Debian Bug report logs - #875974
libarchive: CVE-2017-14502: out-of-bounds read in archive_read_format_rar_read_header()
Reported by: Jakub Wilk <jwilk@jwilk.net>
Date: Sat, 16 Sep 2017 18:15:01 UTC
Severity: normal
Tags: fixed-upstream, security, upstream
Found in versions libarchive/3.2.2-3.1, libarchive/3.1.2-11
Fixed in version libarchive/3.2.2-4.1
Done: Salvatore Bonaccorso <carnil@debian.org>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, jwilk@jwilk.net, Peter Pentchev <roam@ringlet.net>: Bug#875974; Package libarchive13. (Sat, 16 Sep 2017 18:15:03 GMT)
Message #3 received at submit@bugs.debian.org:
Package: libarchive13
Version: 3.2.2-3.1
$ valgrind --quiet -- bsdtar -xf oob.rar
==1880== Invalid read of size 1
==1880== at 0x4832FF0: memcpy (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==1880== by 0x489B5E0: memcpy (string3.h:53)
==1880== by 0x489B5E0: read_header (archive_read_support_format_rar.c:1577)
==1880== by 0x489C347: archive_read_format_rar_read_header (archive_read_support_format_rar.c:932)
==1880== by 0x4873A54: _archive_read_next_header2 (archive_read.c:649)
==1880== by 0x4873B5B: _archive_read_next_header (archive_read.c:687)
==1880== by 0x10D384: read_archive (read.c:261)
==1880== by 0x10DCAC: tar_mode_x (read.c:112)
==1880== by 0x10C2BB: main (bsdtar.c:809)
==1880== Address 0x6ca726a is 0 bytes after a block of size 98 alloc'd
==1880== at 0x482E1FC: malloc (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==1880== by 0x4830520: realloc (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==1880== by 0x489B451: read_header (archive_read_support_format_rar.c:1423)
==1880== by 0x489C347: archive_read_format_rar_read_header (archive_read_support_format_rar.c:932)
==1880== by 0x4873A54: _archive_read_next_header2 (archive_read.c:649)
==1880== by 0x4873B5B: _archive_read_next_header (archive_read.c:687)
==1880== by 0x10D384: read_archive (read.c:261)
==1880== by 0x10DCAC: tar_mode_x (read.c:112)
==1880== by 0x10C2BB: main (bsdtar.c:809)
==1880==
bsdtar: Unknown file attributes from RAR file's host OS
bsdtar: Error exit delayed from previous errors.
Found using American Fuzzy Lop:
http://lcamtuf.coredump.cx/afl/
-- System Information:
Architecture: i386
Versions of packages libarchive13 depends on:
ii libacl1 2.2.52-3+b1
ii libbz2-1.0 1.0.6-8.1
ii libc6 2.24-17
ii liblz4-1 0.0~r131-2+b1
ii liblzma5 5.2.2-1.3
ii liblzo2-2 2.08-1.2+b2
ii libnettle6 3.3-2
ii libxml2 2.9.4+dfsg1-4
ii zlib1g 1:1.2.8.dfsg-5
--
Jakub Wilk
[oob.rar (application/rar, attachment)]
No longer marked as found in versions libarchive/3.2.2-3.1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 16 Sep 2017 19:36:03 GMT)
Marked as found in versions libarchive/3.2.2-3.1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 16 Sep 2017 19:36:04 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, Peter Pentchev <roam@ringlet.net>: Bug#875974; Package src:libarchive. (Sat, 16 Sep 2017 19:39:05 GMT)
Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>: Extra info received and forwarded to list. Copy sent to Peter Pentchev <roam@ringlet.net>. (Sat, 16 Sep 2017 19:39:05 GMT)
Message #14 received at 875974@bugs.debian.org:
Hi
This should be fixed upstream with
https://github.com/libarchive/libarchive/commit/5562545b5562f6d12a4ef991fae158bf4ccf92b6
Regards,
Salvatore
Marked as found in versions libarchive/3.1.2-11. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 16 Sep 2017 19:39:06 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, Peter Pentchev <roam@ringlet.net>: Bug#875974; Package src:libarchive. (Sat, 16 Sep 2017 19:48:02 GMT)
Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>: Extra info received and forwarded to list. Copy sent to Peter Pentchev <roam@ringlet.net>. (Sat, 16 Sep 2017 19:48:03 GMT)
