154334 2006-11-07 02:41 0000 app-arch/bsdtar: infinite loop [CVE-2006-5680] 2006-11-20 08:22:18 0000 1 Unclassified Gentoo Security Vulnerabilities unspecified All Linux RESOLVED FIXED http://security.freebsd.org/advisories/FreeBSD-SA-06:24.libarchive.asc C3? [noglsa] P2 normal --- 1 taviso@gentoo.org security@gentoo.org flameeyes@gentoo.org taviso@gentoo.org 2006-11-07 02:41:05 0000 infinite loop in bsdtar when handling truncated archives. Flameeyes, please prepare an updated ebuild, but do not commit until after 8 Nov 2006 14:00 UTC. taviso@gentoo.org 2006-11-07 02:41:45 0000 Created an attachment (id=101383) Patch from the FreeBSD project taviso@gentoo.org 2006-11-07 02:42:21 0000 Rink Springer is credited with the discovery of this bug. flameeyes@gentoo.org 2006-11-07 03:00:50 0000 Created an attachment (id=101384) bsdtar-1.3.1-r2.ebuild Here it comes the ebuild. flameeyes@gentoo.org 2006-11-07 03:03:19 0000 (From update of attachment 101383) Rename the patch so that it matches the ebuild's epatch line. flameeyes@gentoo.org 2006-11-07 03:06:12 0000 Also, should I update the stage we release for Gentoo/FreeBSD? Both 6.1 and 6.2, x86 and sparc, use the vulnerable bsdtar. jaervosz@gentoo.org 2006-11-07 03:13:30 0000 I don't see any need to update stages for this. Just a DoS and we don't normally rebuild for each security issue. vorlon@gentoo.org 2006-11-09 06:41:20 0000 public now flameeyes, pls commit the ebuild from the advisory: II. Problem Description If the end of an archive is reached while attempting to "skip" past a region of an archive, libarchive will enter an infinite loop wherein it repeatedly attempts (and fails) to read further data. III. Impact An attacker able to cause a system to extract (via "tar -x" or another application which uses libarchive) or list the contents (via "tar -t" or another libarchive-using application) of an archive provided by the attacker can cause libarchive to enter an infinite loop and use all available CPU time. flameeyes@gentoo.org 2006-11-09 06:50:19 0000 Committed. jaervosz@gentoo.org 2006-11-09 08:24:51 0000 Thx Diego. amd64 please test and mark stable. thedude0001@gmx.de 2006-11-10 18:22:40 0000 Emerges and works fine on amd64. Portage 2.1.1-r1 (default-linux/amd64/2006.1/desktop, gcc-4.1.1, glibc-2.4-r4, 