Bug 25283 - libmspack new security issue CVE-2019-1010305
Summary: libmspack new security issue CVE-2019-1010305
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA6-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2019-08-12 01:11 CEST by David Walser
Modified: 2019-09-06 23:11 CEST

See Also:
Source RPM: libmspack-0.10.1-0.alpha.1.mga7.src.rpm
CVE:
Status comment:



Description David Walser 2019-08-12 01:11:53 CEST
Ubuntu has issued an advisory on July 18:
https://usn.ubuntu.com/4066-1/

Mageia 6 and Mageia 7 are also affected.
David Walser 2019-08-12 01:12:01 CEST

Whiteboard: (none) => MGA7TOO, MGA6TOO

Comment 1 Marja Van Waes 2019-08-12 13:19:40 CEST
Assigning to the registered maintainer.

CC: (none) => marja11
Assignee: bugsquad => geiger.david68210

Comment 2 David GEIGER 2019-08-19 09:09:03 CEST
Here https://nvd.nist.gov/vuln/detail/CVE-2019-1010305 it is written:

"The attack vector is: the victim must open a specially crafted chm file. The fixed version is: after commit 2f084136cfe0d05e5bf5703f3e83c6d955234b4d"

So this fix is already included in the latest 0.10.1alpha release that we have on mga7 and Cauldron.
David Walser 2019-08-19 13:24:35 CEST

Version: Cauldron => 6
Whiteboard: MGA7TOO, MGA6TOO => (none)

Comment 3 David GEIGER 2019-08-19 13:58:14 CEST
Done for mga6 updating to latest 0.10.1alpha upstream release!
Comment 4 David Walser 2019-08-19 19:46:32 CEST
Advisory:
========================

Updated libmspack packages fix security vulnerability:

It was discovered that libmspack incorrectly handled certain CHM files. A
remote attacker could possibly use this issue to access sensitive information
(CVE-2019-1010305).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1010305
https://usn.ubuntu.com/4066-1/
========================

Updated packages in core/updates_testing:
========================
libmspack0-0.10.1-0.alpha.1.mga6
libmspack-devel-0.10.1-0.alpha.1.mga6

from libmspack-0.10.1-0.alpha.1.mga6.src.rpm

CC: (none) => geiger.david68210
Assignee: geiger.david68210 => qa-bugs

Comment 5 Len Lawrence 2019-09-02 11:28:48 CEST
mga6, x86_64

$ rpm -qa | grep mspack
lib64mspack0-0.9.1-0.alpha.1.mga6
lib64mspack-devel-0.9.1-0.alpha.1.mga6

Installed cabextract.
$ urpmq --requires cabextract
cabextract: libmspack.so.0()(64bit)

CVE-2019-1010305
https://github.com/JsHuang/pocs/blob/master/libmspack/chmextract-overflow-chmd-486
$ chmextract chmextract-overflow-chmd-486
This POC requires chmextract which is an example program shipped with versions before
0.8.  Presumably that has been supplanted by cabextract.  It is not known if this
utility can be used effectively with the POC but it handles the malformed file cleanly.
It would be risky to draw any conclusions from this.
$ cabextract chmextract-overflow-chmd-486
chmextract-overflow-chmd-486: no valid cabinets found
All done, errors in processing 1 file(s)

One can predict that the same message will appear after the update.
Ran the update and tested the POC file with cabextract - same message.

Utility tests using https://bugs.mageia.org/show_bug.cgi?id=23365 as a reference.

Used CAB files prepared earlier with lcab/gcab which do not use libmspack.
Note this from
$ urpmq -i libmspack0
[...]
Summary     : Library for CAB and related files compression and decompression
Description :
The purpose of libmspack is to provide both compression and decompression of
some loosely related file formats used by Microsoft.

There do not appear to be any compression utilities based on libmspack.

$ cabextract -t odt.cab
Testing cabinet: odt.cab
  xyz.odt  OK                                  a63bdf66a070493d7ce15d2ff09877dc
All done, no errors.

$ cabextract -l ruby.cab
Viewing cabinet: ruby.cab
 File size | Date       Time     | Name
-----------+---------------------+-------------
         2 | 15.04.2012 10:14:26 | data/ruby/ascii_chart
         0 | 30.06.2014 22:49:06 | data/ruby/backup
         0 | 24.05.2015 11:04:46 | data/ruby/books
         0 | 17.11.2015 07:18:44 | data/ruby/calco
[...]
      6059 | 10.07.2014 23:51:02 | data/ruby/xmlviewer.rb
         0 | 23.08.2010 11:16:54 | data/ruby/xosd
All done, no errors.

$ mkdir ruby
$ cabextract -d ruby ruby.cab
Extracting cabinet: ruby.cab
  extracting ruby/data/ruby/ascii_chart
  extracting ruby/data/ruby/backup
[...]
$ ls ruby/data/ruby | wc -l
103
<The destination does not have to exist already>
$ cabextract -d tmp ruby.cab
Extracting cabinet: ruby.cab
  extracting tmp/data/ruby/ascii_chart
  extracting tmp/data/ruby/backup
[...]
$ ls tmp
data/

This is as far as we need take this.

Whiteboard: (none) => MGA6-64-OK
CC: (none) => tarazed25
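
Added example (not part of the thread or of Mageia's QA tooling): because the POC run in Comment 5 could not distinguish the old library from the new one, a version check on the installed packages is the direct way to confirm the update took effect. The function names and the 0.10.1 threshold are assumptions taken from the package lists quoted in Comments 4 and 5.

```shell
#!/bin/sh
# Added example, not from the bug thread.
FIXED_VERSION="0.10.1"   # version shipped by the update in Comment 4

# Package lists as quoted in the thread (before: Comment 5, after: Comment 4).
SAMPLE_BEFORE='lib64mspack0-0.9.1-0.alpha.1.mga6
lib64mspack-devel-0.9.1-0.alpha.1.mga6'
SAMPLE_AFTER='libmspack0-0.10.1-0.alpha.1.mga6
libmspack-devel-0.10.1-0.alpha.1.mga6'

# version_ge A B: true if dotted numeric version A >= B. Fields are compared
# as integers, so 0.9.1 < 0.10.1 (a plain string compare gets this wrong).
# Assumes purely numeric fields, as in the versions above.
version_ge() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        fa=${a%%.*}; fb=${b%%.*}
        if [ "$a" = "$fa" ]; then a=""; else a=${a#*.}; fi
        if [ "$b" = "$fb" ]; then b=""; else b=${b#*.}; fi
        fa=${fa:-0}; fb=${fb:-0}
        if [ "$fa" -gt "$fb" ]; then return 0; fi
        if [ "$fa" -lt "$fb" ]; then return 1; fi
    done
    return 0
}

# check_mspack: read `rpm -qa` lines (name-version-release) on stdin, print a
# verdict for each libmspack package, return 1 if any is below FIXED_VERSION.
check_mspack() {
    rc=0
    while IFS= read -r nvr; do
        case $nvr in lib*mspack*) ;; *) continue ;; esac
        nv=${nvr%-*}        # drop "-release"
        ver=${nv##*-}       # version is the last remaining field
        name=${nv%-*}
        if version_ge "$ver" "$FIXED_VERSION"; then
            echo "OK       $name $ver"
        else
            echo "OUTDATED $name $ver (older than $FIXED_VERSION)"
            rc=1
        fi
    done
    return $rc
}

# On a live system: rpm -qa | check_mspack
printf '%s\n' "$SAMPLE_BEFORE" | check_mspack || echo "=> update still needed"
printf '%s\n' "$SAMPLE_AFTER"  | check_mspack && echo "=> update installed"
```
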

Comment 6 Thomas Andrews 2019-09-05 04:49:02 CEST
Validating. Advisory in Comment 4.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Thomas Backlund 2019-09-06 19:26:49 CEST

CC: (none) => tmb
Keywords: (none) => advisory

Comment 7 Mageia Robot 2019-09-06 23:11:18 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0248.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

