Bug 154334 - app-arch/bsdtar: infinite loop [CVE-2006-5680]
Bug#: 154334
Product: Gentoo Security
Version: unspecified
Platform: All
OS/Version: Linux
Status: RESOLVED
Severity: normal
Priority: P2
Resolution: FIXED
Assigned To: security@gentoo.org
Reported By: taviso@gentoo.org
Component: Vulnerabilities
URL: http://security.freebsd.org/advisories/FreeBSD-SA-06:24.libarchive.asc
Summary: app-arch/bsdtar: infinite loop [CVE-2006-5680]
Keywords:
Status Whiteboard: C3? [noglsa]
Opened: 2006-11-07 02:41 0000

Infinite loop in bsdtar when handling truncated archives.
Flameeyes, please prepare an updated ebuild, but do not commit until after 8
Nov 2006 14:00 UTC.
Rink Springer is credited with the discovery of this bug.
Also, should I update the stage we release for Gentoo/FreeBSD? Both 6.1 and
6.2, x86 and sparc, use the vulnerable bsdtar.
I don't see any need to update stages for this. Just a DoS and we don't
normally rebuild for each security issue.
public now
flameeyes, pls commit the ebuild
From the advisory:

II. Problem Description

If the end of an archive is reached while attempting to "skip" past a
region of an archive, libarchive will enter an infinite loop wherein it
repeatedly attempts (and fails) to read further data.

III. Impact

An attacker able to cause a system to extract (via "tar -x" or another
application which uses libarchive) or list the contents (via "tar -t" or
another libarchive-using application) of an archive provided by the
attacker can cause libarchive to enter an infinite loop and use all
available CPU time.

Thx Diego.
amd64 please test and mark stable.
Emerges and works fine on amd64.
Portage 2.1.1-r1 (default-linux/amd64/2006.1/desktop, gcc-4.1.1, glibc-2.4-r4,
2.6.18-suspend2-Dudebox-Edition x86_64)
=================================================================
System uname: 2.6.18-suspend2-Dudebox-Edition x86_64 AMD Athlon(tm) 64
Processor 3200+
Gentoo Base System version 1.12.6
Last Sync: Wed, 08 Nov 2006 05:00:01 +0000
distcc 2.18.3 x86_64-pc-linux-gnu (protocols 1 and 2) (default port 3632)
[enabled]
ccache version 2.3 [enabled]
app-admin/eselect-compiler: [Not Present]
dev-java/java-config: 1.3.7, 2.0.30
dev-lang/python: 2.4.3-r4
dev-python/pycrypto: 2.0.1-r5
dev-util/ccache: 2.3
dev-util/confcache: [Not Present]
sys-apps/sandbox: 1.2.17
sys-devel/autoconf: 2.13, 2.60
sys-devel/automake: 1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2
sys-devel/binutils: 2.16.1-r3
sys-devel/gcc-config: 1.3.13-r4
sys-devel/libtool: 1.5.22
virtual/os-headers: 2.6.11-r2
ACCEPT_KEYWORDS="amd64"
AUTOCLEAN="yes"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=k8 -msse3 -Os -pipe"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config
/usr/kde/3.5/shutdown /usr/share/X11/xkb /usr/share/config /var/qmail/control"
CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/gconf
/etc/java-config/vms/ /etc/revdep-rebuild /etc/terminfo"
CXXFLAGS="-march=k8 -msse3 -Os -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoconfig ccache collision-protect distcc distlocks
metadata-transfer multilib-strict parallel-fetch sandbox sfperms strict test"
GENTOO_MIRRORS="ftp://linux.rz.ruhr-uni-bochum.de/gentoo-mirror/
ftp:///ftp-stud.fht-esslingen.de/pub/Mirrors/gentoo/"
LDFLAGS="-Wl,-O1"
MAKEOPTS="-j4"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress
--force --whole-file --delete --delete-after --stats --timeout=180
--exclude='/distfiles' --exclude='/local' --exclude='/packages'"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage_overlay"
SYNC="rsync://server/gentoo-portage"
USE="amd64 X alsa apache2 berkdb bitmap-fonts cairo cdr cli cracklib crypt cups
dbus dlloader dri dvd dvdr eds elibc_glibc emboss encode esd fam firefox
fortran gcj gdbm gif gpm gstreamer gtk gtk2 hal iconv imap
input_devices_keyboard input_devices_mouse isdnlog jpeg kde kdeenablefinal
kdehiddenvisibility kernel_linux libg++ mad mikmod mp3 mpeg mysql ncurses nls
nptl nptlonly objc objc++ ogg oss pam pcre perl png ppds pppd python qt3 qt4
quicktime readline reflection sdl session spell spl sqlite ssl tcpd test
truetype truetype-fonts type1-fonts udev unicode userland_GNU
video_cards_radeon vorbis xml xorg xv zlib"
Unset: CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LC_ALL, LINGUAS,
PORTAGE_RSYNC_EXTRA_OPTS
security, please vote on GLSA publication
I don't get the impact of this. Is this what is used on Gentoo/FreeBSD instead
of gnu tar? Or is it just the BSD tar? If the latter I vote NO, else yes
(thinking automation).
It is used by default on Gentoo/FreeBSD as the default tar command, and can be used
on Linux as an alternative command too.
Thanks Diego, I was afraid you'd say that .-)
So I vote YES here.
Two NO votes -> Closing with NO GLSA. Feel free to reopen if you disagree.
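
The skip failure quoted from the advisory above, modelled as an added example; this is not libarchive's code and not part of the original bug report. The stream type, the function names and the 64-byte read size are all assumptions made for illustration: one skip loop ignores a zero-length read at end of input, the other treats it as a truncation error.

```c
#include <stddef.h>
#include <stdio.h>

#define BLOCK 64  /* assumed maximum bytes returned by one read */

/* Constructed stand-in for an archive stream: only the bytes left matter. */
struct src { size_t left; };

/* Consume up to `want` bytes; returns bytes consumed, 0 at end of input. */
static size_t src_read(struct src *s, size_t want) {
    size_t n = want < BLOCK ? want : BLOCK;
    if (n > s->left)
        n = s->left;
    s->left -= n;
    return n;
}

/* Flawed pattern: a zero-length read is not treated as an error, so the loop
 * stops making progress once a truncated input is exhausted. `cap` exists
 * only so this demonstration terminates. Returns the read attempts made. */
static unsigned long skip_flawed(size_t have, size_t to_skip, unsigned long cap) {
    struct src s = { have };
    unsigned long attempts = 0;
    while (to_skip > 0 && attempts < cap) {
        to_skip -= src_read(&s, to_skip);   /* subtracts 0 forever after EOF */
        attempts++;
    }
    return attempts;
}

/* Hardened pattern: end of input before the skip completes is a fatal
 * truncation error. Returns 0 on success, -1 on truncated input. */
static int skip_checked(size_t have, size_t to_skip) {
    struct src s = { have };
    while (to_skip > 0) {
        size_t n = src_read(&s, to_skip);
        if (n == 0)
            return -1;                      /* stop instead of retrying */
        to_skip -= n;
    }
    return 0;
}

int main(void) {
    /* Constructed case: the header asks to skip 512 bytes, only 100 remain. */
    printf("flawed, truncated:  %lu attempts (capped)\n", skip_flawed(100, 512, 1000));
    printf("flawed, complete:   %lu attempts\n", skip_flawed(512, 512, 1000));
    printf("checked, truncated: %d\n", skip_checked(100, 512));
    printf("checked, complete:  %d\n", skip_checked(512, 512));
    return 0;
}
```

Without the cap, the flawed loop on the truncated input never returns, which matches the "use all available CPU time" impact in the advisory.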