Bug 23437 - libarchive new security issues CVE-2017-1450[13]
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA6-32-OK MGA6-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2018-08-13 23:12 CEST by David Walser
Modified: 2018-08-31 23:13 CEST

See Also:
Source RPM: libarchive-3.3.1-1.1.mga6.src.rpm
CVE: CVE-2017-14501, CVE-2017-14503
Status comment:


Description David Walser 2018-08-13 23:12:41 CEST
Ubuntu has issued an advisory today (August 13):
https://usn.ubuntu.com/3736-1/

Mageia 5 and Mageia 6 are also affected.
Comment 1 Marja Van Waes 2018-08-16 12:16:28 CEST
Assigning to the registered maintainer.

CC: (none) => marja11
Assignee: bugsquad => nicolas.salguero

Comment 2 Nicolas Salguero 2018-08-27 11:19:11 CEST
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

An out-of-bounds read flaw exists in parse_file_info in archive_read_support_format_iso9660.c in libarchive 3.3.2 when extracting a specially crafted iso9660 iso file, related to archive_read_format_iso9660_read_header. (CVE-2017-14501)

libarchive 3.3.2 suffers from an out-of-bounds read within lha_read_data_none() in archive_read_support_format_lha.c when extracting a specially crafted lha archive, related to lha_crc16. (CVE-2017-14503)

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14501
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14503
https://usn.ubuntu.com/3736-1/
========================

Updated packages in core/updates_testing:
========================
lib(64)archive13-3.3.1-1.2.mga6
lib(64)archive-devel-3.3.1-1.2.mga6
bsdtar-3.3.1-1.2.mga6
bsdcpio-3.3.1-1.2.mga6
bsdcat-3.3.1-1.2.mga6

from SRPMS:
libarchive-3.3.1-1.2.mga6.src.rpm

Assignee: nicolas.salguero => qa-bugs
Version: Cauldron => 6
CVE: (none) => CVE-2017-14501, CVE-2017-14503
Status: NEW => ASSIGNED
Source RPM: libarchive-3.3.2-3.mga7.src.rpm => libarchive-3.3.1-1.1.mga6.src.rpm

Comment 3 Herman Viaene 2018-08-28 15:44:01 CEST
MGA6-32  MATE on IBM Thinkpad R50e
No installation issues.
As normal user at CLI:
$ cd Afbeeldingen/
$ bsdtar -c -f ~/archtar *
Checking contents of archtar in home folder with engrampa shows correct files from Afbeeldingen.
OK for me.

Whiteboard: (none) => MGA6-32-OK
CC: (none) => herman.viaene

Comment 4 Len Lawrence 2018-08-30 01:13:42 CEST
The CVEs have reproducers; following these up for x86_64 and reporting tomorrow.

CC: (none) => tarazed25

Comment 5 Len Lawrence 2018-08-30 02:22:47 CEST
Mageia 6, x86_64
Before updating:
----------------
CVE-2017-14501
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=875966
$ gzip -d oob.iso.gz
$ bsdtar -xOf oob.iso
bsdtar: Invalid length of directory record
bsdtar: Error exit delayed from previous errors.
$ valgrind --quiet -- bsdtar -xOf oob.iso
==9805== Invalid read of size 1
==9805==    at 0x4E72079: ??? (in /usr/lib64/libarchive.so.13.3.1)

CVE-2017-14503
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=875960
$ bsdtar -xOf oob.lha
Segmentation fault (core dumped)
$ valgrind bsdtar -xOf oob.lha
==31453== Use of uninitialised value of size 8
[...]
==31453==  Address 0x6e35e16 is 6 bytes after a block of size 65,536 alloc'd
[...]
Segmentation fault (core dumped)

That is an out-of-bounds read.

Updated the five packages.
After the updates:
------------------
CVE-2017-14501
$ bsdtar -xOf oob.iso
bsdtar: Invalid directory record length
bsdtar: Error exit delayed from previous errors.
$ valgrind bsdtar -xOf oob.iso
bsdtar: Invalid directory record length
bsdtar: Error exit delayed from previous errors.

Not really much of a change but it looks like the exploit is handled OK.

CVE-2017-14503
$ bsdtar -xOf oob.lha
bsdtar: Invalid LHa entry size
bsdtar: Error exit delayed from previous errors.

That is an improvement - no segfault.

$ cd /data/bin/
$ bsdtar -c -f bintar *
Checked bintar with engrampa (thanks Herman) to confirm that all the files and subdirectories were there.

$ bsdcat hardware.txt.gz
shpchp          : Intel Corporation|9 Series Chipset Family PCI Express Root Port 3 [BRIDGE_PCI] (vendor:8086 device:8c94) (rev: d0)
xhci_pci        : Intel Corporation|9 Series Chipset Family USB xHCI Controller [SERIAL_USB] (vendor:8086 device:8cb1 subv:1462 subd:7816)
shpchp          : ASMedia Technology Inc.|ASM1083/1085 PCIe to PCI Bridge [BRIDGE_PCI] (vendor:1b21 device:1080) (rev: 03)
[...]

That is OK.

$ cd temp
$ bsdtar -x -f bintar

This extracted the contents into the current directory.

Looks OK for 64-bits.

Whiteboard: MGA6-32-OK => MGA6-32-OK MGA6-64-OK
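
Comment 5 compares the before and after runs by reading output that looks almost the same in both cases. As an added example (not part of the bug report or of Mageia's QA tooling), this script turns that comparison into a verdict using valgrind's --error-exitcode option; the function names and the marker value 99 are assumptions of the sketch.

```shell
#!/bin/sh
# Added example, not part of the bug report. VG_ERR is an arbitrary marker
# value chosen here; the function names are hypothetical.
VG_ERR=99

# classify_run STATUS LOGFILE: print one verdict for a single reproducer run.
classify_run() {
    cr_status=$1
    cr_log=$2
    # Memcheck findings look like "==9805== Invalid read of size 1".
    if [ "$cr_status" -eq "$VG_ERR" ] || grep -Eq \
        '^==[0-9]+== +(Invalid (read|write) of size|Use of uninitialised value)' "$cr_log"
    then
        echo memory-error
    # A shell reports death by signal N as 128+N (SIGSEGV is 11, so 139).
    elif [ "$cr_status" -gt 128 ] || grep -q 'Segmentation fault' "$cr_log"; then
        echo crash
    # Non-zero exit with no memory finding: the parser refused the input.
    elif [ "$cr_status" -ne 0 ]; then
        echo clean-reject
    else
        echo accepted
    fi
}

# check_reproducer FILE: run bsdtar on FILE under valgrind and classify it.
# Extracted data goes to /dev/null; only diagnostics are kept.
check_reproducer() {
    ck_log=$(mktemp) || return 2
    ck_status=0
    valgrind --quiet --error-exitcode="$VG_ERR" \
        bsdtar -xOf "$1" >/dev/null 2>"$ck_log" || ck_status=$?
    classify_run "$ck_status" "$ck_log"
    rm -f "$ck_log"
}

# Run against the files named on the command line, if any.
for f in "$@"; do
    printf '%s: %s\n' "$f" "$(check_reproducer "$f")"
done
```

A fixed package should report clean-reject for both reproducers; memory-error or crash means the out-of-bounds read is still reachable.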

Thomas Backlund 2018-08-31 22:19:40 CEST

Keywords: (none) => advisory, validated_update
CC: (none) => tmb, sysadmin-bugs

Comment 6 Mageia Robot 2018-08-31 23:13:18 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0361.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED
