libarchive: cve-2010-4666 and cve-2011-1777


Debian Bug report logs - #669197


Reported by: Michael Gilbert <mgilbert@debian.org>

Date: Wed, 18 Apr 2012 03:57:02 UTC

Severity: important

Fixed in version 3.0.4-2

Done: Moritz Muehlenhoff <jmm@inutil.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian Libarchive Maintainers <ah-libarchive@debian.org>:
Bug#669197; Package libarchive. (Wed, 18 Apr 2012 03:57:04 GMT)


Acknowledgement sent to Michael Gilbert <mgilbert@debian.org>:
New Bug report received and forwarded. Copy sent to Debian Libarchive Maintainers <ah-libarchive@debian.org>. (Wed, 18 Apr 2012 03:57:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Michael Gilbert <mgilbert@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: libarchive: cve-2010-4666 and cve-2011-1777
Date: Tue, 17 Apr 2012 23:55:14 -0400

package: libarchive
severity: important
tag: security

A couple of issues were reported in libarchive >= 3.0, and are likely
fixed already, but outside access to the bug reports is still
restricted, so it's impossible to know.  Please check the info at the
following google code restricted links or with upstream:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4666
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1779

More info can be found in the redhat bug report:
https://bugzilla.redhat.com/show_bug.cgi?id=705849




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Libarchive Maintainers <ah-libarchive@debian.org>:
Bug#669197; Package libarchive. (Thu, 26 Apr 2012 11:36:18 GMT)


Acknowledgement sent to Andreas Henriksson <andreas@fatal.se>:
Extra info received and forwarded to list. Copy sent to Debian Libarchive Maintainers <ah-libarchive@debian.org>. (Thu, 26 Apr 2012 11:36:21 GMT)


Message #10 received at 669197@bugs.debian.org:

From: Andreas Henriksson <andreas@fatal.se>
To: Michael Gilbert <mgilbert@debian.org>, 669197@bugs.debian.org
Subject: Re: Bug#669197: libarchive: cve-2010-4666 and cve-2011-1777
Date: Thu, 26 Apr 2012 13:37:13 +0200

Hello Michael!

I'm really confused by different claims which completely lack any
references or background information, so I have no way to figure out
what is true and not.

On Tue, Apr 17, 2012 at 11:55:14PM -0400, Michael Gilbert wrote:
> A couple of issues were reported in libarchive >= 3.0, and are likely
> fixed already, but outside access to the bug reports is still
> restricted, so it's impossible to know.  Please check the info at the
> following google code restricted links or with upstream:
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4666

From what I can see the issue was reported against pre-releases of 3.0,
so < 3.0... Do you have any indication that they also affect >= 3.0?

> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1779

This one is mentioned to affect 2.8.4 & 2.8.5 via TAR and ISO9660.

http://security-tracker.debian.org/tracker/CVE-2011-1779 on the other
hand says that our 2.8.4 package apparently is not affected, while 3.0.4-1 is!

The comment says "vulnerable code not present in 2.x series" which contradicts
the CVE report totally. I'd like to know where this information comes from!

Who should I believe here when I have no information to support either story?!

> 
> More info can be found in the redhat bug report:
> https://bugzilla.redhat.com/show_bug.cgi?id=705849


-- 
Andreas Henriksson




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Libarchive Maintainers <ah-libarchive@debian.org>:
Bug#669197; Package libarchive. (Sun, 29 Apr 2012 04:39:03 GMT)


Acknowledgement sent to Michael Gilbert <mgilbert@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Libarchive Maintainers <ah-libarchive@debian.org>. (Sun, 29 Apr 2012 04:39:03 GMT)


Message #15 received at 669197@bugs.debian.org:

From: Michael Gilbert <mgilbert@debian.org>
To: 669197@bugs.debian.org
Subject: Re: Bug#669197: libarchive: cve-2010-4666 and cve-2011-1777
Date: Sun, 29 Apr 2012 00:35:00 -0400

On Thu, Apr 26, 2012 at 7:37 AM, Andreas Henriksson wrote:
> Hello Michael!
>
> I'm really confused by different claims which completely lack any
> references or background information, so I have no way to figure out
> what is true and not.
>
> On Tue, Apr 17, 2012 at 11:55:14PM -0400, Michael Gilbert wrote:
>> A couple of issues were reported in libarchive >= 3.0, and are likely
>> fixed already, but outside access to the bug reports is still
>> restricted, so it's impossible to know.  Please check the info at the
>> following google code restricted links or with upstream:
>> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4666
>
> From what I can see the issue was reported against pre-releases of 3.0,
> so < 3.0... Do you have any indication that they also affect >= 3.0?

I have no info either way, which is why these issues need to be
checked against real information.  That is behind restricted chrome
bug reports, so you'll need to get access to those somehow.

>> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1779
>
> This one is mentioned to affect 2.8.4 & 2.8.5 via TAR and ISO9660.
>
> http://security-tracker.debian.org/tracker/CVE-2011-1779 on the other
> hand says that our 2.8.4 package apparently is not affected, while 3.0.4-1 is!
>
> The comment says "vulnerable code not present in 2.x series" which contradicts
> the CVE report totally. I'd like to know where this information comes from!

That is based on the statement toward the bottom of the redhat bug
report, which may be right or wrong.  Again, it's something that needs
to be checked against real information.  Unfortunately all of it is
behind those restricted chrome reports.

Best wishes,
Mike




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Libarchive Maintainers <ah-libarchive@debian.org>:
Bug#669197; Package libarchive. (Thu, 06 Sep 2012 16:09:05 GMT)


Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Debian Libarchive Maintainers <ah-libarchive@debian.org>. (Thu, 06 Sep 2012 16:09:05 GMT)


Message #20 received at 669197@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@inutil.org>
To: andreas@fatal.se
Cc: 669197@bugs.debian.org
Subject: Re: Bug#669197: libarchive: cve-2010-4666 and cve-2011-1777
Date: Thu, 6 Sep 2012 18:05:06 +0200

On Sun, Apr 29, 2012 at 12:35:00AM -0400, Michael Gilbert wrote:
> On Thu, Apr 26, 2012 at 7:37 AM, Andreas Henriksson wrote:
> > Hello Michael!
> >
> > I'm really confused by different claims which completely lack any
> > references or background information, so I have no way to figure out
> > what is true and not.
> >
> > On Tue, Apr 17, 2012 at 11:55:14PM -0400, Michael Gilbert wrote:
> >> A couple of issues were reported in libarchive >= 3.0, and are likely
> >> fixed already, but outside access to the bug reports is still
> >> restricted, so it's impossible to know.  Please check the info at the
> >> following google code restricted links or with upstream:
> >> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4666
> >
> > From what I can see the issue was reported against pre-releases of 3.0,
> > so < 3.0... Do you have any indication that they also affect >= 3.0?
> 
> I have no info either way, which is why these issues need to be
> checked against real information.  That is behind restricted chrome
> bug reports, so you'll need to get access to those somehow.
> 
> >> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1779
> >
> > This one is mentioned to affect 2.8.4 & 2.8.5 via TAR and ISO9660.
> >
> > http://security-tracker.debian.org/tracker/CVE-2011-1779 on the other
> > hand says that our 2.8.4 package apparently is not affected, while 3.0.4-1 is!
> >
> > The comment says "vulnerable code not present in 2.x series" which contradicts
> > the CVE report totally. I'd like to know where this information comes from!
> 
> That is based on the statement toward the bottom of the redhat bug
> report, which may be right or wrong.  Again, it's something that needs
> to be checked against real information.  Unfortunately all of it is
> behind those restricted chrome reports.

Andreas,
could you contact upstream and let them confirm the upstream releases which
fixed these issues? I'd like to get this sorted out for Wheezy.

Cheers,
        Moritz



Reply sent to Moritz Muehlenhoff <jmm@inutil.org>:
You have taken responsibility. (Fri, 07 Dec 2012 07:24:06 GMT)


Notification sent to Michael Gilbert <mgilbert@debian.org>:
Bug acknowledged by developer. (Fri, 07 Dec 2012 07:24:06 GMT)


Message #25 received at 669197-done@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Michael Gilbert <mgilbert@debian.org>
Cc: 669197-done@bugs.debian.org
Subject: Re: Bug#669197: libarchive: cve-2010-4666 and cve-2011-1777
Date: Fri, 7 Dec 2012 08:19:08 +0100
Version: 3.0.4-2

On Sun, Apr 29, 2012 at 12:35:00AM -0400, Michael Gilbert wrote:
> That is based on the statement toward the bottom of the redhat bug
> report, which may be right or wrong.  Again, it's something that needs
> to be checked against real information.  Unfortunately all of it is
> behind those restricted chrome reports.

The references are not hidden bug reports, but SVN revisions for a repo
that now uses git (that's why the refs 404).

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1779
http://code.google.com/p/libarchive/source/detail?r=0736e0890a8fce59e96d57340405c56f084407e7

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4666
http://code.google.com/p/libarchive/source/detail?r=488ef3fb28c416285ebe4c00266268db7330466b

I've verified that these fixes are present in Wheezy, closing.

Cheers,
        Moritz



Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 05 Jan 2013 07:28:22 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 16:34:05 2019; Machine Name: buxtehude
