Debian Bug report logs - #874539
libarchive: CVE-2017-14166: heap-based buffer overflow in xml_data (archive_read_support_format_xar.c)


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Thu, 7 Sep 2017 06:03:02 UTC

Severity: important

Tags: patch, security, upstream

Found in version libarchive/3.1.2-11

Fixed in versions libarchive/3.2.2-2.1, libarchive/3.2.2-3.1

Done: Salvatore Bonaccorso <carnil@debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://github.com/libarchive/libarchive/issues/935



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Libarchive Maintainers <ah-libarchive@debian.org>:
Bug#874539; Package src:libarchive. (Thu, 07 Sep 2017 06:03:04 GMT).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Libarchive Maintainers <ah-libarchive@debian.org>. (Thu, 07 Sep 2017 06:03:04 GMT).


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: libarchive: CVE-2017-14166: heap-based buffer overflow in xml_data (archive_read_support_format_xar.c)
Date: Thu, 07 Sep 2017 08:00:41 +0200
Source: libarchive
Version: 3.1.2-11
Severity: important
Tags: upstream patch security
Forwarded: https://github.com/libarchive/libarchive/issues/935

Hi,

the following vulnerability was published for libarchive.

CVE-2017-14166[0]:
| libarchive 3.3.2 allows remote attackers to cause a denial of service
| (xml_data heap-based buffer over-read and application crash) via a
| crafted xar archive, related to the mishandling of empty strings in the
| atol8 function in archive_read_support_format_xar.c.

Although not directly reproducible, the check for char_cnt is missing
as well in our versions.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-14166
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14166
[1] https://github.com/libarchive/libarchive/issues/935

Regards,
Salvatore
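
The report above describes the bug class only in one sentence: an empty string reaches a length-delimited number parser (atol8) that does not check char_cnt before reading, so the first dereference lands one byte past a zero-length field. The following is an added example, not code from this bug report, from libarchive or from the upstream fix: a small length-delimited octal parser written twice, in the vulnerable shape the report describes and in a hardened shape that tests the bound before every read. The names atol8_unchecked, atol8_checked, fetch and over_reads are hypothetical, and the exact shape of the vulnerable loop is inferred from the report's description rather than copied from libarchive. To make the over-read observable without a sanitizer, every byte access goes through fetch(), which counts reads at an index at or beyond char_cnt; the constructed demo data keeps unrelated bytes after each field so the program itself stays within defined behaviour, whereas on a heap buffer that ends exactly at the field the same read is the over-read the CVE names.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Constructed example, not libarchive's code: a length-delimited octal
 * field parser of the kind a xar header reader uses, written twice.
 * atol8_unchecked() has the shape the bug report describes (the first
 * byte is read before char_cnt is consulted); atol8_checked() tests the
 * bound before every read. Fields are NOT NUL-terminated, so the parser
 * has only char_cnt to go on, which is what makes an empty field
 * (char_cnt == 0) dangerous.
 *
 * Every byte access goes through fetch(), which counts reads at an index
 * >= char_cnt. The demo data keeps unrelated bytes after each field so
 * this program stays within defined behaviour; on a heap buffer that ends
 * exactly at the field, the same read is a heap over-read.
 */

static size_t oob_reads;        /* reads at or past the end of the field */

static int
fetch(const char *base, size_t len, size_t idx)
{
	if (idx >= len)
		oob_reads++;            /* would be an over-read on a tight buffer */
	return (unsigned char)base[idx];
}

/* Vulnerable shape: dereferences before checking the remaining length,
 * both for the first byte and after every accepted digit. */
static uint64_t
atol8_unchecked(const char *p, size_t char_cnt)
{
	uint64_t l = 0;
	size_t i = 0;
	int digit = fetch(p, char_cnt, i) - '0';   /* read precedes the check */

	while (digit >= 0 && digit < 8 && i < char_cnt) {
		l = (l << 3) | (uint64_t)digit;
		i++;
		digit = fetch(p, char_cnt, i) - '0';   /* same ordering again */
	}
	return l;
}

/* Hardened shape: the length check precedes every read, so an empty field
 * is never dereferenced and parsing stops at the field boundary. */
static uint64_t
atol8_checked(const char *p, size_t char_cnt)
{
	uint64_t l = 0;
	size_t i;

	for (i = 0; i < char_cnt; i++) {
		int digit = fetch(p, char_cnt, i) - '0';

		if (digit < 0 || digit > 7)
			break;                  /* first non-octal byte ends the number */
		l = (l << 3) | (uint64_t)digit;
	}
	return l;
}

/* Counts how many out-of-bounds reads one parser performs on a field. */
static size_t
over_reads(uint64_t (*parse)(const char *, size_t), const char *p, size_t char_cnt)
{
	oob_reads = 0;
	(void)parse(p, char_cnt);
	return oob_reads;
}

int
main(void)
{
	/* Constructed region: the field is the first char_cnt bytes; the
	 * remaining bytes stand in for whatever follows it on the heap. */
	static const char region[] = "777-junk";
	size_t lens[] = { 0, 3 };
	size_t k;

	for (k = 0; k < sizeof lens / sizeof lens[0]; k++) {
		printf("field length %zu: unchecked -> %llu (%zu over-read), "
		    "checked -> %llu (%zu over-read)\n", lens[k],
		    (unsigned long long)atol8_unchecked(region, lens[k]),
		    over_reads(atol8_unchecked, region, lens[k]),
		    (unsigned long long)atol8_checked(region, lens[k]),
		    over_reads(atol8_checked, region, lens[k]));
	}
	return 0;
}
```

Both parsers return the same values (0 for the empty field, 511 for "777"), which is why the bug only shows up under a fuzzer with a sanitizer or on a tight allocation: the over-read changes nothing about the result, only about which memory is touched. The defensive rule the hardened version follows is the one worth carrying into any length-delimited parser: no dereference without a preceding bound check, including the very first one.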



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Libarchive Maintainers <ah-libarchive@debian.org>:
Bug#874539; Package src:libarchive. (Fri, 08 Sep 2017 09:03:06 GMT).


Acknowledgement sent to Chris Lamb <lamby@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Libarchive Maintainers <ah-libarchive@debian.org>. (Fri, 08 Sep 2017 09:03:06 GMT).


Message #10 received at 874539@bugs.debian.org:

From: Chris Lamb <lamby@debian.org>
To: 874539@bugs.debian.org
Cc: Salvatore Bonaccorso <carnil@debian.org>
Subject: Re: libarchive: CVE-2017-14166: heap-based buffer overflow in xml_data (archive_read_support_format_xar.c)
Date: Fri, 08 Sep 2017 09:59:55 +0100
Hi,

Curiously, I can't reproduce this on sid. autopkgtest attached, but the
result is:

  archive_read_open_filename() failed: Unrecognized archive format
  ASSERT:Status code expected:<226> but was:<0>

i.e. not a crash.

(Maintainers, please consider adding this test to your package!)


Regards,

-- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      lamby@debian.org / chris-lamb.co.uk
       `-
[libarchive.diff.txt (text/plain, attachment)]

Added tag(s) pending. Request was from Salvatore Bonaccorso <carnil@debian.org> to 859456-submit@bugs.debian.org. (Sat, 09 Sep 2017 07:57:06 GMT).


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Libarchive Maintainers <ah-libarchive@debian.org>:
Bug#874539; Package src:libarchive. (Sat, 09 Sep 2017 07:57:13 GMT).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Libarchive Maintainers <ah-libarchive@debian.org>. (Sat, 09 Sep 2017 07:57:13 GMT).


Message #17 received at 874539@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 859456@bugs.debian.org, 861609@bugs.debian.org, 874539@bugs.debian.org
Subject: libarchive: diff for NMU version 3.2.2-2.1
Date: Sat, 9 Sep 2017 09:32:28 +0200
Control: tags 859456 + patch
Control: tags 859456 + pending
Control: tags 861609 + pending
Control: tags 874539 + pending

Dear maintainer,

I've prepared an NMU for libarchive (versioned as 3.2.2-2.1) and
uploaded it to DELAYED/5. Please feel free to tell me if I
should delay it longer.

Regards,
Salvatore
[libarchive-3.2.2-2.1-nmu.diff (text/x-diff, attachment)]

Reply sent to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility. (Thu, 14 Sep 2017 09:21:07 GMT).


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Thu, 14 Sep 2017 09:21:08 GMT).


Message #22 received at 874539-close@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 874539-close@bugs.debian.org
Subject: Bug#874539: fixed in libarchive 3.2.2-2.1
Date: Thu, 14 Sep 2017 09:17:20 +0000
Source: libarchive
Source-Version: 3.2.2-2.1

We believe that the bug you reported is fixed in the latest version of
libarchive, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 874539@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated libarchive package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Sat, 09 Sep 2017 09:09:35 +0200
Source: libarchive
Binary: libarchive-dev libarchive13 libarchive-tools bsdtar bsdcpio
Architecture: source
Version: 3.2.2-2.1
Distribution: unstable
Urgency: medium
Maintainer: Debian Libarchive Maintainers <ah-libarchive@debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 859456 861609 874539
Description: 
 bsdcpio    - transitional dummy package for moving bsdcpio to libarchive-tools
 bsdtar     - transitional dummy package for moving bsdtar to libarchive-tools
 libarchive-dev - Multi-format archive and compression library (development files)
 libarchive-tools - FreeBSD implementations of 'tar' and 'cpio' and other archive too
 libarchive13 - Multi-format archive and compression library (shared library)
Changes:
 libarchive (3.2.2-2.1) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * archive_strncat_l(): allocate and do not convert if length == 0
     (CVE-2016-10209) (Closes: #859456)
   * Reread the CAB header skipping the self-extracting binary code
     (CVE-2016-10349, CVE-2016-10350) (Closes: #861609)
   * Do something sensible for empty strings to make fuzzers happy
     (CVE-2017-14166)
     Fixes heap-based buffer over-read in the atol8 function. (Closes: #874539)
Checksums-Sha1: 
 89f4afa40c5bb51e18412ef04817c2e723e63e2b 2620 libarchive_3.2.2-2.1.dsc
 479bf75dc60cf08dec7ccc72d828b6f6d13732c1 16824 libarchive_3.2.2-2.1.debian.tar.xz
Checksums-Sha256: 
 b8a6cff72d6f64064e5e42889fceffb725e45076194886b041c5ad166fbc6fe9 2620 libarchive_3.2.2-2.1.dsc
 a0d60627d96b07919a7513e3b878c5bdf360c0b425fe35426f39f3f2934960cc 16824 libarchive_3.2.2-2.1.debian.tar.xz
Files: 
 da2db98b3d9493cd75f9512fc8147871 2620 libs optional libarchive_3.2.2-2.1.dsc
 011b8fde2ede67a797a9dade9a1ecb6b 16824 libs optional libarchive_3.2.2-2.1.debian.tar.xz





Reply sent to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility. (Thu, 14 Sep 2017 15:18:17 GMT).


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Thu, 14 Sep 2017 15:18:17 GMT).


Message #27 received at 874539-close@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 874539-close@bugs.debian.org
Subject: Bug#874539: fixed in libarchive 3.2.2-3.1
Date: Thu, 14 Sep 2017 15:15:48 +0000
Source: libarchive
Source-Version: 3.2.2-3.1

We believe that the bug you reported is fixed in the latest version of
libarchive, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 874539@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated libarchive package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 14 Sep 2017 16:02:10 +0200
Source: libarchive
Binary: libarchive-dev libarchive13 libarchive-tools bsdtar bsdcpio
Architecture: source
Version: 3.2.2-3.1
Distribution: unstable
Urgency: high
Maintainer: Peter Pentchev <roam@ringlet.net>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 859456 861609 874539
Description: 
 bsdcpio    - transitional dummy package for moving bsdcpio to libarchive-tools
 bsdtar     - transitional dummy package for moving bsdtar to libarchive-tools
 libarchive-dev - Multi-format archive and compression library (development files)
 libarchive-tools - FreeBSD implementations of 'tar' and 'cpio' and other archive too
 libarchive13 - Multi-format archive and compression library (shared library)
Changes:
 libarchive (3.2.2-3.1) unstable; urgency=high
 .
   * Non-maintainer upload.
   * Reupload 3.2.2-2.1 on top of 3.2.2-3
   * archive_strncat_l(): allocate and do not convert if length == 0
     (CVE-2016-10209) (Closes: #859456)
   * Reread the CAB header skipping the self-extracting binary code
     (CVE-2016-10349, CVE-2016-10350) (Closes: #861609)
   * Do something sensible for empty strings to make fuzzers happy
     (CVE-2017-14166)
     Fixes heap-based buffer over-read in the atol8 function. (Closes: #874539)
Checksums-Sha1: 
 9baa983a4914b8cae22cbf2cba9c03985dcb0c97 2513 libarchive_3.2.2-3.1.dsc
 6d5d43352c9a01c51392116a3c05594cbd887d63 16860 libarchive_3.2.2-3.1.debian.tar.xz
Checksums-Sha256: 
 4905764794d3010a56ad9cd91d24be078a99aac3e3761bd9c4e20396c5e664d3 2513 libarchive_3.2.2-3.1.dsc
 8de2c8b2be12b483af4f2ccde9679c603634f2be5f84706965c61d916031645b 16860 libarchive_3.2.2-3.1.debian.tar.xz
Files: 
 322111513c724ecde6e9c12b807ba39a 2513 libs optional libarchive_3.2.2-3.1.dsc
 8d01ed6151bb8b7274cdd2a0b9ac5e09 16860 libs optional libarchive_3.2.2-3.1.debian.tar.xz

-----BEGIN PGP SIGNATURE-----

iQKmBAEBCgCQFiEERkRAmAjBceBVMd3uBUy48xNDz0QFAlm6jNVfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQSHGNhcm5pbEBk
ZWJpYW4ub3JnAAoJEAVMuPMTQ89EbOMP/RAvIUOQmSLqxmJYRdlCEH6CkXjivdrU
KqWO8Ol0VsXWzVWuMIvz4LGrh4ghIxFadf0GlRc4DaRkdoIP2NlwffoDR6wgWyxQ
2C/DtDJPFTo23y62wm1pCTHGDsWcKhy7SBFrc+GRRQntXzuASJQvTuioYrgnVkS2
KkDKuiY1diRzXdGznlM4PsnQb5ToMNv+KzGYrC2Yv5Igaz5FG8XKDTeFofmTgUEx
WIhJMZz0ynsfbL3K/8Nfh+XD0PWJIsQ3GptOXVUXJCudOl8UW+PU1mfHCisNPfrc
eNQF/GeVSRg57MxbKMeCYTmay/Idkc6PfOp3IselFNhs8DJjoUGJf+vbbGIVErti
fGoDpRo1khJqbEBSfyU+vsc9YUcLIX8i3e5opgW8/6X4BI8SXr5Ar8pNlYhXNuLH
Rqb27H0ZwOBo7Nl1LfCmFBlDgA4Yjg3EKsBHbS+8Yh8FmQY6ZSKkYpWuiYnx1YlM
T8IaGKUuisE/E0T+OtBGPV0+9N3+kSBC7G47YodPUZE1m4CfabIdbONZq5MgmqTv
4ClTBecKKLCFak+bKf8WRH+4PQ4hpFgS3vQ9Cc3dN+D9/m2Up5MK/nqDfHVgeoV2
q9wXiE8OksghuDPwFmYHaWeTBK5PoTXkt/we99MpwBa9pWPB3AW6SNDWQWoRhkel
Sz45BQyFQ8e+
=3113
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 15 Oct 2017 07:28:06 GMT).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 13:19:47 2019; Machine Name: buxtehude
