Summary: | <app-arch/libarchive-3.4.2: unpacking RAR5 files with an invalid or corrupted header (CVE-2020-9308) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | filip ambroz <filip.ambroz> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | normal | CC: | m68k, mgorny, sh+disabled |
Priority: | Normal | Flags: | stable-bot:
sanity-check+
|
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | https://nvd.nist.gov/vuln/detail/CVE-2020-9308 | ||
Whiteboard: | A3 [glsa+ cve] | ||
Package list: |
app-arch/libarchive-3.4.2
|
Runtime testing required: | --- |
Description
filip ambroz
2020-02-20 22:09:30 UTC
References: https://github.com/libarchive/libarchive/pull/1326 https://github.com/libarchive/libarchive/pull/1326/commits/94821008d6eea81e315c5881cdf739202961040a @ maintainer(s): Fixed version is already in repository. Please call for stabilization when ready! Sure, let's do it. amd64 stable arm64 stable sparc stable s390 stable ia64 stable ppc stable x86 stable hppa stable ppc64 stable arm stable New vulnerability reported but finalised stabilisation & cleanup here would sort that out. CVE-2019-20509: "archive_read_support_format_lha.c in libarchive before 3.4.1 does not ensure valid sizes for UTF-16 input, which allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted LHA archive." Bug: https://github.com/libarchive/libarchive/issues/1284 Patch: https://github.com/libarchive/libarchive/commit/91cf9372e89f7af4582964b15ceb7fc6d1b37471 The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8b9c888890857e04acd24efb8339c634dfd99b92 commit 8b9c888890857e04acd24efb8339c634dfd99b92 Author: Michał Górny <mgorny@gentoo.org> AuthorDate: 2020-03-10 16:04:16 +0000 Commit: Michał Górny <mgorny@gentoo.org> CommitDate: 2020-03-10 16:05:28 +0000 app-arch/libarchive: Remove vulnerable version Bug: https://bugs.gentoo.org/710358 Signed-off-by: Michał Górny <mgorny@gentoo.org> app-arch/libarchive/Manifest | 1 - .../libarchive-3.4.0-without_zlib_build_fix.patch | 160 --------------------- app-arch/libarchive/libarchive-3.4.0.ebuild | 135 ----------------- 3 files changed, 296 deletions(-) Added to an existing GLSA request. @ maintainer(s): This bug will be closed soon when a GLSA was released because cleanup is already done. When you are still interested in stabilization from m68k and sh arch team, please create your own stabilization bug. This issue was resolved and addressed in GLSA 202003-28 at https://security.gentoo.org/glsa/202003-28 by GLSA coordinator Thomas Deutschmann (whissi). |