Bug 26290 - libarchive new security issues CVE-2019-19221 and CVE-2020-9308
Summary: libarchive new security issues CVE-2019-19221 and CVE-2020-9308
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All
OS: Linux
Priority: Normal
Severity: major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA7-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
Reported: 2020-03-02 21:28 CET by David Walser
Modified: 2020-03-06 17:16 CET (History)

See Also:
Source RPM: libarchive-3.4.0-1.mga7.src.rpm
CVE: CVE-2019-19221, CVE-2020-9308
Status comment:



Description David Walser 2020-03-02 21:28:05 CET
Ubuntu has issued an advisory today (March 2):
https://usn.ubuntu.com/4293-1/

The issues are fixed upstream in 3.4.1 and 3.4.2, respectively.
David Walser 2020-03-02 21:36:38 CET

Status comment: (none) => Fixed upstream in 3.4.2

Comment 1 Nicolas Salguero 2020-03-03 09:05:00 CET
Suggested advisory:
========================

The updated packages fix several issues including security vulnerabilities:

In Libarchive 3.4.0, archive_wstring_append_from_mbs in archive_string.c has an out-of-bounds read because of an incorrect mbrtowc or mbtowc call. For example, bsdtar crashes via a crafted archive. (CVE-2019-19221)

archive_read_support_format_rar5.c in libarchive before 3.4.2 attempts to unpack a RAR5 file with an invalid or corrupted header (such as a header size of zero), leading to a SIGSEGV or possibly unspecified other impact. (CVE-2020-9308)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19221
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9308
https://usn.ubuntu.com/4293-1/
========================

Updated packages in core/updates_testing:
========================
lib(64)archive13-3.4.0-1.1.mga7
lib(64)archive-devel-3.4.0-1.1.mga7
bsdtar-3.4.0-1.1.mga7
bsdcpio-3.4.0-1.1.mga7
bsdcat-3.4.0-1.1.mga7

from SRPMS:
libarchive-3.4.0-1.1.mga7.src.rpm

Assignee: bugsquad => qa-bugs
CC: (none) => nicolas.salguero
CVE: (none) => CVE-2019-19221, CVE-2020-9308
Status: NEW => ASSIGNED
Status comment: Fixed upstream in 3.4.2 => (none)
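
The CVE-2019-19221 text in the advisory above attributes the out-of-bounds read to an incorrect mbrtowc() or mbtowc() call. The following is an added example written for this page, not libarchive's code: a bounded multibyte-to-wide conversion in which the byte limit handed to mbrtowc() is always the number of unread source bytes, plus a small measurement of how far a single mbrtowc() call will read when told a larger limit than the caller actually owns. It assumes that the faulty form was passing some count other than the remaining source bytes; the status codes, function names, the locale names it tries and the sample byte strings are all constructed for the example.

```c
/* bounded_mbs.c: bounded multibyte -> wide conversion (added example, not
 * libarchive code). Build: cc -std=c99 -Wall bounded_mbs.c -o bounded_mbs */
#include <locale.h>
#include <stdio.h>
#include <string.h>
#include <wchar.h>

enum { MB_OK = 0, MB_INVALID = -1, MB_TRUNCATED = -2, MB_NOSPACE = -3 };

/* Select a UTF-8 locale so mbrtowc() sees multibyte sequences. Returns 1 on
 * success, 0 if none of the (assumed) locale names is installed; the ASCII
 * cases still work in the plain "C" locale. */
int utf8_locale_ready(void)
{
    static int ready = -1;
    if (ready < 0)
        ready = setlocale(LC_CTYPE, "C.UTF-8") != NULL
             || setlocale(LC_CTYPE, "en_US.UTF-8") != NULL;
    return ready;
}

/* Convert at most mbs_len bytes of mbs into out (out_cap wide chars, including
 * room for the terminating L'\0'); *out_len receives the count produced.
 * The limit passed to mbrtowc() is always the number of source bytes still
 * unread, so the call can never look past mbs + mbs_len. The pattern this
 * guards against is handing mbrtowc() some other count (for example the free
 * space left in the destination), which lets it keep reading continuation
 * bytes beyond the input when the last sequence is cut off. */
int mbs_to_wcs_bounded(const char *mbs, size_t mbs_len,
                       wchar_t *out, size_t out_cap, size_t *out_len)
{
    mbstate_t st;
    size_t n = 0;
    memset(&st, 0, sizeof st);
    if (out_cap == 0) return MB_NOSPACE;
    while (mbs_len > 0 && *mbs != '\0') {
        if (n + 1 >= out_cap) return MB_NOSPACE;
        size_t r = mbrtowc(&out[n], mbs, mbs_len, &st);
        if (r == (size_t)-1) return MB_INVALID;    /* malformed sequence */
        if (r == (size_t)-2) return MB_TRUNCATED;  /* sequence cut off at mbs_len */
        if (r == 0) break;                         /* decoded a NUL */
        mbs += r; mbs_len -= r; n++;
    }
    out[n] = L'\0';
    *out_len = n;
    return MB_OK;
}

/* How many bytes one mbrtowc() call consumes from buf when told 'limit' bytes
 * are available. The caller still owns the bytes past 'limit' here, so this
 * only measures the over-read; it does not fault. */
size_t bytes_consumed_with_limit(const char *buf, size_t limit)
{
    mbstate_t st;
    wchar_t wc;
    memset(&st, 0, sizeof st);
    return mbrtowc(&wc, buf, limit, &st);
}

/* Wrappers returning only the status code / the number of wide chars (-1 on error). */
int convert_rc(const char *mbs, size_t mbs_len, size_t out_cap)
{
    wchar_t out[16]; size_t n = 0;
    if (out_cap > 16) out_cap = 16;
    return mbs_to_wcs_bounded(mbs, mbs_len, out, out_cap, &n);
}
long convert_len(const char *mbs, size_t mbs_len, size_t out_cap)
{
    wchar_t out[16]; size_t n = 0;
    if (out_cap > 16) out_cap = 16;
    if (mbs_to_wcs_bounded(mbs, mbs_len, out, out_cap, &n) != MB_OK) return -1;
    return (long)n;
}

int main(void)
{
    /* Constructed input: "é" (C3 A9), 'x', then bytes the caller has NOT handed over. */
    static const char sample[] = "\xC3\xA9x\xC3\xA9";
    printf("UTF-8 locale: %s\n", utf8_locale_ready() ? "yes" : "no");
    printf("limit 3 -> rc %d, %ld chars\n", convert_rc(sample, 3, 16), convert_len(sample, 3, 16));
    printf("limit 1 -> rc %d (MB_TRUNCATED is %d)\n", convert_rc(sample, 1, 16), MB_TRUNCATED);
    printf("mbrtowc told 1 byte consumes %ld; told 2 bytes consumes %ld\n",
           (long)bytes_consumed_with_limit(sample, 1), (long)bytes_consumed_with_limit(sample, 2));
    return 0;
}
```

The point of the last two lines of output is that mbrtowc() itself has no idea where the caller's buffer ends: the only thing that stops it reading the second byte is the limit argument, so that argument has to be the number of bytes actually left in the source.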

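The CVE-2020-9308 text above gives a RAR5 header size of zero as the corrupted case. The following is an added example for this page, not libarchive's RAR5 reader: a minimal parser for the first RAR5 base block (signature, CRC32 field, vint header size, header type and flags, following the RAR5 format layout) that refuses a zero or oversized header size and bounds every read by the input buffer before the size is used. The CRC is read but not verified, the sample byte strings are constructed with placeholder CRCs, and the status codes and function names are the example's own.

```c
/* rar5_hdr.c: validate a RAR5 base block header before trusting its size
 * (added example, not libarchive code). Build: cc -std=c99 -Wall rar5_hdr.c */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { RAR5_OK = 0, RAR5_BAD_SIG = -1, RAR5_SHORT = -2,
       RAR5_ZERO_SIZE = -3, RAR5_TOO_BIG = -4, RAR5_BAD_VINT = -5 };

#define RAR5_MAX_HEADER (2u * 1024u * 1024u)   /* header size limit from the RAR5 format */

struct rar5_base {
    uint32_t crc;        /* stored CRC32 of the header (not verified here) */
    uint64_t hdr_size;   /* bytes from the type field to the end of the header */
    uint64_t type, flags, extra_size, data_size;
};

static const uint8_t rar5_sig[8] = { 'R','a','r','!',0x1A,0x07,0x01,0x00 };

/* RAR5 vint: 7 data bits per byte, high bit set means another byte follows.
 * Reads only within [*pos, end). */
static int read_vint(const uint8_t *p, size_t end, size_t *pos, uint64_t *out)
{
    uint64_t v = 0;
    unsigned shift = 0;
    while (*pos < end && shift < 64) {
        uint8_t b = p[(*pos)++];
        v |= (uint64_t)(b & 0x7F) << shift;
        if (!(b & 0x80)) { *out = v; return 0; }
        shift += 7;
    }
    return -1;   /* ran off the end, or more than 10 bytes */
}

/* Parse the first base block after the signature. Each field is bounded
 * first by the buffer length and then by hdr_size itself; a header that
 * claims size 0 (or more than the 2 MiB maximum, or more than is left in
 * the input) is refused before any of its fields are touched. */
int rar5_parse_first_block(const uint8_t *buf, size_t len, struct rar5_base *h)
{
    size_t pos, hdr_end;
    memset(h, 0, sizeof *h);
    if (len < sizeof rar5_sig || memcmp(buf, rar5_sig, sizeof rar5_sig) != 0)
        return RAR5_BAD_SIG;
    pos = sizeof rar5_sig;
    if (len - pos < 4) return RAR5_SHORT;
    h->crc = (uint32_t)buf[pos] | (uint32_t)buf[pos+1] << 8
           | (uint32_t)buf[pos+2] << 16 | (uint32_t)buf[pos+3] << 24;
    pos += 4;
    if (read_vint(buf, len, &pos, &h->hdr_size) != 0) return RAR5_BAD_VINT;
    if (h->hdr_size == 0) return RAR5_ZERO_SIZE;          /* the corrupted case */
    if (h->hdr_size > RAR5_MAX_HEADER) return RAR5_TOO_BIG;
    if (h->hdr_size > len - pos) return RAR5_SHORT;        /* header overruns input */
    hdr_end = pos + (size_t)h->hdr_size;
    if (read_vint(buf, hdr_end, &pos, &h->type) != 0) return RAR5_BAD_VINT;
    if (read_vint(buf, hdr_end, &pos, &h->flags) != 0) return RAR5_BAD_VINT;
    if ((h->flags & 0x01) && read_vint(buf, hdr_end, &pos, &h->extra_size) != 0)
        return RAR5_BAD_VINT;                              /* extra area present */
    if ((h->flags & 0x02) && read_vint(buf, hdr_end, &pos, &h->data_size) != 0)
        return RAR5_BAD_VINT;                              /* data area present */
    return RAR5_OK;
}

/* Wrappers: status only, or the parsed header type (-1 on error). */
int rar5_rc(const uint8_t *buf, size_t len)
{ struct rar5_base h; return rar5_parse_first_block(buf, len, &h); }
int rar5_type(const uint8_t *buf, size_t len)
{ struct rar5_base h; return rar5_parse_first_block(buf, len, &h) == RAR5_OK ? (int)h.type : -1; }

/* Constructed samples; the four CRC bytes are placeholders. */
static const uint8_t sample_eoa[] = {            /* valid end-of-archive block */
    'R','a','r','!',0x1A,0x07,0x01,0x00, 0,0,0,0,
    0x03,   /* header size: 3 bytes follow */
    0x05,   /* type 5 = end of archive */
    0x00,   /* header flags */
    0x00    /* end-of-archive flags */
};
static const uint8_t sample_zero[] = {           /* header size 0 */
    'R','a','r','!',0x1A,0x07,0x01,0x00, 0,0,0,0, 0x00
};
static const uint8_t sample_short[] = {          /* claims 32 bytes, 1 present */
    'R','a','r','!',0x1A,0x07,0x01,0x00, 0,0,0,0, 0x20, 0x05
};

int main(void)
{
    struct rar5_base h;
    int rc = rar5_parse_first_block(sample_eoa, sizeof sample_eoa, &h);
    printf("end-of-archive sample: rc %d, type %llu, hdr_size %llu\n",
           rc, (unsigned long long)h.type, (unsigned long long)h.hdr_size);
    printf("zero-size sample: rc %d (RAR5_ZERO_SIZE is %d)\n",
           rar5_rc(sample_zero, sizeof sample_zero), RAR5_ZERO_SIZE);
    printf("short sample: rc %d (RAR5_SHORT is %d)\n",
           rar5_rc(sample_short, sizeof sample_short), RAR5_SHORT);
    return 0;
}
```

A real reader would also verify the CRC and then walk the extra and data areas using the sizes it just validated; the part that matters for the advisory is that the header size is checked against zero, the format maximum and the remaining input before it is used to bound anything else.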
Comment 2 Herman Viaene 2020-03-04 15:21:02 CET
MGA7-64 Plasma on Lenovo B50
No installation issues
Ref bug 24337 for testing.
At CLI:
$ cd Documents/
$ ls
calib/  example.lit  okra/  php/  wireshark_dns.pcap  wiresharkmerged  wiresharktest50  wiresharktest.pcapng
[tester7@mach5 Documents]$ bsdtar -c -f ~/archtar *
Checked the archtar file with ark: all folders and files show up. Extracted the archtar to ~/tmp: all files and folders show up OK.

Whiteboard: (none) => MGA7-64-OK
CC: (none) => herman.viaene

Comment 3 Thomas Andrews 2020-03-04 16:44:31 CET
Validating. Advisory in Comment 1.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Thomas Backlund 2020-03-06 15:48:25 CET

CC: (none) => tmb
Keywords: (none) => advisory

Comment 4 Mageia Robot 2020-03-06 17:16:02 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0127.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED

