[CVE-2007-3641, CVE-2007-3644, CVE-2007-3645] various security bugs

Debian Bug report logs - #432924
[CVE-2007-3641, CVE-2007-3644, CVE-2007-3645] various security bugs

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Florian Weimer <fw@deneb.enyo.de>

To: submit@bugs.debian.org

Subject: [CVE-2007-3641, CVE-2007-3644, CVE-2007-3645] various security bugs

Date: Fri, 13 Jul 2007 07:11:39 +0200

Package: libarchive1
Version: 2.2.3-1
Tags: security
Severity: grave

FreeBSD has disclosed several security problems in libarchive:

| Several problems have been found in the code used to parse the tar and
| pax interchange formats.  These include entering an infinite loop if an
| archive prematurely ends within a pax extension header or if certain
| types of corruption occur in pax extension headers [CVE-2007-3644];
| dereferencing a NULL pointer if an archive prematurely ends within a
| tar header immediately following a pax extension header or if certain
| other types of corruption occur in pax extension headers [CVE-2007-3645];
| and miscomputing the length of a buffer resulting in a buffer overflow
| if yet another type of corruption occurs in a pax extension header
| [CVE-2007-3641].

Please mention the CVE names when fixing these bugs.

Message #10 received at 432924@bugs.debian.org (full text, mbox, reply):

From: John Goerzen <jgoerzen@complete.org>

To: Florian Weimer <fw@deneb.enyo.de>, 432924@bugs.debian.org

Cc: security@debian.org

Subject: Re: Bug#432924: [CVE-2007-3641, CVE-2007-3644, CVE-2007-3645] various security bugs

Date: Fri, 13 Jul 2007 08:16:07 -0500

I will upload a fix to unstable shortly.  However, it sounds like this could 
also impact the version in stable, so CCing security@debian.org.

On Fri July 13 2007 12:11:39 am Florian Weimer wrote:
> Package: libarchive1
> Version: 2.2.3-1
> Tags: security
> Severity: grave
>
> FreeBSD has disclosed several security problems in libarchive:
> | Several problems have been found in the code used to parse the tar and
> | pax interchange formats.  These include entering an infinite loop if an
> | archive prematurely ends within a pax extension header or if certain
> | types of corruption occur in pax extension headers [CVE-2007-3644];
> | dereferencing a NULL pointer if an archive prematurely ends within a
> | tar header immediately following a pax extension header or if certain
> | other types of corruption occur in pax extension headers
> | [CVE-2007-3645]; and miscomputing the length of a buffer resulting in a
> | buffer overflow if yet another type of corruption occurs in a pax
> | extension header [CVE-2007-3641].
>
> Please mention the CVE names when fixing these bugs.

Message #15 received at 432924@bugs.debian.org (full text, mbox, reply):

From: Steve Kemp <skx@debian.org>

To: John Goerzen <jgoerzen@complete.org>

Cc: Florian Weimer <fw@deneb.enyo.de>, 432924@bugs.debian.org, security@debian.org

Subject: Re: Bug#432924: [CVE-2007-3641, CVE-2007-3644, CVE-2007-3645] various security bugs

Date: Fri, 13 Jul 2007 14:28:08 +0100

On Fri Jul 13, 2007 at 08:16:07 -0500, John Goerzen wrote:
> I will upload a fix to unstable shortly.  However, it sounds like this could 
> also impact the version in stable, so CCing security@debian.org.

  Yes that looks to be the case.

  If you had a patch that would apply to the version in Stable that
 would be appreciated.  I applied the FreeBSd patch but that failed
 more than it succeeded ..

  I'll have a few hours tomorrow to look at it, so don't worry too
 much if you can't supply it.

