libarchive: CVE-2016-10209

Related Vulnerabilities: CVE-2016-10209   CVE-2016-10349   CVE-2016-10350   CVE-2017-14166  

Debian Bug report logs - #859456
libarchive: CVE-2016-10209


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Mon, 3 Apr 2017 19:09:01 UTC

Severity: important

Tags: fixed-upstream, patch, security, upstream

Found in version libarchive/3.1.2-11

Fixed in versions libarchive/3.2.2-2.1, libarchive/3.2.2-3.1

Done: Salvatore Bonaccorso <carnil@debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://github.com/libarchive/libarchive/issues/842



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Libarchive Maintainers <ah-libarchive@debian.org>:
Bug#859456; Package src:libarchive. (Mon, 03 Apr 2017 19:09:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Libarchive Maintainers <ah-libarchive@debian.org>. (Mon, 03 Apr 2017 19:09:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: libarchive: CVE-2016-10209
Date: Mon, 03 Apr 2017 21:06:19 +0200
Source: libarchive
Version: 3.1.2-11
Severity: important
Tags: upstream security
Forwarded: https://github.com/libarchive/libarchive/issues/842

Hi,

the following vulnerability was published for libarchive.

CVE-2016-10209[0]:
| The archive_wstring_append_from_mbs function in archive_string.c in
| libarchive 3.2.2 allows remote attackers to cause a denial of service
| (NULL pointer dereference and application crash) via a crafted archive
| file.

It was reported upstream at [1] and if I'm correct the fix should be
[2]. Can you confirm that? 

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2016-10209
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10209
[1] https://github.com/libarchive/libarchive/issues/842
[2] https://github.com/libarchive/libarchive/commit/42a3408ac7df1e69bea9ea12b72e14f59f7400c0

Please adjust the affected versions in the BTS as needed.

Regarding an update, I do not think this would warrant a DSA on its
own but would be great once fixed for sid and stretch, if a fix can as
well land in jessie (via a point release as well for the other issues
marked currently no-dsa).

Regards,
Salvatore

-- System Information:
Debian Release: 9.0
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Libarchive Maintainers <ah-libarchive@debian.org>:
Bug#859456; Package src:libarchive. (Thu, 06 Apr 2017 16:06:02 GMT)


Acknowledgement sent to Raphael Hertzog <hertzog@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Libarchive Maintainers <ah-libarchive@debian.org>. (Thu, 06 Apr 2017 16:06:02 GMT)


Message #10 received at 859456@bugs.debian.org:

From: Raphael Hertzog <hertzog@debian.org>
To: Salvatore Bonaccorso <carnil@debian.org>, 859456@bugs.debian.org
Subject: Re: Bug#859456: libarchive: CVE-2016-10209
Date: Thu, 6 Apr 2017 18:02:41 +0200

Hi,

On Mon, 03 Apr 2017, Salvatore Bonaccorso wrote:
> CVE-2016-10209[0]:
> | The archive_wstring_append_from_mbs function in archive_string.c in
> | libarchive 3.2.2 allows remote attackers to cause a denial of service
> | (NULL pointer dereference and application crash) via a crafted archive
> | file.
> 
> It was reported upstream at [1] and if I'm correct the fix should be
> [2]. Can you confirm that? 
> 
> [1] https://github.com/libarchive/libarchive/issues/842
> [2] https://github.com/libarchive/libarchive/commit/42a3408ac7df1e69bea9ea12b72e14f59f7400c0

I tried to reproduce the issue on all Debian versions and using "bsdtar"
from "libarchive-tools" (in stretch 3.2.1-6 and sid 3.2.2-2) or from
"bsdtar" (in jessie 3.1.2-11+deb8u3 / wheezy 3.0.4-3+wheezy5+deb7u1), I always
get the same error:

$ wget https://frankowicz.me/storage/crashes/la_segv_archive_wstring_append_from_mbs -O CVE-2016-10209-la_segv_archive_wstring_append_from_mbs
$ bsdtar -t -f CVE-2016-10209-la_segv_archive_wstring_append_from_mbs
bsdtar: Archive entry has empty or unreadable filename ... skipping.
bsdtar: (null)
bsdtar: Error exit delayed from previous errors.

Thus I don't have any segfault similar to what is reported in [1].
I'm not sure what conclusion I should draw from this...

My tests have been made on amd64.

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: https://www.freexian.com/services/debian-lts.html
Learn to master Debian: https://debian-handbook.info/get/



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Libarchive Maintainers <ah-libarchive@debian.org>:
Bug#859456; Package src:libarchive. (Fri, 07 Apr 2017 08:57:07 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Libarchive Maintainers <ah-libarchive@debian.org>. (Fri, 07 Apr 2017 08:57:07 GMT)


Message #15 received at 859456@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Raphael Hertzog <hertzog@debian.org>, 859456@bugs.debian.org
Subject: Re: Bug#859456: libarchive: CVE-2016-10209
Date: Fri, 7 Apr 2017 10:55:35 +0200

Hi Raphael,

On Thu, Apr 06, 2017 at 06:02:41PM +0200, Raphael Hertzog wrote:
> Hi,
> 
> On Mon, 03 Apr 2017, Salvatore Bonaccorso wrote:
> > CVE-2016-10209[0]:
> > | The archive_wstring_append_from_mbs function in archive_string.c in
> > | libarchive 3.2.2 allows remote attackers to cause a denial of service
> > | (NULL pointer dereference and application crash) via a crafted archive
> > | file.
> > 
> > It was reported upstream at [1] and if I'm correct the fix should be
> > [2]. Can you confirm that? 
> > 
> > [1] https://github.com/libarchive/libarchive/issues/842
> > [2] https://github.com/libarchive/libarchive/commit/42a3408ac7df1e69bea9ea12b72e14f59f7400c0
> 
> I tried to reproduce the issue on all Debian versions and using "bsdtar"
> from "libarchive-tools" (in stretch 3.2.1-6 and sid 3.2.2-2) or from
> "bsdtar" (in jessie 3.1.2-11+deb8u3 / wheezy 3.0.4-3+wheezy5+deb7u1), I always
> get the same error:
> 
> $ wget https://frankowicz.me/storage/crashes/la_segv_archive_wstring_append_from_mbs -O CVE-2016-10209-la_segv_archive_wstring_append_from_mbs
> $ bsdtar -t -f CVE-2016-10209-la_segv_archive_wstring_append_from_mbs
> bsdtar: Archive entry has empty or unreadable filename ... skipping.
> bsdtar: (null)
> bsdtar: Error exit delayed from previous errors.
> 
> Thus I don't have any segfault similar to what is reported in [1].
> I'm not sure what conclusion I should draw from this...
> 
> My tests have been made on amd64.

What follows is not yet a full analysis. But the problem seems hidden.
In the upstream report the issue is raised at

577     archive_wstring_append_from_mbs(struct archive_wstring *dest,
578         const char *p, size_t len)
[...]
588             const char *mbs = p;
[...]
603             while (*mbs && mbs_length > 0) {

Loading in a debugger, and setting a break on the respective function
archive_wstring_append_from_mbs, if it gets p=0x0, there the null
pointer will be dereferenced.

Now the upper function is archive_mstring_get_wcs, and if aes->aes_set is
AES_SET_MBS and aes->aes_mbs.s is NULL, then the above situation arises.

----cut---------cut---------cut---------cut---------cut---------cut-----
int
archive_mstring_get_wcs(struct archive *a, struct archive_mstring *aes,
    const wchar_t **wp)
{
        int r, ret = 0;

        (void)a;/* UNUSED */
        /* Return WCS form if we already have it. */
        if (aes->aes_set & AES_SET_WCS) {
                *wp = aes->aes_wcs.s;
                return (ret);
        }

        *wp = NULL;
        /* Try converting MBS to WCS using native locale. */
        if (aes->aes_set & AES_SET_MBS) {
                archive_wstring_empty(&(aes->aes_wcs));
                r = archive_wstring_append_from_mbs(&(aes->aes_wcs),
                    aes->aes_mbs.s, aes->aes_mbs.length);
                if (r == 0) {
                        aes->aes_set |= AES_SET_WCS;
                        *wp = aes->aes_wcs.s;
                } else
                        ret = -1;/* failure. */
        }
        return (ret);
}
----cut---------cut---------cut---------cut---------cut---------cut-----

The upstream commit
https://github.com/libarchive/libarchive/commit/42a3408ac7df1e69bea9ea12b72e14f59f7400c0
now enforces that, "This ensures e.g. that
archive_mstring_copy_mbs_len_l() does not set aes_set = AES_SET_MBS
with aes_mbs.s == NULL."

If it can be proven that for Debian binary packages this situation
is never ever possible (why?), then I'm fine to mark the issue in the
security-tracker as unimportant, since the vulnerable source is still
there.

Regards,
Salvatore
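
The invariant discussed in the message above (the MBS flag must never be set while the MBS buffer pointer is NULL), as an added C example that is not libarchive's code and not part of the original thread. The struct and function names are simplified, hypothetical stand-ins for archive_mstring, AES_SET_MBS/AES_SET_WCS and archive_mstring_get_wcs; the copy routine allocates even for a zero-length input, and the conversion checks the pointer before use.

```c
#include <stdlib.h>
#include <string.h>
#include <wchar.h>

/* Simplified stand-ins for libarchive's string types, not the real definitions. */
struct mbs { char *s; size_t length; };
struct wcs { wchar_t *s; size_t length; };
struct mstring { struct mbs mbs; struct wcs wcs; int set; };
#define SET_MBS 1 /* plays the role of AES_SET_MBS */
#define SET_WCS 4 /* plays the role of AES_SET_WCS */

/* Copy len bytes into dst. Allocates even when len == 0, so a successful
 * copy never leaves dst->s == NULL. */
static int mbs_copy(struct mbs *dst, const char *p, size_t len)
{
    char *buf = realloc(dst->s, len + 1);
    if (buf == NULL)
        return -1;
    if (len > 0)
        memcpy(buf, p, len);
    buf[len] = '\0';
    dst->s = buf;
    dst->length = len;
    return 0;
}

/* Raise the MBS flag only once the buffer exists. */
static int mstring_set_mbs(struct mstring *m, const char *p, size_t len)
{
    m->set = 0;
    if (mbs_copy(&m->mbs, p, len) != 0)
        return -1;
    m->set = SET_MBS;
    return 0;
}

/* MBS -> WCS conversion that rejects "flag set, buffer NULL" instead of dereferencing it. */
static int mstring_get_wcs(struct mstring *m, const wchar_t **wp)
{
    wchar_t *out; size_t n;
    *wp = NULL;
    if (m->set & SET_WCS) { *wp = m->wcs.s; return 0; }
    if (!(m->set & SET_MBS)) return 0;
    if (m->mbs.s == NULL) return -1; /* broken invariant: report failure */
    out = calloc(m->mbs.length + 1, sizeof(*out));
    if (out == NULL) return -1;
    n = mbstowcs(out, m->mbs.s, m->mbs.length);
    if (n == (size_t)-1) { free(out); return -1; }
    free(m->wcs.s);
    m->wcs.s = out; m->wcs.length = n;
    m->set |= SET_WCS;
    *wp = out;
    return 0;
}

int main(void)
{
    struct mstring m = { {NULL, 0}, {NULL, 0}, 0 };
    const wchar_t *w;
    /* Zero-length name: both steps succeed, exit status 0. */
    return mstring_set_mbs(&m, NULL, 0) || mstring_get_wcs(&m, &w);
}
```
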



Added tag(s) fixed-upstream. Request was from bts-link-upstream@lists.alioth.debian.org to control@bugs.debian.org. (Mon, 10 Apr 2017 17:39:21 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Libarchive Maintainers <ah-libarchive@debian.org>:
Bug#859456; Package src:libarchive. (Sat, 09 Sep 2017 07:57:05 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Libarchive Maintainers <ah-libarchive@debian.org>. (Sat, 09 Sep 2017 07:57:05 GMT)


Message #22 received at 859456@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 859456@bugs.debian.org, 861609@bugs.debian.org, 874539@bugs.debian.org
Subject: libarchive: diff for NMU version 3.2.2-2.1
Date: Sat, 9 Sep 2017 09:32:28 +0200

Control: tags 859456 + patch
Control: tags 859456 + pending
Control: tags 861609 + pending
Control: tags 874539 + pending

Dear maintainer,

I've prepared an NMU for libarchive (versioned as 3.2.2-2.1) and
uploaded it to DELAYED/5. Please feel free to tell me if I
should delay it longer.

Regards,
Salvatore
[libarchive-3.2.2-2.1-nmu.diff (text/x-diff, attachment)]

Added tag(s) patch. Request was from Salvatore Bonaccorso <carnil@debian.org> to 859456-submit@bugs.debian.org. (Sat, 09 Sep 2017 07:57:05 GMT)


Added tag(s) pending. Request was from Salvatore Bonaccorso <carnil@debian.org> to 859456-submit@bugs.debian.org. (Sat, 09 Sep 2017 07:57:05 GMT)


Reply sent to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility. (Thu, 14 Sep 2017 09:21:03 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Thu, 14 Sep 2017 09:21:03 GMT)


Message #31 received at 859456-close@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 859456-close@bugs.debian.org
Subject: Bug#859456: fixed in libarchive 3.2.2-2.1
Date: Thu, 14 Sep 2017 09:17:20 +0000
Source: libarchive
Source-Version: 3.2.2-2.1

We believe that the bug you reported is fixed in the latest version of
libarchive, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 859456@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated libarchive package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 09 Sep 2017 09:09:35 +0200
Source: libarchive
Binary: libarchive-dev libarchive13 libarchive-tools bsdtar bsdcpio
Architecture: source
Version: 3.2.2-2.1
Distribution: unstable
Urgency: medium
Maintainer: Debian Libarchive Maintainers <ah-libarchive@debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 859456 861609 874539
Description: 
 bsdcpio    - transitional dummy package for moving bsdcpio to libarchive-tools
 bsdtar     - transitional dummy package for moving bsdtar to libarchive-tools
 libarchive-dev - Multi-format archive and compression library (development files)
 libarchive-tools - FreeBSD implementations of 'tar' and 'cpio' and other archive too
 libarchive13 - Multi-format archive and compression library (shared library)
Changes:
 libarchive (3.2.2-2.1) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * archive_strncat_l(): allocate and do not convert if length == 0
     (CVE-2016-10209) (Closes: #859456)
   * Reread the CAB header skipping the self-extracting binary code
     (CVE-2016-10349, CVE-2016-10350) (Closes: #861609)
   * Do something sensible for empty strings to make fuzzers happy
     (CVE-2017-14166)
     Fixes heap-based buffer over-read in the atol8 function. (Closes: #874539)




Reply sent to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility. (Thu, 14 Sep 2017 15:18:12 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Thu, 14 Sep 2017 15:18:13 GMT)


Message #36 received at 859456-close@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 859456-close@bugs.debian.org
Subject: Bug#859456: fixed in libarchive 3.2.2-3.1
Date: Thu, 14 Sep 2017 15:15:48 +0000
Source: libarchive
Source-Version: 3.2.2-3.1

We believe that the bug you reported is fixed in the latest version of
libarchive, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 859456@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated libarchive package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 14 Sep 2017 16:02:10 +0200
Source: libarchive
Binary: libarchive-dev libarchive13 libarchive-tools bsdtar bsdcpio
Architecture: source
Version: 3.2.2-3.1
Distribution: unstable
Urgency: high
Maintainer: Peter Pentchev <roam@ringlet.net>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 859456 861609 874539
Description: 
 bsdcpio    - transitional dummy package for moving bsdcpio to libarchive-tools
 bsdtar     - transitional dummy package for moving bsdtar to libarchive-tools
 libarchive-dev - Multi-format archive and compression library (development files)
 libarchive-tools - FreeBSD implementations of 'tar' and 'cpio' and other archive too
 libarchive13 - Multi-format archive and compression library (shared library)
Changes:
 libarchive (3.2.2-3.1) unstable; urgency=high
 .
   * Non-maintainer upload.
   * Reupload 3.2.2-2.1 on top of 3.2.2-3
   * archive_strncat_l(): allocate and do not convert if length == 0
     (CVE-2016-10209) (Closes: #859456)
   * Reread the CAB header skipping the self-extracting binary code
     (CVE-2016-10349, CVE-2016-10350) (Closes: #861609)
   * Do something sensible for empty strings to make fuzzers happy
     (CVE-2017-14166)
     Fixes heap-based buffer over-read in the atol8 function. (Closes: #874539)




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 15 Oct 2017 07:29:29 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 14:04:05 2019; Machine Name: buxtehude
