Bug 596568 (CVE-2016-5418)

Summary: <app-arch/libarchive-3.2.2: file overwrite (CVE-2016-5418)
Product: Gentoo Security
Reporter: Ian Zimmerman <nobrowser>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: bsd+disabled
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: A2 [glsa cve]
Package list:
Runtime testing required: ---
Bug Depends on: 598950
Bug Blocks:

Description Ian Zimmerman 2016-10-08 19:31:34 UTC
According to the RedHat summary [1]:

A vulnerability in libarchive exists that allows an archive entry with type 1 (hardlink) but a non-zero data size to cause a file overwrite. This vulnerability can be leveraged in a way that has a significant security impact (this was not clear at first during initial research by upstream).

[1] https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-5418

Reproducible: Always
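The condition quoted above (and restated in the CVE text in comment 3) is mechanical enough to check for before an archive is handed to an extractor. The following is an added example, not code from libarchive or from this bug report: a small ustar header walker that flags hardlink entries whose header claims a non-zero size, and keeps walking correctly whether or not the writer stored data after such an entry. The archive bytes are constructed inline; the list of data-carrying entry types and the peek-ahead heuristic are this example's own choices.

```python
# Added example, not code from libarchive or the bug report: a minimal ustar
# walker that flags hardlink entries (typeflag '1') claiming a non-zero size.
BLOCK = 512

def octal(raw: bytes) -> int:
    """Decode a NUL/space padded octal ustar field; an empty field means 0."""
    text = raw.split(b"\0", 1)[0].strip()
    return int(text, 8) if text else 0

def checksum_ok(block: bytes) -> bool:
    """True if block is a 512-byte header whose chksum field verifies."""
    if len(block) != BLOCK or block.count(0) == BLOCK:
        return False  # too short, or the all-zero end-of-archive marker
    return octal(block[148:156]) == sum(block[:148]) + 8 * 0x20 + sum(block[156:])

def suspicious_hardlinks(archive: bytes) -> list:
    """Return (name, claimed size) for every hardlink entry with size != 0."""
    findings, off = [], 0
    while off + BLOCK <= len(archive):
        hdr = archive[off:off + BLOCK]
        if hdr.count(0) == BLOCK:
            break  # end-of-archive marker
        if not checksum_ok(hdr):
            raise ValueError(f"corrupt header at offset {off}")
        name = hdr[:100].rstrip(b"\0").decode("ascii", "replace")
        typeflag, size = hdr[156:157], octal(hdr[124:136])
        off += BLOCK
        if typeflag == b"1" and size:
            findings.append((name, size))
            nxt = archive[off:off + BLOCK]  # writers differ on whether data follows:
            if checksum_ok(nxt) or nxt.count(0) == BLOCK:
                continue  # next block is already a header/end marker, so no data stored
        if typeflag in b"01xgLK\0":  # entry types that carry data blocks
            off += -(-size // BLOCK) * BLOCK  # skip data, rounded up to whole blocks
    return findings

def header(name: bytes, typeflag: bytes, size: int, linkname: bytes = b"") -> bytes:
    h = bytearray(BLOCK)  # constructed ustar header for the test archives below
    h[:len(name)], h[156:157] = name, typeflag
    h[124:136], h[148:156] = b"%011o\0" % size, b" " * 8
    h[157:157 + len(linkname)], h[257:265] = linkname, b"ustar\x00" + b"00"
    h[148:156] = b"%06o\0 " % sum(h)  # chksum is computed with its field as spaces
    return bytes(h)

# Constructed archives: a.txt holds real data; b.txt is a hardlink to it whose
# header claims 5 bytes; c.txt is a well-formed hardlink (size 0).
DATA = header(b"a.txt", b"0", 5) + b"hello".ljust(BLOCK, b"\0")
END = b"\0" * (2 * BLOCK)
ARCHIVE_NO_DATA = DATA + header(b"b.txt", b"1", 5, b"a.txt") + header(b"c.txt", b"1", 0, b"a.txt") + END
# Same claim, but here the writer also stored the 5 bytes after the hardlink header.
ARCHIVE_WITH_DATA = DATA + header(b"b.txt", b"1", 5, b"a.txt") + b"hello".ljust(BLOCK, b"\0") + END
```

Both constructed archives yield the single finding `("b.txt", 5)`; an archive with only the regular file and the well-formed hardlink yields none.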
Comment 1 Agostino Sarubbo gentoo-dev 2016-10-09 14:23:45 UTC
There are some other vulnerabilities. I guess we will go for 3.2.2 directly.
Comment 2 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2016-10-31 22:42:11 UTC
commit 44dbb86594383c91dbb21bb471b4c89347325e48
Author: Lars Wendler <polynomial-c@gentoo.org>
Date:   Mon Oct 31 22:15:42 2016

    app-arch/libarchive: Security bump to version 3.2.2 (bug #596568).

    Package-Manager: portage-2.3.2
    Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>
Comment 3 GLSAMaker/CVETool Bot gentoo-dev 2016-11-21 10:35:24 UTC
CVE-2016-5418 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5418):
  The sandboxing code in libarchive 3.2.0 and earlier mishandles hardlink
  archive entries of non-zero data size, which might allow remote attackers to
  write to arbitrary files via a crafted archive file.
Comment 4 Aaron Bauman (RETIRED) gentoo-dev 2016-11-21 10:41:34 UTC
(In reply to GLSAMaker/CVETool Bot from comment #3)
> CVE-2016-5418 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5418):
>   The sandboxing code in libarchive 3.2.0 and earlier mishandles hardlink
>   archive entries of non-zero data size, which might allow remote attackers to
>   write to arbitrary files via a crafted archive file.

The CVE is misleading, so please ignore the version numbers. Upstream GitHub commits show these were included in 3.2.2, as identified in the previous comments.
Comment 5 GLSAMaker/CVETool Bot gentoo-dev 2017-01-01 14:34:59 UTC
This issue was resolved and addressed in GLSA 201701-03 at https://security.gentoo.org/glsa/201701-03 by GLSA coordinator Thomas Deutschmann (whissi).