Bug 20223

Summary: libarchive new security issue CVE-2017-5601
Product: Mageia
Reporter: David Walser <luigiwalser>
Component: Security
Assignee: QA Team <qa-bugs>
Status: RESOLVED FIXED
QA Contact: Sec team <security>
Severity: normal
Priority: Normal
CC: davidwhodgins, herman.viaene, sysadmin-bugs
Version: 5
Keywords: validated_update
Target Milestone: ---
Hardware: All
OS: Linux
URL: https://lwn.net/Vulnerabilities/713146/
Whiteboard: advisory MGA5-32-OK MGA5-64-OK
Source RPM: libarchive-3.2.2-1.mga6.src.rpm
CVE:
Status comment:

Description David Walser 2017-02-01 02:11:14 CET
Debian-LTS has issued an advisory today (January 31):
https://lwn.net/Alerts/713127/

The upstream commit is linked from here:
https://security-tracker.debian.org/tracker/CVE-2017-5601

Mageia 5 is also affected.
David Walser 2017-02-01 02:11:24 CET

Whiteboard: (none) => MGA5TOO

Comment 1 Nicolas Salguero 2017-02-01 11:49:21 CET
Suggested advisory:
========================

The updated packages fix a security vulnerability:

An error in the lha_read_file_header_1() function (archive_read_support_format_lha.c) in libarchive 3.2.2 allows remote attackers to trigger an out-of-bounds read memory access and subsequently cause a crash via a specially crafted archive. (CVE-2017-5601)

References:
https://lwn.net/Alerts/713127/
https://security-tracker.debian.org/tracker/CVE-2017-5601
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5601
========================

Updated packages in core/updates_testing:
========================
lib(64)archive13-3.2.2-1.1.mga5
lib(64)archive-devel-3.2.2-1.1.mga5
bsdtar-3.2.2-1.1.mga5
bsdcpio-3.2.2-1.1.mga5
bsdcat-3.2.2-1.1.mga5

from SRPMS:
libarchive-3.2.2-1.1.mga5.src.rpm

Status: NEW => ASSIGNED
Version: Cauldron => 5
Assignee: nicolas.salguero => qa-bugs
Whiteboard: MGA5TOO => (none)
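The package list above gives the exact VERSION-RELEASE that carries the fix. The script below is an added example, not part of this bug report or of the Mageia tooling: it checks whether the installed libarchive packages on a Mageia 5 host are at or above 3.2.2-1.1.mga5, using rpm's own version-ordering rules rather than `sort -V` (which ranks 1.mga5 above 1.1.mga5). It assumes the packages carry no Epoch, so only `%{VERSION}-%{RELEASE}` is compared, and it takes the package names from the update list in the comment above.

```shell
#!/bin/sh
# Added example (not from the bug report or from Mageia): verify that the
# installed libarchive packages are at or above the EVR fixing CVE-2017-5601.
# Assumption: no Epoch on these packages, so VERSION-RELEASE alone is compared.

# Fixed version-release from the update list (lib(64)archive13-3.2.2-1.1.mga5).
FIXED_EVR="3.2.2-1.1.mga5"

# rpmvercmp A B: print -1, 0 or 1 following rpm's segment rules.
# Strings are split on non-alphanumerics; numeric segments compare
# numerically, alphabetic segments lexically, and a numeric segment is
# newer than an alphabetic one (hence 1.1.mga5 > 1.mga5).
rpmvercmp() {
    va=$1
    vb=$2
    while :; do
        # Drop leading separators ('.', '-', '_', ...).
        va=${va#"${va%%[A-Za-z0-9]*}"}
        vb=${vb#"${vb%%[A-Za-z0-9]*}"}
        if [ -z "$va" ] && [ -z "$vb" ]; then printf '%s\n' 0; return; fi
        if [ -z "$va" ]; then printf '%s\n' -1; return; fi
        if [ -z "$vb" ]; then printf '%s\n' 1; return; fi
        # Next segment: a run of digits or a run of letters.
        case $va in
            [0-9]*) sa=${va%%[!0-9]*};    na=1 ;;
            *)      sa=${va%%[!A-Za-z]*}; na=0 ;;
        esac
        case $vb in
            [0-9]*) sb=${vb%%[!0-9]*};    nb=1 ;;
            *)      sb=${vb%%[!A-Za-z]*}; nb=0 ;;
        esac
        va=${va#"$sa"}
        vb=${vb#"$sb"}
        if [ "$na" != "$nb" ]; then
            # Numeric segment beats alphabetic segment.
            if [ "$na" = 1 ]; then printf '%s\n' 1; else printf '%s\n' -1; fi
            return
        fi
        if [ "$na" = 1 ]; then
            # Numeric: strip leading zeros, then the longer string is larger.
            sa=${sa#"${sa%%[!0]*}"}
            sb=${sb#"${sb%%[!0]*}"}
            if [ ${#sa} -gt ${#sb} ]; then printf '%s\n' 1; return; fi
            if [ ${#sa} -lt ${#sb} ]; then printf '%s\n' -1; return; fi
        fi
        # Same type and (for numbers) same length: plain byte-wise compare.
        if [ "$sa" \> "$sb" ]; then printf '%s\n' 1; return; fi
        if [ "$sa" \< "$sb" ]; then printf '%s\n' -1; return; fi
    done
}

# libarchive_fixed EVR: exit 0 when EVR is at or above FIXED_EVR.
libarchive_fixed() {
    [ "$(rpmvercmp "$1" "$FIXED_EVR")" -ge 0 ]
}

# check_pkg NAME: query rpm for the installed VERSION-RELEASE and report.
# Returns 0 if fixed, 1 if still vulnerable, 2 if the package is not installed.
check_pkg() {
    evr=$(rpm -q --qf '%{VERSION}-%{RELEASE}\n' "$1" 2>/dev/null) || {
        echo "$1: not installed"
        return 2
    }
    if libarchive_fixed "$evr"; then
        echo "$1-$evr: fixed (>= $FIXED_EVR)"
    else
        echo "$1-$evr: still vulnerable to CVE-2017-5601, update needed"
        return 1
    fi
}

# Package names from the update list; libarchive13 on i586, lib64archive13 on x86_64.
main() {
    rc=0
    for pkg in libarchive13 lib64archive13 bsdtar bsdcpio bsdcat; do
        check_pkg "$pkg" || [ $? -eq 2 ] || rc=1
    done
    return $rc
}

# Run the check only on an rpm-based host; elsewhere just define the functions.
if command -v rpm >/dev/null 2>&1; then
    main
fi
```

The script exits non-zero if any installed package is below the fixed version, so it can be dropped into a post-update check; devel packages are omitted from the list because they only matter on build hosts, and an Epoch, if one were ever added, would have to be compared before VERSION.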

Dave Hodgins 2017-02-03 00:51:54 CET

CC: (none) => davidwhodgins
Whiteboard: (none) => advisory

Comment 2 Herman Viaene 2017-02-08 16:04:10 CET
MGA5-32 on Asus A6000VM Xfce
No installation issues
At CLI:
$ strace -o libarchive.txt engrampa
Created an empty test.tar.gz archive and added a folder to it having 39 subfolders and 620 files of all sorts (odt, doc, ods, xlsx, odp, jpeg, png, pnm, pdf and some more).
Found numerous calls to libarchive in the trace.
Moved the test.tar.gz archive to another folder and extracted it there. Found all folders back, opened some folders of different types, no problem found.

CC: (none) => herman.viaene
Whiteboard: advisory => advisory MGA5-32-OK

Comment 3 Dave Hodgins 2017-02-20 07:04:26 CET
Similar testing on my x86_64 system.

Validating the update

CC: (none) => sysadmin-bugs
Whiteboard: advisory MGA5-32-OK => advisory MGA5-32-OK MGA5-64-OK
Keywords: (none) => validated_update

Comment 4 Mageia Robot 2017-02-20 14:01:09 CET
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2017-0056.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED