tl;dr: Update GCab from your distributor.
Longer version: Just before Christmas I found a likely exploitable bug in the libgcab library. Various security teams have been busy with slightly more important issues, and so it’s taken a lot longer than usual to be verified and assigned a CVE. The issue I found was that libgcab attempted to read a large chunk into a small buffer, overwriting lots of interesting things past the end of the buffer. ASLR and SELinux save us in nearly all cases, so it’s not the end of the world. Almost a textbook C buffer overflow (rust, yada, whatever) so it was easy to fix.
Some key points:
- This only affects libgcab, not cabarchive or libarchive
- All gcab versions less than 0.8 are affected
- Anything that links to gcab is affected, so gnome-software, appstream-glib and fwupd at least
- Once you install the fixed gcab you need to restart anything that’s using it, e.g. fwupd
- There is no silly branded name for this bug
- The GCab project is incredibly well written, and I’ve been hugely impressed with the code quality
- You can test if your GCab has been fixed by attempting to decompress this file; if the program crashes, you need to update
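As an added illustration (not the post's or libgcab's own code) of the bug class described above, and of the header/body mismatch that a crash-test file exercises, here is a CFDATA-style block reader with the bounds checks a patched parser needs; the structure names, field layout and buffer size are assumptions for this example:

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Constructed illustration of the bug class described above: a block length
 * read from the file header is used as the copy length into a fixed buffer.
 * Names, layout and buffer size are assumptions, not libgcab's own code. A
 * CFDATA record: 32-bit checksum, 16-bit cbData, 16-bit cbUncomp. */
#define CAB_BLOCKSIZE   32768u                    /* max uncompressed block */
#define BLOCK_BUF_SIZE  (CAB_BLOCKSIZE + 6144u)   /* assumed compression slack */
#define CFDATA_HDR      8u

typedef struct {
    uint8_t  data[BLOCK_BUF_SIZE];
    uint16_t cb_data;
    uint16_t cb_uncomp;
} cab_block;

/* Parse one CFDATA-style record from memory. Returns bytes consumed, or -1
 * if the record is malformed. The unchecked variant did
 * memcpy(out->data, in + CFDATA_HDR, cb_data) directly: a 16-bit field can
 * name 65535 bytes, far more than the ~38 KiB destination holds. */
long cab_block_read(const uint8_t *in, size_t in_len, cab_block *out)
{
    if (in_len < CFDATA_HDR)
        return -1;                                /* header truncated */
    uint16_t cb_data   = (uint16_t)(in[4] | in[5] << 8);
    uint16_t cb_uncomp = (uint16_t)(in[6] | in[7] << 8);
    if (cb_data > BLOCK_BUF_SIZE)                 /* header lies about size */
        return -1;
    if ((size_t)cb_data > in_len - CFDATA_HDR)    /* payload truncated */
        return -1;
    if (cb_uncomp > CAB_BLOCKSIZE)                /* oversized block */
        return -1;
    memcpy(out->data, in + CFDATA_HDR, cb_data);
    out->cb_data   = cb_data;
    out->cb_uncomp = cb_uncomp;
    return (long)(CFDATA_HDR + cb_data);
}

/* Build a constructed record (zero checksum, zero payload) into buf. The
 * header fields are set independently of the bytes present, so a test can
 * feed the parser a record whose header does not match its body. */
size_t make_record(uint8_t *buf, uint16_t cb_data, uint16_t cb_uncomp, size_t payload)
{
    memset(buf, 0, CFDATA_HDR + payload);
    buf[4] = (uint8_t)cb_data;   buf[5] = (uint8_t)(cb_data >> 8);
    buf[6] = (uint8_t)cb_uncomp; buf[7] = (uint8_t)(cb_uncomp >> 8);
    return CFDATA_HDR + payload;
}
```

A regression test for a patched reader is then a record whose header claims more bytes than the buffer holds, which must return an error rather than crash.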
With Marc-André’s blessing, I’ve released version v0.8 of gcab with this fix. I’ve also released v1.0, which has this fix (and many more nice API additions), switches the build system to Meson and cleans up a lot of leaks using g_autoptr(). If you’re choosing a version to update to, the answer is probably 1.0 unless you’re building for something more sedate like RHEL 5 or 6. You can get the Fedora 27 packages here or they’ll be on the mirrors tomorrow.