| Summary: | libarchive new security issue CVE-2017-14166 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | | |
| Priority: | Normal | CC: | brtians1, herman.viaene, mageia, mageia, nicolas.salguero, sysadmin-bugs |
| Version: | 6 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | MGA5TOO MGA5-64-OK MGA6-64-OK MGA6-32-OK MGA5-32-OK | | |
| Source RPM: | libarchive-3.2.2-1.3.mga5.src.rpm | CVE: | |
| Status comment: | | | |
Description
David Walser
2017-09-07 18:42:03 CEST

David Walser
2017-09-07 18:42:20 CEST
Assignee: bugsquad => pkg-bugs

Pushed in updates_testing

src.rpm:
libarchive-3.2.2-1.4.mga5
libarchive-3.3.1-1.1.mga6

Whiteboard: MGA6TOO, MGA5TOO => MGA5TOO

Advisory:
========================

Updated libarchive packages fix security vulnerability:

Heap-based buffer overflow in xml_data() in archive_read_support_format_xar.c (CVE-2017-14166).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14166
http://openwall.com/lists/oss-security/2017/09/06/5
========================

Updated packages in core/updates_testing:
========================
libarchive13-3.2.2-1.4.mga5
libarchive-devel-3.2.2-1.4.mga5
bsdtar-3.2.2-1.4.mga5
bsdcpio-3.2.2-1.4.mga5
bsdcat-3.2.2-1.4.mga5
libarchive13-3.3.1-1.1.mga6
libarchive-devel-3.3.1-1.1.mga6
bsdtar-3.3.1-1.1.mga6
bsdcpio-3.3.1-1.1.mga6
bsdcat-3.3.1-1.1.mga6

from SRPMS:
libarchive-3.2.2-1.4.mga5.src.rpm
libarchive-3.3.1-1.1.mga6.src.rpm

Installed and tested without issues.
Tested using bsdtar and ark. Confirmed, using strace, that both use the libarchive.so.13 library.

Tests:
- Created, added and deleted files in compressed (gzip, bzip2, xz) tarballs with both ark and bsdtar.
- Tested, using GNU tar, the tarballs created with bsdtar and ark.
- Extracted tarballs and compared (using diff -r) the extracted files with the original files.
- Tested dozens of tarballs on the system with bsdtar (see commands below).

System: Mageia 5, x86_64, Intel CPU.

$ uname -a
Linux marte 4.4.82-desktop-1.mga5 #1 SMP Sun Aug 13 18:03:58 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
$ rpm -q bsdtar lib64archive13 ark
bsdtar-3.2.2-1.4.mga5
lib64archive13-3.2.2-1.4.mga5
ark-4.14.3-1.mga5
$ find ~/ -ipath '*.tar' -print -exec bsdtar tf '{}' ';' > /dev/null
$ find ~/ -ipath '*.tar.gz' -print -exec bsdtar tfz '{}' ';' > /dev/null
$ find ~/ -ipath '*.tar.bz2' -print -exec bsdtar tfj '{}' ';' > /dev/null
$ # all tarballs tested OK

CC:
(none) => mageia

MGA5-32 on Asus A6000VM Xfce
No installation issues.
At CLI as normal user:
$ cd Documenten    -- Dutch installation
$ strace -o libarch.txt bsdtar -c -f ~/archtar ~/Afbeeldingen/
bsdtar: Removing leading '/' from member names
archtar created at my home, OK as expected. libarch.txt shows the call to libarch as expected, BUT I opened archtar with engrampa and found it contained the whole /home, which I did not expect. My mistake or .....?

CC: (none) => herman.viaene

mga6_64
$ uname -a
Linux localhost 4.9.43-desktop-1.mga6 #1 SMP Sun Aug 13 15:52:35 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux

Rpmdrake or one of its priority dependencies needs to be updated first. Rpmdrake will then restart.
The following 9 packages are going to be installed:
- bsdcat-3.3.1-1.1.mga6.x86_64
- bsdcpio-3.3.1-1.1.mga6.x86_64
- bsdtar-3.3.1-1.1.mga6.x86_64
- lib64archive13-3.3.1-1.1.mga6.x86_64
- lib64rpm7-4.13.0.1-3.1.mga6.x86_64
- lib64rpmsign7-4.13.0.1-3.1.mga6.x86_64
- python2-rpm-4.13.0.1-3.1.mga6.x86_64
- python3-rpm-4.13.0.1-3.1.mga6.x86_64
- rpm-4.13.0.1-3.1.mga6.x86_64
181KB of additional disk space will be used.
1.3MB of packages will be retrieved.
Is it ok to continue?
------------
I ran bsdcpio to create a cpio file with text in it. Also ran bsdcat. It seemed to work.

Whiteboard: MGA5TOO MGA5-64-OK => MGA5TOO MGA5-64-OK MGA6-64-OK

MGA6-32 on Asus A6000VM MATE
No installation issues.
As normal user at CLI:
$ cd Afbeeldingen/    -- Pictures
$ strace -o ~/Documenten/libarch.txt bsdtar -c -f ~/archtar *
Trace shows libarchive; archtar is generated in my home directory. Checking the contents of archtar shows the correct directory and files from Afbeeldingen. OK for me. Will repeat this form of the bsdtar command for M5.

Whiteboard: MGA5TOO MGA5-64-OK MGA6-64-OK => MGA5TOO MGA5-64-OK MGA6-64-OK MGA6-32-OK

MGA-32, test as per Comment 6 is OK here also.

Whiteboard: MGA5TOO MGA5-64-OK MGA6-64-OK MGA6-32-OK => MGA5TOO MGA5-64-OK MGA6-64-OK MGA6-32-OK MGA5-32-OK
Lewis Smith
2017-09-10 13:34:26 CEST
Keywords: (none) => advisory, validated_update

An update for this issue has been pushed to the Mageia Updates repository.
http://advisories.mageia.org/MGASA-2017-0337.html

Resolution: (none) => FIXED