SUSE has issued an advisory on December 7:
http://lists.suse.com/pipermail/sle-security-updates/2018-December/004927.html

The SUSE bug has a link to the upstream fix:
https://bugzilla.suse.com/show_bug.cgi?id=1059134

Mageia 6 is also affected.
Whiteboard: (none) => MGA6TOO
Suggested advisory:
========================

The updated packages fix a security vulnerability:

read_header in archive_read_support_format_rar.c in libarchive 3.3.2 suffers from an off-by-one error for UTF-16 names in RAR archives, leading to an out-of-bounds read in archive_read_format_rar_read_header. (CVE-2017-14502)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14502
http://lists.suse.com/pipermail/sle-security-updates/2018-December/004927.html
========================

Updated packages in core/updates_testing:
========================
lib(64)archive13-3.3.1-1.3.mga6
lib(64)archive-devel-3.3.1-1.3.mga6
bsdtar-3.3.1-1.3.mga6
bsdcpio-3.3.1-1.3.mga6
bsdcat-3.3.1-1.3.mga6

from SRPMS:
libarchive-3.3.1-1.3.mga6.src.rpm

Status: NEW => ASSIGNED
Assignee: nicolas.salguero => qa-bugs
CVE: (none) => CVE-2017-14502
Whiteboard: MGA6TOO => (none)
Version: Cauldron => 6
Debian has issued an advisory on December 27:
https://www.debian.org/security/2018/dsa-4360

It fixes three new issues.

Assignee: qa-bugs => nicolas.salguero
Summary: libarchive new security issue CVE-2017-14502 => libarchive new security issues CVE-2017-14502, CVE-2018-100087[78], CVE-2018-1000880
CC: (none) => qa-bugs
Patches from Debian for 3.3.3 also fix CVE-2018-1000879. Fixed in libarchive-3.3.3-2.mga7 in Cauldron.
Summary: libarchive new security issues CVE-2017-14502, CVE-2018-100087[78], CVE-2018-1000880 => libarchive new security issues CVE-2017-14502, CVE-2018-100087[7-9], CVE-2018-1000880
Advisory:
========================

Updated libarchive packages fix security vulnerabilities:

read_header in archive_read_support_format_rar.c in libarchive 3.3.2 suffers from an off-by-one error for UTF-16 names in RAR archives, leading to an out-of-bounds read in archive_read_format_rar_read_header (CVE-2017-14502).

Multiple security issues were found in libarchive: Processing malformed RAR archives could result in denial of service or the execution of arbitrary code and malformed WARC, LHarc, ISO, Xar or CAB archives could result in denial of service (CVE-2018-1000877, CVE-2018-1000878, CVE-2018-1000879, CVE-2018-1000880).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14502
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000877
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000878
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000879
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000880
http://lists.suse.com/pipermail/sle-security-updates/2018-December/004927.html
https://www.debian.org/security/2018/dsa-4360
========================

Updated packages in core/updates_testing:
========================
libarchive13-3.3.1-1.4.mga6
libarchive-devel-3.3.1-1.4.mga6
bsdtar-3.3.1-1.4.mga6
bsdcpio-3.3.1-1.4.mga6
bsdcat-3.3.1-1.4.mga6

from libarchive-3.3.1-1.4.mga6.src.rpm

CC: qa-bugs => nicolas.salguero
Assignee: nicolas.salguero => qa-bugs
CVE: CVE-2017-14502 => (none)
MGA6-32 MATE on IBM Thinkpad R50e
No installation issues
Ref bug 23437 for tests.
At CLI:
$ cd Afbeeldingen/
$ bsdtar -c -f ~/archtar *
checked contents of archtar with engrampa: all OK
$ cd ../tmp
$ bsdtar -x -f /home/tester6/archtar
Displayed pictures from tmp: all OK

Whiteboard: (none) => m
CC: (none) => herman.viaene
Whiteboard: m => MGA6-32-OK
Testing M6/64

I found some test cases.
CVE-2017-14502: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=875974
CVE-2018-1000877-80: https://bugs.launchpad.net/ubuntu/+source/libarchive/+bug/1794909

BEFORE update, all 4 pkgs at version 3.3.1-1.2, and all results as shown in the POC pages.

CVE-2017-14502
$ bsdtar -xf oob.rar
bsdtar: Unknown file attributes from RAR file's host OS
bsdtar: Error exit delayed from previous errors.

CVE-2018-1000877-80
$ bsdtar -Oxf oob-read.rar
Segmentation fault (core dumped)
$ bsdtar -Oxf uaf-read.rar
Segmentation fault (core dumped)
$ bsdtar -Oxf double-free.rar
5: Unable to allocate memory for uncompressed data.
*** Error in `bsdtar': double free or corruption (!prev): 0x0000000001a17f70 ***
======= Backtrace: =========
...
Aborted (core dumped)
$ bsdtar -Oxf uaf-rw.rar
Segmentation fault (core dumped)

-----------------------------------------
AFTER update
- bsdcat-3.3.1-1.4.mga6.x86_64
- bsdcpio-3.3.1-1.4.mga6.x86_64
- bsdtar-3.3.1-1.4.mga6.x86_64
- lib64archive13-3.3.1-1.4.mga6.x86_64

CVE-2017-14502
$ bsdtar -xf oob.rar
bsdtar: Unknown file attributes from RAR file's host OS
bsdtar: Error exit delayed from previous errors.
Same as before; sigh. But this starts from a no-crash situation (see below), and the output is as shown in the POC page.

CVE-2018-1000877-80
$ bsdtar -Oxf oob-read.rar
\005\377\377\005txt: Truncated RAR file data
bsdtar: Error exit delayed from previous errors.
NO crash.
$ bsdtar -Oxf uaf-read.rar
\005\377\377\005txt: Truncated RAR file data
bsdtar: Error exit delayed from previous errors.
NO crash.
$ bsdtar -Oxf double-free.rar
\005\377\377\005t\206t: Truncated RAR file data
bsdtar: Error exit delayed from previous errors.
NO crash.
$ bsdtar -Oxf uaf-rw.rar
\005\377\377\005txt: Truncated RAR file data
bsdtar: Error exit delayed from previous errors.
NO crash.

This certainly warrants OK & validation.
Keywords: (none) => advisory, validated_update
Whiteboard: MGA6-32-OK => MGA6-32-OK MGA6-64-OK
CC: (none) => lewyssmith, sysadmin-bugs
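
The pass criterion used in the 64-bit test report above (bsdtar stops with an error message instead of dying on a signal) can be checked from the exit status. This is an added example, not part of the bug report; the function names are hypothetical and the archives are whatever regression samples the tester names on the command line.

```shell
#!/bin/sh
# Added example (not from the bug report): tell a crash apart from a clean
# error exit when re-running regression samples against an updated bsdtar.
# Function names are hypothetical; archive paths come from the command line.

# sh and bash report "terminated by signal N" as exit status 128+N.
classify_status() {
    if [ "$1" -eq 0 ]; then
        echo "ok"
    elif [ "$1" -gt 128 ]; then
        echo "crash:$(( $1 - 128 ))"
    else
        echo "error"
    fi
}

# Run a command with output discarded and core dumps disabled, then classify.
run_case() {
    status=0
    ( ulimit -c 0 2>/dev/null || true; "$@" ) >/dev/null 2>&1 || status=$?
    classify_status "$status"
}

# Print one verdict per archive; return non-zero if any run died on a signal.
check_archives() {
    failed=0
    for f in "$@"; do
        verdict=$(run_case bsdtar -Oxf "$f")
        printf '%s\t%s\n' "$verdict" "$f"
        case $verdict in
            crash:*) failed=1 ;;
        esac
    done
    return "$failed"
}

# Only act when archives were named, e.g.: sh check.sh sample1.rar sample2.rar
[ "$#" -eq 0 ] || check_archives "$@"
```

Exit status alone cannot confirm the CVE-2017-14502 case, where the out-of-bounds read gave identical output before and after the update; that needs a run under a memory checker such as valgrind or an AddressSanitizer build.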
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2019-0030.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED