Bug 26290

Summary: libarchive new security issues CVE-2019-19221 and CVE-2020-9308
Product: Mageia
Reporter: David Walser <luigiwalser>
Component: Security
Assignee: QA Team <qa-bugs>
Status: RESOLVED FIXED
QA Contact: Sec team <security>
Severity: major
Priority: Normal
CC: andrewsfarm, herman.viaene, nicolas.salguero, sysadmin-bugs, tmb
Version: 7
Keywords: advisory, validated_update
Target Milestone: ---
Hardware: All
OS: Linux
Whiteboard: MGA7-64-OK
Source RPM: libarchive-3.4.0-1.mga7.src.rpm
CVE: CVE-2019-19221, CVE-2020-9308
Status comment:

Description David Walser 2020-03-02 21:28:05 CET
Ubuntu has issued an advisory today (March 2):
https://usn.ubuntu.com/4293-1/

The issues are fixed upstream in 3.4.1 and 3.4.2, respectively.
David Walser 2020-03-02 21:36:38 CET

Status comment: (none) => Fixed upstream in 3.4.2

Comment 1 Nicolas Salguero 2020-03-03 09:05:00 CET
Suggested advisory:
========================

The updated packages fix several issues including security vulnerabilities:

In Libarchive 3.4.0, archive_wstring_append_from_mbs in archive_string.c has an out-of-bounds read because of an incorrect mbrtowc or mbtowc call. For example, bsdtar crashes via a crafted archive. (CVE-2019-19221)

archive_read_support_format_rar5.c in libarchive before 3.4.2 attempts to unpack a RAR5 file with an invalid or corrupted header (such as a header size of zero), leading to a SIGSEGV or possibly unspecified other impact. (CVE-2020-9308)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19221
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9308
https://usn.ubuntu.com/4293-1/
========================

Updated packages in core/updates_testing:
========================
lib(64)archive13-3.4.0-1.1.mga7
lib(64)archive-devel-3.4.0-1.1.mga7
bsdtar-3.4.0-1.1.mga7
bsdcpio-3.4.0-1.1.mga7
bsdcat-3.4.0-1.1.mga7

from SRPMS:
libarchive-3.4.0-1.1.mga7.src.rpm

Assignee: bugsquad => qa-bugs
CC: (none) => nicolas.salguero
CVE: (none) => CVE-2019-19221, CVE-2020-9308
Status: NEW => ASSIGNED
Status comment: Fixed upstream in 3.4.2 => (none)
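Added illustration (constructed for this page, not libarchive's code and not the upstream patch): the defect class named in CVE-2019-19221 is a multibyte-to-wide conversion loop that hands mbrtowc a byte count unrelated to how many bytes actually remain, so a crafted, unterminated archive field becomes an out-of-bounds read. The function below always passes the remaining length and stops on decode errors; its name and the sample buffer are assumptions for the example.

```c
#include <locale.h>
#include <stdio.h>
#include <string.h>
#include <wchar.h>

/* Bounded multibyte -> wide conversion (constructed example, not libarchive's
 * code).  src need not be NUL-terminated; src_len is the number of bytes that
 * really exist.  The defect class behind CVE-2019-19221 is a loop that hands
 * mbrtowc a count unrelated to the bytes left (e.g. MB_CUR_MAX, or strlen() of
 * an unterminated buffer), so a crafted name makes it read past the end.
 * Here mbrtowc only ever sees the remaining byte count.
 * Returns wide chars written (dst is NUL-terminated), or -1 on an invalid or
 * truncated sequence or when dst_cap is 0. */
long mbs_to_wcs_bounded(const char *src, size_t src_len,
                        wchar_t *dst, size_t dst_cap)
{
    mbstate_t st;
    size_t n = 0;

    if (dst_cap == 0)
        return -1;
    memset(&st, 0, sizeof st);
    while (src_len > 0 && n + 1 < dst_cap) {
        size_t r = mbrtowc(&dst[n], src, src_len, &st);
        if (r == (size_t)-1 || r == (size_t)-2)
            return -1;            /* EILSEQ, or sequence cut off by src_len */
        if (r == 0)
            break;                /* embedded NUL terminates the string */
        src += r;
        src_len -= r;
        n++;
    }
    dst[n] = L'\0';
    return (long)n;
}

int main(void)
{
    /* Constructed input: 6 bytes, no NUL terminator, only the first 3 are the
     * field being converted.  The bounded loop never touches 'X','Y','Z'. */
    const char buf[6] = { 'a', 'b', 'c', 'X', 'Y', 'Z' };
    wchar_t out[8];
    long n;

    setlocale(LC_CTYPE, "C");
    n = mbs_to_wcs_bounded(buf, 3, out, 8);
    printf("%ld wide chars\n", n);               /* prints "3 wide chars" */
    return n == 3 ? 0 : 1;
}
```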

Comment 2 Herman Viaene 2020-03-04 15:21:02 CET
MGA7-64 Plasma on Lenovo B50
No installation issues
Ref bug 24337 for testing.
At CLI:
$ cd Documents/
$ ls
calib/  example.lit  okra/  php/  wireshark_dns.pcap  wiresharkmerged  wiresharktest50  wiresharktest.pcapng
[tester7@mach5 Documents]$ bsdtar -c -f ~/archtar *
Checked the archtar file with ark: all folders and files show up. Extracted the archtar to ~/tmp: all files and folders show up OK.

Whiteboard: (none) => MGA7-64-OK
CC: (none) => herman.viaene

Comment 3 Thomas Andrews 2020-03-04 16:44:31 CET
Validating. Advisory in Comment 1.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Thomas Backlund 2020-03-06 15:48:25 CET

CC: (none) => tmb
Keywords: (none) => advisory

Comment 4 Mageia Robot 2020-03-06 17:16:02 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0127.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED