
Bug 586086

Summary: <app-arch/libarchive-3.2.1-r1: Multiple vulnerabilities
Product: Gentoo Security
Reporter: Agostino Sarubbo <ago>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: major
CC: bsd+disabled, ssuominen
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: A2 [glsa glsa]
Package list:
Runtime testing required: ---
Bug Depends on: 586182
Bug Blocks:

Description Agostino Sarubbo gentoo-dev 2016-06-16 08:30:14 UTC
From https://bugzilla.redhat.com/show_bug.cgi?id=1347084:

A cpio archive with a ridiculously large symlink can cause memory allocation
to fail, resulting in any attempt to view or extract the archive crashing.
The failed allocation appears to be handled correctly within libarchive and
not lead to further issues.

External references:
    https://github.com/libarchive/libarchive/issues/705

Upstream fix:
    https://github.com/libarchive/libarchive/commit/fd7e0c02



From https://bugzilla.redhat.com/show_bug.cgi?id=1347085:

The ISO9660 writer is subject to integer overflows when verifying the
filename size. This can lead to a crash when writing ISO9660 images with
2GB or 4GB filenames.

External references:
    https://github.com/libarchive/libarchive/files/295073/libarchiveOverflow.txt
    https://github.com/libarchive/libarchive/issues/711

Upstream fix:
    https://github.com/libarchive/libarchive/commit/3014e198


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
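
One way a filename length check can fail at exactly the 2 GB and 4 GB sizes named in the ISO9660 report above, as an added example that is not part of the original bug report and is not libarchive's code. The function names, the 255-byte limit and the sample lengths are constructed for illustration, and the narrowing to a signed 32-bit value is an assumed pattern, not a description of the upstream source.

```c
#include <inttypes.h>
#include <stdio.h>
#include <string.h>

#define NAME_LIMIT 255u /* constructed limit, not libarchive's value */

/* Flawed pattern: the 64-bit length is narrowed to a signed 32-bit
 * value before it is compared with the limit. */
static int accepts_narrowed(uint64_t name_len)
{
    uint32_t low = (uint32_t)name_len; /* keeps only the low 32 bits */
    int32_t len;
    memcpy(&len, &low, sizeof len);    /* reinterpret as signed, no UB */
    return len <= (int32_t)NAME_LIMIT;
}

/* Hardened pattern: compare in the full unsigned width, never narrow first. */
static int accepts_checked(uint64_t name_len)
{
    return name_len <= (uint64_t)NAME_LIMIT;
}

/* Constructed sample lengths around the 2 GiB and 4 GiB boundaries. */
static const uint64_t samples[] = {
    255u, 256u, (1ull << 31) - 1, 1ull << 31,
    (1ull << 32) - 1, 1ull << 32, (1ull << 32) + 255u, (1ull << 32) + 256u,
};
#define NSAMPLES (sizeof samples / sizeof samples[0])

/* Number of samples the flawed check lets through but the hardened one rejects. */
static unsigned count_false_accepts(void)
{
    unsigned n = 0;
    for (size_t i = 0; i < NSAMPLES; i++)
        if (accepts_narrowed(samples[i]) && !accepts_checked(samples[i]))
            n++;
    return n;
}

int main(void)
{
    for (size_t i = 0; i < NSAMPLES; i++)
        printf("%12" PRIu64 "  narrowed=%d  checked=%d\n", samples[i],
               accepts_narrowed(samples[i]), accepts_checked(samples[i]));
    printf("false accepts: %u\n", count_false_accepts());
    return 0;
}
```

A length of 2 GiB becomes negative after narrowing and 4 GiB becomes zero, so both pass a limit check that a 256-byte name fails.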
Comment 1 Aaron Bauman (RETIRED) gentoo-dev 2016-06-27 13:08:20 UTC
Both fixes are upstream in the 3.2.1 release.
Comment 2 Aaron Bauman (RETIRED) gentoo-dev 2016-07-06 03:19:51 UTC
Added to existing GLSA.
Comment 3 Thomas Deutschmann (RETIRED) gentoo-dev 2017-01-01 14:16:24 UTC
(In reply to Agostino Sarubbo from comment #0)
> From https://bugzilla.redhat.com/show_bug.cgi?id=1347084:
> 
> A cpio archive with a ridiculously large symlink can cause memory allocation
> to fail, resulting in any attempt to view or extract the archive crashing.
> The failed allocation appears to be handled correctly within libarchive and
> not lead to further issues.
> 
> External references:
>     https://github.com/libarchive/libarchive/issues/705
> 
> Upstream fix:
>     https://github.com/libarchive/libarchive/commit/fd7e0c02

CVE-2016-4809 via bug 598950


> From https://bugzilla.redhat.com/show_bug.cgi?id=1347085:
> 
> The ISO9660 writer is subject to integer overflows when verifying the
> filename size. This can lead to a crash when writing ISO9660 images with
> 2GB or 4GB filenames.
> 
> External references:
>     https://github.com/libarchive/libarchive/files/295073/libarchiveOverflow.txt
>     https://github.com/libarchive/libarchive/issues/711
> 
> Upstream fix:
>     https://github.com/libarchive/libarchive/commit/3014e198

CVE-2016-6250 via bug 598950
Comment 4 GLSAMaker/CVETool Bot gentoo-dev 2017-01-01 14:34:36 UTC
This issue was resolved and addressed in
 GLSA 201701-03 at https://security.gentoo.org/glsa/201701-03
by GLSA coordinator Thomas Deutschmann (whissi).