Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 586086 - <app-arch/libarchive-3.2.1-r1: Multiple vulnerabilities
Summary: <app-arch/libarchive-3.2.1-r1: Multiple vulnerabilities
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal major (vote)
Assignee: Gentoo Security
URL:
Whiteboard: A2 [glsa glsa]
Keywords:
Depends on: CVE-2015-8916, CVE-2015-8917, CVE-2015-8918, CVE-2015-8919, CVE-2015-8920, CVE-2015-8921, CVE-2015-8922, CVE-2015-8923, CVE-2015-8924, CVE-2015-8925, CVE-2015-8926, CVE-2015-8927, CVE-2015-8928, CVE-2015-8929, CVE-2015-8930, CVE-2015-8931, CVE-2015-8932, CVE-2015-8933, CVE-2015-8934
Blocks:
  Show dependency tree
 
Reported: 2016-06-16 08:30 UTC by Agostino Sarubbo
Modified: 2017-01-01 14:34 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2016-06-16 08:30:14 UTC
From https://bugzilla.redhat.com/show_bug.cgi?id=1347084:

A cpio archive with a ridiculously large symlink can cause memory allocation
to fail, resulting in any attempt to view or extract the archive crashing.
The failed allocation appears to be handled correctly within libarchive and
not lead to further issues.

External references:
    https://github.com/libarchive/libarchive/issues/705

Upstream fix:
    https://github.com/libarchive/libarchive/commit/fd7e0c02



From https://bugzilla.redhat.com/show_bug.cgi?id=1347085:

The ISO9660 writer is subject to integer overflows when verifying the
filename size. This can lead to a crash when writing ISO9660 images with
2GB or 4GB filenames.

External references:
    https://github.com/libarchive/libarchive/files/295073/libarchiveOverflow.txt    
https://github.com/libarchive/libarchive/issues/711

Upstream fix:
    https://github.com/libarchive/libarchive/commit/3014e198


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Aaron Bauman (RETIRED) gentoo-dev 2016-06-27 13:08:20 UTC
Both fixes are upstream in the 3.2.1 release.
Comment 2 Aaron Bauman (RETIRED) gentoo-dev 2016-07-06 03:19:51 UTC
Added to existing GLSA.
Comment 3 Thomas Deutschmann (RETIRED) gentoo-dev 2017-01-01 14:16:24 UTC
(In reply to Agostino Sarubbo from comment #0)
> From https://bugzilla.redhat.com/show_bug.cgi?id=1347084:
> 
> A cpio archive with a ridiculously large symlink can cause memory allocation
> to fail, resulting in any attempt to view or extract the archive crashing.
> The failed allocation appears to be handled correctly within libarchive and
> not lead to further issues.
> 
> External references:
>     https://github.com/libarchive/libarchive/issues/705
> 
> Upstream fix:
>     https://github.com/libarchive/libarchive/commit/fd7e0c02

CVE-2016-4809 via bug 598950


> From https://bugzilla.redhat.com/show_bug.cgi?id=1347085:
> 
> The ISO9660 writer is subject to integer overflows when verifying the
> filename size. This can lead to a crash when writing ISO9660 images with
> 2GB or 4GB filenames.
> 
> External references:
>    
> https://github.com/libarchive/libarchive/files/295073/libarchiveOverflow.txt
> 
> https://github.com/libarchive/libarchive/issues/711
> 
> Upstream fix:
>     https://github.com/libarchive/libarchive/commit/3014e198

CVE-2016-6250 via bug 598950
Comment 4 GLSAMaker/CVETool Bot gentoo-dev 2017-01-01 14:34:36 UTC
This issue was resolved and addressed in
 GLSA 201701-03 at https://security.gentoo.org/glsa/201701-03
by GLSA coordinator Thomas Deutschmann (whissi).