Message #21 received at 875974@bugs.debian.org:
Hi
On Sat, Sep 16, 2017 at 09:35:31PM +0200, Salvatore Bonaccorso wrote:
> Hi
>
> This should be fixed upstream with
>
> https://github.com/libarchive/libarchive/commit/5562545b5562f6d12a4ef991fae158bf4ccf92b6
Additional reference, the mentioned OSS-Fuzz issue is
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=573
Regards,
Salvatore
No longer marked as found in versions libarchive/3.1.2-11. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 16 Sep 2017 19:57:03 GMT)
Changed Bug title to 'libarchive: out-of-bounds read in archive_read_format_rar_read_header()' from 'libarchive13: out-of-bounds read in archive_read_format_rar_read_header()'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 16 Sep 2017 19:57:03 GMT)
Added tag(s) fixed-upstream, security, and upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 16 Sep 2017 19:57:04 GMT)
Marked as found in versions libarchive/3.1.2-11. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 17 Sep 2017 18:24:02 GMT)
Changed Bug title to 'libarchive: CVE-2017-14502: out-of-bounds read in archive_read_format_rar_read_header()' from 'libarchive: out-of-bounds read in archive_read_format_rar_read_header()'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 17 Sep 2017 18:27:04 GMT)
Reply sent to Salvatore Bonaccorso <carnil@debian.org>: You have taken responsibility. (Wed, 25 Jul 2018 19:54:07 GMT)
Notification sent to Jakub Wilk <jwilk@jwilk.net>: Bug acknowledged by developer. (Wed, 25 Jul 2018 19:54:07 GMT)
Message #36 received at 875974-close@bugs.debian.org:
Source: libarchive
Source-Version: 3.2.2-4.1
We believe that the bug you reported is fixed in the latest version of
libarchive, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 875974@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated libarchive package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Wed, 25 Jul 2018 21:29:42 +0200
Source: libarchive
Binary: libarchive-dev libarchive13 libarchive-tools bsdtar bsdcpio
Architecture: source
Version: 3.2.2-4.1
Distribution: unstable
Urgency: medium
Maintainer: Peter Pentchev <roam@ringlet.net>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 875960 875974
Description:
bsdcpio - transitional dummy package for moving bsdcpio to libarchive-tools
bsdtar - transitional dummy package for moving bsdtar to libarchive-tools
libarchive-dev - Multi-format archive and compression library (development files)
libarchive-tools - FreeBSD implementations of 'tar' and 'cpio' and other archive tools
libarchive13 - Multi-format archive and compression library (shared library)
Changes:
libarchive (3.2.2-4.1) unstable; urgency=medium
.
* Non-maintainer upload.
* Reject LHA archive entries with negative size (CVE-2017-14503)
(Closes: #875960)
* Avoid a read off-by-one error for UTF16 names in RAR archives
(CVE-2017-14502)
(Closes: #875974)
Checksums-Sha1:
ddc385b8c84c699cf97a604ac99b2139303a2dca 2490 libarchive_3.2.2-4.1.dsc
8a9e579048d0f04f85ee0b51fb6d139da2aa043e 17564 libarchive_3.2.2-4.1.debian.tar.xz
Checksums-Sha256:
01dcf95baf5eda7f2aeb0f99d52f92a03718506903fa908d738646fa60897cfa 2490 libarchive_3.2.2-4.1.dsc
dcb64e96a2b794fd03919099fb3d9807f77013d620039c9ab8ffb9998d114c48 17564 libarchive_3.2.2-4.1.debian.tar.xz
Files:
abaa2e81da50adaf4b8ed10e3db54794 2490 libs optional libarchive_3.2.2-4.1.dsc
5c24d5a83c8c36d783865b634f76802b 17564 libs optional libarchive_3.2.2-4.1.debian.tar.xz
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 25 Sep 2018 07:29:18 GMT)
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified: Wed Jun 19 17:34:25 2019
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.