2.6.18-suspend2-Dudebox-Edition x86_64) ================================================================= System uname: 2.6.18-suspend2-Dudebox-Edition x86_64 AMD Athlon(tm) 64 Processor 3200+ Gentoo Base System version 1.12.6 Last Sync: Wed, 08 Nov 2006 05:00:01 +0000 distcc 2.18.3 x86_64-pc-linux-gnu (protocols 1 and 2) (default port 3632) [enabled] ccache version 2.3 [enabled] app-admin/eselect-compiler: [Not Present] dev-java/java-config: 1.3.7, 2.0.30 dev-lang/python: 2.4.3-r4 dev-python/pycrypto: 2.0.1-r5 dev-util/ccache: 2.3 dev-util/confcache: [Not Present] sys-apps/sandbox: 1.2.17 sys-devel/autoconf: 2.13, 2.60 sys-devel/automake: 1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2 sys-devel/binutils: 2.16.1-r3 sys-devel/gcc-config: 1.3.13-r4 sys-devel/libtool: 1.5.22 virtual/os-headers: 2.6.11-r2 ACCEPT_KEYWORDS="amd64" AUTOCLEAN="yes" CBUILD="x86_64-pc-linux-gnu" CFLAGS="-march=k8 -msse3 -Os -pipe" CHOST="x86_64-pc-linux-gnu" CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/X11/xkb /usr/share/config /var/qmail/control" CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/gconf /etc/java-config/vms/ /etc/revdep-rebuild /etc/terminfo" CXXFLAGS="-march=k8 -msse3 -Os -pipe" DISTDIR="/usr/portage/distfiles" FEATURES="autoconfig ccache collision-protect distcc distlocks metadata-transfer multilib-strict parallel-fetch sandbox sfperms strict test" GENTOO_MIRRORS="ftp://linux.rz.ruhr-uni-bochum.de/gentoo-mirror/ ftp:///ftp-stud.fht-esslingen.de/pub/Mirrors/gentoo/" LDFLAGS="-Wl,-O1" MAKEOPTS="-j4" PKGDIR="/usr/portage/packages" PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude='/distfiles' --exclude='/local' --exclude='/packages'" PORTAGE_TMPDIR="/var/tmp" PORTDIR="/usr/portage" PORTDIR_OVERLAY="/usr/local/portage_overlay" SYNC="rsync://server/gentoo-portage" USE="amd64 X alsa apache2 berkdb bitmap-fonts cairo cdr cli cracklib crypt cups dbus dlloader dri dvd dvdr eds elibc_glibc emboss encode esd fam firefox fortran gcj gdbm gif gpm gstreamer gtk gtk2 hal iconv imap input_devices_keyboard input_devices_mouse isdnlog jpeg kde kdeenablefinal kdehiddenvisibility kernel_linux libg++ mad mikmod mp3 mpeg mysql ncurses nls nptl nptlonly objc objc++ ogg oss pam pcre perl png ppds pppd python qt3 qt4 quicktime readline reflection