Steve
-- 

Message #20 received at 432924-close@bugs.debian.org (full text, mbox, reply):

From: John Goerzen <jgoerzen@complete.org>

To: 432924-close@bugs.debian.org

Subject: Bug#432924: fixed in libarchive 2.2.4-1

Date: Fri, 13 Jul 2007 13:32:02 +0000

Source: libarchive
Source-Version: 2.2.4-1

We believe that the bug you reported is fixed in the latest version of
libarchive, which is due to be installed in the Debian FTP archive:

bsdtar_2.2.4-1_i386.deb
  to pool/main/liba/libarchive/bsdtar_2.2.4-1_i386.deb
libarchive-dev_2.2.4-1_i386.deb
  to pool/main/liba/libarchive/libarchive-dev_2.2.4-1_i386.deb
libarchive1_2.2.4-1_i386.deb
  to pool/main/liba/libarchive/libarchive1_2.2.4-1_i386.deb
libarchive_2.2.4-1.diff.gz
  to pool/main/liba/libarchive/libarchive_2.2.4-1.diff.gz
libarchive_2.2.4-1.dsc
  to pool/main/liba/libarchive/libarchive_2.2.4-1.dsc
libarchive_2.2.4.orig.tar.gz
  to pool/main/liba/libarchive/libarchive_2.2.4.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 432924@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
John Goerzen <jgoerzen@complete.org> (supplier of updated libarchive package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Fri, 13 Jul 2007 08:14:00 -0500
Source: libarchive
Binary: libarchive-dev libarchive1 bsdtar
Architecture: source i386
Version: 2.2.4-1
Distribution: unstable
Urgency: high
Maintainer: John Goerzen <jgoerzen@complete.org>
Changed-By: John Goerzen <jgoerzen@complete.org>
Description: 
 bsdtar     - tar(1) from FreeBSD, using libarchive
 libarchive-dev - Single library to read/write tar, cpio, pax, zip, iso9660, etc.
 libarchive1 - Single library to read/write tar, cpio, pax, zip, iso9660, etc.
Closes: 432924
Changes: 
 libarchive (2.2.4-1) unstable; urgency=high
 .
   * New upstream version with security fixes.  Closes: #432924.
     Fixes: CVE-2007-3641, CVE-2007-3644, CVE-2007-3645
Files: 
 c127391c6c9379894545ce6648c05e1f 697 libs optional libarchive_2.2.4-1.dsc
 1dd9d267af446921cf93deb27d1fbe9e 636879 libs optional libarchive_2.2.4.orig.tar.gz
 289fdffab7686eb09c4cf85610eb2929 5048 libs optional libarchive_2.2.4-1.diff.gz
 27771af37903d368f850495a5e1d7e5d 129606 libdevel optional libarchive-dev_2.2.4-1_i386.deb
 a34339f519b000d3b8f415e09eae2332 90998 libs optional libarchive1_2.2.4-1_i386.deb
 b4f5672a6ed2e7ef1758689dd974e686 94418 libs optional bsdtar_2.2.4-1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFGl3tt0miF3hOB5ikRAjElAKCYz++33rg8BA6oSlNQF6vDyAJfsACfXvPq
I0hOUlloDUR29Kk0LG0s4bs=
=03bK
-----END PGP SIGNATURE-----

Message #25 received at 432924@bugs.debian.org (full text, mbox, reply):

From: John Goerzen <jgoerzen@complete.org>

To: Steve Kemp <skx@debian.org>, 432924@bugs.debian.org

Cc: Florian Weimer <fw@deneb.enyo.de>, security@debian.org

Subject: Re: Bug#432924: [CVE-2007-3641, CVE-2007-3644, CVE-2007-3645] various security bugs

Date: Fri, 13 Jul 2007 11:40:37 -0500

On Fri July 13 2007 8:28:08 am Steve Kemp wrote:
> On Fri Jul 13, 2007 at 08:16:07 -0500, John Goerzen wrote:
> > I will upload a fix to unstable shortly.  However, it sounds like this
> > could also impact the version in stable, so CCing security@debian.org.
>
>   Yes that looks to be the case.
>
>   If you had a patch that would apply to the version in Stable that
>  would be appreciated.  I applied the FreeBSd patch but that failed
>  more than it succeeded ..
>
>   I'll have a few hours tomorrow to look at it, so don't worry too
>  much if you can't supply it.

I'm afraid I don't have anything other than that same FreeBSD patch, and am 
going to be pretty much tied up until next week.  Thanks for your help, 
Steve.

-- John

Send a report that this bug log contains spam.