Bug 598950 (CVE-2016-4300, CVE-2016-4301, CVE-2016-4302, CVE-2016-4809, CVE-2016-5844, CVE-2016-6250, CVE-2016-7166, CVE-2016-8687, CVE-2016-8688, CVE-2016-8689) - <app-arch/libarchive-3.2.2: multiple vulnerabilities (CVE-2016-{4300,4301,4302,4809,5844,6250,7166})
Status: RESOLVED FIXED
Alias: CVE-2016-4300, CVE-2016-4301, CVE-2016-4302, CVE-2016-4809, CVE-2016-5844, CVE-2016-6250, CVE-2016-7166, CVE-2016-8687, CVE-2016-8688, CVE-2016-8689
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: http://seclists.org/oss-sec/2016/q4/152
Whiteboard: A2 [glsa cve]
Keywords:
Depends on:
Blocks: CVE-2016-5418
Reported: 2016-11-04 16:37 UTC by Agostino Sarubbo
Modified: 2017-01-15 09:32 UTC

Package list:
=app-arch/libarchive-3.2.2
Runtime testing required: ---
kensington: sanity-check+


Description Agostino Sarubbo gentoo-dev 2016-11-04 16:37:32 UTC
libarchive 3.2.2 fixes some crashes I reported. Can we stabilize it?
Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2016-11-21 10:42:38 UTC
CVE-2016-7166 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7166):
  libarchive before 3.2.0 does not limit the number of recursive
  decompressions, which allows remote attackers to cause a denial of service
  (memory consumption and application crash) via a crafted gzip file.

CVE-2016-6250 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-6250):
  Integer overflow in the ISO9660 writer in libarchive before 3.2.1 allows
  remote attackers to cause a denial of service (application crash) or execute
  arbitrary code via vectors related to verifying filename lengths when
  writing an ISO9660 archive, which trigger a buffer overflow.

CVE-2016-5844 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5844):
  Integer overflow in the ISO parser in libarchive before 3.2.1 allows remote
  attackers to cause a denial of service (application crash) via a crafted ISO
  file.

CVE-2016-4809 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4809):
  The archive_read_format_cpio_read_header function in
  archive_read_support_format_cpio.c in libarchive before 3.2.1 allows remote
  attackers to cause a denial of service (application crash) via a CPIO
  archive with a large symlink.

CVE-2016-4302 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4302):
  Heap-based buffer overflow in the parse_codes function in
  archive_read_support_format_rar.c in libarchive before 3.2.1 allows remote
  attackers to execute arbitrary code via a RAR file with a zero-sized
  dictionary.

CVE-2016-4301 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4301):
  Stack-based buffer overflow in the parse_device function in
  archive_read_support_format_mtree.c in libarchive before 3.2.1 allows remote
  attackers to execute arbitrary code via a crafted mtree file.

CVE-2016-4300 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4300):
  Integer overflow in the read_SubStreamsInfo function in
  archive_read_support_format_7zip.c in libarchive before 3.2.1 allows remote
  attackers to execute arbitrary code via a 7zip file with a large number of
  substreams, which triggers a heap-based buffer overflow.
Comment 2 Aaron Bauman (RETIRED) gentoo-dev 2016-11-21 10:44:26 UTC
@arches, please stabilize:

=app-arch/libarchive-3.2.2
Comment 3 Aaron Bauman (RETIRED) gentoo-dev 2016-11-21 10:45:47 UTC
Once again the CVEs do not match the upstream commits with version numbers.
Comment 4 Agostino Sarubbo gentoo-dev 2016-11-21 12:05:57 UTC
You picked the wrong CVEs.

As far as I know, they are:
CVE-2016-8687
CVE-2016-8688
CVE-2016-8689
Comment 5 Aaron Bauman (RETIRED) gentoo-dev 2016-11-21 12:26:16 UTC
(In reply to Agostino Sarubbo from comment #4)
> You picked the wrong CVEs.
> 
> As far as I know, they are:
> CVE-2016-8687
> CVE-2016-8688
> CVE-2016-8689

Added as well with reference.
Comment 6 Agostino Sarubbo gentoo-dev 2016-11-21 12:43:06 UTC
amd64 stable
Comment 7 Agostino Sarubbo gentoo-dev 2016-11-21 12:43:54 UTC
x86 stable
Comment 8 Markus Meier gentoo-dev 2016-11-29 17:41:47 UTC
arm stable
Comment 9 Aaron Bauman (RETIRED) gentoo-dev 2016-12-05 01:39:05 UTC
bump for stable.
Comment 10 Agostino Sarubbo gentoo-dev 2016-12-19 14:39:21 UTC
sparc stable
Comment 11 Agostino Sarubbo gentoo-dev 2016-12-19 15:15:50 UTC
ia64 stable
Comment 12 Agostino Sarubbo gentoo-dev 2016-12-20 09:48:53 UTC
ppc stable
Comment 13 Agostino Sarubbo gentoo-dev 2016-12-22 09:37:30 UTC
ppc64 stable
Comment 14 Jeroen Roovers (RETIRED) gentoo-dev 2016-12-26 16:50:42 UTC
Stable for HPPA.
Comment 15 GLSAMaker/CVETool Bot gentoo-dev 2017-01-01 14:35:07 UTC
This issue was resolved and addressed in GLSA 201701-03 at https://security.gentoo.org/glsa/201701-03 by GLSA coordinator Thomas Deutschmann (whissi).
Comment 16 Thomas Deutschmann (RETIRED) gentoo-dev 2017-01-01 14:38:25 UTC
Re-opening for cleanup.

@ Maintainer(s): Please drop <app-arch/libarchive-3.2.2 or apply masks indicating a security problem.
Comment 17 Thomas Deutschmann (RETIRED) gentoo-dev 2017-01-08 22:50:35 UTC
Cleanup PR: https://github.com/gentoo/gentoo/pull/3386