
Bug 366687 (CVE-2010-4666)

Summary: <app-arch/libarchive-2.8.5: Multiple vulnerabilities (CVE-2010-4666, CVE-2011-{1777,1778,1779})
Product: Gentoo Security
Reporter: Tim Sammut (RETIRED) <underling>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: major
CC: alexanderyt, bsd+disabled, ferringb
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: http://www.openwall.com/lists/oss-security/2011/05/09/12
Whiteboard: A2 [glsa]
Package list:
Runtime testing required: ---

Description Tim Sammut (RETIRED) gentoo-dev 2011-05-10 04:15:38 UTC
From the oss-security posting at $URL:

----- Original Message -----
> Hello,
> our maintainer found the following patches:
> -----------
> I was doing some maintenance on bsdtar package and noticed that there
> was a buffer overflow fix upstream, see
> http://code.google.com/p/libarchive/source/detail?r=3158&path=/trunk/libarchive/archive_read_support_format_iso9660.c

Use CVE-2011-1777

> 
> Also SUSE package does not include the
> http://pkgs.fedoraproject.org/gitweb/?p=libarchive.git;a=blob_plain;f=libarchive-2.8.4-iso9660-data-types.patch;hb=HEAD
> patch which seems to be security sensitive also.

I'm not sure I'd call this one security. It's a crash only from what I can
see:

https://code.google.com/p/libarchive/source/detail?r=1984&path=/trunk/libarchive/archive_read_support_format_iso9660.c

It's just silly input to a format string. If you want one I'll assign it
though.

> More overflow fixes:
> 
> http://code.google.com/p/libarchive/source/detail?r=2842

This one needs a 2010 ID.
Use CVE-2010-4666

> http://code.google.com/p/libarchive/source/detail?r=3160

Use CVE-2011-1778

> 
> Use-after-free fix (not sure if exploitable):
> 
> http://code.google.com/p/libarchive/source/detail?r=3038

I'm going to give this an ID, I'd rather have it revoked than not assigned.

Use CVE-2011-1779
Comment 1 Brian Harring gentoo-dev 2011-05-11 04:37:06 UTC
Poking the rest of upstream (specifically the lead kientzle) about this... haven't seen any notification on that end.

Doubt it, but checking into a release being cut for it also; extracting the patches out is potential, but may require tweaking (2.8.4 is near a year old now).
Comment 2 Sebastian Pipping gentoo-dev 2011-12-04 23:45:15 UTC
According to [1] libarchive 2.8.5 fixes this hole.
The current Gentoo stable is 2.8.4-r1.  Can we stabilize 2.8.5?


[1] http://securitytracker.com/id/1026365
Comment 3 Samuli Suominen gentoo-dev 2012-01-13 17:45:01 UTC
(In reply to comment #2)
> According to [1] libarchive 2.8.5 fixes this hole.
> The current Gentoo stable is 2.8.4-r1.  Can we stabilize 2.8.5?
> 
> 
> [1] http://securitytracker.com/id/1026365

sure
Comment 4 Tim Sammut (RETIRED) gentoo-dev 2012-01-13 17:59:53 UTC
Arches, please test and mark stable:
=app-arch/libarchive-2.8.5
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"
Comment 5 Agostino Sarubbo gentoo-dev 2012-01-13 22:03:10 UTC
amd64 stable
Comment 6 Tobias Klausmann gentoo-dev 2012-01-15 14:30:20 UTC
Stable on alpha.
Comment 7 Mark Loeser (RETIRED) gentoo-dev 2012-01-16 20:34:10 UTC
ppc/ppc64 done
Comment 8 Jeroen Roovers gentoo-dev 2012-01-17 05:16:48 UTC
Stable for HPPA.
Comment 9 Markus Meier gentoo-dev 2012-01-18 21:14:07 UTC
arm stable
Comment 10 Jeff (JD) Horelick (RETIRED) gentoo-dev 2012-01-19 00:47:39 UTC
Archtested on x86: Everything fine
Comment 11 Thomas Kahle (RETIRED) gentoo-dev 2012-01-20 10:40:43 UTC
x86 done. thanks JD
Comment 12 Raúl Porcel (RETIRED) gentoo-dev 2012-01-22 15:02:05 UTC
ia64/s390/sh/sparc stable
Comment 13 Tim Sammut (RETIRED) gentoo-dev 2012-01-22 19:10:19 UTC
Thanks, everyone. GLSA request filed.
Comment 14 GLSAMaker/CVETool Bot gentoo-dev 2012-04-28 00:14:58 UTC
CVE-2011-1779 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1779):
  Multiple use-after-free vulnerabilities in libarchive 2.8.4 and 2.8.5 allow
  remote attackers to cause a denial of service (application crash) or
  possibly have unspecified other impact via a crafted (1) TAR archive or (2)
  ISO9660 image.

CVE-2011-1778 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1778):
  Buffer overflow in libarchive through 2.8.5 allows remote attackers to cause
  a denial of service (application crash) or possibly execute arbitrary code
  via a crafted TAR archive.

CVE-2011-1777 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1777):
  Multiple buffer overflows in the (1) heap_add_entry and (2) relocate_dir
  functions in archive_read_support_format_iso9660.c in libarchive through
  2.8.5 allow remote attackers to cause a denial of service (application
  crash) or possibly execute arbitrary code via a crafted ISO9660 image.

CVE-2010-4666 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4666):
  Buffer overflow in libarchive 3.0 pre-release code allows remote attackers
  to cause a denial of service (application crash) or possibly have
  unspecified other impact via a crafted CAB file, which is not properly
  handled during the reading of Huffman code data within LZX compressed data.
Comment 15 GLSAMaker/CVETool Bot gentoo-dev 2014-06-01 15:22:46 UTC
This issue was resolved and addressed in
 GLSA 201406-02 at http://security.gentoo.org/glsa/glsa-201406-02.xml
by GLSA coordinator Sean Amoss (ackle).