Hi,

libarchive project has released version 3.2.1 (https://libarchive.org/downloads/libarchive-3.2.1.tar.gz) that fixes several bugs including:
- CVE-2016-4300:
  - http://www.talosintel.com/reports/TALOS-2016-0152
  - https://bugzilla.redhat.com/show_bug.cgi?id=1348439
- CVE-2016-4301:
  - http://www.talosintel.com/reports/TALOS-2016-0153
  - https://bugzilla.redhat.com/show_bug.cgi?id=1348441
- CVE-2016-4302:
  - http://www.talosintel.com/reports/TALOS-2016-0154
  - https://bugzilla.redhat.com/show_bug.cgi?id=1348444

It seems the other bugs have no CVE id.

Best regards,
Nico.

Source RPM: (none) => libarchive
Whiteboard: (none) => MGA5TOO
Assigning to all packagers collectively, since there is no maintainer for this package. Is Mageia5 affected, too?
CC: (none) => makowski.mageia, marja11
Assignee: bugsquad => pkg-bugs
Why didn't I see MGA5TOO?? Anyway, thx for already fixing this in cauldron, Nicolas :-)
Yes, Mga5 is affected too.
Suggested advisory:
========================

The updated packages fix several security vulnerabilities:

An exploitable heap overflow vulnerability exists in the 7zip read_SubStreamsInfo functionality of libarchive. A specially crafted 7zip file can cause an integer overflow resulting in memory corruption that can lead to code execution. An attacker can send a malformed file to trigger this vulnerability (CVE-2016-4300).

An exploitable stack based buffer overflow vulnerability exists in the mtree parse_device functionality of libarchive. A specially crafted mtree file can cause a buffer overflow resulting in memory corruption/code execution. An attacker can send a malformed file to trigger this vulnerability (CVE-2016-4301).

An exploitable heap overflow vulnerability exists in the Rar decompression functionality of libarchive. A specially crafted Rar file can cause a heap corruption eventually leading to code execution. An attacker can send a malformed file to trigger this vulnerability (CVE-2016-4302).

The libarchive package has been updated to version 3.2.1, fixing those issues and other bugs.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4300
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4301
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4302
http://www.talosintel.com/reports/TALOS-2016-0152
http://www.talosintel.com/reports/TALOS-2016-0153
http://www.talosintel.com/reports/TALOS-2016-0154
https://bugzilla.redhat.com/show_bug.cgi?id=1348439
https://bugzilla.redhat.com/show_bug.cgi?id=1348441
https://bugzilla.redhat.com/show_bug.cgi?id=1348444
https://groups.google.com/forum/#!msg/libarchive-discuss/sui01WaM3ic/WhAgI4ylAwAJ
========================

Updated packages in core/updates_testing:
========================
i586:
libarchive13-3.2.0-1.mga5.i586.rpm
libarchive-devel-3.2.0-1.mga5.i586.rpm
bsdcat-3.2.0-1.mga5.i586.rpm
bsdcpio-3.2.0-1.mga5.i586.rpm
bsdtar-3.2.0-1.mga5.i586.rpm

x86_64:
lib64archive13-3.2.0-1.mga5.x86_64.rpm
lib64archive-devel-3.2.0-1.mga5.x86_64.rpm
bsdcat-3.2.0-1.mga5.x86_64.rpm
bsdcpio-3.2.0-1.mga5.x86_64.rpm
bsdtar-3.2.0-1.mga5.x86_64.rpm

Source RPMs:
libarchive-3.2.1-1.mga5.src.rpm
Updated packages in core/updates_testing:
========================
i586:
libarchive13-3.2.1-1.mga5.i586.rpm
libarchive-devel-3.2.1-1.mga5.i586.rpm
bsdcat-3.2.1-1.mga5.i586.rpm
bsdcpio-3.2.1-1.mga5.i586.rpm
bsdtar-3.2.1-1.mga5.i586.rpm

x86_64:
lib64archive13-3.2.1-1.mga5.x86_64.rpm
lib64archive-devel-3.2.1-1.mga5.x86_64.rpm
bsdcat-3.2.1-1.mga5.x86_64.rpm
bsdcpio-3.2.1-1.mga5.x86_64.rpm
bsdtar-3.2.1-1.mga5.x86_64.rpm

Source RPMs:
libarchive-3.2.1-1.mga5.src.rpm

Status: NEW => ASSIGNED
Version: Cauldron => 5
Assignee: pkg-bugs => qa-bugs
Source RPM: libarchive => libarchive-3.2.0-1.mga6.src.rpm
Whiteboard: MGA5TOO => has_procedure
Procedure: https://bugs.mageia.org/show_bug.cgi?id=9671#c2
Also fixes CVE-2015-8934: http://openwall.com/lists/oss-security/2016/06/23/6 Some details about some of the security issues fixed are in that message.
New version of the suggested advisory:
========================

The updated packages fix several security vulnerabilities:

An out of bounds read in the rar parser: invalid read in function copy_from_lzss_window() when unpacking malformed rar (CVE-2015-8934).

An exploitable heap overflow vulnerability exists in the 7zip read_SubStreamsInfo functionality of libarchive. A specially crafted 7zip file can cause an integer overflow resulting in memory corruption that can lead to code execution. An attacker can send a malformed file to trigger this vulnerability (CVE-2016-4300).

An exploitable stack based buffer overflow vulnerability exists in the mtree parse_device functionality of libarchive. A specially crafted mtree file can cause a buffer overflow resulting in memory corruption/code execution. An attacker can send a malformed file to trigger this vulnerability (CVE-2016-4301).

An exploitable heap overflow vulnerability exists in the Rar decompression functionality of libarchive. A specially crafted Rar file can cause a heap corruption eventually leading to code execution. An attacker can send a malformed file to trigger this vulnerability (CVE-2016-4302).

The libarchive package has been updated to version 3.2.1, fixing those issues and other bugs.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8934
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4300
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4301
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4302
https://github.com/libarchive/libarchive/issues/521
http://www.talosintel.com/reports/TALOS-2016-0152
http://www.talosintel.com/reports/TALOS-2016-0153
http://www.talosintel.com/reports/TALOS-2016-0154
https://bugzilla.redhat.com/show_bug.cgi?id=1349229
https://bugzilla.redhat.com/show_bug.cgi?id=1348439
https://bugzilla.redhat.com/show_bug.cgi?id=1348441
https://bugzilla.redhat.com/show_bug.cgi?id=1348444
http://openwall.com/lists/oss-security/2016/06/23/6
https://groups.google.com/forum/#!msg/libarchive-discuss/sui01WaM3ic/WhAgI4ylAwAJ
Summary: libarchive 3.2.1 fixes CVE-2016-430[0-2] => libarchive 3.2.1 fixes CVE-2015-8934, CVE-2016-430[0-2]
CVE-2016-5844 assigned for another fix in 3.2.1: http://openwall.com/lists/oss-security/2016/06/24/4
New version of the suggested advisory:
========================

The updated packages fix several security vulnerabilities:

An out of bounds read in the rar parser: invalid read in function copy_from_lzss_window() when unpacking malformed rar (CVE-2015-8934).

An exploitable heap overflow vulnerability exists in the 7zip read_SubStreamsInfo functionality of libarchive. A specially crafted 7zip file can cause an integer overflow resulting in memory corruption that can lead to code execution. An attacker can send a malformed file to trigger this vulnerability (CVE-2016-4300).

An exploitable stack based buffer overflow vulnerability exists in the mtree parse_device functionality of libarchive. A specially crafted mtree file can cause a buffer overflow resulting in memory corruption/code execution. An attacker can send a malformed file to trigger this vulnerability (CVE-2016-4301).

An exploitable heap overflow vulnerability exists in the Rar decompression functionality of libarchive. A specially crafted Rar file can cause a heap corruption eventually leading to code execution. An attacker can send a malformed file to trigger this vulnerability (CVE-2016-4302).

A signed integer overflow in iso parser: integer overflow when computing location of volume descriptor (CVE-2016-5844).

The libarchive package has been updated to version 3.2.1, fixing those issues and other bugs.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8934
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4300
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4301
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4302
https://github.com/libarchive/libarchive/issues/521
http://www.talosintel.com/reports/TALOS-2016-0152
http://www.talosintel.com/reports/TALOS-2016-0153
http://www.talosintel.com/reports/TALOS-2016-0154
https://bugzilla.redhat.com/show_bug.cgi?id=1349229
https://bugzilla.redhat.com/show_bug.cgi?id=1348439
https://bugzilla.redhat.com/show_bug.cgi?id=1348441
https://bugzilla.redhat.com/show_bug.cgi?id=1348444
http://openwall.com/lists/oss-security/2016/06/23/6
https://groups.google.com/forum/#!msg/libarchive-discuss/sui01WaM3ic/WhAgI4ylAwAJ
http://openwall.com/lists/oss-security/2016/06/24/4
Summary: libarchive 3.2.1 fixes CVE-2015-8934, CVE-2016-430[0-2] => libarchive 3.2.1 fixes CVE-2015-8934, CVE-2016-430[0-2], CVE-2016-5844
CC: makowski.mageia => (none)
It appears that CVE-2016-4809 is also fixed in 3.2.1: http://lwn.net/Vulnerabilities/692863/ https://lists.opensuse.org/opensuse-updates/2016-06/msg00102.html
New version of the suggested advisory:
========================

The updated packages fix several security vulnerabilities:

An out of bounds read in the rar parser: invalid read in function copy_from_lzss_window() when unpacking malformed rar (CVE-2015-8934).

An exploitable heap overflow vulnerability exists in the 7zip read_SubStreamsInfo functionality of libarchive. A specially crafted 7zip file can cause an integer overflow resulting in memory corruption that can lead to code execution. An attacker can send a malformed file to trigger this vulnerability (CVE-2016-4300).

An exploitable stack based buffer overflow vulnerability exists in the mtree parse_device functionality of libarchive. A specially crafted mtree file can cause a buffer overflow resulting in memory corruption/code execution. An attacker can send a malformed file to trigger this vulnerability (CVE-2016-4301).

An exploitable heap overflow vulnerability exists in the Rar decompression functionality of libarchive. A specially crafted Rar file can cause a heap corruption eventually leading to code execution. An attacker can send a malformed file to trigger this vulnerability (CVE-2016-4302).

A cpio archive with a ridiculously large symlink can cause memory allocation to fail, resulting in any attempt to view or extract the archive crashing. The failed allocation appears to be handled correctly within libarchive and not lead to further issues (CVE-2016-4809).

A signed integer overflow in iso parser: integer overflow when computing location of volume descriptor (CVE-2016-5844).

The libarchive package has been updated to version 3.2.1, fixing those issues and other bugs.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8934
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4300
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4301
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4302
https://github.com/libarchive/libarchive/issues/521
http://www.talosintel.com/reports/TALOS-2016-0152
http://www.talosintel.com/reports/TALOS-2016-0153
http://www.talosintel.com/reports/TALOS-2016-0154
https://bugzilla.redhat.com/show_bug.cgi?id=1349229
https://bugzilla.redhat.com/show_bug.cgi?id=1348439
https://bugzilla.redhat.com/show_bug.cgi?id=1348441
https://bugzilla.redhat.com/show_bug.cgi?id=1348444
http://openwall.com/lists/oss-security/2016/06/23/6
https://groups.google.com/forum/#!msg/libarchive-discuss/sui01WaM3ic/WhAgI4ylAwAJ
http://openwall.com/lists/oss-security/2016/06/24/4
http://lwn.net/Vulnerabilities/692863/
https://lists.opensuse.org/opensuse-updates/2016-06/msg00102.html
Summary: libarchive 3.2.1 fixes CVE-2015-8934, CVE-2016-430[0-2], CVE-2016-5844 => libarchive 3.2.1 fixes CVE-2015-8934, CVE-2016-430[0-2], CVE-2016-4809, CVE-2016-5844
The following 4 packages are going to be installed:
- bsdcat-3.2.1-1.mga5.x86_64
- bsdcpio-3.2.1-1.mga5.x86_64
- bsdtar-3.2.1-1.mga5.x86_64
- lib64archive13-3.2.1-1.mga5.x86_64

---installed properly
---checked whether version picked up.

[brian@localhost ~]$ bsdcpio -h
bsdcpio: manipulate archive files
First option must be a mode specifier:
  -i Input  -o Output  -p Pass
Common Options:
  -v Verbose filenames  -V one dot per file
Create: bsdcpio -o [options] < [list of files] > [archive]
  -J,-y,-z,--lzma Compress archive with xz/bzip2/gzip/lzma
  --format {odc|newc|ustar} Select archive format
List: bsdcpio -it < [archive]
Extract: bsdcpio -i [options] < [archive]
bsdcpio 3.2.1 -- libarchive 3.2.1 zlib/1.2.8 liblzma/5.2.0 bz2lib/1.0.6

Ran a compress
ls *.o* | bsdcpio -ov > archive.cpio
3186 blocks

Now did a list:
[brian@localhost restore]$ bsdcpio -it < ../archive.cpio
3186 blocks
[brian@localhost restore]$

Did the restore and verified files so cpio works.

--- trying bsdtar
[brian@localhost restore]$ bsdtar -cvf archive.tar.gz chapter1.odt chapter2.odt
a chapter1.odt
a chapter2.odt
brian@localhost restore]$ ls *.gz
archive.tar.gz

---list contents
[brian@localhost restore]$ bsdtar -tvf archive.tar.gz
-rw-r--r-- 0 brian brian 21827 Jun 29 22:47 chapter1.odt
-rw-r--r-- 0 brian brian 23976 Jun 29 22:47 chapter2.odt
[brian@localhost restore]$

seems to be working as designed.
CC: (none) => brtians1
ran bsdcat - it was able to cat a file fine.
Whiteboard: has_procedure => has_procedure MGA5-64-OK
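
The "checked whether version picked up" step from the test log above, turned into a repeatable check as an added example that is not part of the original report: it extracts the libarchive version from a bsdtar/bsdcpio/bsdcat banner and compares it with 3.2.1, the release this report names as fixed. The function names and the 3.2.0 banner are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the bug report): classify a bsdtar/bsdcpio/bsdcat
# version banner against the fixed libarchive release named above (3.2.1).
FIXED_VERSION="3.2.1"

# Print the libarchive version embedded in a banner, or nothing if absent.
libarchive_version() {
    printf '%s\n' "$1" |
        sed -n 's/.*libarchive \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Return 0 when dotted version $1 >= $2, comparing field by field as integers
# (so 3.10.0 sorts after 3.2.1, which a plain string comparison gets wrong).
version_ge() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        [ "${x:-0}" -gt "${y:-0}" ] && return 0
        [ "${x:-0}" -lt "${y:-0}" ] && return 1
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 0
}

# Print "fixed <v>", "vulnerable <v>" or "unknown"; exit status 0, 1 or 2.
check_banner() {
    v=$(libarchive_version "$1")
    if [ -z "$v" ]; then echo "unknown"; return 2; fi
    if version_ge "$v" "$FIXED_VERSION"; then echo "fixed $v"; return 0; fi
    echo "vulnerable $v"; return 1
}

# Banner as it appears in the test log above, plus a constructed pre-fix banner.
check_banner 'bsdcpio 3.2.1 -- libarchive 3.2.1 zlib/1.2.8 liblzma/5.2.0 bz2lib/1.0.6'
check_banner 'bsdtar 3.2.0 - libarchive 3.2.0 zlib/1.2.8 (constructed sample)'

# Then every libarchive front end actually installed on this host.
for tool in bsdtar bsdcpio bsdcat; do
    command -v "$tool" >/dev/null 2>&1 || continue
    printf '%s: ' "$tool"
    check_banner "$("$tool" --version 2>/dev/null | head -n 1)" || true
done
```

A banner comparison only reflects the upstream version string; a distribution that backports fixes without changing the version needs its package changelog checked instead.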
Keywords: (none) => validated_update
Whiteboard: has_procedure MGA5-64-OK => has_procedure MGA5-64-OK advisory
CC: (none) => davidwhodgins, sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2016-0239.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED
URL: (none) => http://lwn.net/Vulnerabilities/693575/