Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 636070 (CVE-2017-14166, CVE-2017-14501) - <app-arch/libarchive-3.3.3: Multiple vulnerabilites (CVE-2017-{14166,14501})
Summary: <app-arch/libarchive-3.3.3: Multiple vulnerabilites (CVE-2017-{14166,14501})
Status: RESOLVED FIXED
Alias: CVE-2017-14166, CVE-2017-14501
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal
Assignee: Gentoo Security
URL:
Whiteboard: A3 [glsa+ cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2017-10-31 16:52 UTC by GLSAMaker/CVETool Bot
Modified: 2019-08-15 16:09 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description GLSAMaker/CVETool Bot gentoo-dev 2017-10-31 16:52:28 UTC 
CVE-2017-14501 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-14501):
  An out-of-bounds read flaw exists in parse_file_info in
  archive_read_support_format_iso9660.c in libarchive 3.3.2 when extracting a
  specially crafted iso9660 iso file, related to
  archive_read_format_iso9660_read_header.

CVE-2017-14166 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-14166):
  libarchive 3.3.2 allows remote attackers to cause a denial of service
  (xml_data heap-based buffer over-read and application crash) via a crafted
  xar archive, related to the mishandling of empty strings in the atol8
  function in archive_read_support_format_xar.c.
Comment 1 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2018-01-02 13:22:47 UTC 
(In reply to GLSAMaker/CVETool Bot from comment #0)
> CVE-2017-14501 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-14501):
>   An out-of-bounds read flaw exists in parse_file_info in
>   archive_read_support_format_iso9660.c in libarchive 3.3.2 when extracting a
>   specially crafted iso9660 iso file, related to
>   archive_read_format_iso9660_read_header.

FWICS, there's no fix upstream yet for this and it doesn't look like anybody's working on it.

> CVE-2017-14166 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-14166):
>   libarchive 3.3.2 allows remote attackers to cause a denial of service
>   (xml_data heap-based buffer over-read and application crash) via a crafted
>   xar archive, related to the mishandling of empty strings in the atol8
>   function in archive_read_support_format_xar.c.

This one has a fix in master (fa7438a0ff4033e4741c807394a9af6207940d71) we could backport. Alternatively, we could make a snapshot.
Comment 2 Thomas Deutschmann (RETIRED) gentoo-dev 2018-01-02 19:16:01 UTC 
Feel free to only fix CVE-2017-14166 for the moment. We will split out the remaining vulnerability in this case.
Comment 3 Thomas Deutschmann (RETIRED) gentoo-dev 2018-08-14 20:17:53 UTC 
Both vulnerabilities are now fixed upstream:

CVE-2017-14166: https://github.com/libarchive/libarchive/commit/fa7438a0ff4033e4741c807394a9af6207940d71

CVE-2017-14501: https://github.com/libarchive/libarchive/commit/f9569c086ff29259c73790db9cbf39fe8fb9d862
Comment 4 Aaron Bauman (RETIRED) gentoo-dev 2019-08-10 17:05:17 UTC 
@maintainer, please clean vulnerable.
Comment 5 GLSAMaker/CVETool Bot gentoo-dev 2019-08-15 15:50:52 UTC 
This issue was resolved and addressed in
 GLSA 201908-11 at https://security.gentoo.org/glsa/201908-11
by GLSA coordinator Aaron Bauman (b-man).
Comment 6 Aaron Bauman (RETIRED) gentoo-dev 2019-08-15 15:51:54 UTC 
re-opened for cleanup