
Bug 582526 (CVE-2016-1541)

Summary: <app-arch/libarchive-3.1.2-r5: heap-based buffer overflow due to improper input validation (CVE-2016-1541)
Product: Gentoo Security Reporter: Agostino Sarubbo <ago>
Component: Vulnerabilities Assignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: major CC: bsd+disabled, ssuominen
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://bugzilla.redhat.com/show_bug.cgi?id=1334211
Whiteboard: A2 [glsa cve]
Package list:
Runtime testing required: ---
Bug Depends on: 586182    
Bug Blocks:    

Description Agostino Sarubbo gentoo-dev 2016-05-09 09:36:58 UTC
From ${URL} :

A vulnerability was found in libarchive. A crafted zip file can provide an incorrect compressed size, which may allow an attacker to place arbitrary code on the heap and execute it in the context of the current user. The user must be coerced into unzipping the crafted zip file.

External references:

http://www.kb.cert.org/vuls/id/862384

Upstream fix:

https://github.com/libarchive/libarchive/commit/d0331e8e5b05b475f20b1f3101fe1ad772d7e7e7


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Adam Feldman gentoo-dev 2016-05-11 04:03:44 UTC
Resolved by revbump to 3.1.2-r5 in 0001631411acdce8a01050c8ff0295825cca626c.

Was going to vbump, but since upstream made their first release since 2013 despite active development, a vbump is too much work to expeditiously handle this bug.
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2016-06-27 12:45:28 UTC
CVE-2016-1541 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1541):
  Heap-based buffer overflow in the zip_read_mac_metadata function in
  archive_read_support_format_zip.c in libarchive before 3.2.0 allows remote
  attackers to execute arbitrary code via crafted entry-size values in a ZIP
  archive.
Comment 3 Aaron Bauman (RETIRED) gentoo-dev 2016-06-27 12:49:37 UTC
Added to existing GLSA request.
Comment 4 GLSAMaker/CVETool Bot gentoo-dev 2017-01-01 14:34:28 UTC
This issue was resolved and addressed in
 GLSA 201701-03 at https://security.gentoo.org/glsa/201701-03
by GLSA coordinator Thomas Deutschmann (whissi).
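
Added example (not part of the bug report, and not the upstream fix): a metadata-only triage check for the "incorrect compressed size" condition described above, usable on untrusted archives before they reach an unpatched libarchive. It relies on the general ZIP rule that an unencrypted stored (method 0) entry has equal compressed and uncompressed sizes; treating a mismatch as suspicious is an assumption of this sketch, and the function names and sample archive are constructed here.

```python
import io
import struct
import zipfile

CD_SIG = b"PK\x01\x02"   # central directory file header signature
CD_CSIZE_OFFSET = 20     # offset of the 4-byte compressed-size field in that header


def inconsistent_stored_entries(data: bytes):
    """Return (name, compressed, uncompressed) for stored entries whose
    central-directory sizes disagree. Only metadata is read; nothing is extracted."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.compress_type != zipfile.ZIP_STORED:
                continue  # deflate etc.: the two sizes legitimately differ
            if info.flag_bits & 0x1:
                continue  # encrypted entries carry extra header bytes; not judged here
            if info.compress_size != info.file_size:
                findings.append((info.filename, info.compress_size, info.file_size))
    return findings


def build_sample(tamper: bool) -> bytes:
    """Constructed sample: a one-entry stored archive, optionally with the
    central-directory compressed size overwritten by a wrong value."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("notes.txt", b"hello world")
    raw = bytearray(buf.getvalue())
    if tamper:
        pos = raw.index(CD_SIG) + CD_CSIZE_OFFSET
        struct.pack_into("<I", raw, pos, 4096)  # claims 4096 bytes for 11 bytes of data
    return bytes(raw)


if __name__ == "__main__":
    for label, blob in (("clean", build_sample(False)),
                        ("tampered", build_sample(True))):
        print(label, inconsistent_stored_entries(blob))
```

A clean result does not show an archive is safe for affected versions; the check covers only this one size inconsistency, and upgrading to the fixed package remains the remedy.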