Debian Bug report logs -
#875960
libarchive: CVE-2017-14503: out-of-bounds read in lha_read_data_none()
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, jwilk@jwilk.net, Peter Pentchev <roam@ringlet.net>
:
Bug#875960
; Package libarchive13
.
(Sat, 16 Sep 2017 15:09:03 GMT) (full text, mbox, link).
Message #3 received at submit@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Package: libarchive13
Version: 3.2.2-3.1
bsdtar crashes on the attached LHA file:
$ bsdtar -xOf oob.lha
Segmentation fault
Valgrind says it's an out-of-bounds read when computing CRC:
Invalid read of size 2
at 0x4894AA6: lha_crc16.part.6 (archive_read_support_format_lha.c:1739)
by 0x4897727: lha_crc16 (archive_read_support_format_lha.c:1701)
by 0x4897727: lha_read_data_none (archive_read_support_format_lha.c:1429)
by 0x4897727: archive_read_format_lha_read_data (archive_read_support_format_lha.c:1390)
by 0x4875B8C: archive_read_data_into_fd (archive_read_data_into_fd.c:101)
by 0x10D5BB: read_archive (read.c:369)
by 0x10DCAC: tar_mode_x (read.c:112)
by 0x10C2BB: main (bsdtar.c:809)
Address 0x6ca56ce is 6 bytes after a block of size 65,536 alloc'd
at 0x482E2BC: malloc (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
by 0x487ABEC: file_open (archive_read_open_filename.c:358)
by 0x4874DE9: archive_read_open1 (archive_read.c:479)
by 0x487B0F6: archive_read_open_filenames (archive_read_open_filename.c:152)
by 0x487B18C: archive_read_open_filename (archive_read_open_filename.c:109)
by 0x10D321: read_archive (read.c:223)
by 0x10DCAC: tar_mode_x (read.c:112)
by 0x10C2BB: main (bsdtar.c:809)
Process terminating with default action of signal 11 (SIGSEGV)
Access not within mapped region at address 0x73B4000
at 0x4894ABC: lha_crc16.part.6 (archive_read_support_format_lha.c:1740)
by 0x4897727: lha_crc16 (archive_read_support_format_lha.c:1701)
by 0x4897727: lha_read_data_none (archive_read_support_format_lha.c:1429)
by 0x4897727: archive_read_format_lha_read_data (archive_read_support_format_lha.c:1390)
by 0x4875B8C: archive_read_data_into_fd (archive_read_data_into_fd.c:101)
by 0x10D5BB: read_archive (read.c:369)
by 0x10DCAC: tar_mode_x (read.c:112)
by 0x10C2BB: main (bsdtar.c:809)
Found using American Fuzzy Lop:
http://lcamtuf.coredump.cx/afl/
-- System Information:
Architecture: i386
Versions of packages libarchive13 depends on:
ii libacl1 2.2.52-3+b1
ii libbz2-1.0 1.0.6-8.1
ii libc6 2.24-17
ii liblz4-1 0.0~r131-2+b1
ii liblzma5 5.2.2-1.3
ii liblzo2-2 2.08-1.2+b2
ii libnettle6 3.3-2
ii libxml2 2.9.4+dfsg1-4
ii zlib1g 1:1.2.8.dfsg-5
--
Jakub Wilk
[oob.lha (application/x-lha, attachment)]
No longer marked as found in versions libarchive/3.2.2-3.1.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org
.
(Sat, 16 Sep 2017 18:45:09 GMT) (full text, mbox, link).
Marked as found in versions libarchive/3.2.2-3.1.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org
.
(Sat, 16 Sep 2017 18:45:09 GMT) (full text, mbox, link).
Added tag(s) security and upstream.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org
.
(Sat, 16 Sep 2017 18:45:10 GMT) (full text, mbox, link).
Marked as found in versions libarchive/3.1.2-11.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org
.
(Sat, 16 Sep 2017 18:57:09 GMT) (full text, mbox, link).
Changed Bug title to 'libarchive: out-of-bounds read in lha_read_data_none()' from 'libarchive13: out-of-bounds read in lha_read_data_none()'.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org
.
(Sat, 16 Sep 2017 19:03:03 GMT) (full text, mbox, link).
Changed Bug title to 'libarchive: CVE-2017-14503: out-of-bounds read in lha_read_data_none()' from 'libarchive: out-of-bounds read in lha_read_data_none()'.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org
.
(Sun, 17 Sep 2017 18:27:04 GMT) (full text, mbox, link).
Reply sent
to Salvatore Bonaccorso <carnil@debian.org>
:
You have taken responsibility.
