Ubuntu has issued an advisory today (August 13): https://usn.ubuntu.com/3736-1/ Mageia 5 and Mageia 6 are also affected.
Assigning to the registered maintainer.
CC: (none) => marja11
Assignee: bugsquad => nicolas.salguero

Suggested advisory:
========================

The updated packages fix security vulnerabilities:

An out-of-bounds read flaw exists in parse_file_info in archive_read_support_format_iso9660.c in libarchive 3.3.2 when extracting a specially crafted iso9660 iso file, related to archive_read_format_iso9660_read_header. (CVE-2017-14501)

libarchive 3.3.2 suffers from an out-of-bounds read within lha_read_data_none() in archive_read_support_format_lha.c when extracting a specially crafted lha archive, related to lha_crc16. (CVE-2017-14503)

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14501
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14503
https://usn.ubuntu.com/3736-1/
========================

Updated packages in core/updates_testing:
========================
lib(64)archive13-3.3.1-1.2.mga6
lib(64)archive-devel-3.3.1-1.2.mga6
bsdtar-3.3.1-1.2.mga6
bsdcpio-3.3.1-1.2.mga6
bsdcat-3.3.1-1.2.mga6

from SRPMS:
libarchive-3.3.1-1.2.mga6.src.rpm

Assignee: nicolas.salguero => qa-bugs
Version: Cauldron => 6
CVE: (none) => CVE-2017-14501, CVE-2017-14503
Status: NEW => ASSIGNED
Source RPM: libarchive-3.3.2-3.mga7.src.rpm => libarchive-3.3.1-1.1.mga6.src.rpm
MGA6-32 MATE on IBM Thinkpad R50e
No installation issues.
As normal user at CLI:
$ cd Afbeeldingen/
$ bsdtar -c -f ~/archtar *
Checking contents of archtar in home folder with engrampa shows correct files from Afbeeldingen.
OK for me.

Whiteboard: (none) => MGA6-32-OK
CC: (none) => herman.viaene
The CVEs have reproducers; following these up for x86_64 and reporting tomorrow.
CC: (none) => tarazed25
Mageia 6, x86_64

Before updating:
----------------
CVE-2017-14501
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=875966
$ gzip -d oob.iso.gz
$ bsdtar -xOf oob.iso
bsdtar: Invalid length of directory record
bsdtar: Error exit delayed from previous errors.
$ valgrind --quiet -- bsdtar -xOf oob.iso
==9805== Invalid read of size 1
==9805== at 0x4E72079: ??? (in /usr/lib64/libarchive.so.13.3.1)

CVE-2017-14503
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=875960
$ bsdtar -xOf oob.lha
Segmentation fault (core dumped)
$ valgrind bsdtar -xOf oob.lha
==31453== Use of uninitialised value of size 8
[...]
==31453== Address 0x6e35e16 is 6 bytes after a block of size 65,536 alloc'd
[...]
Segmentation fault (core dumped)

That is an out-of-bounds read.

Updated the five packages.

After the updates:
------------------
CVE-2017-14501
$ bsdtar -xOf oob.iso
bsdtar: Invalid directory record length
bsdtar: Error exit delayed from previous errors.
$ valgrind bsdtar -xOf oob.iso
bsdtar: Invalid directory record length
bsdtar: Error exit delayed from previous errors.

Not really much of a change but it looks like the exploit is handled OK.

CVE-2017-14503
$ bsdtar -xOf oob.lha
bsdtar: Invalid LHa entry size
bsdtar: Error exit delayed from previous errors.

That is an improvement - no segfault.

$ cd /data/bin/
$ bsdtar -c -f bintar *
Checked bintar with engrampa (thanks Herman) to confirm that all the files and subdirectories were there.

$ bsdcat hardware.txt.gz
shpchp : Intel Corporation|9 Series Chipset Family PCI Express Root Port 3 [BRIDGE_PCI] (vendor:8086 device:8c94) (rev: d0)
xhci_pci : Intel Corporation|9 Series Chipset Family USB xHCI Controller [SERIAL_USB] (vendor:8086 device:8cb1 subv:1462 subd:7816)
shpchp : ASMedia Technology Inc.|ASM1083/1085 PCIe to PCI Bridge [BRIDGE_PCI] (vendor:1b21 device:1080) (rev: 03)
[...]
That is OK.

$ cd temp
$ bsdtar -x -f bintar
This extracted the contents into the current directory.

Looks OK for 64-bits.
Whiteboard: MGA6-32-OK => MGA6-32-OK MGA6-64-OK
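
Added example, not part of the original thread or of Mageia's QA tooling: a shell helper for the before/after reproducer check above. It tells a crash, a clean rejection and a valgrind-reported memory error apart, since the pre-update oob.iso run exited with an ordinary error while valgrind reported an invalid read. The function names and the exit-code marker 99 are assumptions of this example.

```sh
#!/bin/sh
# Added example: classify how an archive tool ends on a reproducer file.
# MEMCHECK_EXIT is a constructed marker for valgrind's --error-exitcode.
MEMCHECK_EXIT=99

# classify_status STATUS [memcheck]: map an exit status to a verdict.
classify_status() {
    if [ "$1" -eq 0 ]; then
        echo ok
    elif [ "${2:-}" = memcheck ] && [ "$1" -eq "$MEMCHECK_EXIT" ]; then
        echo memcheck-error              # valgrind reported e.g. an invalid read
    elif [ "$1" -gt 128 ]; then
        sig=$(( $1 - 128 ))              # shells report death by signal N as 128+N
        name=$(kill -l "$sig" 2>/dev/null) || name=$sig
        echo "crash:$name"
    else
        echo rejected                    # clean error exit: input was refused
    fi
}

# classify_run CMD...: run CMD with output discarded and classify the result.
classify_run() {
    status=0
    "$@" >/dev/null 2>&1 || status=$?
    classify_status "$status"
}

# classify_memcheck CMD...: same, under valgrind.
classify_memcheck() {
    status=0
    valgrind --quiet --error-exitcode="$MEMCHECK_EXIT" "$@" >/dev/null 2>&1 || status=$?
    classify_status "$status" memcheck
}

# check_sample FILE: fail if bsdtar crashes or trips memcheck on FILE.
check_sample() {
    plain=$(classify_run bsdtar -xOf "$1")
    mem=skipped
    if command -v valgrind >/dev/null 2>&1; then
        mem=$(classify_memcheck bsdtar -xOf "$1")
    fi
    echo "$1: plain=$plain memcheck=$mem"
    case "$plain $mem" in *crash*|*memcheck-error*) return 1 ;; esac
}

# Usage: sh check.sh oob.iso oob.lha   (does nothing when given no files)
for f in "$@"; do check_sample "$f" || echo "FAIL: $f"; done
```

A fixed package should report `plain=rejected memcheck=rejected` for both reproducers; `ok` would mean the crafted file was accepted without complaint.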
Keywords: (none) => advisory, validated_update
CC: (none) => tmb, sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2018-0361.html
Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED