Bug 3941

Summary: libarchive missing security update for CVE-2011-1777 and CVE-2011-1778
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact:
Severity: normal    
Priority: Normal CC: anssi.hannula, sysadmin-bugs, tmb
Version: 1Keywords: validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Source RPM: libarchive-2.8.4-2.mga1.src.rpm CVE:
Status comment:

Description David Walser 2011-12-30 03:46:01 CET 
Mandriva issued this advisory on December 18:
http://lists.mandriva.com/security-announce/2011-12/msg00015.php
Comment 1 Anssi Hannula 2011-12-30 05:10:46 CET 
Suggested advisory:
========================
Updated libarchive packages fix security vulnerabilities:

Two heap-based buffer overflow flaws were discovered in libarchive. If
a user were tricked into expanding a specially-crafted ISO 9660
CD-ROM image or tar archive with an application using libarchive,
it could cause the application to crash or, potentially, execute
arbitrary code with the privileges of the user running the application
(CVE-2011-1777, CVE-2011-1778).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1777
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1778
http://www.mandriva.com/en/support/security/advisories/?dis=2011&name=MDVSA-2011:190
========================

Updated packages in core/updates_testing:
=====================
bsdtar-2.8.4-2.1.mga1
bsdcpio-2.8.4-2.1.mga1
lib(64)archive2-2.8.4-2.1.mga1
lib(64)archive-devel-2.8.4-2.1.mga1

from libarchive-2.8.4-2.1.mga1 src.rpm.
=====================

No testcase.

Status: NEW => ASSIGNED
CC: (none) => anssi.hannula
Assignee: bugsquad => qa-bugs

Comment 2 claire robinson 2011-12-31 14:15:27 CET 
ark is unable to open ISO's with the updated libarchive for me.
Comment 3 David Walser 2011-12-31 17:56:53 CET 
I can confirm the regression with opening ISOs on i586.
Comment 4 Anssi Hannula 2012-01-01 02:35:52 CET 
The redhat/mdv patch was broken in several places, I've now fixed it and informed the redhat bugzilla ticket about it:
https://bugzilla.redhat.com/show_bug.cgi?id=705849#c23

I'll also send a note to Mandriva security team.

libarchive-2.8.4-2.2.mga1 now submitted to core/updates_testing, please test (it seems to fix the issues for me).
Comment 5 David Walser 2012-01-01 04:45:04 CET 
I can confirm that this update works on i586.  Thanks Anssi (and thanks claire for noticing the bug).
Comment 6 claire robinson 2012-01-05 15:13:16 CET 
Testing complete x86_64

SRPM: libarchive-2.8.4-2.2.mga1

Suggested advisory:
========================
Updated libarchive packages fix security vulnerabilities:

Two heap-based buffer overflow flaws were discovered in libarchive. If
a user were tricked into expanding a specially-crafted ISO 9660
CD-ROM image or tar archive with an application using libarchive,
it could cause the application to crash or, potentially, execute
arbitrary code with the privileges of the user running the application
(CVE-2011-1777, CVE-2011-1778).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1777
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1778
http://www.mandriva.com/en/support/security/advisories/?dis=2011&name=MDVSA-2011:190
========================


Could sysadmin please push from core/updates_testing to core/updates

Thankyou!

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Hardware: i586 => All

Comment 7 Thomas Backlund 2012-01-09 15:49:31 CET 
update pushed

Status: ASSIGNED => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED