Debian Bug report logs - #432924
[CVE-2007-3641, CVE-2007-3644, CVE-2007-3645] various security bugs

version graph

Package: libarchive1; Maintainer for libarchive1 is Andreas Henriksson <andreas@fatal.se>;

Reported by: Florian Weimer <fw@deneb.enyo.de>

Date: Fri, 13 Jul 2007 05:18:01 UTC

Severity: grave

Tags: security

Found in version libarchive/2.2.3-1

Fixed in version libarchive/2.2.4-1

Done: John Goerzen <jgoerzen@complete.org>

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, John Goerzen <jgoerzen@complete.org>:
Bug#432924; Package libarchive1. Full text and rfc822 format available.

Acknowledgement sent to Florian Weimer <fw@deneb.enyo.de>:
New Bug report received and forwarded. Copy sent to John Goerzen <jgoerzen@complete.org>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Florian Weimer <fw@deneb.enyo.de>
To: submit@bugs.debian.org
Subject: [CVE-2007-3641, CVE-2007-3644, CVE-2007-3645] various security bugs
Date: Fri, 13 Jul 2007 07:11:39 +0200
Package: libarchive1
Version: 2.2.3-1
Tags: security
Severity: grave

FreeBSD has disclosed several security problems in libarchive:

| Several problems have been found in the code used to parse the tar and
| pax interchange formats.  These include entering an infinite loop if an
| archive prematurely ends within a pax extension header or if certain
| types of corruption occur in pax extension headers [CVE-2007-3644];
| dereferencing a NULL pointer if an archive prematurely ends within a
| tar header immediately following a pax extension header or if certain
| other types of corruption occur in pax extension headers [CVE-2007-3645];
| and miscomputing the length of a buffer resulting in a buffer overflow
| if yet another type of corruption occurs in a pax extension header
| [CVE-2007-3641].

Please mention the CVE names when fixing these bugs.



Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#432924; Package libarchive1. Full text and rfc822 format available.

Acknowledgement sent to John Goerzen <jgoerzen@complete.org>:
Extra info received and forwarded to list. Full text and rfc822 format available.

Message #10 received at 432924@bugs.debian.org (full text, mbox):

From: John Goerzen <jgoerzen@complete.org>
To: Florian Weimer <fw@deneb.enyo.de>, 432924@bugs.debian.org
Cc: security@debian.org
Subject: Re: Bug#432924: [CVE-2007-3641, CVE-2007-3644, CVE-2007-3645] various security bugs
Date: Fri, 13 Jul 2007 08:16:07 -0500
I will upload a fix to unstable shortly.  However, it sounds like this could 
also impact the version in stable, so CCing security@debian.org.

On Fri July 13 2007 12:11:39 am Florian Weimer wrote:
> Package: libarchive1
> Version: 2.2.3-1
> Tags: security
> Severity: grave
>
> FreeBSD has disclosed several security problems in libarchive:
> | Several problems have been found in the code used to parse the tar and
> | pax interchange formats.  These include entering an infinite loop if an
> | archive prematurely ends within a pax extension header or if certain
> | types of corruption occur in pax extension headers [CVE-2007-3644];
> | dereferencing a NULL pointer if an archive prematurely ends within a
> | tar header immediately following a pax extension header or if certain
> | other types of corruption occur in pax extension headers
> | [CVE-2007-3645]; and miscomputing the length of a buffer resulting in a
> | buffer overflow if yet another type of corruption occurs in a pax
> | extension header [CVE-2007-3641].
>
> Please mention the CVE names when fixing these bugs.





Information forwarded to debian-bugs-dist@lists.debian.org, John Goerzen <jgoerzen@complete.org>:
Bug#432924; Package libarchive1. Full text and rfc822 format available.

Acknowledgement sent to Steve Kemp <skx@debian.org>:
Extra info received and forwarded to list. Copy sent to John Goerzen <jgoerzen@complete.org>. Full text and rfc822 format available.

Message #15 received at 432924@bugs.debian.org (full text, mbox):

From: Steve Kemp <skx@debian.org>
To: John Goerzen <jgoerzen@complete.org>
Cc: Florian Weimer <fw@deneb.enyo.de>, 432924@bugs.debian.org, security@debian.org
Subject: Re: Bug#432924: [CVE-2007-3641, CVE-2007-3644, CVE-2007-3645] various security bugs
Date: Fri, 13 Jul 2007 14:28:08 +0100
On Fri Jul 13, 2007 at 08:16:07 -0500, John Goerzen wrote:
> I will upload a fix to unstable shortly.  However, it sounds like this could 
> also impact the version in stable, so CCing security@debian.org.

  Yes that looks to be the case.

  If you had a patch that would apply to the version in Stable that
 would be appreciated.  I applied the FreeBSd patch but that failed
 more than it succeeded ..

  I'll have a few hours tomorrow to look at it, so don't worry too
 much if you can't supply it.

