Bug 3941 - libarchive missing security update for CVE-2011-1777 and CVE-2011-1778
Summary: libarchive missing security update for CVE-2011-1777 and CVE-2011-1778
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 1
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact:
URL:
Whiteboard:
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2011-12-30 03:46 CET by David Walser
Modified: 2012-01-09 15:49 CET (History)
3 users (show)

See Also:
Source RPM: libarchive-2.8.4-2.mga1.src.rpm
CVE:
Status comment:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description David Walser 2011-12-30 03:46:01 CET 
Mandriva issued this advisory on December 18:
http://lists.mandriva.com/security-announce/2011-12/msg00015.php
Comment 1 Anssi Hannula 2011-12-30 05:10:46 CET 
Suggested advisory:
========================
Updated libarchive packages fix security vulnerabilities:

Two heap-based buffer overflow flaws were discovered in libarchive. If
a user were tricked into expanding a specially-crafted ISO 9660
CD-ROM image or tar archive with an application using libarchive,
it could cause the application to crash or, potentially, execute
arbitrary code with the privileges of the user running the application
(CVE-2011-1777, CVE-2011-1778).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1777
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1778
http://www.mandriva.com/en/support/security/advisories/?dis=2011&name=MDVSA-2011:190
========================

Updated packages in core/updates_testing:
=====================
bsdtar-2.8.4-2.1.mga1
bsdcpio-2.8.4-2.1.mga1
lib(64)archive2-2.8.4-2.1.mga1
lib(64)archive-devel-2.8.4-2.1.mga1

from libarchive-2.8.4-2.1.mga1 src.rpm.
=====================

No testcase.

Status: NEW => ASSIGNED
CC: (none) => anssi.hannula
Assignee: bugsquad => qa-bugs

Comment 2 claire robinson 2011-12-31 14:15:27 CET 
ark is unable to open ISO's with the updated libarchive for me.
Comment 3 David Walser 2011-12-31 17:56:53 CET 
I can confirm the regression with opening ISOs on i586.
Comment 4 Anssi Hannula 2012-01-01 02:35:52 CET 
The redhat/mdv patch was broken in several places, I've now fixed it and informed the redhat bugzilla ticket about it:
https://bugzilla.redhat.com/show_bug.cgi?id=705849#c23

I'll also send a note to Mandriva security team.

libarchive-2.8.4-2.2.mga1 now submitted to core/updates_testing, please test (it seems to fix the issues for me).
Comment 5 David Walser 2012-01-01 04:45:04 CET 
I can confirm that this update works on i586.  Thanks Anssi (and thanks claire for noticing the bug).
Comment 6 claire robinson 2012-01-05 15:13:16 CET 
Testing complete x86_64

SRPM: libarchive-2.8.4-2.2.mga1

Suggested advisory:
========================
Updated libarchive packages fix security vulnerabilities:

Two heap-based buffer overflow flaws were discovered in libarchive. If
a user were tricked into expanding a specially-crafted ISO 9660
CD-ROM image or tar archive with an application using libarchive,
it could cause the application to crash or, potentially, execute
arbitrary code with the privileges of the user running the application
(CVE-2011-1777, CVE-2011-1778).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1777
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1778
http://www.mandriva.com/en/support/security/advisories/?dis=2011&name=MDVSA-2011:190
========================


Could sysadmin please push from core/updates_testing to core/updates

Thankyou!

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Hardware: i586 => All

Comment 7 Thomas Backlund 2012-01-09 15:49:31 CET 
update pushed

Status: ASSIGNED => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED
Note You need to log in before you can comment on or make changes to this bug.