Fedora has issued an advisory on April 21: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/X6XSEKB66L7HSSU7YBNH4K6BNY64HLGK/ We already fixed CVE-2017-5601 in Bug 20223. Mageia 5 is also affected.
Whiteboard: (none) => MGA5TOO
I verified that CVE-2016-10209 is already fixed in libarchive-3.3.1 so Cauldron is not affected.
Suggested advisory:
========================
The updated packages fix a security vulnerability:

The archive_wstring_append_from_mbs function in archive_string.c in libarchive 3.2.2 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted archive file. (CVE-2016-10209)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10209
========================
Updated packages in core/updates_testing:
========================
lib(64)archive13-3.2.2-1.2.mga5
lib(64)archive-devel-3.2.2-1.2.mga5
bsdtar-3.2.2-1.2.mga5
bsdcpio-3.2.2-1.2.mga5
bsdcat-3.2.2-1.2.mga5

from SRPMS:
libarchive-3.2.2-1.2.mga5.src.rpm
Assignee: nicolas.salguero => qa-bugs
Source RPM: libarchive-3.3.1-1.mga6.src.rpm => libarchive-3.2.2-1.1.mga5.src.rpm
Whiteboard: MGA5TOO => (none)
Version: Cauldron => 5
CC: (none) => nicolas.salguero
Status: NEW => ASSIGNED
$ uname -a
Linux localhost.localdomain 4.4.59-desktop586-1.mga5 #1 SMP Thu Mar 30 21:18:19 UTC 2017 i686 i686 i686 GNU/Linux
---------------
The following 4 packages are going to be installed:
- bsdcat-3.2.2-1.2.mga5.i586
- bsdcpio-3.2.2-1.2.mga5.i586
- bsdtar-3.2.2-1.2.mga5.i586
- libarchive13-3.2.2-1.2.mga5.i586
158KB of additional disk space will be used.
437KB of packages will be retrieved.
Is it ok to continue?

bsdtar -czf hello.tar.gz helloworld.java
used file to review and open the tar file - worked as designed
bsdcat helloworld.java
produced the output file
CC: (none) => brtians1
Whiteboard: (none) => mga5-32-ok
Nicolas, do we have fixes for CVE-2016-10349 and CVE-2016-10350? http://openwall.com/lists/oss-security/2017/05/01/12 They would only affect Mageia 5.
$ uname -a
Linux localhost 4.4.59-desktop-1.mga5 #1 SMP Thu Mar 30 21:28:55 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux

The following 15 packages are going to be installed:
- bsdcat-3.2.2-1.2.mga5.x86_64
- bsdcpio-3.2.2-1.2.mga5.x86_64
- bsdtar-3.2.2-1.2.mga5.x86_64
- glibc-devel-2.20-24.mga5.x86_64
- kernel-userspace-headers-4.4.65-1.mga5.x86_64
- lib64acl-devel-2.2.52-5.mga5.x86_64
- lib64archive-devel-3.2.2-1.2.mga5.x86_64
- lib64archive13-3.2.2-1.2.mga5.x86_64
- lib64attr-devel-2.4.47-5.mga5.x86_64
- lib64bzip2-devel-1.0.6-7.1.mga5.x86_64
- lib64lzma-devel-5.2.0-1.mga5.x86_64
- lib64lzo-devel-2.09-1.mga5.x86_64
- lib64openssl-devel-1.0.2k-1.mga5.x86_64
- lib64xml2-devel-2.9.4-1.1.mga5.x86_64
- lib64zlib-devel-1.2.8-7.1.mga5.x86_64
28MB of additional disk space will be used.
7.2MB of packages will be retrieved.
Is it ok to continue?

$ bsdcat --version
bsdcat 3.2.2 - libarchive 3.2.2 zlib/1.2.8 liblzma/5.2.0 bz2lib/1.0.6
$ bsdtar -czf file.tar.gz filelist.txt clamdoc.pdf
$ bsdcat filelist.txt
$ bsdcpio -o < filelist.txt > file

It created a file I could review and extract with arc. From what I can tell everything is working as designed.
Whiteboard: mga5-32-ok => mga5-32-ok mga5-64-ok
Adding the feedback tag until we get an answer for Comment 4.
Whiteboard: mga5-32-ok mga5-64-ok => mga5-32-ok mga5-64-ok feedback
According to https://github.com/libarchive/libarchive/issues/834 (CVE-2016-10349) and https://github.com/libarchive/libarchive/issues/835 (CVE-2016-10350), this commit fixes both issues: https://github.com/libarchive/libarchive/commit/88eb9e1d73fef46f04677c25b1697b8e25777ed3 so I added the patch.

Suggested advisory:
========================
The updated packages fix security vulnerabilities:

The archive_wstring_append_from_mbs function in archive_string.c in libarchive 3.2.2 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted archive file. (CVE-2016-10209)

The archive_le32dec function in archive_endian.h in libarchive 3.2.2 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted file. (CVE-2016-10349)

The archive_read_format_cab_read_header function in archive_read_support_format_cab.c in libarchive 3.2.2 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted file. (CVE-2016-10350)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10209
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10349
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10350
http://openwall.com/lists/oss-security/2017/05/01/12
========================
Updated packages in core/updates_testing:
========================
lib(64)archive13-3.2.2-1.3.mga5
lib(64)archive-devel-3.2.2-1.3.mga5
bsdtar-3.2.2-1.3.mga5
bsdcpio-3.2.2-1.3.mga5
bsdcat-3.2.2-1.3.mga5

from SRPMS:
libarchive-3.2.2-1.3.mga5.src.rpm
Whiteboard: mga5-32-ok mga5-64-ok feedback => mga5-32-ok mga5-64-ok
Whiteboard: mga5-32-ok mga5-64-ok => (none)
CVE: (none) => CVE-2016-10209, CVE-2016-10349, CVE-2016-10350
Summary: libarchive new security issue CVE-2016-10209 => libarchive new security issues CVE-2016-10209, CVE-2016-10349 and CVE-2016-10350
MGA-32 on Asus A6000VM Xfce No installation issues. Ref bug 20223 Comment 2, did similar test with engrampa archiving a 125Mb folder containing all sorts of documents and a few pictures. Copying the resulting tar.gz to another location and unpacking there was OK.
CC: (none) => herman.viaene
Whiteboard: (none) => MGA5-32-OK
Testing M5-64

After update:
bsdcat-3.2.2-1.3.mga5
bsdcpio-3.2.2-1.3.mga5
bsdtar-3.2.2-1.3.mga5
bsdtar-3.2.2-1.3.mga5
lib64archive13-3.2.2-1.3.mga5

$ gzip cycleRockies2.txt [to have a .gz text file]
$ bsdcat cycleRockies2.txt.gz | less
gave correct output.

$ find . | bsdcpio -ov > ../tmp/test.cpio [archive current directory]
$ cd ../tmp
$ bsdcpio -itvF test.cpio | less
gave good output.
The library is called:
$ strace bsdcpio -itvF test.cpio 2>&1 | grep libarchive
open("/lib64/libarchive.so.13", O_RDONLY|O_CLOEXEC) = 3
Probed the archive (including its embedded CPIO file) with both FileRoller and Ark, all inspections good.
$ bsdcpio -ivF test.cpio
reproduced the original directory tree in the current directory.

$ bsdtar -cvf test.tar . [65Mb mixed, including one .cpio]
The result viewed correctly with:
$ bsdtar -tf test.tar
and the library is called:
$ strace bsdtar -tf test.tar 2>&1 | grep libarchive
open("/lib64/libarchive.so.13", O_RDONLY|O_CLOEXEC) = 3
Probed the archive (including its embedded CPIO file) with both FileRoller and Ark, all inspections good.
$ bsdtar -xvf test.tar
reproduced the original directory tree in the current directory.

The update looks good. Validating. Advisory (Comment 7) to follow.
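The 32-bit and 64-bit test reports above each did a manual archive/list/extract pass plus an strace to confirm that the libarchive shared object is what the tools load. The script below is an added QA helper, not part of this bug report, of Mageia's QA procedure or of libarchive, that turns that into a repeatable check: it archives a constructed sample, lists the members, extracts them elsewhere and compares byte-for-byte, and reports which libarchive.so the archiver links against. It assumes a tar-compatible archiver on PATH and prefers bsdtar when present, falling back to the system tar so the check still runs on a machine without the libarchive front ends; plain -cf is used rather than -czf so the check does not depend on gzip being installed.

```sh
#!/bin/sh
# Added QA helper for the libarchive update; not taken from the bug report.

# Prefer the libarchive front end; fall back to the system tar if absent.
pick_archiver() {
    if command -v bsdtar >/dev/null 2>&1; then
        echo bsdtar
    else
        echo tar
    fi
}

# Print the libarchive shared object the archiver links against, if any.
# Uses ldd (no execution of the binary) instead of the strace from the
# thread; prints nothing when ldd is missing or the tool is not linked
# against libarchive (e.g. the GNU tar fallback).
linked_libarchive() {
    tool=$(command -v "$(pick_archiver)") || return 1
    command -v ldd >/dev/null 2>&1 || return 0
    ldd "$tool" 2>/dev/null | grep -o '/[^ ]*libarchive\.so[^ ]*' | head -n 1
}

# Archive, list, extract and compare inside the given work directory.
_roundtrip_in() {
    work=$1
    archiver=$2
    mkdir -p "$work/src" "$work/out" || return 1
    # Constructed sample input: one text file, one 4 KiB binary blob.
    printf 'hello from the libarchive QA round-trip\n' > "$work/src/sample.txt" || return 1
    dd if=/dev/urandom of="$work/src/blob.bin" bs=1024 count=4 2>/dev/null || return 1

    ( cd "$work/src" && "$archiver" -cf "$work/test.tar" sample.txt blob.bin ) || return 1
    # The listing must name both members exactly.
    "$archiver" -tf "$work/test.tar" | grep -q '^sample.txt$' || return 1
    "$archiver" -tf "$work/test.tar" | grep -q '^blob.bin$'  || return 1
    ( cd "$work/out" && "$archiver" -xf "$work/test.tar" ) || return 1
    # Extracted copies must be identical to the originals.
    cmp -s "$work/src/sample.txt" "$work/out/sample.txt" || return 1
    cmp -s "$work/src/blob.bin"   "$work/out/blob.bin"   || return 1
    return 0
}

# Run the round-trip in a temporary directory and always clean it up.
# Returns 0 when every step succeeded, 1 otherwise.
roundtrip_check() {
    archiver=$(pick_archiver)
    work=$(mktemp -d) || return 1
    _roundtrip_in "$work" "$archiver"
    status=$?
    rm -rf "$work"
    return $status
}

# Stand-alone use: report archiver, linked library and the verdict.
if [ "${0##*/}" = "qa_roundtrip.sh" ]; then
    echo "archiver:   $(pick_archiver)"
    echo "libarchive: $(linked_libarchive)"
    if roundtrip_check; then echo "round-trip: OK"; else echo "round-trip: FAILED"; exit 1; fi
fi
```

On an updated Mageia 5 box the "libarchive:" line should point at /lib64/libarchive.so.13 (or /lib/libarchive.so.13 on i586), matching the strace output in the reports above; an empty line there means the fallback tar was used and the libarchive code path was not exercised.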
Whiteboard: MGA5-32-OK => MGA5-32-OK MGA5-64-OK
Keywords: (none) => validated_update
CC: (none) => lewyssmith, sysadmin-bugs
Whiteboard: MGA5-32-OK MGA5-64-OK => MGA5-32-OK MGA5-64-OK advisory
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2017-0132.html
Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED