Bug 636070 (CVE-2017-14166, CVE-2017-14501)

Summary: <app-arch/libarchive-3.3.3: Multiple vulnerabilities (CVE-2017-{14166,14501})
Product: Gentoo Security
Reporter: GLSAMaker/CVETool Bot <glsamaker>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: bsd+disabled, mgorny
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: A3 [glsa+ cve]
Package list:
Runtime testing required: ---

Description GLSAMaker/CVETool Bot gentoo-dev 2017-10-31 16:52:28 UTC
CVE-2017-14501 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-14501):
  An out-of-bounds read flaw exists in parse_file_info in
  archive_read_support_format_iso9660.c in libarchive 3.3.2 when extracting a
  specially crafted iso9660 iso file, related to
  archive_read_format_iso9660_read_header.

CVE-2017-14166 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-14166):
  libarchive 3.3.2 allows remote attackers to cause a denial of service
  (xml_data heap-based buffer over-read and application crash) via a crafted
  xar archive, related to the mishandling of empty strings in the atol8
  function in archive_read_support_format_xar.c.
Comment 1 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2018-01-02 13:22:47 UTC
(In reply to GLSAMaker/CVETool Bot from comment #0)
> CVE-2017-14501 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-14501):
>   An out-of-bounds read flaw exists in parse_file_info in
>   archive_read_support_format_iso9660.c in libarchive 3.3.2 when extracting a
>   specially crafted iso9660 iso file, related to
>   archive_read_format_iso9660_read_header.

FWICS, there's no fix upstream yet for this and it doesn't look like anybody's working on it.

> CVE-2017-14166 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-14166):
>   libarchive 3.3.2 allows remote attackers to cause a denial of service
>   (xml_data heap-based buffer over-read and application crash) via a crafted
>   xar archive, related to the mishandling of empty strings in the atol8
>   function in archive_read_support_format_xar.c.

This one has a fix in master (fa7438a0ff4033e4741c807394a9af6207940d71) we could backport. Alternatively, we could make a snapshot.
Comment 2 Thomas Deutschmann (RETIRED) gentoo-dev 2018-01-02 19:16:01 UTC
Feel free to only fix CVE-2017-14166 for the moment. We will split out the remaining vulnerability in this case.
Comment 3 Thomas Deutschmann (RETIRED) gentoo-dev 2018-08-14 20:17:53 UTC
Both vulnerabilities are now fixed upstream:

CVE-2017-14166: https://github.com/libarchive/libarchive/commit/fa7438a0ff4033e4741c807394a9af6207940d71

CVE-2017-14501: https://github.com/libarchive/libarchive/commit/f9569c086ff29259c73790db9cbf39fe8fb9d862
Comment 4 Aaron Bauman (RETIRED) gentoo-dev 2019-08-10 17:05:17 UTC
@maintainer, please clean vulnerable.
Comment 5 GLSAMaker/CVETool Bot gentoo-dev 2019-08-15 15:50:52 UTC
This issue was resolved and addressed in
 GLSA 201908-11 at https://security.gentoo.org/glsa/201908-11
by GLSA coordinator Aaron Bauman (b-man).
Comment 6 Aaron Bauman (RETIRED) gentoo-dev 2019-08-15 15:51:54 UTC
re-opened for cleanup