Bug 658548 (CVE-2018-1002209)

Summary:	<dev-libs/quazip-0.7.6: zip slip - arbitrary file write vulnerability / arbitrary code execution using a specially crafted zip file
Product:	Gentoo Security	Reporter:	Florian Schuhmacher <mynt1aa>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	RESOLVED FIXED
Severity:	normal	Flags:	stable-bot: sanity-check+
Priority:	Normal
Version:	unspecified
Hardware:	All
OS:	Linux
URL:	https://github.com/stachenov/quazip/commit/5d2fc16a1976e5bf78d2927b012f67a2ae047a98
Whiteboard:	B3 [noglsa cve]
Package list:	dev-libs/quazip-0.7.6	Runtime testing required:	---

Description Florian Schuhmacher 2018-06-20 02:20:48 UTC

A vulnerability has been found in the way developers have implemented the archive extraction of files. An arbitrary file write vulnerability, that can be achieved using a specially crafted zip archive (affects other archives as well, bzip2, tar,xz, war, cpio, 7z), that holds path traversal filenames. So when the filename gets concatenated to the target extraction directory, the final path ends up outside of the target folder. Of course if an executable or a configuration file is overwritten with a file containing malicious code, the problem can turn into an arbitrary code execution issue quite easily. This affects multiple libraries that lacks of a high level APIs that provide the archive extraction functionality.

Gentoo Security Scout
Florian Schuhmacher

Comment 1 Larry the Git Cow gentoo-dev

2018-06-20 13:03:46 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8d40e5767c67082e1f69117553766ad1a3614354

commit 8d40e5767c67082e1f69117553766ad1a3614354
Author:     Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2018-06-20 12:22:49 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2018-06-20 13:03:25 +0000

    dev-libs/quazip: 0.7.6 version bump, moved to GitHub
    
    Bug: https://bugs.gentoo.org/658548
    Package-Manager: Portage-2.3.40, Repoman-2.3.9

 dev-libs/quazip/Manifest            |  1 +
 dev-libs/quazip/quazip-0.7.6.ebuild | 48 +++++++++++++++++++++++++++++++++++++
 2 files changed, 49 insertions(+)

Comment 2 Andreas Sturmlechner gentoo-dev

2018-06-20 13:17:54 UTC

See also: https://github.com/stachenov/quazip/commit/5d2fc16a1976e5bf78d2927b012f67a2ae047a98

Comment 3 Andreas Sturmlechner gentoo-dev

2018-07-15 23:55:16 UTC

Arches, please stabilise...

Comment 4 Agostino Sarubbo gentoo-dev

2018-07-17 13:55:30 UTC

amd64 stable

Comment 5 Thomas Deutschmann (RETIRED) gentoo-dev

2018-07-20 22:42:44 UTC

x86 stable

Comment 6 Sergei Trofimovich (RETIRED) gentoo-dev

2018-07-29 16:27:57 UTC

ppc64 stable

Comment 7 Sergei Trofimovich (RETIRED) gentoo-dev

2018-08-11 19:09:21 UTC

ppc stable

Last arch. Closing.

Comment 8 Larry the Git Cow gentoo-dev

2018-08-11 19:32:05 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c1658bd3a1fc7f931f5a9451cb824a5bd2390278

commit c1658bd3a1fc7f931f5a9451cb824a5bd2390278
Author:     Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2018-08-11 19:31:15 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2018-08-11 19:31:52 +0000

    dev-libs/quazip: Cleanup vulnerable 0.7.3
    
    Bug: https://bugs.gentoo.org/658548
    Package-Manager: Portage-2.3.45, Repoman-2.3.10

 dev-libs/quazip/Manifest               |  1 -
 dev-libs/quazip/quazip-0.7.3-r1.ebuild | 51 ----------------------------------
 2 files changed, 52 deletions(-)

Comment 9 Andreas Sturmlechner gentoo-dev

2018-09-15 13:15:19 UTC

ping sec - sci is done here, in case you didn't notice.