Steve
-- 



Reply sent to John Goerzen <jgoerzen@complete.org>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Florian Weimer <fw@deneb.enyo.de>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #20 received at 432924-close@bugs.debian.org (full text, mbox):

From: John Goerzen <jgoerzen@complete.org>
To: 432924-close@bugs.debian.org
Subject: Bug#432924: fixed in libarchive 2.2.4-1
Date: Fri, 13 Jul 2007 13:32:02 +0000
Source: libarchive
Source-Version: 2.2.4-1

We believe that the bug you reported is fixed in the latest version of
libarchive, which is due to be installed in the Debian FTP archive:

bsdtar_2.2.4-1_i386.deb
  to pool/main/liba/libarchive/bsdtar_2.2.4-1_i386.deb
libarchive-dev_2.2.4-1_i386.deb
  to pool/main/liba/libarchive/libarchive-dev_2.2.4-1_i386.deb
libarchive1_2.2.4-1_i386.deb
  to pool/main/liba/libarchive/libarchive1_2.2.4-1_i386.deb
libarchive_2.2.4-1.diff.gz
  to pool/main/liba/libarchive/libarchive_2.2.4-1.diff.gz
libarchive_2.2.4-1.dsc
  to pool/main/liba/libarchive/libarchive_2.2.4-1.dsc
libarchive_2.2.4.orig.tar.gz
  to pool/main/liba/libarchive/libarchive_2.2.4.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 432924@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
John Goerzen <jgoerzen@complete.org> (supplier of updated libarchive package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Fri, 13 Jul 2007 08:14:00 -0500
Source: libarchive
Binary: libarchive-dev libarchive1 bsdtar
Architecture: source i386
Version: 2.2.4-1
Distribution: unstable
Urgency: high
Maintainer: John Goerzen <jgoerzen@complete.org>
Changed-By: John Goerzen <jgoerzen@complete.org>
Description: 
 bsdtar     - tar(1) from FreeBSD, using libarchive
 libarchive-dev - Single library to read/write tar, cpio, pax, zip, iso9660, etc.
 libarchive1 - Single library to read/write tar, cpio, pax, zip, iso9660, etc.
Closes: 432924
Changes: 
 libarchive (2.2.4-1) unstable; urgency=high
 .
   * New upstream version with security fixes.  Closes: #432924.
     Fixes: CVE-2007-3641, CVE-2007-3644, CVE-2007-3645
Files: 
 c127391c6c9379894545ce6648c05e1f 697 libs optional libarchive_2.2.4-1.dsc
 1dd9d267af446921cf93deb27d1fbe9e 636879 libs optional libarchive_2.2.4.orig.tar.gz
 289fdffab7686eb09c4cf85610eb2929 5048 libs optional libarchive_2.2.4-1.diff.gz
 27771af37903d368f850495a5e1d7e5d 129606 libdevel optional libarchive-dev_2.2.4-1_i386.deb
 a34339f519b000d3b8f415e09eae2332 90998 libs optional libarchive1_2.2.4-1_i386.deb
 b4f5672a6ed2e7ef1758689dd974e686 94418 libs optional bsdtar_2.2.4-1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFGl3tt0miF3hOB5ikRAjElAKCYz++33rg8BA6oSlNQF6vDyAJfsACfXvPq
I0hOUlloDUR29Kk0LG0s4bs=
=03bK
-----END PGP SIGNATURE-----




Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#432924; Package libarchive1. Full text and rfc822 format available.

Acknowledgement sent to John Goerzen <jgoerzen@complete.org>:
Extra info received and forwarded to list. Full text and rfc822 format available.

Message #25 received at 432924@bugs.debian.org (full text, mbox):

From: John Goerzen <jgoerzen@complete.org>
To: Steve Kemp <skx@debian.org>, 432924@bugs.debian.org
Cc: Florian Weimer <fw@deneb.enyo.de>, security@debian.org
Subject: Re: Bug#432924: [CVE-2007-3641, CVE-2007-3644, CVE-2007-3645] various security bugs
Date: Fri, 13 Jul 2007 11:40:37 -0500
On Fri July 13 2007 8:28:08 am Steve Kemp wrote:
> On Fri Jul 13, 2007 at 08:16:07 -0500, John Goerzen wrote:
> > I will upload a fix to unstable shortly.  However, it sounds like this
> > could also impact the version in stable, so CCing security@debian.org.
>
>   Yes that looks to be the case.
>
>   If you had a patch that would apply to the version in Stable that
>  would be appreciated.  I applied the FreeBSd patch but that failed
>  more than it succeeded ..
>
>   I'll have a few hours tomorrow to look at it, so don't worry too
>  much if you can't supply it.

I'm afraid I don't have anything other than that same FreeBSD patch, and am 
going to be pretty much tied up until next week.  Thanks for your help, 
Steve.

-- John




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 15 Aug 2007 07:27:21 GMT) Full text and rfc822 format available.

Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Apr 18 21:13:11 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.