Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 710358 (CVE-2020-9308) - <app-arch/libarchive-3.4.2: unpacking RAR5 files with an invalid or corrupted header (CVE-2020-9308)
Summary: <app-arch/libarchive-3.4.2: unpacking RAR5 files with an invalid or corrupted...
Status: RESOLVED FIXED
Alias: CVE-2020-9308
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: https://nvd.nist.gov/vuln/detail/CVE-...
Whiteboard: A3 [glsa+ cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2020-02-20 22:09 UTC by filip ambroz
Modified: 2020-03-15 16:28 UTC (History)
3 users (show)

See Also:
Package list:
app-arch/libarchive-3.4.2
Runtime testing required: ---
stable-bot: sanity-check+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description filip ambroz 2020-02-20 22:09:30 UTC
archive_read_support_format_rar5.c in libarchive before 3.4.2 attempts to unpack a RAR5 file with an invalid or corrupted header (such as a header size of zero), leading to a SIGSEGV or possibly unspecified other impact
Comment 2 Thomas Deutschmann gentoo-dev Security 2020-02-20 22:53:02 UTC
@ maintainer(s): Fixed version is already in repository. Please call for stabilization when ready!
Comment 3 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2020-02-21 06:29:52 UTC
Sure, let's do it.
Comment 4 Agostino Sarubbo gentoo-dev 2020-02-21 15:58:05 UTC
amd64 stable
Comment 5 Mart Raudsepp gentoo-dev 2020-02-22 12:22:33 UTC
arm64 stable
Comment 6 Rolf Eike Beer 2020-02-22 15:59:30 UTC
sparc stable
Comment 7 Agostino Sarubbo gentoo-dev 2020-02-24 09:02:34 UTC
s390 stable
Comment 8 Agostino Sarubbo gentoo-dev 2020-02-24 11:29:09 UTC
ia64 stable
Comment 9 Agostino Sarubbo gentoo-dev 2020-02-24 11:45:05 UTC
ppc stable
Comment 10 Agostino Sarubbo gentoo-dev 2020-02-24 12:51:24 UTC
x86 stable
Comment 11 Rolf Eike Beer 2020-02-26 22:36:32 UTC
hppa stable
Comment 12 Sergei Trofimovich gentoo-dev 2020-03-02 20:39:41 UTC
ppc64 stable
Comment 13 Agostino Sarubbo gentoo-dev 2020-03-05 12:49:34 UTC
arm stable
Comment 14 Sam James archtester gentoo-dev Security 2020-03-10 15:14:07 UTC
New vulnerability reported but finalised stabilisation & cleanup here would sort that out.

CVE-2019-20509:
"archive_read_support_format_lha.c in libarchive before 3.4.1 does not ensure valid sizes for UTF-16 input, which allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted LHA archive."

Bug: https://github.com/libarchive/libarchive/issues/1284
Patch: https://github.com/libarchive/libarchive/commit/91cf9372e89f7af4582964b15ceb7fc6d1b37471
Comment 15 Larry the Git Cow gentoo-dev 2020-03-10 16:05:34 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8b9c888890857e04acd24efb8339c634dfd99b92

commit 8b9c888890857e04acd24efb8339c634dfd99b92
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2020-03-10 16:04:16 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2020-03-10 16:05:28 +0000

    app-arch/libarchive: Remove vulnerable version
    
    Bug: https://bugs.gentoo.org/710358
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 app-arch/libarchive/Manifest                       |   1 -
 .../libarchive-3.4.0-without_zlib_build_fix.patch  | 160 ---------------------
 app-arch/libarchive/libarchive-3.4.0.ebuild        | 135 -----------------
 3 files changed, 296 deletions(-)
Comment 16 Thomas Deutschmann gentoo-dev Security 2020-03-15 16:20:56 UTC
Added to an existing GLSA request.
Comment 17 Thomas Deutschmann gentoo-dev Security 2020-03-15 16:22:36 UTC
@ maintainer(s): This bug will be closed soon when a GLSA was released because cleanup is already done. When you are still interested in stabilization from m68k and sh arch team, please create your own stabilization bug.
Comment 18 GLSAMaker/CVETool Bot gentoo-dev 2020-03-15 16:28:18 UTC
This issue was resolved and addressed in
 GLSA 202003-28 at https://security.gentoo.org/glsa/202003-28
by GLSA coordinator Thomas Deutschmann (whissi).