sdl session spell spl sqlite ssl tcpd test truetype truetype-fonts type1-fonts udev unicode userland_GNU video_cards_radeon vorbis xml xorg xv zlib" Unset: CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LC_ALL, LINGUAS, PORTAGE_RSYNC_EXTRA_OPTS blubb@gentoo.org 2006-11-11 04:44:17 0000 mkay, stable then. vorlon@gentoo.org 2006-11-11 10:21:41 0000 security, please vote on GLSA publication jaervosz@gentoo.org 2006-11-12 09:20:29 0000 I vote NO. frilled@gentoo.org 2006-11-13 02:34:18 0000 I don't get the impact of this. Is this what is used on Gentoo/FreeBSD instead of gnu tar? Or is it just the BSD tar? If the latter I vote NO, else yes (thinking automation). flameeyes@gentoo.org 2006-11-13 05:43:49 0000 It is used by default on Gentoo/FreeBSD as default tar command, and can be used on Linux on alternative command too. frilled@gentoo.org 2006-11-13 06:20:43 0000 Thanks Diego, I was afraid you'd say that .-) So I vote YES here. falco@gentoo.org 2006-11-20 07:49:27 0000 i vote a second no jaervosz@gentoo.org 2006-11-20 08:22:18 0000 Two NO votes -> Closing with NO GLSA. Feel free to reopen if you disagree. 101383 2006-11-07 02:41 0000 libarchive-1.3.1-infiniteloop.patch libarchive-1.3.1-infiniteloop.patch text/plain SW5kZXg6IGxpYi9saWJhcmNoaXZlL2FyY2hpdmVfcmVhZF9zdXBwb3J0X2NvbXByZXNzaW9uX25v bmUuYwo9PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09ClJDUyBmaWxlOiAvaG9tZS9uY3ZzL3NyYy9saWIvbGliYXJjaGl2ZS9h cmNoaXZlX3JlYWRfc3VwcG9ydF9jb21wcmVzc2lvbl9ub25lLmMsdgpyZXRyaWV2aW5nIHJldmlz aW9uIDEuOApkaWZmIC11IC1JX19GQlNESUQgLXIxLjggYXJjaGl2ZV9yZWFkX3N1cHBvcnRfY29t cHJlc3Npb25fbm9uZS5jCi0tLSBsaWIvbGliYXJjaGl2ZS9hcmNoaXZlX3JlYWRfc3VwcG9ydF9j b21wcmVzc2lvbl9ub25lLmMJMjkgQXVnIDIwMDYgMDQ6NTk6MjUgLTAwMDAJMS44CisrKyBsaWIv bGliYXJjaGl2ZS9hcmNoaXZlX3JlYWRfc3VwcG9ydF9jb21wcmVzc2lvbl9ub25lLmMJMiBOb3Yg MjAwNiAwNToxNzoyOCAtMDAwMApAQCAtMjU3LDcgKzI1Nyw5IEBACiB9CiAKIC8qCi0gKiBTa2lw IGF0IG1vc3QgcmVxdWVzdCBieXRlcy4gU2tpcHBlZCBkYXRhIGlzIG1hcmtlZCBhcyBjb25zdW1l ZC4KKyAqIFNraXAgZm9yd2FyZCBieSBleGFjdGx5IHRoZSByZXF1ZXN0ZWQgYnl0ZXMgb3IgZWxz ZSByZXR1cm4KKyAqIEFSQ0hJVkVfRkFUQUwuICBOb3RlIHRoYXQgdGhpcyBkaWZmZXJzIGZyb20g dGhlIGNvbnRyYWN0IGZvcgorICogcmVhZF9haGVhZCwgd2hpY2ggZG9lcyBub3QgZ2F1cmFudGVl IGEgbWluaW11bSBjb3VudC4KICAqLwogc3RhdGljIHNzaXplX3QKIGFyY2hpdmVfZGVjb21wcmVz