Bug 9671 - libarchive new security issue CVE-2013-0211
: libarchive new security issue CVE-2013-0211
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
: 2
: i586 Linux
: Normal Severity: normal
: ---
Assigned To: QA Team
: Sec team
: http://lwn.net/Vulnerabilities/546489/
: has_procedure mga2-32-ok MGA2-64-OK
: validated_update
:
:
  Show dependency treegraph
 
Reported: 2013-04-08 23:00 CEST by David Walser
Modified: 2013-04-18 00:26 CEST (History)
3 users (show)

See Also:
Source RPM: libarchive-3.0.4-2.mga3.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2013-04-08 23:00:07 CEST
Fedora has issued an advisory on March 30:
http://lists.fedoraproject.org/pipermail/package-announce/2013-April/101687.html

Mageia 2 is also probably affected.

Reproducible: 

Steps to Reproduce:
Comment 1 David Walser 2013-04-10 18:14:44 CEST
Patched packages uploaded for Mageia 2 and Cauldron.

Patch checked into Mageia 1 SVN.

Advisory:
========================

Updated libarchive packages fix security vulnerability:

Fabian Yamaguchi reported a read buffer overflow flaw in libarchive on 64-bit
systems where sizeof(size_t) is equal to 8. In the archive_write_zip_data()
function in libarchive/archive_write_set_format_zip.c, the "s" parameter is of
type size_t (64 bit, unsigned) and is cast to a 64 bit signed integer. If "s"
is larger than MAX_INT, it will not be set to "zip->remaining_data_bytes" even
though it is larger than "zip->remaining_data_bytes", which leads to a buffer
overflow when calling deflate(). This can lead to a segfault in an application
that uses libarchive to create ZIP archives (CVE-2013-0211).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0211
http://lists.fedoraproject.org/pipermail/package-announce/2013-April/101687.html
========================

Updated packages in core/updates_testing:
========================
libarchive12-3.0.3-1.1.mga2
libarchive-devel-3.0.3-1.1.mga2
bsdtar-3.0.3-1.1.mga2
bsdcpio-3.0.3-1.1.mga2

from libarchive-3.0.3-1.1.mga2.src.rpm
Comment 2 claire robinson 2013-04-11 16:37:01 CEST
Testing complete mga2 32

Testing libarchive12 with ark, opening several formats including iso which failed with a previous update.

Testing bsdtar and bsdcpio separately


$ ls *.jpg | bsdcpio -ov > somefiles.cpio
22.jpg
6270015-610-407.jpg
7870.jpg
test.jpg
5422 blocks

$ bsdcpio -it < somefiles.cpio
22.jpg
6270015-610-407.jpg
7870.jpg
test.jpg
5422 blocks

$ cd tmp
$ cpio -iv < ~/somefiles.cpio
22.jpg
6270015-610-407.jpg
7870.jpg
test.jpg
5422 blocks

$ ls
22.jpg  6270015-610-407.jpg  7870.jpg  test.jpg

$ bsdtar cJf tarfile.tar.xz *.jpg
$ ls
22.jpg  6270015-610-407.jpg  7870.jpg  test.jpg  tarfile.tar.xz
$ file tarfile.tar.xz
tarfile.tar.xz: XZ compressed data
$ rm -f *.jpg
$ bsdtar xJf tarfile.tar.xz
$ ls
22.jpg  6270015-610-407.jpg  7870.jpg  test.jpg  tarfile.tar.xz
Comment 3 Dave Hodgins 2013-04-11 23:58:56 CEST
Testing complete on Mageia 2 x86-64.

Could someone from the sysadmin team push the srpm
libarchive-3.0.3-1.1.mga2.src.rpm
from Mageia 2 Core Updates Testing to Core Updates.

Advisory: Updated libarchive packages fix security vulnerability:

Fabian Yamaguchi reported a read buffer overflow flaw in libarchive on 64-bit
systems where sizeof(size_t) is equal to 8. In the archive_write_zip_data()
function in libarchive/archive_write_set_format_zip.c, the "s" parameter is of
type size_t (64 bit, unsigned) and is cast to a 64 bit signed integer. If "s"
is larger than MAX_INT, it will not be set to "zip->remaining_data_bytes" even
though it is larger than "zip->remaining_data_bytes", which leads to a buffer
overflow when calling deflate(). This can lead to a segfault in an application
that uses libarchive to create ZIP archives (CVE-2013-0211).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0211
http://lists.fedoraproject.org/pipermail/package-announce/2013-April/101687.html

https://bugs.mageia.org/show_bug.cgi?id=9671
Comment 4 Thomas Backlund 2013-04-18 00:26:25 CEST
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0119

Note You need to log in before you can comment on or make changes to this bug.