libarchive: CVE-2018-1000878

Debian Bug report logs - #916963


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Thu, 20 Dec 2018 20:42:02 UTC

Severity: grave

Tags: security, upstream

Found in versions libarchive/3.2.2-2, libarchive/3.3.3-1

Fixed in versions libarchive/3.3.3-2, libarchive/3.2.2-2+deb9u1

Done: Markus Koschany <apo@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, Peter Pentchev <roam@debian.org>:
Bug#916963; Package src:libarchive. (Thu, 20 Dec 2018 20:42:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Peter Pentchev <roam@debian.org>. (Thu, 20 Dec 2018 20:42:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: libarchive: CVE-2018-1000878
Date: Thu, 20 Dec 2018 21:39:55 +0100
Source: libarchive
Version: 3.3.3-1
Severity: important
Tags: security upstream
Control: found -1 3.2.2-2

Hi,

The following vulnerability was published for libarchive.

CVE-2018-1000878[0]:
| libarchive version commit 416694915449219d505531b1096384f3237dd6cc
| onwards (release v3.1.0 onwards) contains a CWE-416: Use After Free
| vulnerability in RAR decoder -
| libarchive/archive_read_support_format_rar.c that can result in
| Crash/DoS - it is unknown if RCE is possible. This attack appears to be
| exploitable when the victim opens a specially crafted RAR archive.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-1000878
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000878
[1] https://bugs.launchpad.net/ubuntu/+source/libarchive/+bug/1794909
[2] https://github.com/libarchive/libarchive/pull/1105
[3] https://github.com/libarchive/libarchive/pull/1105/commits/bfcfe6f04ed20db2504db8a254d1f40a1d84eb28

Regards,
Salvatore



Marked as found in versions libarchive/3.2.2-2. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Thu, 20 Dec 2018 20:42:04 GMT)


Severity set to 'grave' from 'important'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 21 Dec 2018 05:15:03 GMT)


Reply sent to Peter Pentchev <roam@debian.org>:
You have taken responsibility. (Fri, 21 Dec 2018 16:39:08 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Fri, 21 Dec 2018 16:39:08 GMT)


Message #14 received at 916963-close@bugs.debian.org:

From: Peter Pentchev <roam@debian.org>
To: 916963-close@bugs.debian.org
Subject: Bug#916963: fixed in libarchive 3.3.3-2
Date: Fri, 21 Dec 2018 16:36:23 +0000
Source: libarchive
Source-Version: 3.3.3-2

We believe that the bug you reported is fixed in the latest version of
libarchive, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 916963@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Peter Pentchev <roam@debian.org> (supplier of updated libarchive package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Fri, 21 Dec 2018 18:01:29 +0200
Source: libarchive
Binary: libarchive-dev libarchive13 libarchive-tools bsdtar bsdcpio
Architecture: source
Version: 3.3.3-2
Distribution: unstable
Urgency: medium
Maintainer: Peter Pentchev <roam@debian.org>
Changed-By: Peter Pentchev <roam@debian.org>
Description:
 bsdcpio    - transitional dummy package for moving bsdcpio to libarchive-tools
 bsdtar     - transitional dummy package for moving bsdtar to libarchive-tools
 libarchive-dev - Multi-format archive and compression library (development files)
 libarchive-tools - FreeBSD implementations of 'tar' and 'cpio' and other archive tools
 libarchive13 - Multi-format archive and compression library (shared library)
Closes: 916960 916962 916963 916964
Changes:
 libarchive (3.3.3-2) unstable; urgency=medium
 .
   * Add Daniel Axtens's security and reliability patches:
     - CVE-2018-1000877.patch: Closes: #916964
     - CVE-2018-1000878.patch: Closes: #916963
     - CVE-2018-1000879.patch: Closes: #916962
     - CVE-2018-1000880.patch: Closes: #916960
     - all merged upstream in https://github.com/libarchive/libarchive/pull/1105
     Thanks to Salvatore Bonaccorso for filing the Debian bugs!





Reply sent to Markus Koschany <apo@debian.org>:
You have taken responsibility. (Sun, 30 Dec 2018 22:06:07 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sun, 30 Dec 2018 22:06:07 GMT)


Message #19 received at 916963-close@bugs.debian.org:

From: Markus Koschany <apo@debian.org>
To: 916963-close@bugs.debian.org
Subject: Bug#916963: fixed in libarchive 3.2.2-2+deb9u1
Date: Sun, 30 Dec 2018 22:03:18 +0000
Source: libarchive
Source-Version: 3.2.2-2+deb9u1

We believe that the bug you reported is fixed in the latest version of
libarchive, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 916963@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Markus Koschany <apo@debian.org> (supplier of updated libarchive package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Fri, 21 Dec 2018 21:11:50 +0100
Source: libarchive
Binary: libarchive-dev libarchive13 libarchive-tools bsdtar bsdcpio
Architecture: source all amd64
Version: 3.2.2-2+deb9u1
Distribution: stretch-security
Urgency: high
Maintainer: Debian Libarchive Maintainers <ah-libarchive@debian.org>
Changed-By: Markus Koschany <apo@debian.org>
Description:
 bsdcpio    - transitional dummy package for moving bsdcpio to libarchive-tools
 bsdtar     - transitional dummy package for moving bsdtar to libarchive-tools
 libarchive-dev - Multi-format archive and compression library (development files)
 libarchive-tools - FreeBSD implementations of 'tar' and 'cpio' and other archive tools
 libarchive13 - Multi-format archive and compression library (shared library)
Closes: 859456 861609 874539 875960 875966 875974 916960 916963 916964
Changes:
 libarchive (3.2.2-2+deb9u1) stretch-security; urgency=high
 .
   * Non-maintainer upload.
   * Fix the following security vulnerabilities:
     CVE-2016-10209, CVE-2016-10349, CVE-2016-10350, CVE-2017-14166,
     CVE-2017-14501, CVE-2017-14502, CVE-2017-14503, CVE-2018-1000877,
     CVE-2018-1000878, CVE-2018-1000879 and CVE-2018-1000880.
     Multiple security vulnerabilities were found in libarchive, a multi-format
     archive and compression library. Heap-based buffer over-reads, NULL pointer
     dereferences, use-after-frees and out-of-bounds reads allow remote
     attackers to cause a denial-of-service (application crash) via specially
     crafted archive files.
     (Closes: #859456, #861609, #874539, #875966, #875974, #875960, #916964,
     #916963, #916960)





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 08 Mar 2019 07:31:22 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 15:36:23 2019; Machine Name: buxtehude