c29yX25vbmVfc2tpcChzdHJ1Y3QgYXJjaGl2ZSAqYSwgc2l6ZV90IHJlcXVlc3QpCkBAIC0yODcs OSArMjg5LDcgQEAKIAlpZiAocmVxdWVzdCA9PSAwKQogCQlyZXR1cm4gKHRvdGFsX2J5dGVzX3Nr aXBwZWQpOwogCS8qCi0JICogSWYgbm8gY2xpZW50X3NraXBwZXIgaXMgcHJvdmlkZWQsIGp1c3Qg cmVhZCB0aGUgb2xkIHdheS4gSXQgaXMgdmVyeQotCSAqIGxpa2VseSB0aGF0IGFmdGVyIHNraXBw aW5nLCB0aGUgcmVxdWVzdCBoYXMgbm90IHlldCBiZWVuIGZ1bGx5Ci0JICogc2F0aXNmaWVkIChh bmQgaXMgc3RpbGwgPiAwKS4gSW4gdGhhdCBjYXNlLCByZWFkIGFzIHdlbGwuCisJICogSWYgYSBj bGllbnRfc2tpcHBlciB3YXMgcHJvdmlkZWQsIHRyeSB0aGF0IGZpcnN0LgogCSAqLwogCWlmIChh LT5jbGllbnRfc2tpcHBlciAhPSBOVUxMKSB7CiAJCWJ5dGVzX3NraXBwZWQgPSAoYS0+Y2xpZW50 X3NraXBwZXIpKGEsIGEtPmNsaWVudF9kYXRhLApAQCAtMzA3LDYgKzMwNywxMiBAQAogCQlhLT5y YXdfcG9zaXRpb24gKz0gYnl0ZXNfc2tpcHBlZDsKIAkJc3RhdGUtPmNsaWVudF9hdmFpbCA9IHN0 YXRlLT5jbGllbnRfdG90YWwgPSAwOwogCX0KKwkvKgorCSAqIE5vdGUgdGhhdCBjbGllbnRfc2tp cHBlciB3aWxsIHVzdWFsbHkgbm90IHNhdGlzZnkgdGhlCisJICogZnVsbCByZXF1ZXN0IChkdWUg dG8gbG93LWxldmVsIGJsb2NraW5nIGNvbmNlcm5zKSwKKwkgKiBzbyBldmVuIGlmIGNsaWVudF9z a2lwcGVyIGlzIHByb3ZpZGVkLCB3ZSBtYXkgc3RpbGwKKwkgKiBoYXZlIHRvIHVzZSBvcmRpbmFy eSByZWFkcyB0byBmaW5pc2ggb3V0IHRoZSByZXF1ZXN0LgorCSAqLwogCXdoaWxlIChyZXF1ZXN0 ID4gMCkgewogCQljb25zdCB2b2lkKiBkdW1teV9idWZmZXI7CiAJCXNzaXplX3QgYnl0ZXNfcmVh ZDsKQEAgLTMxNCw2ICszMjAsMTIgQEAKIAkJICAgICZkdW1teV9idWZmZXIsIHJlcXVlc3QpOwog CQlpZiAoYnl0ZXNfcmVhZCA8IDApCiAJCQlyZXR1cm4gKGJ5dGVzX3JlYWQpOworCQlpZiAoYnl0 ZXNfcmVhZCA9PSAwKSB7CisJCQkvKiBXZSBoaXQgRU9GIGJlZm9yZSB3ZSBzYXRpc2ZpZWQgdGhl IHNraXAgcmVxdWVzdC4gKi8KKwkJCWFyY2hpdmVfc2V0X2Vycm9yKGEsIEFSQ0hJVkVfRVJSTk9f TUlTQywKKwkJCSAgICAiVHJ1bmNhdGVkIGlucHV0IGZpbGUgKG5lZWQgdG8gc2tpcCAlZCBieXRl cykiLCAoaW50KXJlcXVlc3QpOworCQkJcmV0dXJuIChBUkNISVZFX0ZBVEFMKTsKKwkJfQogCQlh c3NlcnQoYnl0ZXNfcmVhZCA+PSAwKTsgLyogcHJlY29uZGl0aW9uIGZvciBjYXN0IGJlbG93ICov CiAJCW1pbiA9IG1pbmltdW0oKHNpemVfdClieXRlc19yZWFkLCByZXF1ZXN0KTsKIAkJYnl0ZXNf cmVhZCA9IGFyY2hpdmVfZGVjb21wcmVzc29yX25vbmVfcmVhZF9jb25zdW1lKGEsIG1pbik7Cg== 101384 2006-11-07 03:00 0000 bsdtar-1.3.1-r2.ebuild bsdtar-1.3.1-r2.ebuild text/plain IyBDb3B5cmlnaHQgMTk5OS0yMDA2IEdlbnRvbyBGb3VuZGF0aW9uCiMgRGlzdHJpYnV0ZWQgdW5k ZXIgdGhlIHRlcm1zIG9mIHRoZSBHTlUgR2VuZXJhbCBQdWJsaWMgTGljZW5zZSB2MgojICRIZWFk ZXI6IC92YXIvY3Zzcm9vdC9nZW50b28teDg2L2FwcC1hcmNoL2JzZHRhci9ic2R0YXItMS4zLjEt cjEuZWJ1aWxkLHYgMS4zIDIwMDYvMTAvMTcgMTI6MDE6MTAgdWJlcmxvcmQgRXhwICQKCldBTlRf