Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 710358 (CVE-2020-9308)

Summary: <app-arch/libarchive-3.4.2: unpacking RAR5 files with an invalid or corrupted header (CVE-2020-9308)
Product: Gentoo Security Reporter: filip ambroz <filip.ambroz>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal CC: m68k, mgorny, sh+disabled
Priority: Normal Flags: stable-bot: sanity-check+
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://nvd.nist.gov/vuln/detail/CVE-2020-9308
Whiteboard: A3 [glsa+ cve]
Package list:
app-arch/libarchive-3.4.2
 Runtime testing required: ---

Description filip ambroz 2020-02-20 22:09:30 UTC 
archive_read_support_format_rar5.c in libarchive before 3.4.2 attempts to unpack a RAR5 file with an invalid or corrupted header (such as a header size of zero), leading to a SIGSEGV or possibly unspecified other impact
Comment 2 Thomas Deutschmann (RETIRED) gentoo-dev 2020-02-20 22:53:02 UTC 
@ maintainer(s): Fixed version is already in repository. Please call for stabilization when ready!
Comment 3 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2020-02-21 06:29:52 UTC 
Sure, let's do it.
Comment 4 Agostino Sarubbo gentoo-dev 2020-02-21 15:58:05 UTC 
amd64 stable
Comment 5 Mart Raudsepp gentoo-dev 2020-02-22 12:22:33 UTC 
arm64 stable
Comment 6 Rolf Eike Beer archtester 2020-02-22 15:59:30 UTC 
sparc stable
Comment 7 Agostino Sarubbo gentoo-dev 2020-02-24 09:02:34 UTC 
s390 stable
Comment 8 Agostino Sarubbo gentoo-dev 2020-02-24 11:29:09 UTC 
ia64 stable
Comment 9 Agostino Sarubbo gentoo-dev 2020-02-24 11:45:05 UTC 
ppc stable
Comment 10 Agostino Sarubbo gentoo-dev 2020-02-24 12:51:24 UTC 
x86 stable
Comment 11 Rolf Eike Beer archtester 2020-02-26 22:36:32 UTC 
hppa stable
Comment 12 Sergei Trofimovich (RETIRED) gentoo-dev 2020-03-02 20:39:41 UTC 
ppc64 stable
Comment 13 Agostino Sarubbo gentoo-dev 2020-03-05 12:49:34 UTC 
arm stable
Comment 14 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-03-10 15:14:07 UTC 
New vulnerability reported but finalised stabilisation & cleanup here would sort that out.

CVE-2019-20509:
"archive_read_support_format_lha.c in libarchive before 3.4.1 does not ensure valid sizes for UTF-16 input, which allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted LHA archive."

Bug: https://github.com/libarchive/libarchive/issues/1284
Patch: https://github.com/libarchive/libarchive/commit/91cf9372e89f7af4582964b15ceb7fc6d1b37471
Comment 15 Larry the Git Cow gentoo-dev 2020-03-10 16:05:34 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8b9c888890857e04acd24efb8339c634dfd99b92

commit 8b9c888890857e04acd24efb8339c634dfd99b92
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2020-03-10 16:04:16 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2020-03-10 16:05:28 +0000

    app-arch/libarchive: Remove vulnerable version
    
    Bug: https://bugs.gentoo.org/710358
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 app-arch/libarchive/Manifest                       |   1 -
 .../libarchive-3.4.0-without_zlib_build_fix.patch  | 160 ---------------------
 app-arch/libarchive/libarchive-3.4.0.ebuild        | 135 -----------------
 3 files changed, 296 deletions(-)
Comment 16 Thomas Deutschmann (RETIRED) gentoo-dev 2020-03-15 16:20:56 UTC 
Added to an existing GLSA request.
Comment 17 Thomas Deutschmann (RETIRED) gentoo-dev 2020-03-15 16:22:36 UTC 
@ maintainer(s): This bug will be closed soon when a GLSA was released because cleanup is already done. When you are still interested in stabilization from m68k and sh arch team, please create your own stabilization bug.
Comment 18 GLSAMaker/CVETool Bot gentoo-dev 2020-03-15 16:28:18 UTC 
This issue was resolved and addressed in
 GLSA 202003-28 at https://security.gentoo.org/glsa/202003-28
by GLSA coordinator Thomas Deutschmann (whissi).