A CVE was requested for an issue fixed upstream: http://openwall.com/lists/oss-security/2015/05/04/1 Patch added in Mageia 4 and Cauldron SVN. Freeze push requested. Reproducible: Steps to Reproduce:
Blocks: (none) => 14674Whiteboard: (none) => MGA5TOO, MGA4TOO
Patched packages uploaded for Mageia 4 and Cauldron. PoC on the upstream bug report: https://github.com/libarchive/libarchive/issues/502 Advisory: ======================== Updated libarchive packages fix security vulnerability: An out-of-bounds read flaw was found in the way libarchive processed certain archives. An attacker could create a specially crafted archive that, when processed by an application using the libarchive library, would cause that application to crash (rhbz#1216891). References: https://bugzilla.redhat.com/show_bug.cgi?id=1216891 ======================== Updated packages in core/updates_testing: ======================== libarchive13-3.1.2-2.2.mga4 libarchive-devel-3.1.2-2.2.mga4 bsdtar-3.1.2-2.2.mga4 bsdcpio-3.1.2-2.2.mga4 from libarchive-3.1.2-2.2.mga4.src.rpm
Whiteboard: MGA5TOO, MGA4TOO => has_procedureVersion: Cauldron => 4Blocks: 14674 => (none)Assignee: bugsquad => qa-bugs
Tested fine on Mageia 4 i586. Make sure you install bsdtar, and when you update also install the updated libarchive13. Before the update: $ bsdtar -tvf ../crash_dos.tar ?--------- 8191 0 64768 -69338 Dec 31 1969 Fatal Internal Error in libarchive: Negative skip requested. After the update: $ bsdtar -tvf ../crash_dos.tar ?--------- 8191 0 64768 4294897958 Dec 31 1969 bsdtar: End of file trying to read next cpio header bsdtar: Error exit delayed from previous errors.
Whiteboard: has_procedure => has_procedure MGA4-32-OK
Advisory uploaded.
Whiteboard: has_procedure MGA4-32-OK => has_procedure advisory MGA4-32-OK
Installed the four packages listed above: Before: $MIRRORLIST: media/../../i586/media/core/updates/liblzo2_2-2.08-1.mga4.i586.rpm $MIRRORLIST: media/../../i586/media/core/updates/libarchive13-3.1.2-2.1.mga4.i586.rpm lib64archive-devel 3.1.2 2.1.mga4 x86_64 lib64lzo-devel 2.08 1.mga4 x86_64 lib64openssl-devel 1.0.1m 1.mga4 x86_64 also out of core updates - mixed architectures or +noarch? $MIRRORLIST: media/core/updates/bsdtar-3.1.2-2.1.mga4.x86_64.rpm $MIRRORLIST: media/core/updates/bsdcpio-3.1.2-2.1.mga4.x86_64.rpm then [lcl@belexeuli ~/Downloads]# bsdtar -tvf crash_dos.tar ?--------- 8191 0 64768 -69338 Jan 1 1970 Segmentation fault After: Enabled core updates testing and installed bdstar but could not find an updated libarchive13. A mirror problem maybe?
CC: (none) => tarazed25
lib64archive13 in 64bit Len
Thanks Claire. Sometimes the lib64 comes up automatically when you ask for a lib package on a 64bit system. In fact lib64archive13 was already installed so the before test is still valid. Onwards and upwards!
Installed the updated packages and ran the test again: [lcl@belexeuli ~/Downloads]$ bsdtar -tvf crash_dos.tar ?--------- 8191 0 64768 4294897958 Jan 1 1970 bsdtar: End of file trying to read next cpio header bsdtar: Error exit delayed from previous errors. So that looks OK. Adding keyword.
Whiteboard: has_procedure advisory MGA4-32-OK => has_procedure advisory MGA4-32-OK MGA4-64-OK
Well done :) Validating. Please push to 4 updates Thanks
Keywords: (none) => validated_updateCC: (none) => sysadmin-bugs
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2015-0208.html
Status: NEW => RESOLVEDResolution: (none) => FIXED
URL: (none) => http://lwn.net/Vulnerabilities/644037/
This got CVE-2015-8915: http://lists.suse.com/pipermail/sle-security-updates/2019-November/006190.html
Summary: libarchive new crash in bsdtar fixed upstream => libarchive new crash in bsdtar fixed upstream (CVE-2015-8915)