libarchive: CVE-2016-5418: Archive Entry with type 1 (hardlink), but has a non-zero data size file overwrite

Related Vulnerabilities: CVE-2016-5418   CVE-2016-7166   CVE-2016-6250  

Debian Bug report logs - #837714


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Tue, 13 Sep 2016 19:45:02 UTC

Severity: grave

Tags: patch, security, upstream

Found in versions libarchive/3.2.1-2, libarchive/3.0.4-3, libarchive/3.1.2-11

Fixed in versions libarchive/3.0.4-3+wheezy4, libarchive/3.2.1-4, libarchive/3.1.2-11+deb8u3

Done: Andreas Henriksson <andreas@fatal.se>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Libarchive Maintainers <ah-libarchive@debian.org>:
Bug#837714; Package src:libarchive. (Tue, 13 Sep 2016 19:45:05 GMT).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Libarchive Maintainers <ah-libarchive@debian.org>. (Tue, 13 Sep 2016 19:45:05 GMT).


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: libarchive: CVE-2016-5418: Archive Entry with type 1 (hardlink), but has a non-zero data size file overwrite
Date: Tue, 13 Sep 2016 21:41:49 +0200
Source: libarchive
Version: 3.2.1-2
Severity: grave
Tags: security upstream patch

Hi,

the following vulnerability was published for libarchive.

CVE-2016-5418[0]:
|Archive Entry with type 1 (hardlink), but has a non-zero data size
|file overwrite

This corresponds to [1] and [2], which are upstream as [3].

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2016-5418
[1] https://git.centos.org/blob/rpms!libarchive.git/9952851f8b327a8c93d26a5873c190c1fb09ae6c/SOURCES!libarchive-3.1.2-CVE-2016-5418.patch;jsessionid=1dexz8h9qdewibih5aonbu3
[2] https://git.centos.org/blob/rpms!libarchive.git/9952851f8b327a8c93d26a5873c190c1fb09ae6c/SOURCES!libarchive-3.1.2-CVE-2016-5418-variation.patch;jsessionid=1dexz8h9qdewibih5aonbu3
[3] https://github.com/libarchive/libarchive/commit/dfd6b54ce33960e420fb206d8872fb759b577ad9

Please adjust the affected versions in the BTS as needed. The jessie
version has not been checked yet, but is probably similarly affected.

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Libarchive Maintainers <ah-libarchive@debian.org>:
Bug#837714; Package src:libarchive. (Wed, 14 Sep 2016 04:45:04 GMT).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Libarchive Maintainers <ah-libarchive@debian.org>. (Wed, 14 Sep 2016 04:45:04 GMT).


Message #10 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Salvatore Bonaccorso <carnil@debian.org>, 837714@bugs.debian.org
Cc: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Re: Bug#837714: libarchive: CVE-2016-5418: Archive Entry with type 1 (hardlink), but has a non-zero data size file overwrite
Date: Wed, 14 Sep 2016 06:43:41 +0200
On Tue, Sep 13, 2016 at 09:41:49PM +0200, Salvatore Bonaccorso wrote:
> [0] https://security-tracker.debian.org/tracker/CVE-2016-5418
> [1] https://git.centos.org/blob/rpms!libarchive.git/9952851f8b327a8c93d26a5873c190c1fb09ae6c/SOURCES!libarchive-3.1.2-CVE-2016-5418.patch;jsessionid=1dexz8h9qdewibih5aonbu3
> [2] https://git.centos.org/blob/rpms!libarchive.git/9952851f8b327a8c93d26a5873c190c1fb09ae6c/SOURCES!libarchive-3.1.2-CVE-2016-5418-variation.patch;jsessionid=1dexz8h9qdewibih5aonbu3
> [3] https://github.com/libarchive/libarchive/commit/dfd6b54ce33960e420fb206d8872fb759b577ad9

Please note, it is not (yet) clear if [3] is the only one. The CVE relates
to https://bugzilla.redhat.com/show_bug.cgi?id=1362601 and to 
http://seclists.org/oss-sec/2016/q3/255 . 

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Libarchive Maintainers <ah-libarchive@debian.org>:
Bug#837714; Package src:libarchive. (Wed, 14 Sep 2016 04:45:06 GMT).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Libarchive Maintainers <ah-libarchive@debian.org>. (Wed, 14 Sep 2016 04:45:06 GMT).


