| Summary: | libarchive new security issues CVE-2017-14502, CVE-2018-100087[7-9], CVE-2018-1000880 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | | |
| Priority: | Normal | CC: | herman.viaene, lewyssmith, nicolas.salguero, sysadmin-bugs |
| Version: | 6 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | MGA6-32-OK MGA6-64-OK | | |
| Source RPM: | libarchive-3.3.1-1.2.mga6.src.rpm | CVE: | |
| Status comment: | | | |
Description

David Walser 2018-12-26 03:14:35 CET

David Walser 2018-12-26 03:14:42 CET

Whiteboard: (none) => MGA6TOO

```text
Suggested advisory:
========================

The updated packages fix a security vulnerability:

read_header in archive_read_support_format_rar.c in libarchive 3.3.2 suffers
from an off-by-one error for UTF-16 names in RAR archives, leading to an
out-of-bounds read in archive_read_format_rar_read_header. (CVE-2017-14502)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14502
http://lists.suse.com/pipermail/sle-security-updates/2018-December/004927.html
========================

Updated packages in core/updates_testing:
========================

lib(64)archive13-3.3.1-1.3.mga6
lib(64)archive-devel-3.3.1-1.3.mga6
bsdtar-3.3.1-1.3.mga6
bsdcpio-3.3.1-1.3.mga6
bsdcat-3.3.1-1.3.mga6

from SRPMS:
libarchive-3.3.1-1.3.mga6.src.rpm
```

Status: NEW => ASSIGNED

Debian has issued an advisory on December 27:
https://www.debian.org/security/2018/dsa-4360

It fixes three new issues.

Assignee: qa-bugs => nicolas.salguero

Patches from Debian for 3.3.3 also fix CVE-2018-1000879.

Fixed in libarchive-3.3.3-2.mga7 in Cauldron.

Summary: libarchive new security issues CVE-2017-14502, CVE-2018-100087[78], CVE-2018-1000880 => libarchive new security issues CVE-2017-14502, CVE-2018-100087[7-9], CVE-2018-1000880

```text
Advisory:
========================

Updated libarchive packages fix security vulnerabilities:

read_header in archive_read_support_format_rar.c in libarchive 3.3.2 suffers
from an off-by-one error for UTF-16 names in RAR archives, leading to an
out-of-bounds read in archive_read_format_rar_read_header (CVE-2017-14502).

Multiple security issues were found in libarchive: Processing malformed RAR
archives could result in denial of service or the execution of arbitrary code
and malformed WARC, LHarc, ISO, Xar or CAB archives could result in denial of
service (CVE-2018-1000877, CVE-2018-1000878, CVE-2018-1000879,
CVE-2018-1000880).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14502
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000877
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000878
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000879
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000880
http://lists.suse.com/pipermail/sle-security-updates/2018-December/004927.html
https://www.debian.org/security/2018/dsa-4360
========================

Updated packages in core/updates_testing:
========================

libarchive13-3.3.1-1.4.mga6
libarchive-devel-3.3.1-1.4.mga6
bsdtar-3.3.1-1.4.mga6
bsdcpio-3.3.1-1.4.mga6
bsdcat-3.3.1-1.4.mga6

from libarchive-3.3.1-1.4.mga6.src.rpm
```

CC: qa-bugs => nicolas.salguero

MGA6-32 MATE on IBM Thinkpad R50e
No installation issues
Ref bug 23437 for tests.
At CLI:

```
$ cd Afbeeldingen/
$ bsdtar -c -f ~/archtar *
```

checked contents of archtar with engrampa: all OK

```
$ cd ../tmp
$ bsdtar -x -f /home/tester6/archtar
```

Displayed pictures from tmp: all OK

Whiteboard: (none) => m

Herman Viaene 2019-01-10 16:09:12 CET

Whiteboard: m => MGA6-32-OK

Testing M6/64

I found some test cases.
CVE-2017-14502: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=875974
CVE-2018-1000877-80: https://bugs.launchpad.net/ubuntu/+source/libarchive/+bug/1794909

BEFORE update, all 4 pkgs at version 3.3.1-1.2, and all results as shown in the POC pages.

CVE-2017-14502

```
$ bsdtar -xf oob.rar
bsdtar: Unknown file attributes from RAR file's host OS
bsdtar: Error exit delayed from previous errors.
```

CVE-2018-1000877-80

```
$ bsdtar -Oxf oob-read.rar
Segmentation fault (core dumped)
$ bsdtar -Oxf uaf-read.rar
Segmentation fault (core dumped)
$ bsdtar -Oxf double-free.rar
5: Unable to allocate memory for uncompressed data.
*** Error in `bsdtar': double free or corruption (!prev): 0x0000000001a17f70 ***
======= Backtrace: =========
...
Aborted (core dumped)
$ bsdtar -Oxf uaf-rw.rar
Segmentation fault (core dumped)
```

-----------------------------------------

AFTER update
- bsdcat-3.3.1-1.4.mga6.x86_64
- bsdcpio-3.3.1-1.4.mga6.x86_64
- bsdtar-3.3.1-1.4.mga6.x86_64
- lib64archive13-3.3.1-1.4.mga6.x86_64

CVE-2017-14502

```
$ bsdtar -xf oob.rar
bsdtar: Unknown file attributes from RAR file's host OS
bsdtar: Error exit delayed from previous errors.
```

Same as before; sigh. But this starts from a no-crash situation (see below), and the output is as shown in the POC page.

CVE-2018-1000877-80

```
$ bsdtar -Oxf oob-read.rar
\005\377\377\005txt: Truncated RAR file data
bsdtar: Error exit delayed from previous errors.
```

NO crash.

```
$ bsdtar -Oxf uaf-read.rar
\005\377\377\005txt: Truncated RAR file data
bsdtar: Error exit delayed from previous errors.
```

NO crash.

```
$ bsdtar -Oxf double-free.rar
\005\377\377\005t\206t: Truncated RAR file data
bsdtar: Error exit delayed from previous errors.
```

NO crash.

```
$ bsdtar -Oxf uaf-rw.rar
\005\377\377\005txt: Truncated RAR file data
bsdtar: Error exit delayed from previous errors.
```

NO crash.

This certainly warrants OK & validation.

Keywords: (none) => advisory, validated_update

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2019-0030.html

Status: ASSIGNED => RESOLVED
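The before/after check in the testing comments above (run each proof-of-concept archive through `bsdtar -Oxf` and see whether it dies with a signal or exits cleanly with an error) can be scripted so a QA tester gets one pass/fail line per archive instead of reading each session by hand. The script below is an added example for this bug, not part of the report, of Mageia's QA tooling, or of libarchive. It assumes `bsdtar` is on `PATH`, that the archives to check are passed as command-line arguments (the PoC files from the linked bug reports are not included here), and that a coreutils-style `timeout` is available; without `timeout` it simply runs the command directly.

```shell
#!/bin/sh
# Added example: classify how bsdtar exits on each archive given on the
# command line. A fixed libarchive should reject a malformed archive with
# an error message and a non-zero exit; it should never die from a signal.

# Map an exit status to OK / ERROR / CRASH / TIMEOUT.
# Shells report death-by-signal as 128+signum, so 139 = SIGSEGV (the
# "Segmentation fault" seen before the fix) and 134 = SIGABRT (the
# glibc "double free or corruption" abort). 124 is what coreutils
# timeout returns when the command had to be killed, i.e. a hang.
classify_status() {
    status=$1
    if [ "$status" -eq 0 ]; then
        echo OK
    elif [ "$status" -gt 128 ]; then
        echo "CRASH(signal $((status - 128)))"
    elif [ "$status" -eq 124 ]; then
        echo TIMEOUT
    else
        echo "ERROR(exit $status)"
    fi
}

# Run a command (under timeout when available), discard its output, and
# classify its exit status. Output is dropped because -O writes the
# extracted member to stdout. The "|| status=$?" form keeps the script
# working under "set -e", where a bare failing command would abort it.
run_and_classify() {
    status=0
    if command -v timeout >/dev/null 2>&1; then
        timeout 30 "$@" >/dev/null 2>&1 || status=$?
    else
        "$@" >/dev/null 2>&1 || status=$?
    fi
    classify_status "$status"
}

# Extract every archive given as an argument to stdout, as in the testing
# comments, print one result line per file, and return the number of
# archives that crashed or hung (0 means the build passed).
check_archives() {
    failures=0
    for archive in "$@"; do
        result=$(run_and_classify bsdtar -Oxf "$archive")
        printf '%-40s %s\n' "$archive" "$result"
        case $result in
            CRASH*|TIMEOUT) failures=$((failures + 1)) ;;
        esac
    done
    return "$failures"
}

# Usage: sh check-bsdtar.sh oob-read.rar uaf-read.rar double-free.rar ...
# Only runs when invoked with arguments, so sourcing the file is harmless.
if [ "$#" -gt 0 ]; then
    check_archives "$@"
fi
```

Run it once with the old packages installed and once after the update: on the pre-fix build the RAR cases come back as CRASH(signal 11) or CRASH(signal 6), on the fixed build every case should read ERROR(exit 1), matching the "Truncated RAR file data ... Error exit delayed" sessions above. A non-zero return from `check_archives` is the signal to withhold validation.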