Bug 25282 - zipios++ new security issue CVE-2019-13453
Summary: zipios++ new security issue CVE-2019-13453
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All
OS: Linux
Priority: Normal
Severity: major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA7-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2019-08-12 00:56 CEST by David Walser
Modified: 2019-11-30 14:07 CET
CC List: 7 users

See Also:
Source RPM: zipios++-0.1.5.9-6.mga7.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2019-08-12 00:56:27 CEST
Ubuntu has issued an advisory on July 15:
https://usn.ubuntu.com/4057-1/

Mageia 6 and Mageia 7 are also affected.
David Walser 2019-08-12 00:56:39 CEST

Whiteboard: (none) => MGA7TOO, MGA6TOO

Comment 1 Marja Van Waes 2019-08-12 13:19:04 CEST
Assigning to the registered maintainer, but CC'ing cjw, who was the only one to touch this package after it was imported.

Assignee: bugsquad => shlomif
CC: (none) => cjw, marja11

Comment 2 David Walser 2019-08-12 15:40:17 CEST
Shlomi updated Cauldron to 2.2.1.0.  Will need to make sure it includes:
https://sourceforge.net/p/zipios/code-git/ci/96e26640573410709bb863b8916a8216f4c6a546/tree/infinite_loop.patch
Comment 3 Lewis Smith 2019-11-28 15:13:49 CET
Re-assigning globally due to change to no specific maintainer.

Assignee: shlomif => pkg-bugs

Comment 4 David GEIGER 2019-11-28 16:39:24 CET
(In reply to David Walser from comment #2)
> Shlomi updated Cauldron to 2.2.1.0.  Will need to make sure it includes:
> https://sourceforge.net/p/zipios/code-git/ci/96e26640573410709bb863b8916a8216f4c6a546/tree/infinite_loop.patch

zipios 2.2.1.0 is no longer zipios++, so this patch is unneeded, as the zipios++/zipheadio.h file no longer exists in the source.

CC: (none) => geiger.david68210

David Walser 2019-11-28 16:42:57 CET

Whiteboard: MGA7TOO, MGA6TOO => (none)
Version: Cauldron => 7

Comment 5 David GEIGER 2019-11-28 17:04:18 CET
Fixed for mga7!
Comment 6 David Walser 2019-11-28 17:06:59 CET
Advisory:
========================

Updated zipios++ packages fix security vulnerability:

Mike Salvatore discovered that Zipios mishandled certain malformed ZIP files.
An attacker could use this vulnerability to cause a denial of service or
consume system resources (CVE-2019-13453).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13453
https://usn.ubuntu.com/4057-1/
========================

Updated packages in core/updates_testing:
========================
libzipios++0-0.1.5.9-6.1.mga7
libzipios++-devel-0.1.5.9-6.1.mga7

from zipios++-0.1.5.9-6.1.mga7

Assignee: pkg-bugs => qa-bugs
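
The advisory above says only that a malformed ZIP made Zipios loop forever; the patch referenced in comment 2 is named infinite_loop.patch and touches zipios++/zipheadio.h. The C++ below is an added illustration of that class of defect, written for this page; it is not the zipios++ source nor the Ubuntu patch. It pairs a little-endian reader that assembles bytes from get() without checking for end of file with a hardened reader that fails on a short read, and runs both through a tolerant scanner that walks records until it sees an end signature. On a truncated stream the unchecked reader silently returns 0xFFFFFFFF forever, so the scanner never terminates; the checked reader raises instead. The record layout (signature, four-byte name length, name) is a simplification of the real ZIP central directory, the sample bytes are hand-built, and the iteration cap exists only so that the demo itself returns.

```cpp
#include <cstdint>
#include <iostream>
#include <sstream>
#include <stdexcept>
#include <string>

// Constructed for this demo: the PKZIP central-directory and
// end-of-central-directory signatures as little-endian values.
static const uint32_t kCentralSig = 0x02014b50u;
static const uint32_t kEndSig     = 0x06054b50u;

// Vulnerable pattern: assemble four bytes from get() with no check that the
// stream still delivered any. Past EOF, get() returns EOF (-1), so every
// call yields 0xFFFFFFFF and the caller never learns the input ran out.
uint32_t readUint32Unchecked(std::istream& is) {
    uint32_t v = 0;
    for (int i = 0; i < 4; ++i) {
        v |= static_cast<uint32_t>(is.get() & 0xff) << (8 * i);
    }
    return v;
}

// Hardened variant: one read() for all four bytes, and a short read is an error.
uint32_t readUint32Checked(std::istream& is) {
    unsigned char b[4];
    if (!is.read(reinterpret_cast<char*>(b), 4)) {
        throw std::runtime_error("truncated input");
    }
    return static_cast<uint32_t>(b[0]) |
           static_cast<uint32_t>(b[1]) << 8 |
           static_cast<uint32_t>(b[2]) << 16 |
           static_cast<uint32_t>(b[3]) << 24;
}

// Tolerant record scanner over a simplified, constructed layout: each central
// entry is signature, 4-byte name length, name bytes. It walks until the end
// signature and ignores anything it does not recognise. Returns the number of
// central entries seen, or -1 when maxIter is exhausted; the cap is only so
// this demo returns, the pattern it models has no such limit.
int scanEntries(const std::string& bytes, bool checked, int maxIter = 10000) {
    std::istringstream is(bytes);
    uint32_t (*read32)(std::istream&) =
        checked ? &readUint32Checked : &readUint32Unchecked;
    int entries = 0;
    for (int iter = 0; iter < maxIter; ++iter) {
        uint32_t sig = read32(is);
        if (sig == kEndSig) {
            return entries;
        }
        if (sig == kCentralSig) {
            uint32_t nameLen = read32(is);
            is.ignore(nameLen);  // skip the file name
            ++entries;
        }
        // Unknown signature: keep scanning. With the unchecked reader a
        // truncated stream yields 0xFFFFFFFF here on every iteration.
    }
    return -1;
}

// True when the checked reader rejects the input instead of looping.
bool truncationDetected(const std::string& bytes) {
    try {
        scanEntries(bytes, true);
        return false;
    } catch (const std::runtime_error&) {
        return true;
    }
}

static void put32(std::string& out, uint32_t v) {
    for (int i = 0; i < 4; ++i) {
        out.push_back(static_cast<char>((v >> (8 * i)) & 0xff));
    }
}

// Constructed sample input: one entry named "a.txt" followed by the end record.
std::string wellFormedSample() {
    std::string s;
    put32(s, kCentralSig);
    put32(s, 5);
    s += "a.txt";
    put32(s, kEndSig);
    return s;
}

// Constructed malformed input: the same entry cut off mid-name, no end record.
std::string truncatedSample() {
    std::string s;
    put32(s, kCentralSig);
    put32(s, 5);
    s += "a.t";
    return s;
}

int main() {
    std::cout << "well-formed, unchecked: " << scanEntries(wellFormedSample(), false) << '\n';
    std::cout << "well-formed, checked:   " << scanEntries(wellFormedSample(), true) << '\n';
    std::cout << "truncated, unchecked:   " << scanEntries(truncatedSample(), false)
              << " (-1 = would spin forever)\n";
    std::cout << "truncated, checked:     "
              << (truncationDetected(truncatedSample()) ? "rejected" : "accepted") << '\n';
    return 0;
}
```

The point for anyone auditing similar parsers: the bug is not in the loop but in the reader that hides stream failure, so the fix belongs at the read primitive (fail on short read), with a bounded loop as a second line of defence.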

Comment 7 Herman Viaene 2019-11-29 12:10:45 CET
MGA7-64 Plasma on Lenovo B50
No installation issues.
At CLI:
# urpmq --whatrequires lib64zipios++0
enigma
freecad
lib64zipios++-devel
lib64zipios++0
Decided on enigma; played a bit but had some trouble trying to exit this thing, but
$ strace -o zipios.txt enigma
showed a call to 
openat(AT_FDCWD, "/lib64/libzipios.so.0", O_RDONLY|O_CLOEXEC) = 3
in the early part of the trace.
OK for me.

CC: (none) => herman.viaene
Whiteboard: (none) => MGA7-64-OK

Comment 8 Thomas Andrews 2019-11-29 22:15:58 CET
Validating. Advisory in Comment 6.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Thomas Backlund 2019-11-30 12:00:30 CET

CC: (none) => tmb
Keywords: (none) => advisory

Comment 9 Mageia Robot 2019-11-30 14:07:42 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0341.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

