Debian Bug report logs - #669197
libarchive: cve-2010-4666 and cve-2011-1777
Reported by: Michael Gilbert <mgilbert@debian.org>
Date: Wed, 18 Apr 2012 03:57:02 UTC
Severity: important
Fixed in version 3.0.4-2
Done: Moritz Muehlenhoff <jmm@inutil.org>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, Debian Libarchive Maintainers <ah-libarchive@debian.org>: Bug#669197; Package libarchive. (Wed, 18 Apr 2012 03:57:04 GMT)
Acknowledgement sent to Michael Gilbert <mgilbert@debian.org>: New Bug report received and forwarded. Copy sent to Debian Libarchive Maintainers <ah-libarchive@debian.org>. (Wed, 18 Apr 2012 03:57:04 GMT)
Message #5 received at submit@bugs.debian.org:
package: libarchive
severity: important
tag: security
A couple of issues were reported in libarchive >= 3.0, and are likely
fixed already, but outside access to the bug reports is still
restricted, so it's impossible to know. Please check the info at the
following Google Code restricted links or with upstream:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4666
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1779
More info can be found in the redhat bug report:
https://bugzilla.redhat.com/show_bug.cgi?id=705849
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Libarchive Maintainers <ah-libarchive@debian.org>: Bug#669197; Package libarchive. (Thu, 26 Apr 2012 11:36:18 GMT)
Acknowledgement sent to Andreas Henriksson <andreas@fatal.se>: Extra info received and forwarded to list. Copy sent to Debian Libarchive Maintainers <ah-libarchive@debian.org>. (Thu, 26 Apr 2012 11:36:21 GMT)
Message #10 received at 669197@bugs.debian.org:
Hello Michael!
I'm really confused by different claims which completely lack any
references or background information, so I have no way to figure out
what is true and what is not.
On Tue, Apr 17, 2012 at 11:55:14PM -0400, Michael Gilbert wrote:
> A couple of issues were reported in libarchive >= 3.0, and are likely
> fixed already, but outside access to the bug reports is still
> restricted, so it's impossible to know. Please check the info at the
> following Google Code restricted links or with upstream:
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4666
From what I can see the issue was reported against PRE-releases of 3.0,
so < 3.0 .... do you have any indication that they also affect >= 3.0 ?
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1779
This one is mentioned to affect 2.8.4 & 2.8.5 via TAR and ISO9660.
http://security-tracker.debian.org/tracker/CVE-2011-1779 on the other
hand says that our 2.8.4 package apparently is not affected, while 3.0.4-1 is!
The comment says "vulnerable code not present in 2.x series" which contradicts
the CVE report totally. I'd like to know where this information comes from!
Who should I believe here when I have no information to support either story?!
>
> More info can be found in the redhat bug report:
> https://bugzilla.redhat.com/show_bug.cgi?id=705849
--
Andreas Henriksson
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Libarchive Maintainers <ah-libarchive@debian.org>: Bug#669197; Package libarchive. (Sun, 29 Apr 2012 04:39:03 GMT)
Acknowledgement sent to Michael Gilbert <mgilbert@debian.org>: Extra info received and forwarded to list. Copy sent to Debian Libarchive Maintainers <ah-libarchive@debian.org>. (Sun, 29 Apr 2012 04:39:03 GMT)
Message #15 received at 669197@bugs.debian.org:
On Thu, Apr 26, 2012 at 7:37 AM, Andreas Henriksson wrote:
> Hello Michael!
>
> I'm really confused by different claims which completely lack any
> references or background information, so I have no way to figure out
> what is true and what is not.
>
> On Tue, Apr 17, 2012 at 11:55:14PM -0400, Michael Gilbert wrote:
>> A couple of issues were reported in libarchive >= 3.0, and are likely
>> fixed already, but outside access to the bug reports is still
>> restricted, so it's impossible to know. Please check the info at the
>> following Google Code restricted links or with upstream:
>> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4666
>
> From what I can see the issue was reported against PRE-releases of 3.0,
> so < 3.0 .... do you have any indication that they also affect >= 3.0 ?
I have no info either way, which is why these issues need to be
checked against real information. That is behind restricted chrome
bug reports, so you'll need to get access to those somehow.
>> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1779
>
> This one is mentioned to affect 2.8.4 & 2.8.5 via TAR and ISO9660.
>
> http://security-tracker.debian.org/tracker/CVE-2011-1779 on the other
> hand says that our 2.8.4 package apparently is not affected, while 3.0.4-1 is!
>
> The comment says "vulnerable code not present in 2.x series" which contradicts
> the CVE report totally. I'd like to know where this information comes from!
That is based on the statement toward the bottom of the Red Hat bug
report, which may be right or wrong. Again, it's something that needs
to be checked against real information. Unfortunately all of it is
behind those restricted Chrome reports.
Best wishes,
Mike
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Libarchive Maintainers <ah-libarchive@debian.org>: Bug#669197; Package libarchive. (Thu, 06 Sep 2012 16:09:05 GMT)
Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>: Extra info received and forwarded to list. Copy sent to Debian Libarchive Maintainers <ah-libarchive@debian.org>. (Thu, 06 Sep 2012 16:09:05 GMT)
Message #20 received at 669197@bugs.debian.org:
On Sun, Apr 29, 2012 at 12:35:00AM -0400, Michael Gilbert wrote:
> On Thu, Apr 26, 2012 at 7:37 AM, Andreas Henriksson wrote:
> > Hello Michael!
> >
> > I'm really confused by different claims which completely lack any
> > references or background information, so I have no way to figure out
> > what is true and what is not.
> >
> > On Tue, Apr 17, 2012 at 11:55:14PM -0400, Michael Gilbert wrote:
> >> A couple of issues were reported in libarchive >= 3.0, and are likely
> >> fixed already, but outside access to the bug reports is still
> >> restricted, so it's impossible to know. Please check the info at the
> >> following Google Code restricted links or with upstream:
> >> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4666
> >
> > From what I can see the issue was reported against PRE-releases of 3.0,
> > so < 3.0 .... do you have any indication that they also affect >= 3.0 ?
>
> I have no info either way, which is why these issues need to be
> checked against real information. That is behind restricted chrome
> bug reports, so you'll need to get access to those somehow.
>
> >> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1779
> >
> > This one is mentioned to affect 2.8.4 & 2.8.5 via TAR and ISO9660.
> >
> > http://security-tracker.debian.org/tracker/CVE-2011-1779 on the other
> > hand says that our 2.8.4 package apparently is not affected, while 3.0.4-1 is!
> >
> > The comment says "vulnerable code not present in 2.x series" which contradicts
> > the CVE report totally. I'd like to know where this information comes from!
>
> That is based on the statement toward the bottom of the Red Hat bug
> report, which may be right or wrong. Again, it's something that needs
> to be checked against real information. Unfortunately all of it is
> behind those restricted Chrome reports.
Andreas,
could you contact upstream and have them confirm which upstream releases
fixed these issues? I'd like to get this sorted out for Wheezy.
Cheers,
Moritz
Reply sent to Moritz Muehlenhoff <jmm@inutil.org>: You have taken responsibility. (Fri, 07 Dec 2012 07:24:06 GMT)
Notification sent to Michael Gilbert <mgilbert@debian.org>: Bug acknowledged by developer. (Fri, 07 Dec 2012 07:24:06 GMT)
Message #25 received at 669197-done@bugs.debian.org:
Version: 3.0.4-2
On Sun, Apr 29, 2012 at 12:35:00AM -0400, Michael Gilbert wrote:
> That is based on the statement toward the bottom of the Red Hat bug
> report, which may be right or wrong. Again, it's something that needs
> to be checked against real information. Unfortunately all of it is
> behind those restricted Chrome reports.
The references are not hidden bug reports, but SVN revisions for a repo
that now uses git (that's why the refs 404).
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1779
http://code.google.com/p/libarchive/source/detail?r=0736e0890a8fce59e96d57340405c56f084407e7
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4666
http://code.google.com/p/libarchive/source/detail?r=488ef3fb28c416285ebe4c00266268db7330466b
I've verified that these fixes are present in Wheezy, closing.
Cheers,
Moritz
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 05 Jan 2013 07:28:22 GMT)
Last modified: Wed Jun 19 16:34:05 2019