Marked as found in versions libarchive/3.1.2-11. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 14 Sep 2016 04:51:03 GMT).


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Libarchive Maintainers <ah-libarchive@debian.org>:
Bug#837714; Package src:libarchive. (Sat, 24 Sep 2016 11:30:04 GMT).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Libarchive Maintainers <ah-libarchive@debian.org>. (Sat, 24 Sep 2016 11:30:04 GMT).


Message #22 received at 837714@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 837714@bugs.debian.org
Subject: Re: Bug#837714: libarchive: CVE-2016-5418: Archive Entry with type 1 (hardlink), but has a non-zero data size file overwrite
Date: Sat, 24 Sep 2016 13:27:52 +0200
Hi,

On Wed, Sep 14, 2016 at 06:43:41AM +0200, Salvatore Bonaccorso wrote:
> On Tue, Sep 13, 2016 at 09:41:49PM +0200, Salvatore Bonaccorso wrote:
> > [0] https://security-tracker.debian.org/tracker/CVE-2016-5418
> > [1] https://git.centos.org/blob/rpms!libarchive.git/9952851f8b327a8c93d26a5873c190c1fb09ae6c/SOURCES!libarchive-3.1.2-CVE-2016-5418.patch;jsessionid=1dexz8h9qdewibih5aonbu3
> > [2] https://git.centos.org/blob/rpms!libarchive.git/9952851f8b327a8c93d26a5873c190c1fb09ae6c/SOURCES!libarchive-3.1.2-CVE-2016-5418-variation.patch;jsessionid=1dexz8h9qdewibih5aonbu3
> > [3] https://github.com/libarchive/libarchive/commit/dfd6b54ce33960e420fb206d8872fb759b577ad9
> 
> Please note, it is not (yet) clear if [3] is the only one. The CVE relates
> to https://bugzilla.redhat.com/show_bug.cgi?id=1362601 and to 
> http://seclists.org/oss-sec/2016/q3/255 . 

I have added more information to the security-tracker page. Basically
two commits for #744, #745 and #746 plus two more for the testsuite.

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Libarchive Maintainers <ah-libarchive@debian.org>:
Bug#837714; Package src:libarchive. (Sun, 25 Sep 2016 10:30:04 GMT).


Acknowledgement sent to Peter Pentchev <roam@ringlet.net>:
Extra info received and forwarded to list. Copy sent to Debian Libarchive Maintainers <ah-libarchive@debian.org>. (Sun, 25 Sep 2016 10:30:04 GMT).


Message #27 received at 837714@bugs.debian.org:

From: Peter Pentchev <roam@ringlet.net>
To: Salvatore Bonaccorso <carnil@debian.org>, 837714@bugs.debian.org
Subject: Re: Bug#837714: libarchive: CVE-2016-5418: Archive Entry with type 1 (hardlink), but has a non-zero data size file overwrite
Date: Sun, 25 Sep 2016 13:18:58 +0300
On Sat, Sep 24, 2016 at 01:27:52PM +0200, Salvatore Bonaccorso wrote:
> Hi,
> 
> On Wed, Sep 14, 2016 at 06:43:41AM +0200, Salvatore Bonaccorso wrote:
> > On Tue, Sep 13, 2016 at 09:41:49PM +0200, Salvatore Bonaccorso wrote:
> > > [0] https://security-tracker.debian.org/tracker/CVE-2016-5418
> > > [1] https://git.centos.org/blob/rpms!libarchive.git/9952851f8b327a8c93d26a5873c190c1fb09ae6c/SOURCES!libarchive-3.1.2-CVE-2016-5418.patch;jsessionid=1dexz8h9qdewibih5aonbu3
> > > [2] https://git.centos.org/blob/rpms!libarchive.git/9952851f8b327a8c93d26a5873c190c1fb09ae6c/SOURCES!libarchive-3.1.2-CVE-2016-5418-variation.patch;jsessionid=1dexz8h9qdewibih5aonbu3
> > > [3] https://github.com/libarchive/libarchive/commit/dfd6b54ce33960e420fb206d8872fb759b577ad9
> > 
> > Please note, it is not (yet) clear if [3] is the only one. The CVE relates
> > to https://bugzilla.redhat.com/show_bug.cgi?id=1362601 and to 
> > http://seclists.org/oss-sec/2016/q3/255 . 
> 
> I have added more information to the security-tracker page. Basically
> two commits for #744, #745 and #746 plus two more for the testsuite.

