Debian Bug report logs - #916962
libarchive: CVE-2018-1000879
Reported by: Salvatore Bonaccorso <carnil@debian.org>
Date: Thu, 20 Dec 2018 20:36:02 UTC
Severity: important
Tags: security, upstream
Found in version libarchive/3.3.3-1
Fixed in version libarchive/3.3.3-2
Done: Peter Pentchev <roam@debian.org>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, Peter Pentchev <roam@debian.org>: Bug#916962; Package src:libarchive. (Thu, 20 Dec 2018 20:36:04 GMT)
Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>: New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Peter Pentchev <roam@debian.org>. (Thu, 20 Dec 2018 20:36:04 GMT)
Message #5 received at submit@bugs.debian.org:
Source: libarchive
Version: 3.3.3-1
Severity: important
Tags: security upstream
Hi,
The following vulnerability was published for libarchive.
Note, several issues are discussed in the same upstream pull request
1105, but the set of affected versions is different, thus filing
individual bugs.
CVE-2018-1000879[0]:
| libarchive version commit 379867ecb330b3a952fb7bfa7bffb7bbd5547205
| onwards (release v3.3.0 onwards) contains a CWE-476: NULL Pointer
| Dereference vulnerability in ACL parser - libarchive/archive_acl.c,
| archive_acl_from_text_l() that can result in Crash/DoS. This attack
| appears to be exploitable when the victim opens a specially crafted
| archive file.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2018-1000879
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000879
[1] https://bugs.launchpad.net/ubuntu/+source/libarchive/+bug/1794909
[2] https://github.com/libarchive/libarchive/pull/1105
[3] https://github.com/libarchive/libarchive/pull/1105/commits/15bf44fd2c1ad0e3fd87048b3fcc90c4dcff1175
Regards,
Salvatore
Reply sent to Peter Pentchev <roam@debian.org>: You have taken responsibility. (Fri, 21 Dec 2018 16:39:06 GMT)
Notification sent to Salvatore Bonaccorso <carnil@debian.org>: Bug acknowledged by developer. (Fri, 21 Dec 2018 16:39:06 GMT)
Message #10 received at 916962-close@bugs.debian.org:
Source: libarchive
Source-Version: 3.3.3-2
We believe that the bug you reported is fixed in the latest version of
libarchive, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 916962@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Peter Pentchev <roam@debian.org> (supplier of updated libarchive package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Fri, 21 Dec 2018 18:01:29 +0200
Source: libarchive
Binary: libarchive-dev libarchive13 libarchive-tools bsdtar bsdcpio
Architecture: source
Version: 3.3.3-2
Distribution: unstable
Urgency: medium
Maintainer: Peter Pentchev <roam@debian.org>
Changed-By: Peter Pentchev <roam@debian.org>
Description:
bsdcpio - transitional dummy package for moving bsdcpio to libarchive-tools
bsdtar - transitional dummy package for moving bsdtar to libarchive-tools
libarchive-dev - Multi-format archive and compression library (development files)
libarchive-tools - FreeBSD implementations of 'tar' and 'cpio' and other archive tools
libarchive13 - Multi-format archive and compression library (shared library)
Closes: 916960 916962 916963 916964
Changes:
libarchive (3.3.3-2) unstable; urgency=medium
.
* Add Daniel Axtens's security and reliability patches:
- CVE-2018-1000877.patch: Closes: #916964
- CVE-2018-1000878.patch: Closes: #916963
- CVE-2018-1000879.patch: Closes: #916962
- CVE-2018-1000880.patch: Closes: #916960
- all merged upstream in https://github.com/libarchive/libarchive/pull/1105
Thanks to Salvatore Bonaccorso for filing the Debian bugs!
Checksums-Sha1:
1458c3bed4dbfdc5f0ac7a1376287f1e96f576ad 2356 libarchive_3.3.3-2.dsc
2e2de7d85ed3d69e25697624336e9c38b92e7694 18460 libarchive_3.3.3-2.debian.tar.xz
bed2c5d4bf0c174a92942bb4404f5968648a3c0e 7617 libarchive_3.3.3-2_amd64.buildinfo
Checksums-Sha256:
8bedc724c6d7250c93e112b35bd7e2a2e92e03bd74b64bfe495e384caf9f5751 2356 libarchive_3.3.3-2.dsc
5f9c11e19c428a3b98657b3643d04802e728bbc48f333fee3bfc41f441c140af 18460 libarchive_3.3.3-2.debian.tar.xz
463cf49e06e07440293a27dd3204b911dcb55369f1e5fda3bc23f736e8c87019 7617 libarchive_3.3.3-2_amd64.buildinfo
Files:
ed565ad2f49ee60059bb43c208c915a6 2356 libs optional libarchive_3.3.3-2.dsc
f27f3687f7ea2c31299594df586b05f2 18460 libs optional libarchive_3.3.3-2.debian.tar.xz
7c5e181637fc8d4ae6d3e224f498e93f 7617 libs optional libarchive_3.3.3-2_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCAAdFiEELuenpRf8EkzxFcNUZR7vsCUn3xMFAlwdD4sACgkQZR7vsCUn
3xO7SxAA0MeHAu6PEriRFiXG6+7OMv4HJcckJgjtndqX5D0BfdDk5wcdiJEJ2KzU
g/xBqRnsYFezmb42stCYZPCyRzilxquaLNSrDuOAfjhIH91GBZVkrGoE/Jq1JN/h
oavURWmoO6f0rwXdxQD0SS2p7yEjLVKwFvDYHIbEKk27AdEks0D1/F69fBOi8vC6
8R854qY+qJSHxx9vquf2cam4E0zj3v+f6RMdGWSZoc7+LRn0+ZVdHZ/9MZugQel0
/0VDq8bFXwJsu6MdNklq2ve3inXw6wXjUlA60u98G7esMdRIjt4Wvk39wdxAakFs
eskXIalk6FcWsR7p25XoVg4VZtOIbHiHsScTPlgcTbSpz3W63YP8r9vAEuaaxVDm
6JHsBir+Ac0w2WTGWCeFL5ikYzOT2HEyWuVW13+F9DFHlLssnrO2nGZVzku81oOh
rlvLUbfCEZUZx3L3pBbaIYxMEkVCUf2RUF8c8u3aqCmsHU0uLStI1QPIubLS2ine
9SOIipDU99rgP//FyMV+RMesEPwkHi1CfsdH7uygIEMV/VslvbKGpayurDb0KBfp
ocZarnveU2WQwDUoIW8ReWLFNR3EmNi8EGmjoPy0p8jA1ZWFeQOSQrOh0hdDM8mZ
tk+5QF9okaWmgkrikUslcWbHK1ZhGckMAKbBpMWmn6FP+jS/X1w=
=E811
-----END PGP SIGNATURE-----
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 05 Feb 2019 07:32:15 GMT)
Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 16:12:08 2019