Bug 18420

Summary:	libarchive new security issue CVE-2016-1541
Product:	Mageia	Reporter:	David Walser <luigiwalser>
Component:	Security	Assignee:	QA Team <qa-bugs>
Status:	RESOLVED FIXED	QA Contact:	Sec team <security>
Severity:	normal
Priority:	Normal	CC:	makowski.mageia, marja11, sysadmin-bugs, tarazed25, thierry.vignaud
Version:	5	Keywords:	validated_update
Target Milestone:	---
Hardware:	All
OS:	Linux
URL:	http://lwn.net/Vulnerabilities/687044/
Whiteboard:	has_procedure advisory MGA5-64-OK
Source RPM:	libarchive-3.1.2-7.mga6.src.rpm	CVE:
Status comment:

Description David Walser 2016-05-09 16:42:48 CEST

Upstream has released version 3.2.0 on May 1, fixing a security issue:
https://groups.google.com/forum/#!topic/libarchive-announce/qdeGf_DRvN4

The fix was in this commit:
https://github.com/libarchive/libarchive/commit/d0331e8e5b05b475f20b1f3101fe1ad772d7e7e7

Some of the crash bug fixes may be considered security relevant in some contexts, so upgrading it might be better if possible.

Mageia 5 is also affected.

David Walser 2016-05-09 16:43:01 CEST

Whiteboard: (none) => MGA5TOO

Comment 1 David Walser 2016-05-09 18:23:44 CEST

Here's Fedora's packaging commit for 3.2.0:
http://pkgs.fedoraproject.org/cgit/rpms/libarchive.git/commit/?id=9e3ae291246c023251a2b07e5a1bd32ea400aaf5

Comment 2 Marja Van Waes 2016-05-10 12:42:01 CEST

Assigning to all packagers collectively, since there is no maintainer for this package.

CC: (none) => makowski.mageia, marja11
Assignee: bugsquad => pkg-bugs

Comment 3 Rémi Verschelde 2016-05-10 14:13:02 CEST

Will have a look at it.

Assignee: pkg-bugs => rverschelde

Comment 4 David Walser 2016-05-10 17:03:16 CEST

libarchive-3.2.0-1.mga6 uploaded for Cauldron by Thierry.

CC: (none) => thierry.vignaud
Version: Cauldron => 5
Whiteboard: MGA5TOO => (none)

Comment 5 Rémi Verschelde 2016-05-11 07:52:53 CEST

I went ahead and synced libarchive with Cauldron for Mageia 5. The changelog linked in comment 0 sounds like it's worth the version upgrade, as it mostly contains important bug fixes and new features that (a priori) shouldn't have too much impact on the existing API.

The lib major stays the same.

We'll have to check some packages that depend on libarchive to ensure that they still work as expected though (especially rpm):

$ urpmq --whatrequires lib64archive13 | uniq
ark
attract
bsdcat
bsdcpio
bsdtar
claws-mail-archive-plugin
cmake
cmake-qtgui
epic5
file-roller
gnome-boxes
gnome-epub-thumbnailer
grilo-plugins
grub-customizer
gvfs-archive
lib64appstream-builder-gir1.0
lib64appstream-builder8
lib64appstream-glib8
lib64archive-devel
lib64archive13
lib64extractor3
lib64glom1.32_0
lib64gxps2
lib64ostree1
lib64totem-plparser18
lordsawar
meandmyshadow
ocaml-archive
ocaml-archive-devel
pinot
rpm
samba-client
swi-prolog-nox
vdrift
xdg-app
zeal

Comment 6 Rémi Verschelde 2016-05-11 07:55:39 CEST

Assigning to QA. Advisory coming soonâ¢.

RPMs in core/updates_testing:
=============================

lib{,64}archive13-3.2.0-1.mga5
lib{,64}archive-devel-3.2.0-1.mga5
bsdcat-3.2.0-1.mga5
bsdcpio-3.2.0-1.mga5
bsdtar-3.2.0-1.mga5

SRPM in core/updates_testing:
=============================

libarchive-3.2.0-1.mga5

Assignee: rverschelde => qa-bugs

Comment 7 David Walser 2016-05-11 21:10:23 CEST

Debian has issued an advisory for this on May 10:
https://www.debian.org/security/2016/dsa-3574

Advisory:
========================

Updated libarchive packages fix security vulnerability:

Heap-based buffer overflow in the zip_read_mac_metadata function in
archive_read_support_format_zip.c in libarchive before 3.2.0 allows remote
attackers to execute arbitrary code via crafted entry-size values in a ZIP
archive (CVE-2016-1541).

The libarchive package has been updated to version 3.2.0, fixing this issue
and other bugs.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1541
https://groups.google.com/forum/#!topic/libarchive-announce/qdeGf_DRvN4
https://www.debian.org/security/2016/dsa-3574

URL: (none) => http://lwn.net/Vulnerabilities/687044/

Comment 8 claire robinson 2016-05-12 12:02:12 CEST

Procedure: https://bugs.mageia.org/show_bug.cgi?id=9671#c2

Whiteboard: (none) => has_procedure

Comment 9 Len Lawrence 2016-05-13 12:37:38 CEST

Shall test this for 64-bits some time today.

