| Summary: | libarchive new security issues CVE-2017-1450[13] | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | herman.viaene, marja11, sysadmin-bugs, tarazed25, tmb |
| Version: | 6 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA6-32-OK MGA6-64-OK | ||
| Source RPM: | libarchive-3.3.1-1.1.mga6.src.rpm | CVE: | CVE-2017-14501, CVE-2017-14503 |
| Status comment: | |||
Description
David Walser
2018-08-13 23:12:41 CEST
Assigning to the registered maintainer.

CC: (none) => marja11

Suggested advisory:
========================

The updated packages fix security vulnerabilities:

An out-of-bounds read flaw exists in parse_file_info in archive_read_support_format_iso9660.c in libarchive 3.3.2 when extracting a specially crafted iso9660 iso file, related to archive_read_format_iso9660_read_header. (CVE-2017-14501)

libarchive 3.3.2 suffers from an out-of-bounds read within lha_read_data_none() in archive_read_support_format_lha.c when extracting a specially crafted lha archive, related to lha_crc16. (CVE-2017-14503)

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14501
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14503
https://usn.ubuntu.com/3736-1/
========================

Updated packages in core/updates_testing:
========================
lib(64)archive13-3.3.1-1.2.mga6
lib(64)archive-devel-3.3.1-1.2.mga6
bsdtar-3.3.1-1.2.mga6
bsdcpio-3.3.1-1.2.mga6
bsdcat-3.3.1-1.2.mga6

from SRPMS:
libarchive-3.3.1-1.2.mga6.src.rpm

Assignee: nicolas.salguero => qa-bugs

MGA6-32 MATE on IBM Thinkpad R50e
No installation issues.
As normal user at CLI:
$ cd Afbeeldingen/
$ bsdtar -c -f ~/archtar *
Checking contents of archtar in home folder with engrampa shows correct files from Afbeeldingen.
OK for me.

Whiteboard: (none) => MGA6-32-OK

The CVEs have reproducers; following these up for x86_64 and reporting tomorrow.

CC: (none) => tarazed25

Mageia 6, x86_64

Before updating:
----------------
CVE-2017-14501
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=875966
$ gzip -d oob.iso.gz
$ bsdtar -xOf oob.iso
bsdtar: Invalid length of directory record
bsdtar: Error exit delayed from previous errors.
$ valgrind --quiet -- bsdtar -xOf oob.iso
==9805== Invalid read of size 1
==9805== at 0x4E72079: ??? (in /usr/lib64/libarchive.so.13.3.1)

CVE-2017-14503
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=875960
$ bsdtar -xOf oob.lha
Segmentation fault (core dumped)
$ valgrind bsdtar -xOf oob.lha
==31453== Use of uninitialised value of size 8
[...]
==31453== Address 0x6e35e16 is 6 bytes after a block of size 65,536 alloc'd
[...]
Segmentation fault (core dumped)
That is an out-of-bounds read.

Updated the five packages.

After the updates:
------------------
CVE-2017-14501
$ bsdtar -xOf oob.iso
bsdtar: Invalid directory record length
bsdtar: Error exit delayed from previous errors.
$ valgrind bsdtar -xOf oob.iso
bsdtar: Invalid directory record length
bsdtar: Error exit delayed from previous errors.
Not really much of a change but it looks like the exploit is handled OK.

CVE-2017-14503
$ bsdtar -xOf oob.lha
bsdtar: Invalid LHa entry size
bsdtar: Error exit delayed from previous errors.
That is an improvement - no segfault.

$ cd /data/bin/
$ bsdtar -c -f bintar *
Checked bintar with engrampa (thanks Herman) to confirm that all the files and subdirectories were there.
$ bsdcat hardware.txt.gz
shpchp : Intel Corporation|9 Series Chipset Family PCI Express Root Port 3 [BRIDGE_PCI] (vendor:8086 device:8c94) (rev: d0)
xhci_pci : Intel Corporation|9 Series Chipset Family USB xHCI Controller [SERIAL_USB] (vendor:8086 device:8cb1 subv:1462 subd:7816)
shpchp : ASMedia Technology Inc.|ASM1083/1085 PCIe to PCI Bridge [BRIDGE_PCI] (vendor:1b21 device:1080) (rev: 03)
[...]
That is OK.
$ cd temp
$ bsdtar -x -f bintar
This extracted the contents into the current directory.
Looks OK for 64-bits.

Whiteboard: MGA6-32-OK => MGA6-32-OK MGA6-64-OK
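
In the x86_64 test above, the ISO reproducer exited with an ordinary error message before the update and only valgrind showed the invalid read, so exit status alone cannot separate "rejected cleanly" from "rejected after reading out of bounds". The script below is an added example, not part of the bug report or the Mageia QA tooling: it runs `bsdtar -xOf` under valgrind with `--error-exitcode` when valgrind is installed and classifies the result. The function names and the value 99 chosen for `VG_EXIT` are assumptions.

```shell
#!/bin/sh
# Added example: classify how bsdtar handles a malformed archive.
# VG_EXIT is the exit code valgrind is asked to return when it has
# recorded a memory error (value chosen for this example).
VG_EXIT=99

# Map an exit status to a verdict.
classify_status() {
    if [ "$1" -eq 0 ]; then
        echo "extracted"
    elif [ "$1" -eq "$VG_EXIT" ]; then
        echo "memory-error"          # valgrind reported an invalid access
    elif [ "$1" -gt 128 ]; then
        echo "crashed-signal-$(( $1 - 128 ))"   # e.g. 139 -> signal 11 (SIGSEGV)
    else
        echo "rejected"              # clean non-zero exit with an error message
    fi
}

# Run a command, discard its output, and print the verdict.
run_and_classify() {
    status=0
    "$@" >/dev/null 2>&1 || status=$?
    classify_status "$status"
}

# check_archive FILE: extract FILE to stdout as in the test above,
# under valgrind when it is available.
check_archive() {
    if command -v valgrind >/dev/null 2>&1; then
        run_and_classify valgrind --quiet --error-exitcode="$VG_EXIT" \
            bsdtar -xOf "$1"
    else
        run_and_classify bsdtar -xOf "$1"
    fi
}

# A fixed package should refuse the malformed file cleanly.
is_fixed() {
    [ "$(check_archive "$1")" = "rejected" ]
}

# Usage: sh check.sh oob.iso oob.lha
if [ "$#" -gt 0 ]; then
    for f in "$@"; do
        printf '%s: %s\n' "$f" "$(check_archive "$f")"
    done
fi
```

Without valgrind installed, the script still distinguishes a crash from a clean rejection but cannot report the memory-error verdict.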
Thomas Backlund
2018-08-31 22:19:40 CEST
Keywords: (none) => advisory, validated_update

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0361.html

Resolution: (none) => FIXED