Bug 15854

Summary: libarchive new crash in bsdtar fixed upstream (CVE-2015-8915)
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: sysadmin-bugs, tarazed25
Version: 4Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/644037/
Whiteboard: has_procedure advisory MGA4-32-OK MGA4-64-OK
Source RPM: libarchive-3.1.2-5.mga5.src.rpm CVE:
Status comment:

Description David Walser 2015-05-05 18:42:56 CEST 
A CVE was requested for an issue fixed upstream:
http://openwall.com/lists/oss-security/2015/05/04/1

Patch added in Mageia 4 and Cauldron SVN.  Freeze push requested.

Reproducible: 

Steps to Reproduce:
David Walser 2015-05-05 18:43:04 CEST

Blocks: (none) => 14674
Whiteboard: (none) => MGA5TOO, MGA4TOO

Comment 1 David Walser 2015-05-06 14:08:18 CEST 
Patched packages uploaded for Mageia 4 and Cauldron.

PoC on the upstream bug report:
https://github.com/libarchive/libarchive/issues/502

Advisory:
========================

Updated libarchive packages fix security vulnerability:

An out-of-bounds read flaw was found in the way libarchive processed certain
archives. An attacker could create a specially crafted archive that, when
processed by an application using the libarchive library, would cause that
application to crash (rhbz#1216891).

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1216891
========================

Updated packages in core/updates_testing:
========================
libarchive13-3.1.2-2.2.mga4
libarchive-devel-3.1.2-2.2.mga4
bsdtar-3.1.2-2.2.mga4
bsdcpio-3.1.2-2.2.mga4

from libarchive-3.1.2-2.2.mga4.src.rpm

Whiteboard: MGA5TOO, MGA4TOO => has_procedure
Version: Cauldron => 4
Blocks: 14674 => (none)
Assignee: bugsquad => qa-bugs

Comment 2 David Walser 2015-05-06 14:42:26 CEST 
Tested fine on Mageia 4 i586.

Make sure you install bsdtar, and when you update also install the updated libarchive13.

Before the update:
$ bsdtar -tvf ../crash_dos.tar
?---------  8191 0      64768  -69338 Dec 31  1969 Fatal Internal Error in libarchive: Negative skip requested.

After the update:
$ bsdtar -tvf ../crash_dos.tar
?---------  8191 0      64768 4294897958 Dec 31  1969
bsdtar: End of file trying to read next cpio header
bsdtar: Error exit delayed from previous errors.

Whiteboard: has_procedure => has_procedure MGA4-32-OK

Comment 3 claire robinson 2015-05-11 18:04:03 CEST 
Advisory uploaded.

Whiteboard: has_procedure MGA4-32-OK => has_procedure advisory MGA4-32-OK

Comment 4 Len Lawrence 2015-05-11 18:06:10 CEST 
Installed the four packages listed above:

Before:

    $MIRRORLIST: media/../../i586/media/core/updates/liblzo2_2-2.08-1.mga4.i586.rpm
    $MIRRORLIST: media/../../i586/media/core/updates/libarchive13-3.1.2-2.1.mga4.i586.rpm                          

  lib64archive-devel             3.1.2        2.1.mga4      x86_64  
  lib64lzo-devel                 2.08         1.mga4        x86_64  
  lib64openssl-devel             1.0.1m       1.mga4        x86_64  

also out of core updates - mixed architectures or +noarch?

    $MIRRORLIST: media/core/updates/bsdtar-3.1.2-2.1.mga4.x86_64.rpm

    $MIRRORLIST: media/core/updates/bsdcpio-3.1.2-2.1.mga4.x86_64.rpm

then

[lcl@belexeuli ~/Downloads]# bsdtar -tvf crash_dos.tar 
?---------  8191 0      64768  -69338 Jan  1  1970 
Segmentation fault

After:

Enabled core updates testing and installed bdstar but could not find an updated
libarchive13.  A mirror problem maybe?

CC: (none) => tarazed25

Comment 5 claire robinson 2015-05-11 18:09:06 CEST 
lib64archive13 in 64bit Len
Comment 6 Len Lawrence 2015-05-11 18:47:53 CEST 
Thanks Claire.  Sometimes the lib64 comes up automatically when you ask for a lib package on a 64bit system.  In fact lib64archive13 was already installed so the before test is still valid.

Onwards and upwards!
Comment 7 Len Lawrence 2015-05-11 18:54:02 CEST 
Installed  the updated packages and ran the test again:

[lcl@belexeuli ~/Downloads]$ bsdtar -tvf crash_dos.tar
?---------  8191 0      64768 4294897958 Jan  1  1970 
bsdtar: End of file trying to read next cpio header
bsdtar: Error exit delayed from previous errors.

So that looks OK.  Adding keyword.
Len Lawrence 2015-05-11 18:54:26 CEST

Whiteboard: has_procedure advisory MGA4-32-OK => has_procedure advisory MGA4-32-OK MGA4-64-OK

Comment 8 claire robinson 2015-05-11 19:02:00 CEST 
Well done :)

Validating.

Please push to 4 updates

Thanks

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 9 Mageia Robot 2015-05-11 22:11:38 CEST 
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0208.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

David Walser 2015-05-12 19:07:57 CEST

URL: (none) => http://lwn.net/Vulnerabilities/644037/

Comment 10 David Walser 2019-12-10 23:58:50 CET 
This got CVE-2015-8915:
http://lists.suse.com/pipermail/sle-security-updates/2019-November/006190.html

Summary: libarchive new crash in bsdtar fixed upstream => libarchive new crash in bsdtar fixed upstream (CVE-2015-8915)