Bug 26691

Summary: libarchive new security issue CVE-2019-20509
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: andrewsfarm, herman.viaene, mageia, sysadmin-bugs
Version: 7Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA7-64-OK
Source RPM: libarchive-3.4.0-1.1.mga7.src.rpm CVE:
Status comment:

Description David Walser 2020-05-27 00:29:13 CEST 
Fedora has issued an advisory today (May 26):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/6OTE7GWASH2ZOVG5H3HEN5PR6B3KF7JB/

The issue is fixed upstream in 3.4.1.
Comment 1 Nicolas Lécureuil 2020-05-27 21:54:18 CEST 
i updated mageia 7 to legacy version 3.4.3

 libarchive-3.4.3-1.mga7

Assignee: nicolas.salguero => qa-bugs
CC: (none) => mageia

Comment 2 David Walser 2020-05-27 21:58:42 CEST 
Thanks, we should have done that last time; could have avoided this.

Advisory:
========================

Updated libarchive packages fix security vulnerability:

archive_read_support_format_lha.c in libarchive before 3.4.1 does not ensure
valid sizes for UTF-16 input, which allows remote attackers to cause a denial
of service (heap-based buffer over-read and application crash) via a crafted
LHA archive (CVE-2019-20509).

The libarchive package has been updated to version 3.4.3, fixing this issue and
other bugs.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-20509
https://github.com/libarchive/libarchive/releases/tag/v3.4.1
https://github.com/libarchive/libarchive/releases/tag/v3.4.2
https://github.com/libarchive/libarchive/releases/tag/v3.4.3
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/6OTE7GWASH2ZOVG5H3HEN5PR6B3KF7JB/
========================

Updated packages in core/updates_testing:
========================
libarchive13-3.4.3-1.mga7
libarchive-devel-3.4.3-1.mga7
bsdtar-3.4.3-1.mga7
bsdcpio-3.4.3-1.mga7
bsdcat-3.4.3-1.mga7

from libarchive-3.4.3-1.mga7.src.rpm
Comment 3 Herman Viaene 2020-05-29 15:32:52 CEST 
MGA7-64 Plasma on Lenovo B50
No installation issues
Ref bug 24337 for testing.
At CLI:
$ cd Documents/
$ ls
 calib/                     helloworld.class         lib64ssh4.txt    strace.txt           volkstuintjes/
 example.lit                helloworld.java          libgit2.txt      t89-halftone.pdf     wireshark_dns.pcap
 function.json-decode.php   httpparser.txt           libseccomp.txt   testencode.php       wiresharkmerged
 function.json-encode.php   ilmbase.txt              okra/            testpythonbleach/    wiresharktest
 hellodojo.html            'kwis 6  oktober 2015'/   pea.py           testvim.txt          wiresharktest50
'helloworld$1.class'        lib64ntlm0.txt           php/             viewvc.testing.txt

$ bsdtar -c -f ~/archtar *
Checked the archtar file with ark:all folders and files show up. Extracted the archtar to the ~/tmp: all files and folders show up OK.

Whiteboard: (none) => MGA7-64-OK
CC: (none) => herman.viaene

Comment 4 Thomas Andrews 2020-05-30 15:37:05 CEST 
Validating. Advisory in Comment 2.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Nicolas Lécureuil 2020-06-11 00:16:32 CEST

Keywords: (none) => advisory

Comment 5 Mageia Robot 2020-06-11 00:58:27 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0253.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED