Bug 15438

Summary: libarchive new directory traversal security issue in bsdcpio (CVE-2015-2304)
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: shlomif, sysadmin-bugs
Version: 4Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/635764/
Whiteboard: has_procedure advisory MGA4-32-OK MGA4-64-OK
Source RPM: libarchive-3.1.2-2.mga4.src.rpm CVE:
Status comment:

Description David Walser 2015-03-05 22:29:43 CET 
Debian has issued an advisory today (March 5):
https://lists.debian.org/debian-security-announce/2015/msg00064.html

The DSA will be posted here:
https://www.debian.org/security/2015/dsa-3180

I've fixed this in libarchive-3.1.2-5.mga5.

It will also be fixed in libarchive-3.1.2-2.1.mga4, currently in SVN.

I'll push it soon if no CVE is assigned.

The fix was posted here, and the CVE request in the thread is still pending:
http://openwall.com/lists/oss-security/2015/03/05/7

Reproducible: 

Steps to Reproduce:
David Walser 2015-03-06 22:15:36 CET

URL: (none) => http://lwn.net/Vulnerabilities/635764/

Comment 1 David Walser 2015-03-11 15:49:12 CET 
It doesn't look like this is getting a CVE (no responses).

Patched package uploaded for Mageia 4.

Advisory:
========================

Updated libarchive packages fix security vulnerability:

Alexander Cherepanov discovered that bsdcpio, an implementation of the "cpio"
program part of the libarchive project, is susceptible to a directory
traversal vulnerability via absolute paths.

References:
http://openwall.com/lists/oss-security/2015/01/16/7
https://www.debian.org/security/2015/dsa-3180
========================

Updated packages in core/updates_testing:
========================
libarchive13-3.1.2-2.1.mga4
libarchive-devel-3.1.2-2.1.mga4
bsdtar-3.1.2-2.1.mga4
bsdcpio-3.1.2-2.1.mga4

from libarchive-3.1.2-2.1.mga4.src.rpm

Assignee: bugsquad => qa-bugs

Comment 2 David Walser 2015-03-11 16:33:43 CET 
The issue is in the bsdcpio package.  You do have to update libarchive13 as well for the fix to take effect.

PoC is here:
https://groups.google.com/forum/#!msg/libarchive-discuss/dN9y1VvE1Qk/Z9uerigjQn0J

Note, just use "bsdcpio" and not "./bsdcpio"

I was able to reproduce the results in the link above before the update.

After the update, it ends with:
$ bsdcpio -iv < test.cpio
/tmp/abs
/tmp/abs: Path is absolute
1 block
$ ls /tmp/abs
ls: cannot access /tmp/abs: No such file or directory

Testing complete Mageia 4 i586.

Whiteboard: (none) => has_procedure MGA4-32-OK

Comment 3 Shlomi Fish 2015-03-11 17:53:04 CET 
PoC fix verified to work on MGA4-x86-64 in a VBox VM. Marking as MGA4-64-OK .

CC: (none) => shlomif
Whiteboard: has_procedure MGA4-32-OK => has_procedure MGA4-32-OK MGA4-64-OK

Comment 4 claire robinson 2015-03-12 12:55:22 CET 
Validating. Advisory uploaded.

Please push to 4 updates

Thanks

Keywords: (none) => validated_update
Whiteboard: has_procedure MGA4-32-OK MGA4-64-OK => has_procedure advisory MGA4-32-OK MGA4-64-OK
CC: (none) => sysadmin-bugs

Comment 5 Mageia Robot 2015-03-12 16:31:27 CET 
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0106.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

Comment 6 David Walser 2015-03-16 14:45:16 CET 
This has finally been assigned a CVE:
http://openwall.com/lists/oss-security/2015/03/15/7

Advisory:
========================

Updated libarchive packages fix security vulnerability:

Alexander Cherepanov discovered that bsdcpio, an implementation of the "cpio"
program part of the libarchive project, is susceptible to a directory
traversal vulnerability via absolute paths (CVE-2015-2304).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2304
http://openwall.com/lists/oss-security/2015/03/15/7
https://www.debian.org/security/2015/dsa-3180

Summary: libarchive new directory traversal security issue in bsdcpio => libarchive new directory traversal security issue in bsdcpio (CVE-2015-2304)