QVVUT0NPTkY9bGF0ZXN0CldBTlRfQVVUT01BS0U9bGF0ZXN0Cgppbmhlcml0IGV1dGlscyBhdXRv dG9vbHMgdG9vbGNoYWluLWZ1bmNzIGZsYWctby1tYXRpYwoKTVlfUD0ibGliYXJjaGl2ZS0ke1BW fSIKCkRFU0NSSVBUSU9OPSJCU0QgdGFyIGNvbW1hbmQiCkhPTUVQQUdFPSJodHRwOi8vcGVvcGxl LmZyZWVic2Qub3JnL35raWVudHpsZS9saWJhcmNoaXZlLyIKU1JDX1VSST0iaHR0cDovL3Blb3Bs ZS5mcmVlYnNkLm9yZy9+a2llbnR6bGUvbGliYXJjaGl2ZS9zcmMvJHtNWV9QfS50YXIuZ3oiCgpM SUNFTlNFPSJCU0QiClNMT1Q9IjAiCktFWVdPUkRTPSJ+YW1kNjQgfmhwcGEgfnBwYyB+c3BhcmMt ZmJzZCB+eDg2IH54ODYtZmJzZCIKSVVTRT0iYnVpbGQgc3RhdGljIGFjbCB4YXR0ciIKClJERVBF TkQ9IiFkZXYtbGlicy9saWJhcmNoaXZlCglrZXJuZWxfbGludXg/ICgKCQlhY2w/ICggc3lzLWFw cHMvYWNsICkKCQl4YXR0cj8gKCBzeXMtYXBwcy9hdHRyICkKCSkKCSFzdGF0aWM/ICggIWJ1aWxk PyAoCgkJYXBwLWFyY2gvYnppcDIKCQlzeXMtbGlicy96bGliICkgKSIKREVQRU5EPSIke1JERVBF TkR9CglrZXJuZWxfbGludXg/ICggc3lzLWZzL2UyZnNwcm9ncwoJCXZpcnR1YWwvb3MtaGVhZGVy cyApIgoKUz0iJHtXT1JLRElSfS8ke01ZX1B9IgoKc3JjX3VucGFjaygpIHsKCXVucGFjayAke0F9 CgljZCAiJHtTfSIKCgllcGF0Y2ggIiR7RklMRVNESVJ9Ii9saWJhcmNoaXZlLTEuMy4xLXN0YXRp Yy5wYXRjaAoJZXBhdGNoICIke0ZJTEVTRElSfSIvbGliYXJjaGl2ZS0xLjIuNTctYWNsLnBhdGNo CgllcGF0Y2ggIiR7RklMRVNESVJ9Ii9saWJhcmNoaXZlLTEuMi41My1zdHJpY3QtYWxpYXNpbmcu cGF0Y2gKCWVwYXRjaCAiJHtGSUxFU0RJUn0iL2xpYmFyY2hpdmUtMS4zLjEtaW5maW5pdGVsb29w LnBhdGNoCgoJZWF1dG9yZWNvbmYKCWVwdW50X2N4eAp9CgpzcmNfY29tcGlsZSgpIHsKCWxvY2Fs IG15Y29uZgoKCWlmIHVzZSBzdGF0aWMgfHwgdXNlIGJ1aWxkIDsgdGhlbgoJCW15Y29uZj0iJHtt eWNvbmZ9IC0tZW5hYmxlLXN0YXRpYy1ic2R0YXIiCgllbHNlCgkJbXljb25mPSIke215Y29uZn0g LS1kaXNhYmxlLXN0YXRpYy1ic2R0YXIiCglmaQoKCWVjb25mIFwKCQktLWJpbmRpcj0vYmluIFwK CQkkKHVzZV9lbmFibGUgYWNsKSBcCgkJJCh1c2VfZW5hYmxlIHhhdHRyKSBcCgkJJHtteWNvbmZ9 IHx8IGRpZSAiZWNvbmYgZmFpbGVkIgoJZW1ha2UgfHwgZGllICJlbWFrZSBmYWlsZWQiCn0KCnNy Y19pbnN0YWxsKCkgewoJZW1ha2UgLWoxIERFU1RESVI9IiR7RH0iIGluc3RhbGwgfHwgZGllICJl bWFrZSBpbnN0YWxsIGZhaWxlZCIKCgkjIENyZWF0ZSB0YXIgc3ltbGluayBmb3IgRnJlZUJTRAoJ aWYgW1sgJHtDSE9TVH0gPT0gKi1mcmVlYnNkKiBdXTsgdGhlbgoJCWRvc3ltIGJzZHRhciAvYmlu L3RhcgoJCWRvc3ltIGJzZHRhci4xLmd6IC91c3Ivc2hhcmUvbWFuL21hbjEvdGFyLjEuZ3oKCWZp CgoJaWYgdXNlIGJ1aWxkOyB0aGVuCgkJcm0gLXJmICIke0R9Ii91c3IKCQlybSAtcmYgIiR7RH0i L2xpYi8qLnNvKgoJCXJldHVybiAwCglmaQoKCWRvZGlyIC8kKGdldF9saWJkaXIpCgltdiAiJHtE fSIvdXNyLyQoZ2V0X2xpYmRpcikvKi5zbyogIiR7RH0iLyQoZ2V0X2xpYmRpcikKCWdlbl91c3Jf bGRzY3JpcHQgbGliYXJjaGl2ZS5zbwp9Cg==