I'm looking into it.  Thanks for doing the work so far, and sorry for
not reacting sooner!

G'luck,
Peter

-- 
Peter Pentchev  roam@ringlet.net roam@FreeBSD.org pp@storpool.com
PGP key:        http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint 2EE7 A7A5 17FC 124C F115  C354 651E EFB0 2527 DF13

Reply sent to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility. (Mon, 03 Oct 2016 22:06:07 GMT).


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Mon, 03 Oct 2016 22:06:08 GMT).


Message #32 received at 837714-close@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 837714-close@bugs.debian.org
Subject: Bug#837714: fixed in libarchive 3.1.2-11+deb8u3
Date: Mon, 03 Oct 2016 22:03:37 +0000
Source: libarchive
Source-Version: 3.1.2-11+deb8u3

We believe that the bug you reported is fixed in the latest version of
libarchive, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 837714@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated libarchive package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Sat, 24 Sep 2016 13:25:26 +0200
Source: libarchive
Binary: libarchive-dev libarchive13 bsdtar bsdcpio
Architecture: source
Version: 3.1.2-11+deb8u3
Distribution: jessie-security
Urgency: high
Maintainer: Debian Libarchive Maintainers <ah-libarchive@debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 837714
Description: 
 bsdcpio    - Implementation of the 'cpio' program from FreeBSD
 bsdtar     - Implementation of the 'tar' program from FreeBSD
 libarchive-dev - Multi-format archive and compression library (development files)
 libarchive13 - Multi-format archive and compression library (shared library)
Changes:
 libarchive (3.1.2-11+deb8u3) jessie-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * CVE-2016-7166: Denial of service using a crafted gzip file
   * CVE-2016-6250: Integer overflow in the ISO9660 writer
   * CVE-2016-5418: Archive Entry with type 1 (hardlink), but has a non-zero
     data size file overwrite (Closes: #837714)





Reply sent to Andreas Henriksson <andreas@fatal.se>:
You have taken responsibility. (Thu, 06 Oct 2016 23:27:07 GMT).


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Thu, 06 Oct 2016 23:27:07 GMT).


Message #37 received at 837714-close@bugs.debian.org:

From: Andreas Henriksson <andreas@fatal.se>
To: 837714-close@bugs.debian.org
Subject: Bug#837714: fixed in libarchive 3.2.1-4
Date: Thu, 06 Oct 2016 23:22:23 +0000
Source: libarchive
Source-Version: 3.2.1-4

We believe that the bug you reported is fixed in the latest version of
libarchive, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 837714@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Andreas Henriksson <andreas@fatal.se> (supplier of updated libarchive package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Thu, 06 Oct 2016 23:01:41 +0200
Source: libarchive
Binary: libarchive-dev libarchive13 libarchive-tools bsdtar bsdcpio
Architecture: source
Version: 3.2.1-4
Distribution: unstable
Urgency: medium
Maintainer: Debian Libarchive Maintainers <ah-libarchive@debian.org>
Changed-By: Andreas Henriksson <andreas@fatal.se>
Description:
 bsdcpio    - transitional dummy package for moving bsdcpio to libarchive-tools
 bsdtar     - transitional dummy package for moving bsdtar to libarchive-tools
 libarchive-dev - Multi-format archive and compression library (development files)
 libarchive-tools - FreeBSD implementations of 'tar' and 'cpio' and other archive too
 libarchive13 - Multi-format archive and compression library (shared library)
Closes: 659650 837714
Changes:
 libarchive (3.2.1-4) unstable; urgency=medium
 .
   * Bump debhelper compat to 10
   * Install manpages via debian/*.install
   * libarchive-dev: ship examples/ directory (Closes: #659650)
   * Use the "fail-missing" dh_install option
   * Cherry-pick upstream commits for CVE-2016-5418 (Closes: #837714)





Marked as found in versions libarchive/3.0.4-3. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 16 Oct 2016 06:54:03 GMT).


Marked as fixed in versions libarchive/3.0.4-3+wheezy4. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 16 Oct 2016 06:54:04 GMT).


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 05 Dec 2016 08:00:42 GMT).


Bug unarchived. Request was from Don Armstrong <don@debian.org> to control@bugs.debian.org. (Wed, 07 Dec 2016 01:56:21 GMT).


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 01 Feb 2017 07:26:22 GMT).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 18:56:36 2019; Machine Name: buxtehude
