Bug 20223 - libarchive new security issue CVE-2017-5601
Summary: libarchive new security issue CVE-2017-5601
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 5
Hardware: All
OS: Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: https://lwn.net/Vulnerabilities/713146/
Whiteboard: advisory MGA5-32-OK MGA5-64-OK
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2017-02-01 02:11 CET by David Walser
Modified: 2017-02-20 14:01 CET
CC: 3 users

See Also:
Source RPM: libarchive-3.2.2-1.mga6.src.rpm
CVE:
Status comment:


Description David Walser 2017-02-01 02:11:14 CET
Debian-LTS has issued an advisory today (January 31):
https://lwn.net/Alerts/713127/

The upstream commit is linked from here:
https://security-tracker.debian.org/tracker/CVE-2017-5601

Mageia 5 is also affected.
David Walser 2017-02-01 02:11:24 CET

Whiteboard: (none) => MGA5TOO

Comment 1 Nicolas Salguero 2017-02-01 11:49:21 CET
Suggested advisory:
========================

The updated packages fix a security vulnerability:

An error in the lha_read_file_header_1() function (archive_read_support_format_lha.c) in libarchive 3.2.2 allows remote attackers to trigger an out-of-bounds read memory access and subsequently cause a crash via a specially crafted archive. (CVE-2017-5601)

References:
https://lwn.net/Alerts/713127/
https://security-tracker.debian.org/tracker/CVE-2017-5601
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5601
========================

Updated packages in core/updates_testing:
========================
lib(64)archive13-3.2.2-1.1.mga5
lib(64)archive-devel-3.2.2-1.1.mga5
bsdtar-3.2.2-1.1.mga5
bsdcpio-3.2.2-1.1.mga5
bsdcat-3.2.2-1.1.mga5

from SRPMS:
libarchive-3.2.2-1.1.mga5.src.rpm

Status: NEW => ASSIGNED
Version: Cauldron => 5
Assignee: nicolas.salguero => qa-bugs
Whiteboard: MGA5TOO => (none)

Dave Hodgins 2017-02-03 00:51:54 CET

CC: (none) => davidwhodgins
Whiteboard: (none) => advisory

Comment 2 Herman Viaene 2017-02-08 16:04:10 CET
MGA5-32 on Asus A6000VM Xfce
No installation issues
At CLI:
$ strace -o libarchive.txt engrampa
Created an empty test.tar.gz archive and added to it a folder containing 39 subfolders and 620 files of all sorts (odt, doc, ods, xlsx, odp, jpeg, png, pnm, pdf and some more).
Found numerous calls to libarchive in the trace.
Moved the test.tar.gz archive to another folder and extracted it there. Found all folders back, opened some files of different types, no problem found.

CC: (none) => herman.viaene
Whiteboard: advisory => advisory MGA5-32-OK

Comment 3 Dave Hodgins 2017-02-20 07:04:26 CET
Similar testing on my x86_64 system.

Validating the update

CC: (none) => sysadmin-bugs
Whiteboard: advisory MGA5-32-OK => advisory MGA5-32-OK MGA5-64-OK
Keywords: (none) => validated_update

Comment 4 Mageia Robot 2017-02-20 14:01:09 CET
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2017-0056.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED
