Bug 31679 - peazip new security issue CVE-2023-24785
Summary: peazip new security issue CVE-2023-24785
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All / OS: Linux
Priority: Normal / Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
Reported: 2023-03-15 15:55 CET by David Walser
Modified: 2023-04-06 23:21 CEST
CC List: 5 users

See Also:
Source RPM: peazip-7.3.1-1.mga8.src.rpm
CVE:
Status comment:


Description David Walser 2023-03-15 15:55:01 CET
openSUSE has issued an advisory on March 14:
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/LZIRA2ZFJZWEVFCSMWHI56CKGCJG2A3D/

The issue is fixed upstream in 9.1.0.
David Walser 2023-03-15 15:59:35 CET

Status comment: (none) => Fixed upstream in 9.1.0

Comment 1 David GEIGER 2023-03-27 05:57:36 CEST
peazip now updating to 9.1.0 release for mga8!
Comment 2 David Walser 2023-03-27 14:45:16 CEST
peazip-kf5-9.1.0-1.mga8
peazip-9.1.0-1.mga8

from peazip-9.1.0-1.mga8.src.rpm

Status comment: Fixed upstream in 9.1.0 => (none)
Assignee: geiger.david68210 => qa-bugs
CC: (none) => geiger.david68210

Comment 3 Len Lawrence 2023-03-28 01:24:02 CEST
mga8, x64
Tried to install the core release packages.
"No package named peazip-kf5"
$ urpmq -i peazip-kf5
No package named peazip-kf5
$ urpmq -i peazip
[...]
PeaZip is a free cross-platform file archiver that provides a unified
portable GUI for many Open Source technologies like 7-Zip, FreeArc, PAQ,
UPX...

From the cli it launches a gui.
Updated the system menus.
No sign of peazip in Tools.
Ran peazip and created a 7z archive from a number of ttf files in user directory.  Moved zip file to ~/tmp and unzipped it with peazip.
$ cd ~/tmp
$ ls *.ttf
dreamorp.ttf  efflores.ttf  gunplay3.ttf  pakenham.ttf  presti.ttf
edmundis.ttf  guanine.ttf   gunplay.ttf   pa.ttf        prest.ttf

Updated the two packages OK with qarepo and then MageiaUpdate.  Had to install peazip-kf5 "manually" because it appears to be a new package.

$ peazip fonts
Created a gzip file and moved it elsewhere.
$ cd data/fonts
$ peazip fonts.tar.gz
This displays the original source directory ~/fonts which is the default for extraction.
Selected a few files for extraction and specified a new directory newfonts for output.  That worked.  In fact the selected files are output to newfonts/fonts.tar/.
All present and correct.
Did not take this any further.  It appears to be functional.

Whiteboard: (none) => MGA8-64-OK
CC: (none) => tarazed25

Comment 4 Thomas Andrews 2023-03-29 16:48:00 CEST
Seemed strange that you didn't find peazip in "Tools" so I played with it a bit myself.

I used qarepo to get the two packages, then installed rather than update into a VirtualBox Plasma guest. Peazip was required by peazip-kf5, but not the other way around.

I hunted around in the Plasma menu after the install, expecting it to be in "Tools" if there, but found "Peazip" in the System Tools sub-menu. It launched OK from there.

Validating.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Dave Hodgins 2023-03-29 17:19:23 CEST

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 5 Len Lawrence 2023-03-29 17:29:05 CEST
@TJ re comment 4.
Yes, I always check System tools as well in cases like this.  It definitely does not show up even after running update-menus again.  The DE is Mate.  ??
Comment 6 Thomas Andrews 2023-03-29 18:04:06 CEST
(In reply to Len Lawrence from comment #5)
> @TJ re comment 4.
> Yes, I always check System tools as well in cases like this.  It definitely
> does not show up even after running update-menus again.  The DE is Mate.  ??

It doesn't show in the Gnome menu, either - but it does in Xfce. Obviously, the menu part is desktop-dependent.
Comment 7 Dave Hodgins 2023-03-29 18:26:57 CEST
Removing the validation
# diff -u peazip.desktop /usr/share/applications/peazip.desktop|grep Categ
-Categories=GTK;KDE;Utility;System;Archiving;
+Categories=Qt;KDE;Utility;System;Archiving;

Dropping the GTK is causing the menu regression.

Keywords: validated_update => (none)

Comment 8 David GEIGER 2023-03-29 19:50:20 CEST
Does it work if you manually added "GTK"?

-Categories=Qt;KDE;Utility;System;Archiving;
+Categories=GTK;Qt;KDE;Utility;System;Archiving;
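Review bot: the proposed line keeps Qt next to GTK (`Categories=GTK;Qt;KDE;Utility;System;Archiving;`), but the line reported as working in comment 9 is `Categories=GTK;KDE;Utility;System;Archiving;`, with Qt dropped, so the variant actually tested is not the one proposed here. Worth stating in the fix comment which of the two went into peazip-9.1.0-1.1.mga8, and re-checking the menu on Plasma if it is the one without Qt.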
Comment 9 Dave Hodgins 2023-03-29 20:38:42 CEST
Yes. With
Categories=GTK;KDE;Utility;System;Archiving;
it shows up in the mate menu under Tools/System Tools and works.
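The regression in comments 7 and 9 was found by grepping a `diff -u` of the old and new `peazip.desktop`. As an added example, not Mageia QA tooling and not anything shipped with PeaZip, the shell snippet below does that comparison systematically: it extracts the `Categories=` key from two .desktop files and lists every category the newer file dropped, not only GTK. The two sample files are constructed from the `Categories` lines quoted in comment 7 and written to a temporary directory; their other keys, the temporary paths and the function names are assumptions made for the example.

```shell
#!/bin/sh
# Added example for Mageia bug 31679 (not Mageia QA tooling, not PeaZip code):
# report which Categories= entries a new .desktop file dropped relative to
# the old one. Sample files are constructed below from the lines quoted in
# comment 7; everything else in them is an assumption for the example.

set -u
export LC_ALL=C   # deterministic sort order for comparison

# Print the categories of a .desktop file one per line, sorted, deduplicated.
# Only the first Categories= key in the file is considered.
desktop_categories() {
    sed -n 's/^Categories=//p' "$1" | head -n 1 | tr ';' '\n' | sed '/^$/d' | sort -u
}

# Exit 0 if the .desktop file ($1) lists category $2, 1 otherwise.
desktop_has_category() {
    desktop_categories "$1" | grep -qxF -- "$2"
}

# Print categories present in the old file ($1) but absent from the new one ($2).
categories_removed() {
    new=$(desktop_categories "$2")
    desktop_categories "$1" | while IFS= read -r c; do
        printf '%s\n' "$new" | grep -qxF -- "$c" || printf '%s\n' "$c"
    done
}

# Constructed sample: the two Categories lines from comment 7, wrapped in
# minimal Desktop Entry files in a temporary directory (assumed paths).
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
OLD_DESKTOP="$WORK/peazip-old.desktop"
NEW_DESKTOP="$WORK/peazip-new.desktop"
cat >"$OLD_DESKTOP" <<'EOF'
[Desktop Entry]
Type=Application
Name=PeaZip
Exec=peazip %F
Categories=GTK;KDE;Utility;System;Archiving;
EOF
cat >"$NEW_DESKTOP" <<'EOF'
[Desktop Entry]
Type=Application
Name=PeaZip
Exec=peazip %F
Categories=Qt;KDE;Utility;System;Archiving;
EOF

# Stand-alone run: list what the update dropped (prints "GTK" for the sample).
printf 'Categories dropped by the update:\n'
categories_removed "$OLD_DESKTOP" "$NEW_DESKTOP"
```

Run it against the .desktop file from the previous package (extracted with `rpm2cpio ... | cpio -id`) and the one installed by the candidate update; any line it prints is a category some menu implementation may have been matching on. `desktop-file-validate` from desktop-file-utils checks the key syntax but will not tell you that a category you relied on is gone, which is exactly what bit MATE and GNOME here.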
Comment 10 David GEIGER 2023-03-29 21:18:06 CEST
Should be fixed in peazip-9.1.0-1.1.mga8
Comment 11 David Walser 2023-03-30 01:18:03 CEST
peazip-kf5-9.1.0-1.1.mga8
peazip-9.1.0-1.1.mga8

from peazip-9.1.0-1.1.mga8.src.rpm

Keywords: advisory => (none)
Whiteboard: MGA8-64-OK => (none)

Comment 12 Thomas Andrews 2023-03-30 22:07:33 CEST
I ran my Gnome guest again to check out the new update, but when I went to run QArepo from the menu, there, right above it, was peazip. So now I know, it needed a reboot or a logout/login to update the menu after all.

So I removed the two peazip packages, and of course peazip disappeared from the menu. After yet another reboot, I used QArepo to get the latest candidates, and installed them. Checking the menu again, it still wasn't there, but using my new knowledge, I rebooted - and it magically appeared. I ran it, and extracted a zip file. It worked OK.

So now we just need a new test on a MATE system. Len?
Comment 13 Len Lawrence 2023-03-31 23:59:57 CEST
OK.  Installed the new updates.
$ rpm -qa | grep peazip
peazip-kf5-9.1.0-1.1.mga8
peazip-9.1.0-1.1.mga8

Created a couple of archives, moved them and unzipped them correctly.
Not in the system menus.
Rebooted and peazip appears in the tools:system tools menu.
Comment 14 Len Lawrence 2023-04-01 00:07:36 CEST
As a rider to comment 13, tried a dummy run with `update-menus -v`, the verbose option.  That came up with lots of "Unknown 'Layout':" messages.  No idea if there is a bug lurking there.  Could be genuine complaints.
Comment 15 Dave Hodgins 2023-04-01 06:57:55 CEST
Looks like logout/in is all that's required to get the menu entry to show up.

Not clear why. I tried uninstalling gimp, and then reinstalling it and it shows up immediately. I'll look into it more tomorrow.
Comment 16 Thomas Andrews 2023-04-06 18:52:17 CEST
Anything new on this, Dave? Agreed it is strange.  The menu entry disappeared immediately for me when I removed it, just like gimp did with you, but it didn't re-appear until after a logout/in.

I think we could OK it as is since the update is for a security issue, it DOES show up in the menu after a logout/in, and it seems to work OK.

If you do find the reason for the menu situation, it could be addressed in another bug. What do you think?
Comment 17 Dave Hodgins 2023-04-06 20:24:28 CEST
I don't see what's preventing it from showing up in the menu right away like things normally do. I agree that since the impact is so minor that this update should be pushed. Thomas updated the srpm in the svn copy of the advisory.
Restoring the validated/ok tags.

Keywords: (none) => advisory, validated_update
Whiteboard: (none) => MGA8-64-OK

Comment 18 Mageia Robot 2023-04-06 23:21:35 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2023-0124.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED