Bug 21682 - libarchive new security issue CVE-2017-14166
Summary: libarchive new security issue CVE-2017-14166
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA5TOO MGA5-64-OK MGA6-64-OK MGA6-32...
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2017-09-07 18:42 CEST by David Walser
Modified: 2017-09-10 14:37 CEST (History)

See Also:
Source RPM: libarchive-3.2.2-1.3.mga5.src.rpm
CVE:
Status comment:

Description David Walser 2017-09-07 18:42:03 CEST
A security issue fixed upstream in libarchive has been announced on September 6:
http://openwall.com/lists/oss-security/2017/09/06/5

The message above contains a link to the commit that fixed the issue.
David Walser 2017-09-07 18:42:20 CEST

Assignee: bugsquad => pkg-bugs
CC: (none) => nicolas.salguero
Whiteboard: (none) => MGA6TOO, MGA5TOO

Comment 1 Nicolas Lécureuil 2017-09-07 23:01:56 CEST
Pushed in updates_testing

src.rpm:
        libarchive-3.2.2-1.4.mga5
        libarchive-3.3.1-1.1.mga6

Whiteboard: MGA6TOO, MGA5TOO => MGA5TOO
Assignee: pkg-bugs => qa-bugs
Version: Cauldron => 6
CC: (none) => mageia

Comment 2 David Walser 2017-09-08 00:33:11 CEST
Advisory:
========================

Updated libarchive packages fix security vulnerability:

Heap-based buffer overflow in xml_data() in archive_read_support_format_xar.c
(CVE-2017-14166).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14166
http://openwall.com/lists/oss-security/2017/09/06/5
========================

Updated packages in core/updates_testing:
========================
libarchive13-3.2.2-1.4.mga5
libarchive-devel-3.2.2-1.4.mga5
bsdtar-3.2.2-1.4.mga5
bsdcpio-3.2.2-1.4.mga5
bsdcat-3.2.2-1.4.mga5
libarchive13-3.3.1-1.1.mga6
libarchive-devel-3.3.1-1.1.mga6
bsdtar-3.3.1-1.1.mga6
bsdcpio-3.3.1-1.1.mga6
bsdcat-3.3.1-1.1.mga6

from SRPMS:
libarchive-3.2.2-1.4.mga5.src.rpm
libarchive-3.3.1-1.1.mga6.src.rpm
Comment 3 PC LX 2017-09-08 16:54:43 CEST
Installed and tested without issues.

Tested using bsdtar and ark. Confirmed, using strace, that both use the libarchive.so.13 library.

Tests:
- Created, added and deleted files in compressed (gzip, bzip2, xz) tarballs with both ark and bsdtar.
- Tested, using GNU tar, the tarballs created with bsdtar and ark.
- Extracted tarballs and compared (using diff -r) the extracted files with the original files.
- Tested dozens of tarballs on the system with bsdtar (see commands below).

System: Mageia 5, x86_64, Intel CPU.

$ uname -a
Linux marte 4.4.82-desktop-1.mga5 #1 SMP Sun Aug 13 18:03:58 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
$ rpm -q bsdtar lib64archive13 ark
bsdtar-3.2.2-1.4.mga5
lib64archive13-3.2.2-1.4.mga5
ark-4.14.3-1.mga5
$ find ~/ -ipath '*.tar' -print -exec bsdtar tf '{}' ';' > /dev/null
$ find ~/ -ipath '*.tar.gz' -print -exec bsdtar tfz '{}' ';' > /dev/null
$ find ~/ -ipath '*.tar.bz2' -print -exec bsdtar tfj '{}' ';' > /dev/null
$ # all tar balls tested OK

CC: (none) => mageia
Whiteboard: MGA5TOO => MGA5TOO MGA5-64-OK

Comment 4 Herman Viaene 2017-09-09 11:26:27 CEST
MGA5-32 on Asus A6000VM Xfce
No installation issues.
At CLI as normal user:
$ cd Documenten -- Dutch installation
$ strace -o libarch.txt bsdtar -c -f ~/archtar ~/Afbeeldingen/
bsdtar: Removing leading '/' from member names

archtar created in my home as expected. libarch.txt shows the call to libarch as expected,
BUT
opening archtar with engrampa I found it contained the whole /home, which I did not expect. My mistake or ...?

CC: (none) => herman.viaene
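An added example, not part of the bug report: a POSIX shell script that automates the round-trip check from comment 3 (archive, extract, diff -r) and reports which libarchive shared object the archiver is linked against, using ldd where comment 3 used strace. It archives with `-C dir .` so that members are stored relative to the directory instead of with their full path minus the leading slash, which is the likely reason the archive in comment 4 appeared to contain the whole /home. The archiver defaults to bsdtar and can be overridden with the first argument; the sample tree is constructed by the script, and ldd, diff, seq and mktemp are assumed to be available.

```shell
#!/bin/sh
# Added example, not part of the bug report. Assumes bsdtar (override with $1),
# ldd, diff, seq and mktemp; the sample tree below is constructed here.
set -eu

# Report which libarchive shared object the archiver is linked against.
# Comment 3 confirmed this with strace; ldd answers it without running bsdtar.
archiver_libarchive() {
    ldd "$(command -v "$1")" 2>/dev/null | grep -o 'libarchive\.so\.[0-9]*' | head -n 1
}

# Archive $2 with $1, extract into a fresh directory and compare with diff -r.
# '-C "$src" .' stores members relative to $src, so the archive does not carry
# the full path below $HOME (the "whole /home" seen in comment 4).
roundtrip_check() {
    archiver=$1
    src=$2
    work=$(mktemp -d)
    mkdir "$work/out"
    rc=0
    "$archiver" -cf "$work/test.tar" -C "$src" . \
        && "$archiver" -xf "$work/test.tar" -C "$work/out" \
        && diff -r "$src" "$work/out" >/dev/null \
        || rc=1
    rm -rf "$work"
    return $rc
}

# Constructed sample tree: a text file, a nested directory and a binary file.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/sub/deeper"
    printf 'hello libarchive\n' > "$d/a.txt"
    seq 1 200 > "$d/sub/numbers.txt"
    printf '\001\002\003\377\000tail\n' > "$d/sub/deeper/blob.bin"
    printf '%s\n' "$d"
}

# Run the check for the chosen archiver only if it is installed.
if command -v "${1:-bsdtar}" >/dev/null 2>&1; then
    arch=${1:-bsdtar}
    echo "$arch links: $(archiver_libarchive "$arch")"
    tree=$(make_sample_tree)
    if roundtrip_check "$arch" "$tree"; then echo "round trip OK"; else echo "round trip FAILED"; fi
    rm -rf "$tree"
fi
```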

Comment 5 Brian Rockwell 2017-09-09 19:12:12 CEST
mga6_64

$ uname -a
Linux localhost 4.9.43-desktop-1.mga6 #1 SMP Sun Aug 13 15:52:35 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux

Rpmdrake or one of its priority dependencies needs to be updated first. Rpmdrake will then restart.

The following 9 packages are going to be installed:

- bsdcat-3.3.1-1.1.mga6.x86_64
- bsdcpio-3.3.1-1.1.mga6.x86_64
- bsdtar-3.3.1-1.1.mga6.x86_64
- lib64archive13-3.3.1-1.1.mga6.x86_64
- lib64rpm7-4.13.0.1-3.1.mga6.x86_64
- lib64rpmsign7-4.13.0.1-3.1.mga6.x86_64
- python2-rpm-4.13.0.1-3.1.mga6.x86_64
- python3-rpm-4.13.0.1-3.1.mga6.x86_64
- rpm-4.13.0.1-3.1.mga6.x86_64

181KB of additional disk space will be used.

1.3MB of packages will be retrieved.

Is it ok to continue?

------------

I ran bsdcpio to create a cpio file with text in it. Also ran bsdcat. It seemed to work.

Whiteboard: MGA5TOO MGA5-64-OK => MGA5TOO MGA5-64-OK MGA6-64-OK
CC: (none) => brtians1

Comment 6 Herman Viaene 2017-09-10 11:37:33 CEST
MGA6-32 on Asus A6000VM MATE
No installation issues.
As normal user at CLI:
$ cd Afbeeldingen/    --Pictures
$ strace -o ~/Documenten/libarch.txt bsdtar -c -f ~/archtar *
Trace shows libarchive, archtar is generated at my home directory. Checking contents of archtar shows correct directory and files from Afbeeldingen.
OK for me.
Will repeat this form of the bsdtar command for M5.

Whiteboard: MGA5TOO MGA5-64-OK MGA6-64-OK => MGA5TOO MGA5-64-OK MGA6-64-OK MGA6-32-OK

Comment 7 Herman Viaene 2017-09-10 12:06:39 CEST
MGA-32, test as per Comment 6 is OK also here.

Whiteboard: MGA5TOO MGA5-64-OK MGA6-64-OK MGA6-32-OK => MGA5TOO MGA5-64-OK MGA6-64-OK MGA6-32-OK MGA5-32-OK

Lewis Smith 2017-09-10 13:34:26 CEST

Keywords: (none) => advisory, validated_update
CC: (none) => sysadmin-bugs

Comment 8 Mageia Robot 2017-09-10 14:37:06 CEST
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2017-0337.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED
