| Field | Value | Field | Value |
|---|---|---|---|
| Summary | <app-arch/libarchive-3.2.1-r3: Multiple vulnerabilities (CVE-2015-{8916,8917,8918,8919,8920,8921,8922,8923,8924,8925,8926,8927,8928,8929,8930,8931,8932,8933,8934}) | | |
| Product | Gentoo Security | Reporter | Hanno Böck <hanno> |
| Component | Vulnerabilities | Assignee | Gentoo Security <security> |
| Status | RESOLVED FIXED | | |
| Severity | normal | CC | np-hardass, ssuominen |
| Priority | Normal | | |
| Version | unspecified | | |
| Hardware | All | | |
| OS | Linux | | |
| Whiteboard | B2 [glsa cve] | | |
| Package list | | Runtime testing required | --- |
| Bug Depends on | | | |
| Bug Blocks | 548110, 552646, 582526, 586086 | | |
Description
Hanno Böck
The rar issue that was unfixed in 3.2.0 (CVE-2015-8934) is now fixed in 3.2.1 (+ one integer overflow issue). Therefore please bump to 3.2.1.

CVE-2015-8915 - CVE-2015-8933 all got assigned to issues fixed in 3.2.0.

(In reply to Hanno Boeck from comment #1)
> The rar issue that was unfixed in 3.2.0 (CVE-2015-8934) is now fixed in
> 3.2.1 (+ one integer overflow issue). Therefore please bump to 3.2.1.
>
> CVE-2015-8915 - CVE-2015-8933 all got assigned to issues fixed in 3.2.0.

Additionally,
http://www.talosintel.com/reports/TALOS-2016-0152/
http://www.talosintel.com/reports/TALOS-2016-0153/
http://www.talosintel.com/reports/TALOS-2016-0154/

I bumped this to 3.2.1.

(In reply to William Hubbs from comment #3)
> I bumped this to 3.2.1.

Thanks!

@maintainer(s), would you like to let it bake for a while or push on to stabilization?

(In reply to Aaron Bauman from comment #4)
> (In reply to William Hubbs from comment #3)
> > I bumped this to 3.2.1.
>
> Thanks!
>
> @maintainer(s), would you like to let it bake for a while or push on to
> stabilization?

I don't really understand what "let it bake for a while" means.

Considering the huge amount of changes in upstream between 3.1 and 3.2, it'd probably be best to hold off on stabilizing immediately, if possible (the reason why I haven't managed to bump it myself was it required a lot of attention).

(In reply to NP-Hardass from comment #5)
> (In reply to Aaron Bauman from comment #4)
> > (In reply to William Hubbs from comment #3)
> > > I bumped this to 3.2.1.
> >
> > Thanks!
> >
> > @maintainer(s), would you like to let it bake for a while or push on to
> > stabilization?
>
> I don't really understand what "let it bake for a while" means.
>
> Considering the huge amount of changes in upstream between 3.1 and 3.2, it'd
> probably be best to hold off on stabilizing immediately, if possible (the
> reason why I haven't managed to bump it myself was it required a lot of
> attention)

Thanks for the information.

Please call for stabilization when you are ready.

Alright, we should be all good to stabilize on all arches. Please note that several arches are listed as unstable arches, but have stable keywords on ~3.1.2, so, after consulting those arches, we should probably just drop stable keywords for those arches. There are currently stable keywords for every arch but mips.

@arches, please stabilize: =app-arch/libarchive-3.2.1-r3

Stable on alpha.

Stable for HPPA PPC64.

amd64 stable

x86 stable

The cc'd arches have stable keywords on 3.1.2, despite being listed as unstable arches. Please either drop stable keywords or stabilize 3.2.1.

Ping @ remaining arches to stabilize so we can drop the security-issue-riddled and ancient versions.

(In reply to NP-Hardass from comment #13)
> The cc'd arches have stable keywords on 3.1.2, despite being listed as
> unstable arches. Please either drop stable keywords or stabilize 3.2.1.
>
>
> Ping @ remaining arches to stabilize so we can drop the security-issue-riddled
> and ancient versions

Yes, they should be dropped as they are not supported by security nor the stable tree. If they currently have stable keywords they do not continue those forward regardless of repoman complaining. The rest of Gentoo should not wait on these, which is why such designations are put in place.

arm stable

sparc stable

ppc stable

ia64 stable

CVE-2015-8934 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-8934): The copy_from_lzss_window function in archive_read_support_format_rar.c in libarchive 3.2.0 and earlier allows remote attackers to cause a denial of service (out-of-bounds heap read) via a crafted rar file.

CVE-2015-8933 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-8933): Integer overflow in the archive_read_format_tar_skip function in archive_read_support_format_tar.c in libarchive before 3.2.0 allows remote attackers to cause a denial of service (crash) via a crafted tar file.

CVE-2015-8932 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-8932): The compress_bidder_init function in archive_read_support_filter_compress.c in libarchive before 3.2.0 allows remote attackers to cause a denial of service (crash) via a crafted tar file, which triggers an invalid left shift.

CVE-2015-8931 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-8931): Multiple integer overflows in the (1) get_time_t_max and (2) get_time_t_min functions in archive_read_support_format_mtree.c in libarchive before 3.2.0 allow remote attackers to have unspecified impact via a crafted mtree file, which triggers undefined behavior.

CVE-2015-8930 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-8930): bsdtar in libarchive before 3.2.0 allows remote attackers to cause a denial of service (infinite loop) via an ISO with a directory that is a member of itself.

CVE-2015-8929 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-8929): Memory leak in the __archive_read_get_extract function in archive_read_extract2.c in libarchive before 3.2.0 allows remote attackers to cause a denial of service via a tar file.

CVE-2015-8928 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-8928): The process_add_entry function in archive_read_support_format_mtree.c in libarchive before 3.2.0 allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted mtree file.

CVE-2015-8927 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-8927): The trad_enc_decrypt_update function in archive_read_support_format_zip.c in libarchive before 3.2.0 allows remote attackers to cause a denial of service (out-of-bounds heap read and crash) via a crafted zip file, related to reading the password.

CVE-2015-8926 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-8926): The archive_read_format_rar_read_data function in archive_read_support_format_rar.c in libarchive before 3.2.0 allows remote attackers to cause a denial of service (crash) via a crafted rar archive.

CVE-2015-8925 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-8925): The readline function in archive_read_support_format_mtree.c in libarchive before 3.2.0 allows remote attackers to cause a denial of service (invalid read) via a crafted mtree file, related to newline parsing.

CVE-2015-8924 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-8924): The archive_read_format_tar_read_header function in archive_read_support_format_tar.c in libarchive before 3.2.0 allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted tar file.

CVE-2015-8923 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-8923): The process_extra function in libarchive before 3.2.0 uses the size field and a signed number in an offset, which allows remote attackers to cause a denial of service (crash) via a crafted zip file.

CVE-2015-8922 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-8922): The read_CodersInfo function in archive_read_support_format_7zip.c in libarchive before 3.2.0 allows remote attackers to cause a denial of service (NULL pointer dereference and crash) via a crafted 7z file, related to the _7z_folder struct.

CVE-2015-8921 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-8921): The ae_strtofflags function in archive_entry.c in libarchive before 3.2.0 allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted mtree file.

CVE-2015-8920 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-8920): The _ar_read_header function in archive_read_support_format_ar.c in libarchive before 3.2.0 allows remote attackers to cause a denial of service (out-of-bounds stack read) via a crafted ar file.

CVE-2015-8919 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-8919): The lha_read_file_extended_header function in archive_read_support_format_lha.c in libarchive before 3.2.0 allows remote attackers to cause a denial of service (out-of-bounds heap) via a crafted (1) lzh or (2) lha file.

CVE-2015-8918 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-8918): The archive_string_append function in archive_string.c in libarchive before 3.2.0 allows remote attackers to cause a denial of service (crash) via a crafted cab file, related to "overlapping memcpy."

CVE-2015-8917 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-8917): bsdtar in libarchive before 3.2.0 allows remote attackers to cause a denial of service (NULL pointer dereference and crash) via an invalid character in the name of a cab file.

CVE-2015-8916 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-8916): bsdtar in libarchive before 3.2.0 returns a success code without filling the entry when the header is a "split file in multivolume RAR," which allows remote attackers to cause a denial of service (NULL pointer dereference and crash) via a crafted rar file.

CVE-2015-8915 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-8915): bsdcpio in libarchive before 3.2.0 allows remote attackers to cause a denial of service (invalid read and crash) via a crafted cpio file.

Removing unstable arches.

Added to existing GLSA.

CVE-2015-8915 has its own bug report (bug 548110).

This issue was resolved and addressed in GLSA 201701-03 at https://security.gentoo.org/glsa/201701-03 by GLSA coordinator Thomas Deutschmann (whissi).
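The bug class behind CVE-2015-8934 in the list above is an LZSS window copy that trusts the back-reference in the compressed stream. The following is an added illustration of how such a copy is validated before any byte is read; it is not libarchive's code and does not reproduce RAR's bit format. The ring-buffer window, the two-token stream format (literal and back-reference) and the sample streams are all constructed here for the example.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Ring-buffer LZSS window (constructed for this example). A back-reference
 * (offset, length) means "repeat the `length` bytes that begin `offset`
 * bytes behind the current write position"; the window is the only history. */
typedef struct {
    uint8_t *buf;    /* ring buffer of `size` bytes */
    size_t size;
    size_t pos;      /* next write index, always < size */
    size_t filled;   /* bytes written so far, saturating at size */
} lzss_window;

static void lzss_window_init(lzss_window *w, uint8_t *buf, size_t size)
{
    w->buf = buf;
    w->size = size;
    w->pos = 0;
    w->filled = 0;
}

static void lzss_window_put(lzss_window *w, uint8_t b)
{
    w->buf[w->pos] = b;
    w->pos = (w->pos + 1) % w->size;
    if (w->filled < w->size)
        w->filled++;
}

/* Copy a back-reference into `out` and back into the window. Returns the
 * number of bytes produced, or -1 if the reference is invalid. Every check
 * runs before any memory is touched: an offset larger than the history
 * would index before the buffer or into never-written bytes, and an
 * oversized length would run past `out`. */
static int lzss_copy_match(lzss_window *w, size_t offset, size_t length,
                           uint8_t *out, size_t out_cap)
{
    if (offset == 0 || offset > w->filled)     /* also implies offset <= size */
        return -1;
    if (length > out_cap || length > (size_t)INT_MAX)
        return -1;

    size_t src = (w->pos + w->size - offset) % w->size;
    for (size_t i = 0; i < length; i++) {
        uint8_t b = w->buf[src];
        out[i] = b;
        lzss_window_put(w, b);     /* byte-wise, so offset < length repeats the pattern */
        src = (src + 1) % w->size;
    }
    return (int)length;
}

/* Constructed token stream for the demo (not RAR's real encoding):
 *   0x00 <byte>             emit one literal byte
 *   0x01 <offset> <length>  back-reference, both operands one byte
 * Returns bytes produced, or -1 on a malformed or hostile stream. */
static int decode_demo(const uint8_t *tok, size_t toklen,
                       uint8_t *out, size_t out_cap)
{
    uint8_t winbuf[16];
    lzss_window w;
    size_t produced = 0, i = 0;

    lzss_window_init(&w, winbuf, sizeof winbuf);
    while (i < toklen) {
        if (tok[i] == 0x00) {
            if (i + 1 >= toklen || produced >= out_cap)
                return -1;
            out[produced++] = tok[i + 1];
            lzss_window_put(&w, tok[i + 1]);
            i += 2;
        } else if (tok[i] == 0x01) {
            if (i + 2 >= toklen)
                return -1;
            int n = lzss_copy_match(&w, tok[i + 1], tok[i + 2],
                                    out + produced, out_cap - produced);
            if (n < 0)
                return -1;
            produced += (size_t)n;
            i += 3;
        } else {
            return -1;                 /* unknown token */
        }
    }
    return (int)produced;
}

/* Constructed sample streams: "abc" followed by an overlapping match that
 * repeats it twice, and a stream whose offset exceeds the bytes in history. */
static const uint8_t DEMO_GOOD[] = { 0x00, 'a', 0x00, 'b', 0x00, 'c', 0x01, 3, 6 };
static const uint8_t DEMO_BAD_OFFSET[] = { 0x00, 'a', 0x01, 5, 2 };

int main(void)
{
    uint8_t out[32];
    int n = decode_demo(DEMO_GOOD, sizeof DEMO_GOOD, out, sizeof out);
    printf("good stream -> %d bytes: %.*s\n", n, n, (const char *)out);
    n = decode_demo(DEMO_BAD_OFFSET, sizeof DEMO_BAD_OFFSET, out, sizeof out);
    printf("bad offset  -> %d (rejected)\n", n);
    return 0;
}
```

The point to take from the example is the order of operations: the offset is compared against the bytes actually present in the window (not merely against the window size) and the length against the remaining output space before the first read, so a crafted stream can only make the decoder return an error, never read outside the buffer. Copying byte by byte rather than with memcpy is what makes an overlapping match (offset smaller than length) reproduce the repeating pattern correctly.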