(Wed, 25 Jul 2018 19:54:04 GMT) (full text, mbox, link).
Notification sent
to Jakub Wilk <jwilk@jwilk.net>
:
Bug acknowledged by developer.
(Wed, 25 Jul 2018 19:54:04 GMT) (full text, mbox, link).
Message #24 received at 875960-close@bugs.debian.org (full text, mbox, reply):
Source: libarchive
Source-Version: 3.2.2-4.1
We believe that the bug you reported is fixed in the latest version of
libarchive, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 875960@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated libarchive package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Wed, 25 Jul 2018 21:29:42 +0200
Source: libarchive
Binary: libarchive-dev libarchive13 libarchive-tools bsdtar bsdcpio
Architecture: source
Version: 3.2.2-4.1
Distribution: unstable
Urgency: medium
Maintainer: Peter Pentchev <roam@ringlet.net>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 875960 875974
Description:
bsdcpio - transitional dummy package for moving bsdcpio to libarchive-tools
bsdtar - transitional dummy package for moving bsdtar to libarchive-tools
libarchive-dev - Multi-format archive and compression library (development files)
libarchive-tools - FreeBSD implementations of 'tar' and 'cpio' and other archive too
libarchive13 - Multi-format archive and compression library (shared library)
Changes:
libarchive (3.2.2-4.1) unstable; urgency=medium
.
* Non-maintainer upload.
* Reject LHA archive entries with negative size (CVE-2017-14503)
(Closes: #875960)
* Avoid a read off-by-one error for UTF16 names in RAR archives
(CVE-2017-14502)
(Closes: #875974)
Checksums-Sha1:
ddc385b8c84c699cf97a604ac99b2139303a2dca 2490 libarchive_3.2.2-4.1.dsc
8a9e579048d0f04f85ee0b51fb6d139da2aa043e 17564 libarchive_3.2.2-4.1.debian.tar.xz
Checksums-Sha256:
01dcf95baf5eda7f2aeb0f99d52f92a03718506903fa908d738646fa60897cfa 2490 libarchive_3.2.2-4.1.dsc
dcb64e96a2b794fd03919099fb3d9807f77013d620039c9ab8ffb9998d114c48 17564 libarchive_3.2.2-4.1.debian.tar.xz
Files:
abaa2e81da50adaf4b8ed10e3db54794 2490 libs optional libarchive_3.2.2-4.1.dsc
5c24d5a83c8c36d783865b634f76802b 17564 libs optional libarchive_3.2.2-4.1.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
iQKmBAEBCgCQFiEERkRAmAjBceBVMd3uBUy48xNDz0QFAltY0eJfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQSHGNhcm5pbEBk
ZWJpYW4ub3JnAAoJEAVMuPMTQ89ENvkP/3VViHRDKocQIsgJnDkD1ncwMCN8idCM
UVo04DSQY7HdHc8fe7RmV0owMDspN4ZHlRTO9PawDSIPdusq1+Xm8RyPIt2eeCS7
/X7pwalgrwOyhe9WFOrHI0TLp02qivap8hwHFpWmuCpjzKb+7uaqD5lhBk2VjyH+
EbS792lltjnoXm1qFuLmHoRiHNPLJTc5vaJBmx/HiBHsJarEuXKZjdlhsA2o6s7i
hit7Su11ERgH2ZloyVnqmxzH851VaiN9rm6iDbwWiWwj7IwxWLz1EjBU0oe321yR
TtrD3o9LITdDYnkcgGZmUWlsnHraaGloU9lptV6bZoWyexMKci+0Z14m5e9LpNDF
baSYoXXZlahphHGFbYqFtQ3v33cvCCK1CqA7Ggx/v7u/NgetH8+81UvUXwXbR13L
vbiRI6yYJykQNgz2DSMu8B7NlclxQrzTIMU+YkY0KyxIY1UPX7kZvyocgNSHqiWA
7FfItXUDQIh0uKeIHIrqG/3cSPIksY1ZiSabNIalt17DPu8TwG/HE530iGgrwyVW
BYXarYcIsk/LgzX2ndZVvVTumE7kF+gqX4IgOuIzHcfbTl6Yz3Zujp9YrF+fKp0A
pAOWydsWCEOJzZ2IDxkO4HvTcXVmu6cFD6b/uvVFkuPwnianQHa6oZyZpsv6g8JI
rfa7h67G2H5X
=W8Ld
-----END PGP SIGNATURE-----
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org
.
(Tue, 25 Sep 2018 07:28:34 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 18:27:42 2019;
Machine Name:
buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.