Bug 18769 - libarchive 3.2.1 fixes CVE-2015-8934, CVE-2016-430[0-2], CVE-2016-4809, CVE-2016-5844
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 5
Hardware: All
OS: Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/693575/
Whiteboard: has_procedure MGA5-64-OK advisory
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2016-06-23 09:39 CEST by Nicolas Salguero
Modified: 2016-07-06 18:40 CEST

See Also:
Source RPM: libarchive-3.2.0-1.mga6.src.rpm
CVE:
Status comment:



Description Nicolas Salguero 2016-06-23 09:39:11 CEST
Hi,

libarchive project has released version 3.2.1 (https://libarchive.org/downloads/libarchive-3.2.1.tar.gz) that fixes several bugs including:
  - CVE-2016-4300:
    - http://www.talosintel.com/reports/TALOS-2016-0152
    - https://bugzilla.redhat.com/show_bug.cgi?id=1348439
  - CVE-2016-4301:
    - http://www.talosintel.com/reports/TALOS-2016-0153
    - https://bugzilla.redhat.com/show_bug.cgi?id=1348441
  - CVE-2016-4302:
    - http://www.talosintel.com/reports/TALOS-2016-0154
    - https://bugzilla.redhat.com/show_bug.cgi?id=1348444

It seems the other bugs have no CVE id.

Best regards,

Nico.
Nicolas Salguero 2016-06-23 09:39:59 CEST

Source RPM: (none) => libarchive
Whiteboard: (none) => MGA5TOO

Comment 1 Marja Van Waes 2016-06-23 10:04:14 CEST
Assigning to all packagers collectively, since there is no maintainer for this package.

Is Mageia5 affected, too?

CC: (none) => makowski.mageia, marja11
Assignee: bugsquad => pkg-bugs

Comment 2 Marja Van Waes 2016-06-23 10:07:00 CEST
Why didn't I see MGA5TOO??

Anyway, thx for already fixing this in cauldron, Nicolas :-)
Comment 3 Nicolas Salguero 2016-06-23 10:11:44 CEST
Yes, Mga5 is affected too.
Comment 4 Nicolas Salguero 2016-06-23 10:34:15 CEST
Suggested advisory:
========================

The updated packages fix several security vulnerabilities:

An exploitable heap overflow vulnerability exists in the 7zip read_SubStreamsInfo functionality of libarchive. A specially crafted 7zip file can cause an integer overflow resulting in memory corruption that can lead to code execution. An attacker can send a malformed file to trigger this vulnerability (CVE-2016-4300).

An exploitable stack-based buffer overflow vulnerability exists in the mtree parse_device functionality of libarchive. A specially crafted mtree file can cause a buffer overflow resulting in memory corruption/code execution. An attacker can send a malformed file to trigger this vulnerability (CVE-2016-4301).

An exploitable heap overflow vulnerability exists in the Rar decompression functionality of libarchive. A specially crafted Rar file can cause a heap corruption eventually leading to code execution. An attacker can send a malformed file to trigger this vulnerability (CVE-2016-4302).

The libarchive package has been updated to version 3.2.1, fixing those issues
and other bugs.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4300
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4301
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4302
http://www.talosintel.com/reports/TALOS-2016-0152
http://www.talosintel.com/reports/TALOS-2016-0153
http://www.talosintel.com/reports/TALOS-2016-0154
https://bugzilla.redhat.com/show_bug.cgi?id=1348439
https://bugzilla.redhat.com/show_bug.cgi?id=1348441
https://bugzilla.redhat.com/show_bug.cgi?id=1348444
https://groups.google.com/forum/#!msg/libarchive-discuss/sui01WaM3ic/WhAgI4ylAwAJ
========================

Updated packages in core/updates_testing:
========================
i586:
libarchive13-3.2.0-1.mga5.i586.rpm
libarchive-devel-3.2.0-1.mga5.i586.rpm
bsdcat-3.2.0-1.mga5.i586.rpm
bsdcpio-3.2.0-1.mga5.i586.rpm
bsdtar-3.2.0-1.mga5.i586.rpm

x86_64:
lib64archive13-3.2.0-1.mga5.x86_64.rpm
lib64archive-devel-3.2.0-1.mga5.x86_64.rpm
bsdcat-3.2.0-1.mga5.x86_64.rpm
bsdcpio-3.2.0-1.mga5.x86_64.rpm
bsdtar-3.2.0-1.mga5.x86_64.rpm

Source RPMs:
libarchive-3.2.1-1.mga5.src.rpm
Comment 5 Nicolas Salguero 2016-06-23 10:39:16 CEST
Updated packages in core/updates_testing:
========================
i586:
libarchive13-3.2.1-1.mga5.i586.rpm
libarchive-devel-3.2.1-1.mga5.i586.rpm
bsdcat-3.2.1-1.mga5.i586.rpm
bsdcpio-3.2.1-1.mga5.i586.rpm
bsdtar-3.2.1-1.mga5.i586.rpm

x86_64:
lib64archive13-3.2.1-1.mga5.x86_64.rpm
lib64archive-devel-3.2.1-1.mga5.x86_64.rpm
bsdcat-3.2.1-1.mga5.x86_64.rpm
bsdcpio-3.2.1-1.mga5.x86_64.rpm
bsdtar-3.2.1-1.mga5.x86_64.rpm

Source RPMs:
libarchive-3.2.1-1.mga5.src.rpm

Status: NEW => ASSIGNED
Version: Cauldron => 5
Assignee: pkg-bugs => qa-bugs
Source RPM: libarchive => libarchive-3.2.0-1.mga6.src.rpm
Whiteboard: MGA5TOO => has_procedure

Comment 6 Nicolas Salguero 2016-06-23 10:39:29 CEST
Procedure: https://bugs.mageia.org/show_bug.cgi?id=9671#c2
Comment 7 David Walser 2016-06-23 19:15:23 CEST
Also fixes CVE-2015-8934:
http://openwall.com/lists/oss-security/2016/06/23/6

Some details about some of the security issues fixed are in that message.
Comment 8 Nicolas Salguero 2016-06-24 10:14:36 CEST
New version of the suggested advisory:
========================

The updated packages fix several security vulnerabilities:

An out-of-bounds read in the rar parser: invalid read in function copy_from_lzss_window() when unpacking malformed rar (CVE-2015-8934).

An exploitable heap overflow vulnerability exists in the 7zip read_SubStreamsInfo functionality of libarchive. A specially crafted 7zip file can cause an integer overflow resulting in memory corruption that can lead to code execution. An attacker can send a malformed file to trigger this vulnerability (CVE-2016-4300).

An exploitable stack-based buffer overflow vulnerability exists in the mtree parse_device functionality of libarchive. A specially crafted mtree file can cause a buffer overflow resulting in memory corruption/code execution. An attacker can send a malformed file to trigger this vulnerability (CVE-2016-4301).

An exploitable heap overflow vulnerability exists in the Rar decompression functionality of libarchive. A specially crafted Rar file can cause a heap corruption eventually leading to code execution. An attacker can send a malformed file to trigger this vulnerability (CVE-2016-4302).

The libarchive package has been updated to version 3.2.1, fixing those issues
and other bugs.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8934
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4300
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4301
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4302
https://github.com/libarchive/libarchive/issues/521
http://www.talosintel.com/reports/TALOS-2016-0152
http://www.talosintel.com/reports/TALOS-2016-0153
http://www.talosintel.com/reports/TALOS-2016-0154
https://bugzilla.redhat.com/show_bug.cgi?id=1349229
https://bugzilla.redhat.com/show_bug.cgi?id=1348439
https://bugzilla.redhat.com/show_bug.cgi?id=1348441
https://bugzilla.redhat.com/show_bug.cgi?id=1348444
http://openwall.com/lists/oss-security/2016/06/23/6
https://groups.google.com/forum/#!msg/libarchive-discuss/sui01WaM3ic/WhAgI4ylAwAJ

Summary: libarchive 3.2.1 fixes CVE-2016-430[0-2] => libarchive 3.2.1 fixes CVE-2015-8934, CVE-2016-430[0-2]

Comment 9 David Walser 2016-06-25 00:46:56 CEST
CVE-2016-5844 assigned for another fix in 3.2.1:
http://openwall.com/lists/oss-security/2016/06/24/4
Comment 10 Nicolas Salguero 2016-06-26 14:32:55 CEST
New version of the suggested advisory:
========================

The updated packages fix several security vulnerabilities:

An out-of-bounds read in the rar parser: invalid read in function copy_from_lzss_window() when unpacking malformed rar (CVE-2015-8934).

An exploitable heap overflow vulnerability exists in the 7zip read_SubStreamsInfo functionality of libarchive. A specially crafted 7zip file can cause an integer overflow resulting in memory corruption that can lead to code execution. An attacker can send a malformed file to trigger this vulnerability (CVE-2016-4300).

An exploitable stack-based buffer overflow vulnerability exists in the mtree parse_device functionality of libarchive. A specially crafted mtree file can cause a buffer overflow resulting in memory corruption/code execution. An attacker can send a malformed file to trigger this vulnerability (CVE-2016-4301).

An exploitable heap overflow vulnerability exists in the Rar decompression functionality of libarchive. A specially crafted Rar file can cause a heap corruption eventually leading to code execution. An attacker can send a malformed file to trigger this vulnerability (CVE-2016-4302).

A signed integer overflow in iso parser: integer overflow when computing location of volume descriptor (CVE-2016-5844).

The libarchive package has been updated to version 3.2.1, fixing those issues
and other bugs.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8934
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4300
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4301
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4302
https://github.com/libarchive/libarchive/issues/521
http://www.talosintel.com/reports/TALOS-2016-0152
http://www.talosintel.com/reports/TALOS-2016-0153
http://www.talosintel.com/reports/TALOS-2016-0154
https://bugzilla.redhat.com/show_bug.cgi?id=1349229
https://bugzilla.redhat.com/show_bug.cgi?id=1348439
https://bugzilla.redhat.com/show_bug.cgi?id=1348441
https://bugzilla.redhat.com/show_bug.cgi?id=1348444
http://openwall.com/lists/oss-security/2016/06/23/6
https://groups.google.com/forum/#!msg/libarchive-discuss/sui01WaM3ic/WhAgI4ylAwAJ
http://openwall.com/lists/oss-security/2016/06/24/4

Summary: libarchive 3.2.1 fixes CVE-2015-8934, CVE-2016-430[0-2] => libarchive 3.2.1 fixes CVE-2015-8934, CVE-2016-430[0-2], CVE-2016-5844

Philippe Makowski 2016-06-26 18:01:05 CEST

CC: makowski.mageia => (none)

Comment 11 David Walser 2016-06-28 00:20:31 CEST
It appears that CVE-2016-4809 is also fixed in 3.2.1:
http://lwn.net/Vulnerabilities/692863/
https://lists.opensuse.org/opensuse-updates/2016-06/msg00102.html
Comment 12 Nicolas Salguero 2016-06-28 14:55:11 CEST
New version of the suggested advisory:
========================

The updated packages fix several security vulnerabilities:

An out-of-bounds read in the rar parser: invalid read in function copy_from_lzss_window() when unpacking malformed rar (CVE-2015-8934).

An exploitable heap overflow vulnerability exists in the 7zip read_SubStreamsInfo functionality of libarchive. A specially crafted 7zip file can cause an integer overflow resulting in memory corruption that can lead to code execution. An attacker can send a malformed file to trigger this vulnerability (CVE-2016-4300).

An exploitable stack-based buffer overflow vulnerability exists in the mtree parse_device functionality of libarchive. A specially crafted mtree file can cause a buffer overflow resulting in memory corruption/code execution. An attacker can send a malformed file to trigger this vulnerability (CVE-2016-4301).

An exploitable heap overflow vulnerability exists in the Rar decompression functionality of libarchive. A specially crafted Rar file can cause a heap corruption eventually leading to code execution. An attacker can send a malformed file to trigger this vulnerability (CVE-2016-4302).

A cpio archive with a ridiculously large symlink can cause memory allocation to fail, resulting in any attempt to view or extract the archive crashing. The failed allocation appears to be handled correctly within libarchive and not lead to further issues (CVE-2016-4809).

A signed integer overflow in iso parser: integer overflow when computing location of volume descriptor (CVE-2016-5844).

The libarchive package has been updated to version 3.2.1, fixing those issues
and other bugs.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8934
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4300
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4301
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4302
https://github.com/libarchive/libarchive/issues/521
http://www.talosintel.com/reports/TALOS-2016-0152
http://www.talosintel.com/reports/TALOS-2016-0153
http://www.talosintel.com/reports/TALOS-2016-0154
https://bugzilla.redhat.com/show_bug.cgi?id=1349229
https://bugzilla.redhat.com/show_bug.cgi?id=1348439
https://bugzilla.redhat.com/show_bug.cgi?id=1348441
https://bugzilla.redhat.com/show_bug.cgi?id=1348444
http://openwall.com/lists/oss-security/2016/06/23/6
https://groups.google.com/forum/#!msg/libarchive-discuss/sui01WaM3ic/WhAgI4ylAwAJ
http://openwall.com/lists/oss-security/2016/06/24/4
http://lwn.net/Vulnerabilities/692863/
https://lists.opensuse.org/opensuse-updates/2016-06/msg00102.html

Summary: libarchive 3.2.1 fixes CVE-2015-8934, CVE-2016-430[0-2], CVE-2016-5844 => libarchive 3.2.1 fixes CVE-2015-8934, CVE-2016-430[0-2], CVE-2016-4809, CVE-2016-5844

Comment 13 Brian Rockwell 2016-06-30 05:57:28 CEST
The following 4 packages are going to be installed:

- bsdcat-3.2.1-1.mga5.x86_64
- bsdcpio-3.2.1-1.mga5.x86_64
- bsdtar-3.2.1-1.mga5.x86_64
- lib64archive13-3.2.1-1.mga5.x86_64

---installed properly

---checked whether version picked up.

[brian@localhost ~]$ bsdcpio  -h
bsdcpio: manipulate archive files
First option must be a mode specifier:
  -i Input  -o Output  -p Pass
Common Options:
  -v Verbose filenames     -V  one dot per file
Create: bsdcpio -o [options]  < [list of files] > [archive]
  -J,-y,-z,--lzma  Compress archive with xz/bzip2/gzip/lzma
  --format {odc|newc|ustar}  Select archive format
List: bsdcpio -it < [archive]
Extract: bsdcpio -i [options] < [archive]
bsdcpio 3.2.1 -- libarchive 3.2.1 zlib/1.2.8 liblzma/5.2.0 bz2lib/1.0.6

Ran a compress

ls *.o* | bsdcpio -ov > archive.cpio
3186 blocks


Now did a list:

[brian@localhost restore]$ bsdcpio -it < ../archive.cpio
3186 blocks
[brian@localhost restore]$

Did the restore and verified files

so cpio works.


--- trying bsdtar

[brian@localhost restore]$ bsdtar -cvf archive.tar.gz chapter1.odt chapter2.odt
a chapter1.odt
a chapter2.odt

[brian@localhost restore]$ ls *.gz
archive.tar.gz

---list contents

[brian@localhost restore]$ bsdtar -tvf archive.tar.gz
-rw-r--r--  0 brian  brian   21827 Jun 29 22:47 chapter1.odt
-rw-r--r--  0 brian  brian   23976 Jun 29 22:47 chapter2.odt
[brian@localhost restore]$

seems to be working as designed.

CC: (none) => brtians1

Comment 14 Brian Rockwell 2016-06-30 05:58:39 CEST
ran bsdcat - it was able to cat a file fine.

Whiteboard: has_procedure => has_procedure MGA5-64-OK
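The QA check in comments 13 and 14 (confirm the tools now link against libarchive 3.2.1, then exercise a cpio create/list/extract cycle) can be scripted so it gives a pass/fail result instead of relying on reading the output by eye. The script below is an added example, not part of this bug report or of the Mageia QA procedure it links to. It assumes `bsdcpio --version` prints a banner of the same form as the last line of `bsdcpio -h` quoted above; the sample files it archives are constructed stand-ins for the .o and .odt files used in the manual run.

```shell
#!/bin/sh
# Added example (not from the bug report): script the QA verification.
#  1. parse the banner printed by bsdcpio/bsdtar and check that the linked
#     libarchive is at least 3.2.1, the release the advisory names;
#  2. if bsdcpio is installed, run a cpio create/list/extract round trip and
#     compare the extracted files with the originals byte for byte.

FIXED_VERSION=3.2.1

# Pull the libarchive version out of a banner such as the one bsdcpio prints:
#   bsdcpio 3.2.1 -- libarchive 3.2.1 zlib/1.2.8 liblzma/5.2.0 bz2lib/1.0.6
# Prints nothing when the banner carries no "libarchive X.Y.Z" field.
libarchive_version_from_banner() {
    printf '%s\n' "$1" | sed -n 's/.*libarchive \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# version_ge HAVE WANT: succeed when dotted version HAVE >= WANT.
# Numeric fields only; a missing field counts as 0 (3.2 == 3.2.0).
version_ge() {
    have="$1.0.0" want="$2.0.0"
    i=1
    while [ "$i" -le 3 ]; do
        h=$(printf '%s\n' "$have" | cut -d. -f"$i")
        w=$(printf '%s\n' "$want" | cut -d. -f"$i")
        if [ "${h:-0}" -gt "${w:-0}" ]; then return 0; fi
        if [ "${h:-0}" -lt "${w:-0}" ]; then return 1; fi
        i=$((i + 1))
    done
    return 0
}

# banner_is_fixed BANNER: succeed when the banner reports libarchive >= 3.2.1.
banner_is_fixed() {
    v=$(libarchive_version_from_banner "$1")
    if [ -z "$v" ]; then return 1; fi
    version_ge "$v" "$FIXED_VERSION"
}

# cpio_roundtrip: create, list and extract a cpio archive with bsdcpio, then
# compare the extracted files with the originals.
# Returns 0 on success, 1 on any failure or mismatch, 2 if bsdcpio is absent.
cpio_roundtrip() {
    command -v bsdcpio >/dev/null 2>&1 || return 2
    work=$(mktemp -d) || return 1
    mkdir -p "$work/src" "$work/restore"
    # constructed sample input: one text file and one 4 KiB binary file
    printf 'chapter one\n' > "$work/src/chapter1.txt"
    head -c 4096 /dev/urandom > "$work/src/chapter2.bin"
    (cd "$work/src" && ls | bsdcpio -o --format newc > "$work/archive.cpio") || return 1
    bsdcpio -it < "$work/archive.cpio" > "$work/listing" || return 1
    (cd "$work/restore" && bsdcpio -i < "$work/archive.cpio") || return 1
    rc=0
    for f in chapter1.txt chapter2.bin; do
        grep -qx "$f" "$work/listing" || rc=1            # listed in the archive
        cmp -s "$work/src/$f" "$work/restore/$f" || rc=1  # restored intact
    done
    rm -rf "$work"
    return "$rc"
}

main() {
    banner=$(bsdcpio --version 2>&1) || { echo "bsdcpio not installed"; exit 2; }
    if banner_is_fixed "$banner"; then
        echo "OK: $banner"
    else
        echo "NOT FIXED (need libarchive >= $FIXED_VERSION): $banner"; exit 1
    fi
    if cpio_roundtrip; then
        echo "OK: cpio create/list/extract round trip"
    else
        echo "FAIL: cpio round trip (status $?)"; exit 1
    fi
}

# Run the checks only when invoked with --run, so the functions can also be
# sourced and exercised on a machine without the libarchive tools installed.
if [ "${1:-}" = "--run" ]; then main; fi
```

Run it as `sh check-libarchive.sh --run` on the updated system; an exit status of 0 means both the version check and the round trip passed. The version comparison is numeric per field rather than a string compare, so it does not misjudge a future 3.10.x release as older than 3.2.1.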

Dave Hodgins 2016-07-05 16:43:07 CEST

Keywords: (none) => validated_update
Whiteboard: has_procedure MGA5-64-OK => has_procedure MGA5-64-OK advisory
CC: (none) => davidwhodgins, sysadmin-bugs

Comment 15 Mageia Robot 2016-07-05 17:48:12 CEST
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2016-0239.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED

David Walser 2016-07-06 18:40:23 CEST

URL: (none) => http://lwn.net/Vulnerabilities/693575/