CC: (none) => tarazed25

Comment 10 Len Lawrence 2016-05-13 16:53:38 CEST

mga5  x86_64

Updated the packages listed above and tested them according to Claire's recipe in bug #9671.

$ ls *.mp4 | bsdcpio -ov > videos.cpio
LaRouteDIstanbul.mp4
pangea.mp4
TheTeam_1.mp4
YosemiteII.mp4
yosemite.mp4
7991442 blocks

$ bsdcpio -it < videos.cpio
LaRouteDIstanbul.mp4
pangea.mp4
TheTeam_1.mp4
YosemiteII.mp4
yosemite.mp4
7991442 blocks

$ cd archive
LaRouteDIstanbul.mp4
pangea.mp4
TheTeam_1.mp4
YosemiteII.mp4
yosemite.mp4
7991442 blocks

$ ls
LaRouteDIstanbul.mp4  TheTeam_1.mp4  YosemiteII.mp4
pangea.mp4            videos.cpio    yosemite.mp4

$ bsdtar cJf videos.tar.xz *.mp4
$ ls -l
total 11974052
-rw-r--r-- 1 lcl lcl 1799284326 May 13 14:54 LaRouteDIstanbul.mp4
-rw-rw-r-- 1 lcl lcl  215569492 May 13 14:54 pangea.mp4
-rw-r--r-- 1 lcl lcl  996016561 May 13 14:55 TheTeam_1.mp4
-rw-r--r-- 1 lcl lcl 4091618304 May 13 14:48 videos.cpio
-rw-r--r-- 1 lcl lcl 4078149280 May 13 15:29 videos.tar.xz
-rw-rw-r-- 1 lcl lcl  811535501 May 13 14:55 YosemiteII.mp4
-rw-rw-r-- 1 lcl lcl  269211538 May 13 14:55 yosemite.mp4

Verified the integrity of the mp4 files - some of them.

$ rm -rf *.mp4
$ bsdtar xJf videos.tar.xz
$ ls
LaRouteDIstanbul.mp4  TheTeam_1.mp4  videos.tar.xz   yosemite.mp4
pangea.mp4            videos.cpio    YosemiteII.mp4

Played a couple of files with vlc.  No problems.

Used ark to examine isos, tarfiles and zipped files, extracted contents of an iso and a few compressed file archives.  Working perfectly.

Good for 64-bits.  Validating this.
Over to sysadmin - thanks.

Len Lawrence 2016-05-13 16:54:05 CEST

Whiteboard: has_procedure => has_procedure MGA5-64-OK

Len Lawrence 2016-05-13 16:54:32 CEST

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

claire robinson 2016-05-18 18:42:17 CEST

Whiteboard: has_procedure MGA5-64-OK => has_procedure advisory MGA5-64-OK

Comment 11 Mageia Robot 2016-05-18 22:15:21 CEST

An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2016-0179.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

Comment 12 David Walser 2016-06-20 10:27:51 CEST

Wow, good thing we updated this.

CVE-2016-8915 through CVE-2016-8934 were also fixed in 3.2.0:
http://openwall.com/lists/oss-security/2016/06/17/5

Comment 13 David Walser 2016-07-15 23:01:59 CEST

(In reply to David Walser from comment #12)
> Wow, good thing we updated this.
> 
> CVE-2016-8915 through CVE-2016-8934 were also fixed in 3.2.0:
> http://openwall.com/lists/oss-security/2016/06/17/5

LWN reference:
http://lwn.net/Vulnerabilities/694629/

Comment 14 David Walser 2016-07-21 18:43:00 CEST

CVE-2016-6250 assigned for more issues fixed in 3.2.0:
http://openwall.com/lists/oss-security/2016/07/21/3

Comment 15 David Walser 2016-07-28 18:17:08 CEST

(In reply to David Walser from comment #14)
> CVE-2016-6250 assigned for more issues fixed in 3.2.0:
> http://openwall.com/lists/oss-security/2016/07/21/3

LWN reference:
http://lwn.net/Vulnerabilities/695689/

Comment 16 David Walser 2016-07-29 18:24:44 CEST

CVE-2015-8918 CVE-2015-8929 also fixed in 3.2.0:
http://lwn.net/Vulnerabilities/695807/

Comment 17 David Walser 2016-09-08 20:09:21 CEST

CVE-2016-7166 also fixed in 3.2.0:
http://www.openwall.com/lists/oss-security/2016/09/08/18

Comment 18 David Walser 2016-09-12 22:11:22 CEST

LWN reference for CVE-2015-8915 and CVE-2016-7166:
http://lwn.net/Vulnerabilities/700387/

Comment 19 David Walser 2017-01-03 20:40:51 CET

CVE-2015-8927 also fixed in 3.2.0:
https://lwn.net/Vulnerabilities/710487/