019-08-12 00:56:24 CEST
Ubuntu has issued an advisory on July 15:
https://usn.ubuntu.com/4055-1/

Mageia 6 and Mageia 7 are also affected.
David Walser 2019-08-12 00:56:36 CEST

Whiteboard: (none) => MGA7TOO, MGA6TOO

Comment 1 Marja Van Waes 2019-08-12 13:17:13 CEST
Assigning to all packagers collectively, since there is no registered maintainer for this package.
Also CC'ing the de facto maintainer.

Assignee: bugsquad => pkg-bugs
CC: (none) => geiger.david68210, marja11

Comment 2 Nicolas Salguero 2019-12-17 10:44:01 CET
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

An issue was discovered in FlightCrew v0.9.2 and earlier. A NULL pointer dereference occurs in GetRelativePathToNcx() or GetRelativePathsToXhtmlDocuments() when a NULL pointer is passed to xc::XMLUri::isValidURI(). This affects third-party software (not Sigil) that uses FlightCrew as a library. (CVE-2019-13032)

FlightCrew v0.9.2 and older are vulnerable to a directory traversal, allowing attackers to write arbitrary files via a ../ (dot dot slash) in a ZIP archive entry that is mishandled during extraction. (CVE-2019-13241)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13032
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13241
https://usn.ubuntu.com/4055-1/
========================

Updated packages in core/updates_testing:
========================
flightcrew-common-0.9.0-10.1.mga7
flightcrew-cli-0.9.0-10.1.mga7
flightcrew-gui-0.9.0-10.1.mga7
flightcrew-plugin-0.9.0-10.1.mga7
lib(64)flightcrew0.7.2-0.9.0-10.1.mga7
lib(64)flightcrew-devel-0.9.0-10.1.mga7

from SRPMS:
flightcrew-0.9.0-10.1.mga7.src.rpm

Version: Cauldron => 7
Status: NEW => ASSIGNED
CC: (none) => nicolas.salguero
Assignee: pkg-bugs => qa-bugs
CVE: (none) => CVE-2019-13032, CVE-2019-13241
Whiteboard: MGA7TOO, MGA6TOO => (none)

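The second issue in the advisory above (CVE-2019-13241) is a classic archive path-traversal: an entry name containing "../" is used unchecked to build the extraction path. The following is an added example of the kind of entry-name validation that prevents it; it is not FlightCrew's own code and the function names (IsSafeEntryName, SafeExtractionPath) are hypothetical. It requires C++17 for std::filesystem.

```cpp
// Added example (not FlightCrew code): validate a ZIP entry name before
// extracting it, so that "../" entries cannot escape the destination
// directory. Function names here are hypothetical.
#include <filesystem>
#include <iostream>
#include <string>

namespace fs = std::filesystem;

// Returns true if the archive entry name may be extracted under a
// destination directory: it must be non-empty and relative, and after
// lexical normalisation must contain no ".." component and must not
// collapse to "." (which would name the destination directory itself).
bool IsSafeEntryName(const std::string &entry_name) {
    if (entry_name.empty()) return false;

    // ZIP entries use '/' as separator, but some archivers write '\';
    // treat both as separators so "..\x" is not mistaken for a filename.
    std::string normalised = entry_name;
    for (char &c : normalised) {
        if (c == '\\') c = '/';
    }

    fs::path p(normalised);
    // Reject anything anchored at a root ("/etc/passwd", "C:\...").
    if (p.has_root_directory() || p.has_root_name()) return false;

    fs::path clean = p.lexically_normal();   // "a/../b" -> "b", "a/../../b" -> "../b"
    if (clean.empty() || clean == fs::path(".")) return false;

    // Any ".." surviving normalisation climbs above the destination.
    for (const auto &part : clean) {
        if (part.string() == "..") return false;
    }
    return true;
}

// Joins dest_dir and entry_name, or returns an empty path if the entry
// is unsafe. Callers must treat an empty result as "skip this entry".
fs::path SafeExtractionPath(const fs::path &dest_dir, const std::string &entry_name) {
    if (!IsSafeEntryName(entry_name)) return fs::path();
    return (dest_dir / fs::path(entry_name)).lexically_normal();
}

// Stand-alone demonstration over constructed entry names.
int main() {
    const char *samples[] = {
        "OEBPS/content.opf",   // normal EPUB entry: accepted
        "a/../b",              // stays inside: accepted
        "../etc/passwd",       // escapes: rejected
        "/etc/passwd",         // absolute: rejected
        "..\\x",               // backslash variant: rejected
    };
    for (const char *name : samples) {
        fs::path out = SafeExtractionPath("/tmp/out", name);
        std::cout << name << " -> "
                  << (out.empty() ? "REJECTED" : out.string()) << '\n';
    }
    return 0;
}
```

The check deliberately normalises before inspecting components, so "a/../b" (which never leaves the destination) is allowed while "a/../../b" is not; rejecting every entry that merely contains ".." would also be acceptable and is simpler if the archive format never needs it.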
Comment 3 Thomas Andrews 2019-12-18 21:56:58 CET
Flightcrew sounds like a good name for a game, but is actually an epub analyser, used in conjunction with epub editors.

I installed flightcrew, and ran flightcrew-gui to analyze a couple of epub-format ebooks. I then got the updates, and ran it again on the same ebooks. The results were the same.

Looks like it's doing what it's supposed to do. Giving it a 64-bit OK, and validating. Advisory in Comment 2.

Whiteboard: (none) => MGA7-64-OK
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Thomas Backlund 2019-12-19 13:07:48 CET

CC: (none) => tmb
Keywords: (none) => advisory

Comment 4 Mageia Robot 2019-12-19 14:45:49 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0396.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED
