libarchive: CVE-2018-1000879


Debian Bug report logs - #916962


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Thu, 20 Dec 2018 20:36:02 UTC

Severity: important

Tags: security, upstream

Found in version libarchive/3.3.3-1

Fixed in version libarchive/3.3.3-2

Done: Peter Pentchev <roam@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, Peter Pentchev <roam@debian.org>:
Bug#916962; Package src:libarchive. (Thu, 20 Dec 2018 20:36:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Peter Pentchev <roam@debian.org>. (Thu, 20 Dec 2018 20:36:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: libarchive: CVE-2018-1000879
Date: Thu, 20 Dec 2018 21:33:00 +0100
Source: libarchive
Version: 3.3.3-1
Severity: important
Tags: security upstream

Hi,

The following vulnerability was published for libarchive.

Note, several issues are discussed in the same upstream pull request
1105, but the set of affected versions is different, thus filing
individual bugs.

CVE-2018-1000879[0]:
| libarchive version commit 379867ecb330b3a952fb7bfa7bffb7bbd5547205
| onwards (release v3.3.0 onwards) contains a CWE-476: NULL Pointer
| Dereference vulnerability in ACL parser - libarchive/archive_acl.c,
| archive_acl_from_text_l() that can result in Crash/DoS. This attack
| appears to be exploitable if the victim opens a specially crafted
| archive file.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-1000879
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000879
[1] https://bugs.launchpad.net/ubuntu/+source/libarchive/+bug/1794909
[2] https://github.com/libarchive/libarchive/pull/1105
[3] https://github.com/libarchive/libarchive/pull/1105/commits/15bf44fd2c1ad0e3fd87048b3fcc90c4dcff1175

Regards,
Salvatore



Reply sent to Peter Pentchev <roam@debian.org>:
You have taken responsibility. (Fri, 21 Dec 2018 16:39:06 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Fri, 21 Dec 2018 16:39:06 GMT)


Message #10 received at 916962-close@bugs.debian.org:

From: Peter Pentchev <roam@debian.org>
To: 916962-close@bugs.debian.org
Subject: Bug#916962: fixed in libarchive 3.3.3-2
Date: Fri, 21 Dec 2018 16:36:23 +0000
Source: libarchive
Source-Version: 3.3.3-2

We believe that the bug you reported is fixed in the latest version of
libarchive, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 916962@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Peter Pentchev <roam@debian.org> (supplier of updated libarchive package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Fri, 21 Dec 2018 18:01:29 +0200
Source: libarchive
Binary: libarchive-dev libarchive13 libarchive-tools bsdtar bsdcpio
Architecture: source
Version: 3.3.3-2
Distribution: unstable
Urgency: medium
Maintainer: Peter Pentchev <roam@debian.org>
Changed-By: Peter Pentchev <roam@debian.org>
Description:
 bsdcpio    - transitional dummy package for moving bsdcpio to libarchive-tools
 bsdtar     - transitional dummy package for moving bsdtar to libarchive-tools
 libarchive-dev - Multi-format archive and compression library (development files)
 libarchive-tools - FreeBSD implementations of 'tar' and 'cpio' and other archive too
 libarchive13 - Multi-format archive and compression library (shared library)
Closes: 916960 916962 916963 916964
Changes:
 libarchive (3.3.3-2) unstable; urgency=medium
 .
   * Add Daniel Axtens's security and reliability patches:
     - CVE-2018-1000877.patch: Closes: #916964
     - CVE-2018-1000878.patch: Closes: #916963
     - CVE-2018-1000879.patch: Closes: #916962
     - CVE-2018-1000880.patch: Closes: #916960
     - all merged upstream in https://github.com/libarchive/libarchive/pull/1105
     Thanks to Salvatore Bonaccorso for filing the Debian bugs!





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 05 Feb 2019 07:32:15 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 16:12:08 2019; Machine Name: beach
