Bug 586182 (CVE-2015-8916, CVE-2015-8917, CVE-2015-8918, CVE-2015-8919, CVE-2015-8920, CVE-2015-8921, CVE-2015-8922, CVE-2015-8923, CVE-2015-8924, CVE-2015-8925, CVE-2015-8926, CVE-2015-8927, CVE-2015-8928, CVE-2015-8929, CVE-2015-8930, CVE-2015-8931, CVE-2015-8932, CVE-2015-8933, CVE-2015-8934) - <app-arch/libarchive-3.2.1-r3: Multiple vulnerabilities (CVE-2015-{8916,8917,8918,8919,8920,8921,8922,8923,8924,8925,8926,8927,8928,8929,8930,8931,8932,8933,8934})
Summary: <app-arch/libarchive-3.2.1-r3: Multiple vulnerabilities (CVE-2015-{8916,8917,...
Status: RESOLVED FIXED
Alias: CVE-2015-8916, CVE-2015-8917, CVE-2015-8918, CVE-2015-8919, CVE-2015-8920, CVE-2015-8921, CVE-2015-8922, CVE-2015-8923, CVE-2015-8924, CVE-2015-8925, CVE-2015-8926, CVE-2015-8927, CVE-2015-8928, CVE-2015-8929, CVE-2015-8930, CVE-2015-8931, CVE-2015-8932, CVE-2015-8933, CVE-2015-8934
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL:
Whiteboard: B2 [glsa cve]
Keywords:
Depends on:
Blocks: CVE-2015-8915 CVE-2015-2304 CVE-2016-1541 586086
 
Reported: 2016-06-17 13:04 UTC by Hanno Böck
Modified: 2017-01-01 14:34 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Description Hanno Böck gentoo-dev 2016-06-17 13:04:29 UTC
I have discovered and reported a large number of out of bounds memory reads, null pointer accesses and other issues to libarchive. Most of them (except unfortunately one, I asked upstream about the status) have been fixed in 3.2.0:
https://blog.fuzzing-project.org/47-Many-invalid-memory-access-issues-in-libarchive.html

Please bump to 3.2.0.
Comment 1 Hanno Böck gentoo-dev 2016-06-20 17:23:53 UTC
The rar issue that was unfixed in 3.2.0 (CVE-2015-8934) is now fixed in 3.2.1 (+ one integer overflow issue). Therefore please bump to 3.2.1.

CVE-2015-8915 - CVE-2015-8933 all got assigned to issues fixed in 3.2.0.
Comment 2 Aaron Bauman (RETIRED) gentoo-dev 2016-06-27 12:05:57 UTC
(In reply to Hanno Boeck from comment #1)
> The rar issue that was unfixed in 3.2.0 (CVE-2015-8934) is now fixed in
> 3.2.1 (+ one integer overflow issue). Therefore please bump to 3.2.1.
> 
> CVE-2015-8915 - CVE-2015-8933 all got assigned to issues fixed in 3.2.0.

Additionally,

http://www.talosintel.com/reports/TALOS-2016-0152/

http://www.talosintel.com/reports/TALOS-2016-0153/

http://www.talosintel.com/reports/TALOS-2016-0154/
Comment 3 William Hubbs gentoo-dev 2016-07-02 00:10:01 UTC
I bumped this to 3.2.1.
Comment 4 Aaron Bauman (RETIRED) gentoo-dev 2016-07-02 00:14:19 UTC
(In reply to William Hubbs from comment #3)
> I bumped this to 3.2.1.

Thanks!

@maintainer(s), would you like to let it bake for awhile or push on to stabilization?
Comment 5 Adam Feldman gentoo-dev 2016-07-02 00:31:14 UTC
(In reply to Aaron Bauman from comment #4)
> (In reply to William Hubbs from comment #3)
> > I bumped this to 3.2.1.
> 
> Thanks!
> 
> @maintainer(s), would you like to let it bake for awhile or push on to
> stabilization?

I don't really understand what "let it bake for a while" means.

Considering the huge amount of changes in upstream between 3.1 and 3.2, it'd probably be best to hold off on stabilizing immediately, if possible (the reason why I haven't managed to bump it myself was it required a lot of attention)
Comment 6 Aaron Bauman (RETIRED) gentoo-dev 2016-07-02 01:02:15 UTC
(In reply to NP-Hardass from comment #5)
> (In reply to Aaron Bauman from comment #4)
> > (In reply to William Hubbs from comment #3)
> > > I bumped this to 3.2.1.
> > 
> > Thanks!
> > 
> > @maintainer(s), would you like to let it bake for awhile or push on to
> > stabilization?
> 
> I don't really understand what "let it bake for a while" means.
> 
> Considering the huge amount of changes in upstream between 3.1 and 3.2, it'd
> probably be best to  hold off on stabilizing immediately, if possible (the
> reason why I haven't managed to bump it myself was it required a lot of
> attention)

Thanks for the information.  Please call for stabilization when you are ready.
Comment 7 Adam Feldman gentoo-dev 2016-07-16 18:30:22 UTC
Alright, we should be all good to stabilize on all arches.  Please note that several arches are listed as unstable arches, but have stable keywords on ~3.1.2, so, after consulting those arches, we should probably just drop stable keywords for those arches. There are currently stable keywords for every arch but mips.
Comment 8 Aaron Bauman (RETIRED) gentoo-dev 2016-07-17 00:51:05 UTC
@arches, please stabilize:

=app-arch/libarchive-3.2.1-r3
Comment 9 Tobias Klausmann (RETIRED) gentoo-dev 2016-07-17 11:51:47 UTC
Stable on alpha.
Comment 10 Jeroen Roovers (RETIRED) gentoo-dev 2016-07-17 19:37:04 UTC
Stable for HPPA PPC64.
Comment 11 Agostino Sarubbo gentoo-dev 2016-07-18 08:50:33 UTC
amd64 stable
Comment 12 Agostino Sarubbo gentoo-dev 2016-07-18 08:51:05 UTC
x86 stable
Comment 13 Adam Feldman gentoo-dev 2016-07-26 18:19:13 UTC
The cc'd arches have stable keywords on 3.1.2, despite being listed as unstable arches.  Please either drop stable keywords or stabilize 3.2.1.


Ping @ remaining arches to stabilize so we can drop the security-issue-riddled and ancient versions
Comment 14 Aaron Bauman (RETIRED) gentoo-dev 2016-07-27 10:01:27 UTC
(In reply to NP-Hardass from comment #13)
> The cc'd arches have stable keywords on 3.1.2, despite being listed as
> unstable arches.  Please either drop stable keywords or stabilize 3.2.1.
> 
> 
> Ping @ remaining arches to stabilize so we can drop the security issue
> riddled and ancient versions

Yes, they should be dropped as they are not supported by security nor the stable tree.  If they currently have stable keywords they do not continue those forward regardless of repoman complaining.  The rest of Gentoo should not wait on these, which is why such designations are put in place.
Comment 15 Markus Meier gentoo-dev 2016-07-27 20:26:27 UTC
arm stable
Comment 16 Agostino Sarubbo gentoo-dev 2016-09-29 09:36:41 UTC
sparc stable
Comment 17 Agostino Sarubbo gentoo-dev 2016-09-29 12:37:38 UTC
ppc stable
Comment 18 Agostino Sarubbo gentoo-dev 2016-09-29 13:30:06 UTC
ia64 stable
Comment 19 GLSAMaker/CVETool Bot gentoo-dev 2016-11-21 10:22:29 UTC
CVE-2015-8934 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-8934):
  The copy_from_lzss_window function in archive_read_support_format_rar.c in
  libarchive 3.2.0 and earlier allows remote attackers to cause a denial of
  service (out-of-bounds heap read) via a crafted rar file.

CVE-2015-8933 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-8933):
  Integer overflow in the archive_read_format_tar_skip function in
  archive_read_support_format_tar.c in libarchive before 3.2.0 allows remote
  attackers to cause a denial of service (crash) via a crafted tar file.

CVE-2015-8932 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-8932):
  The compress_bidder_init function in archive_read_support_filter_compress.c
  in libarchive before 3.2.0 allows remote attackers to cause a denial of
  service (crash) via a crafted tar file, which triggers an invalid left
  shift.

CVE-2015-8931 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-8931):
  Multiple integer overflows in the (1) get_time_t_max and (2) get_time_t_min
  functions in archive_read_support_format_mtree.c in libarchive before 3.2.0
  allow remote attackers to have unspecified impact via a crafted mtree file,
  which triggers undefined behavior.

CVE-2015-8930 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-8930):
  bsdtar in libarchive before 3.2.0 allows remote attackers to cause a denial
  of service (infinite loop) via an ISO with a directory that is a member of
  itself.

CVE-2015-8929 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-8929):
  Memory leak in the __archive_read_get_extract function in
  archive_read_extract2.c in libarchive before 3.2.0 allows remote attackers
  to cause a denial of service via a tar file.

CVE-2015-8928 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-8928):
  The process_add_entry function in archive_read_support_format_mtree.c in
  libarchive before 3.2.0 allows remote attackers to cause a denial of service
  (out-of-bounds read) via a crafted mtree file.

CVE-2015-8927 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-8927):
  The trad_enc_decrypt_update function in archive_read_support_format_zip.c in
  libarchive before 3.2.0 allows remote attackers to cause a denial of service
  (out-of-bounds heap read and crash) via a crafted zip file, related to
  reading the password.

CVE-2015-8926 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-8926):
  The archive_read_format_rar_read_data function in
  archive_read_support_format_rar.c in libarchive before 3.2.0 allows remote
  attackers to cause a denial of service (crash) via a crafted rar archive.

CVE-2015-8925 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-8925):
  The readline function in archive_read_support_format_mtree.c in libarchive
  before 3.2.0 allows remote attackers to cause a denial of service (invalid
  read) via a crafted mtree file, related to newline parsing.

CVE-2015-8924 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-8924):
  The archive_read_format_tar_read_header function in
  archive_read_support_format_tar.c in libarchive before 3.2.0 allows remote
  attackers to cause a denial of service (out-of-bounds read) via a crafted
  tar file.

CVE-2015-8923 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-8923):
  The process_extra function in libarchive before 3.2.0 uses the size field
  and a signed number in an offset, which allows remote attackers to cause a
  denial of service (crash) via a crafted zip file.

CVE-2015-8922 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-8922):
  The read_CodersInfo function in archive_read_support_format_7zip.c in
  libarchive before 3.2.0 allows remote attackers to cause a denial of service
  (NULL pointer dereference and crash) via a crafted 7z file, related to the
  _7z_folder struct.

CVE-2015-8921 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-8921):
  The ae_strtofflags function in archive_entry.c in libarchive before 3.2.0
  allows remote attackers to cause a denial of service (out-of-bounds read)
  via a crafted mtree file.

CVE-2015-8920 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-8920):
  The _ar_read_header function in archive_read_support_format_ar.c in
  libarchive before 3.2.0 allows remote attackers to cause a denial of service
  (out-of-bounds stack read) via a crafted ar file.

CVE-2015-8919 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-8919):
  The lha_read_file_extended_header function in
  archive_read_support_format_lha.c in libarchive before 3.2.0 allows remote
  attackers to cause a denial of service (out-of-bounds heap) via a crafted
  (1) lzh or (2) lha file.

CVE-2015-8918 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-8918):
  The archive_string_append function in archive_string.c in libarchive before
  3.2.0 allows remote attackers to cause a denial of service (crash) via a
  crafted cab file, related to "overlapping memcpy."

CVE-2015-8917 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-8917):
  bsdtar in libarchive before 3.2.0 allows remote attackers to cause a denial
  of service (NULL pointer dereference and crash) via an invalid character in
  the name of a cab file.

CVE-2015-8916 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-8916):
  bsdtar in libarchive before 3.2.0 returns a success code without filling the
  entry when the header is a "split file in multivolume RAR," which allows
  remote attackers to cause a denial of service (NULL pointer dereference and
  crash) via a crafted rar file.

CVE-2015-8915 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-8915):
  bsdcpio in libarchive before 3.2.0 allows remote attackers to cause a denial
  of service (invalid read and crash) via a crafted cpio file.
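As an added example (not part of this bug thread, and not code from libarchive or Gentoo), the following Python triage helper encodes what comment 1 and the CVE list above state about fix versions: CVE-2015-8915 through CVE-2015-8933 were fixed in libarchive 3.2.0, and CVE-2015-8934 (the rar copy_from_lzss_window read) only in 3.2.1. Given an installed version, Gentoo package version such as 3.2.1-r3 included, it lists which of these CVEs the version still lacks the fix for. The function names are hypothetical, and the sample `bsdtar --version` banner is constructed for the example; only the "libarchive X.Y.Z" field of the banner is relied on.

```python
"""Triage helper for the libarchive CVEs tracked in Gentoo bug 586182.

Added example, not code from libarchive or Gentoo. Fix versions are taken
from the bug thread: CVE-2015-8915 .. CVE-2015-8933 fixed in 3.2.0,
CVE-2015-8934 (rar copy_from_lzss_window) fixed in 3.2.1.
"""
import re

# CVE -> first upstream release containing the fix.
FIXED_IN = {f"CVE-2015-{n}": (3, 2, 0) for n in range(8915, 8934)}
FIXED_IN["CVE-2015-8934"] = (3, 2, 1)

# Upstream "3.2.1" or Gentoo package version "3.2.1-r3" (ebuild revision -rN).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-r(\d+))?$")

# Assumed banner shape: "bsdtar 3.2.1 - libarchive 3.2.1 zlib/... liblzma/...".
# The trailing library list varies between builds, so only the libarchive
# field is extracted.
_BSDTAR_RE = re.compile(r"\blibarchive (\d+\.\d+\.\d+)")


def parse_version(version: str) -> tuple:
    """Return (major, minor, patch) for an upstream or Gentoo version string.

    The Gentoo -rN revision is dropped on purpose: it marks ebuild changes,
    not a different upstream release, so the upstream fix status is decided
    by the three-part version alone.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised libarchive version: {version!r}")
    return tuple(int(x) for x in m.groups()[:3])


def unfixed_cves(version: str) -> list:
    """CVEs from this bug whose fix is absent from the given version."""
    v = parse_version(version)
    return sorted(cve for cve, fixed in FIXED_IN.items() if v < fixed)


def libarchive_version_from_bsdtar(banner: str) -> str:
    """Pull the libarchive version out of a `bsdtar --version` banner."""
    m = _BSDTAR_RE.search(banner)
    if not m:
        raise ValueError("no libarchive version found in banner")
    return m.group(1)


if __name__ == "__main__":
    # Constructed sample banner; on a real host use the output of `bsdtar --version`.
    sample = "bsdtar 3.2.0 - libarchive 3.2.0 zlib/1.2.8 liblzma/5.2.2 bz2lib/1.0.6"
    for ver in ("3.1.2", libarchive_version_from_bsdtar(sample), "3.2.1-r3"):
        missing = unfixed_cves(ver)
        print(f"libarchive {ver}: {len(missing)} unfixed -> {', '.join(missing) or 'none'}")
```

Note that 3.2.0 still reports CVE-2015-8934 as unfixed, which is exactly why the thread moved the bump target from 3.2.0 to 3.2.1; 3.2.1-r3 reports none.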
Comment 20 Aaron Bauman (RETIRED) gentoo-dev 2016-11-21 10:24:48 UTC
Removing unstable arches. Added to existing GLSA.
Comment 21 Thomas Deutschmann (RETIRED) gentoo-dev 2017-01-01 14:10:05 UTC
CVE-2015-8915 has its own bug report (bug 548110).
Comment 22 GLSAMaker/CVETool Bot gentoo-dev 2017-01-01 14:34:44 UTC
This issue was resolved and addressed in
 GLSA 201701-03 at https://security.gentoo.org/glsa/201701-03
by GLSA coordinator Thomas Deutschmann (whissi).