Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bugzilla DB migration completed. Please report issues to Infra team via email via infra@gentoo.org or IRC
Bug 596568 (CVE-2016-5418) - <app-arch/libarchive-3.2.2: file overwrite (CVE-2016-5418)
Summary: <app-arch/libarchive-3.2.2: file overwrite (CVE-2016-5418)
Status: RESOLVED FIXED
Alias: CVE-2016-5418
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL:
Whiteboard: A2 [glsa cve]
Keywords:
Depends on: CVE-2016-4300, CVE-2016-4301, CVE-2016-4302, CVE-2016-4809, CVE-2016-5844, CVE-2016-6250, CVE-2016-7166, CVE-2016-8687, CVE-2016-8688, CVE-2016-8689
Blocks:
  Show dependency tree
 
Reported: 2016-10-08 19:31 UTC by Ian Zimmerman
Modified: 2017-01-01 14:34 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Ian Zimmerman 2016-10-08 19:31:34 UTC
According to the RedHat summary [1]:

A vulnerability in libarchive exists that allows an archive Entry with type 1 (hardlink), but has a non-zero data size to cause a file overwrite. This vulnerability can be leveraged in a way that has a significant security impact (this was not clear at first during initial research by upstream).

[1]
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-5418


Reproducible: Always
Comment 1 Agostino Sarubbo gentoo-dev 2016-10-09 14:23:45 UTC
there are some other vulnerabilities. I guess we will go for 3.2.2 directly
Comment 2 Lars Wendler (Polynomial-C) gentoo-dev 2016-10-31 22:42:11 UTC
commit 44dbb86594383c91dbb21bb471b4c89347325e48
Author: Lars Wendler <polynomial-c@gentoo.org>
Date:   Mon Oct 31 22:15:42 2016

    app-arch/libarchive: Security bump to version 3.2.2 (bug #596568).

    Package-Manager: portage-2.3.2
    Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>
Comment 3 GLSAMaker/CVETool Bot gentoo-dev 2016-11-21 10:35:24 UTC
CVE-2016-5418 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5418):
  The sandboxing code in libarchive 3.2.0 and earlier mishandles hardlink
  archive entries of non-zero data size, which might allow remote attackers to
  write to arbitrary files via a crafted archive file.
Comment 4 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2016-11-21 10:41:34 UTC
(In reply to GLSAMaker/CVETool Bot from comment #3)
> CVE-2016-5418 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5418):
>   The sandboxing code in libarchive 3.2.0 and earlier mishandles hardlink
>   archive entries of non-zero data size, which might allow remote attackers
> to
>   write to arbitrary files via a crafted archive file.

CVE is misleading so please ignore the version numbers.  Upstream Github commits show these were included in 3.2.2 as identified by the previous comments.
Comment 5 GLSAMaker/CVETool Bot gentoo-dev 2017-01-01 14:34:59 UTC
This issue was resolved and addressed in
 GLSA 201701-03 at https://security.gentoo.org/glsa/201701-03
by GLSA coordinator Thomas Deutschmann (whissi).