Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 538152 (CVE-2014-9556) - <app-arch/cabextract-1.6: multiple security vulnerabilities (CVE-2014-9556)
Summary: <app-arch/cabextract-1.6: multiple security vulnerabilities (CVE-2014-9556)
Status: RESOLVED FIXED
Alias: CVE-2014-9556
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL:
Whiteboard: B3 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2015-01-29 13:38 UTC by Hanno Böck
Modified: 2015-06-30 22:30 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Hanno Böck gentoo-dev 2015-01-29 13:38:52 UTC
cabextract 1.5 fixes multiple security vulnerabilities, one of them got CVE-2014-9556.

The release notes seem to be not available at a public place (just got them privately via email from the dev), I asked the upstream dev to make them publicly available. Most of the issues are fuzzing-related stuff found with afl.

Please bump to 1.5.
Comment 1 Ben de Groot (RETIRED) gentoo-dev 2015-03-29 11:25:54 UTC
+  29 Mar 2015; Ben de Groot <yngwin@gentoo.org> +cabextract-1.6.ebuild,
+  -cabextract-1.3.ebuild, cabextract-1.4.ebuild, metadata.xml:
+  Version bump, which fixes security bugs #538152 and #540626. Bump EAPI. Rename
+  extra-tools useflag to extras (bug #411643). Remove old.

Not sure if this and bug #540626 can be considered a duplicates? One GLSA should probably be enough to cover this.
Comment 2 Ben de Groot (RETIRED) gentoo-dev 2015-04-05 04:42:07 UTC
Arches, please mark app-arch/cabextract-1.6 as stable.
Comment 3 Yury German Gentoo Infrastructure gentoo-dev 2015-04-05 05:00:56 UTC
(In reply to Hanno Boeck from comment #0)
> cabextract 1.5 fixes multiple security vulnerabilities, one of them got
> CVE-2014-9556.
> 
> The release notes seem to be not available at a public place (just got them
> privately via email from the dev), I asked the upstream dev to make them
> publicly available. Most of the issues are fuzzing-related stuff found with
> afl.

Can you please forward the notes to security@ if you do not feel comfortable in making them public so we can handle the GLSA accordingly.

Currently assigning B4 Whiteboard (same as Bug # 540626) until further information on vulnerabilities are available.
Comment 4 GLSAMaker/CVETool Bot gentoo-dev 2015-04-05 05:01:51 UTC
CVE-2014-9556 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9556):
  Integer overflow in the qtmd_decompress function in libmspack 0.4 allows
  remote attackers to cause a denial of service (hang) via a crafted CAB file,
  which triggers an infinite loop.
Comment 5 Yury German Gentoo Infrastructure gentoo-dev 2015-04-05 05:04:01 UTC
Arches, please test and mark stable:

=app-arch/cabextract-1.6

Target Keywords : "alpha amd64 arm hppa ia64 ppc ppc64 spark x86"
Comment 6 Hanno Böck gentoo-dev 2015-04-05 05:26:13 UTC
Just googled for them, seems they have been posted to some netbsd mailing list, so they're public there and can be referenced:
https://mail-index.netbsd.org/pkgsrc-users/2015/01/30/msg020987.html

Please note: 1.6 also fixes a security issue (directory traversal, CVE-2015-2060), release notes here:
http://comments.gmane.org/gmane.os.netbsd.devel.pkgsrc.user/21307
Comment 7 Yury German Gentoo Infrastructure gentoo-dev 2015-04-05 05:32:55 UTC
(In reply to Hanno Boeck from comment #6)
> Just googled for them, seems they have been posted to some netbsd mailing
> list, so they're public there and can be referenced:
> https://mail-index.netbsd.org/pkgsrc-users/2015/01/30/msg020987.html
Thank you 

> Please note: 1.6 also fixes a security issue (directory traversal,
> CVE-2015-2060), 

This is handled by Bug # 540626
Comment 8 Jeroen Roovers (RETIRED) gentoo-dev 2015-04-06 06:59:25 UTC
Stable for HPPA.
Comment 9 Agostino Sarubbo gentoo-dev 2015-04-09 07:32:29 UTC
amd64 stable
Comment 10 Agostino Sarubbo gentoo-dev 2015-04-09 07:33:18 UTC
x86 stable
Comment 11 Markus Meier gentoo-dev 2015-04-09 20:47:40 UTC
arm stable
Comment 12 Agostino Sarubbo gentoo-dev 2015-04-13 09:45:48 UTC
alpha stable
Comment 13 Agostino Sarubbo gentoo-dev 2015-04-14 12:33:59 UTC
ia64 stable
Comment 14 Agostino Sarubbo gentoo-dev 2015-04-17 12:45:40 UTC
ppc64 stable
Comment 15 Pacho Ramos gentoo-dev 2015-04-21 18:39:28 UTC
ppc stable
Comment 16 Agostino Sarubbo gentoo-dev 2015-04-29 09:19:00 UTC
sparc stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 17 Yury German Gentoo Infrastructure gentoo-dev 2015-05-13 23:04:42 UTC
Arches and Maintainer(s), Thank you for your work.

GLSA Vote: No
Comment 18 Tobias Heinlein (RETIRED) gentoo-dev 2015-06-30 22:30:38 UTC
NO too, closing.