Bug 26691 - libarchive new security issue CVE-2019-20509
Summary: libarchive new security issue CVE-2019-20509
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA7-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2020-05-27 00:29 CEST by David Walser
Modified: 2020-06-11 00:58 CEST
CC: 4 users

See Also:
Source RPM: libarchive-3.4.0-1.1.mga7.src.rpm
CVE:
Status comment:



Description David Walser 2020-05-27 00:29:13 CEST
Fedora has issued an advisory today (May 26):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/6OTE7GWASH2ZOVG5H3HEN5PR6B3KF7JB/

The issue is fixed upstream in 3.4.1.
Comment 1 Nicolas Lécureuil 2020-05-27 21:54:18 CEST
I updated Mageia 7 to legacy version 3.4.3

 libarchive-3.4.3-1.mga7

Assignee: nicolas.salguero => qa-bugs
CC: (none) => mageia

Comment 2 David Walser 2020-05-27 21:58:42 CEST
Thanks, we should have done that last time; could have avoided this.

Advisory:
========================

Updated libarchive packages fix security vulnerability:

archive_read_support_format_lha.c in libarchive before 3.4.1 does not ensure
valid sizes for UTF-16 input, which allows remote attackers to cause a denial
of service (heap-based buffer over-read and application crash) via a crafted
LHA archive (CVE-2019-20509).

The libarchive package has been updated to version 3.4.3, fixing this issue and
other bugs.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20509
https://github.com/libarchive/libarchive/releases/tag/v3.4.1
https://github.com/libarchive/libarchive/releases/tag/v3.4.2
https://github.com/libarchive/libarchive/releases/tag/v3.4.3
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/6OTE7GWASH2ZOVG5H3HEN5PR6B3KF7JB/
========================

Updated packages in core/updates_testing:
========================
libarchive13-3.4.3-1.mga7
libarchive-devel-3.4.3-1.mga7
bsdtar-3.4.3-1.mga7
bsdcpio-3.4.3-1.mga7
bsdcat-3.4.3-1.mga7

from libarchive-3.4.3-1.mga7.src.rpm
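The advisory text in Comment 2 describes the bug class (a size field for UTF-16 input that is not validated before the data is read, leading to a heap over-read). The following is an added illustration of the kind of check a parser needs; it is not libarchive's code and assumes a simplified layout of a 2-byte little-endian byte count followed by UTF-16LE data.

```c
#include <stddef.h>
#include <stdint.h>

/* Illustrative reader for a length-prefixed UTF-16LE field inside an
 * archive header buffer (assumed layout, not libarchive's). Returns the
 * number of UTF-16 code units copied to out, or -1 on invalid input. */
int read_utf16_field(const uint8_t *buf, size_t buflen,
                     uint16_t *out, size_t out_units)
{
    size_t size;

    /* The size prefix itself must lie inside the buffer. */
    if (buflen < 2)
        return -1;
    size = (size_t)buf[0] | ((size_t)buf[1] << 8);

    /* The declared size must be even (whole UTF-16 code units) and must fit
     * in the bytes that remain. Skipping this check is what lets a crafted
     * size value drive reads past the end of the heap allocation. */
    if (size % 2 != 0 || size > buflen - 2)
        return -1;
    if (size / 2 > out_units)
        return -1;

    for (size_t i = 0; i < size / 2; i++)
        out[i] = (uint16_t)buf[2 + 2 * i] | ((uint16_t)buf[3 + 2 * i] << 8);
    return (int)(size / 2);
}

/* Constructed sample inputs (not taken from any real archive). */
static const uint8_t good_field[]      = {0x04, 0x00, 'h', 0x00, 'i', 0x00}; /* "hi" */
static const uint8_t oversized_field[] = {0xFF, 0xFF, 'h', 0x00};            /* claims 65535 bytes */
static const uint8_t odd_field[]       = {0x03, 0x00, 'h', 0x00, 'i'};       /* odd byte count */
```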
Comment 3 Herman Viaene 2020-05-29 15:32:52 CEST
MGA7-64 Plasma on Lenovo B50
No installation issues
Ref bug 24337 for testing.
At CLI:
$ cd Documents/
$ ls
 calib/                     helloworld.class         lib64ssh4.txt    strace.txt           volkstuintjes/
 example.lit                helloworld.java          libgit2.txt      t89-halftone.pdf     wireshark_dns.pcap
 function.json-decode.php   httpparser.txt           libseccomp.txt   testencode.php       wiresharkmerged
 function.json-encode.php   ilmbase.txt              okra/            testpythonbleach/    wiresharktest
 hellodojo.html            'kwis 6  oktober 2015'/   pea.py           testvim.txt          wiresharktest50
'helloworld$1.class'        lib64ntlm0.txt           php/             viewvc.testing.txt

$ bsdtar -c -f ~/archtar *
Checked the archtar file with ark: all folders and files show up. Extracted the archtar to ~/tmp: all files and folders show up OK.

Whiteboard: (none) => MGA7-64-OK
CC: (none) => herman.viaene

Comment 4 Thomas Andrews 2020-05-30 15:37:05 CEST
Validating. Advisory in Comment 2.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Nicolas Lécureuil 2020-06-11 00:16:32 CEST

Keywords: (none) => advisory

Comment 5 Mageia Robot 2020-06-11 00:58:27 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0253.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

