Debian Bug report logs -
#875966
libarchive: CVE-2017-14501: out-of-bounds read in archive_read_format_iso9660_read_header()
Reported by: Jakub Wilk <jwilk@jwilk.net>
Date: Sat, 16 Sep 2017 16:09:04 UTC
Severity: normal
Tags: fixed-upstream, patch, security, upstream
Found in versions libarchive/3.2.2-3.1, libarchive/3.2.2-2
Fixed in version libarchive/3.2.2-4.2
Done: Salvatore Bonaccorso <carnil@debian.org>
Bug is archived. No further changes may be made.
Forwarded to https://github.com/libarchive/libarchive/issues/949
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, jwilk@jwilk.net, Peter Pentchev <roam@ringlet.net>:
Bug#875966; Package libarchive13.
(Sat, 16 Sep 2017 16:09:07 GMT) (full text, mbox, link).
Message #3 received at submit@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Package: libarchive13
Version: 3.2.2-3.1
$ gzip -d oob.iso.gz
$ valgrind --quiet -- bsdtar -xOf oob.iso
==2945== Invalid read of size 1
==2945== at 0x4891EAA: parse_file_info (archive_read_support_format_iso9660.c:1767)
==2945== by 0x48934D7: choose_volume (archive_read_support_format_iso9660.c:1115)
==2945== by 0x48934D7: archive_read_format_iso9660_read_header (archive_read_support_format_iso9660.c:1181)
==2945== by 0x4873A54: _archive_read_next_header2 (archive_read.c:649)
==2945== by 0x4873B5B: _archive_read_next_header (archive_read.c:687)
==2945== by 0x10D384: read_archive (read.c:261)
==2945== by 0x10DCAC: tar_mode_x (read.c:112)
==2945== by 0x10C2BB: main (bsdtar.c:809)
==2945== Address 0x6ca56c8 is 0 bytes after a block of size 65,536 alloc'd
==2945== at 0x482E2BC: malloc (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==2945== by 0x487ABEC: file_open (archive_read_open_filename.c:358)
==2945== by 0x4874DE9: archive_read_open1 (archive_read.c:479)
==2945== by 0x487B0F6: archive_read_open_filenames (archive_read_open_filename.c:152)
==2945== by 0x487B18C: archive_read_open_filename (archive_read_open_filename.c:109)
==2945== by 0x10D321: read_archive (read.c:223)
==2945== by 0x10DCAC: tar_mode_x (read.c:112)
==2945== by 0x10C2BB: main (bsdtar.c:809)
...
Found using American Fuzzy Lop:
http://lcamtuf.coredump.cx/afl/
-- System Information:
Architecture: i386
Versions of packages libarchive13 depends on:
ii libacl1 2.2.52-3+b1
ii libbz2-1.0 1.0.6-8.1
ii libc6 2.24-17
ii liblz4-1 0.0~r131-2+b1
ii liblzma5 5.2.2-1.3
ii liblzo2-2 2.08-1.2+b2
ii libnettle6 3.3-2
ii libxml2 2.9.4+dfsg1-4
ii zlib1g 1:1.2.8.dfsg-5
--
Jakub Wilk
[oob.iso.gz (application/gzip, attachment)]
No longer marked as found in versions libarchive/3.2.2-3.1.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Sat, 16 Sep 2017 19:27:03 GMT) (full text, mbox, link).
Marked as found in versions libarchive/3.2.2-3.1.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Sat, 16 Sep 2017 19:27:04 GMT) (full text, mbox, link).
Changed Bug title to 'libarchive: out-of-bounds read in archive_read_format_iso9660_read_header()' from 'libarchive13: out-of-bounds read in archive_read_format_iso9660_read_header()'.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Sat, 16 Sep 2017 19:27:04 GMT) (full text, mbox, link).
Added tag(s) security and upstream.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Sat, 16 Sep 2017 19:27:05 GMT) (full text, mbox, link).
Marked as found in versions libarchive/3.2.2-2.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Sat, 16 Sep 2017 19:27:06 GMT) (full text, mbox, link).
Changed Bug title to 'libarchive: out-of-bounds read in archive_read_format_rar_read_header()' from 'libarchive: out-of-bounds read in archive_read_format_iso9660_read_header()'.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Sat, 16 Sep 2017 19:36:04 GMT) (full text, mbox, link).
Added tag(s) fixed-upstream.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Sat, 16 Sep 2017 19:36:05 GMT) (full text, mbox, link).
Removed tag(s) fixed-upstream.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Sat, 16 Sep 2017 20:00:03 GMT) (full text, mbox, link).
Changed Bug title to 'libarchive: out-of-bounds read in archive_read_format_iso9660_read_header()' from 'libarchive: out-of-bounds read in archive_read_format_rar_read_header()'.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Sat, 16 Sep 2017 20:00:03 GMT) (full text, mbox, link).
Changed Bug title to 'libarchive: CVE-2017-14501: out-of-bounds read in archive_read_format_iso9660_read_header()' from 'libarchive: out-of-bounds read in archive_read_format_iso9660_read_header()'.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Sun, 17 Sep 2017 18:27:03 GMT) (full text, mbox, link).
Added tag(s) fixed-upstream.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Sun, 05 Aug 2018 06:03:02 GMT) (full text, mbox, link).
Information forwarded
to debian-bugs-dist@lists.debian.org, Peter Pentchev <roam@ringlet.net>:
Bug#875966; Package src:libarchive.
(Sun, 05 Aug 2018 06:36:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Peter Pentchev <roam@ringlet.net>.
(Sun, 05 Aug 2018 06:36:03 GMT) (full text, mbox, link).
Message #34 received at 875966@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Control: tags 875966 + patch
Control: tags 875966 + pending
Dear maintainer,
I've prepared an NMU for libarchive (versioned as 3.2.2-4.2) and
uploaded it to DELAYED/10. Please feel free to tell me if I
should delay it longer.
Regards,
Salvatore
[libarchive-3.2.2-4.2-nmu.diff (text/x-diff, attachment)]
Added tag(s) patch.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to 875966-submit@bugs.debian.org.
(Sun, 05 Aug 2018 06:36:03 GMT) (full text, mbox, link).
Added tag(s) pending.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to 875966-submit@bugs.debian.org.
(Sun, 05 Aug 2018 06:36:03 GMT) (full text, mbox, link).
Reply sent
to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility.
(Wed, 15 Aug 2018 07:06:06 GMT) (full text, mbox, link).
Notification sent
to Jakub Wilk <jwilk@jwilk.net>:
Bug acknowledged by developer.
(Wed, 15 Aug 2018 07:06:06 GMT) (full text, mbox, link).
Message #43 received at 875966-close@bugs.debian.org (full text, mbox, reply):
Source: libarchive
Source-Version: 3.2.2-4.2
We believe that the bug you reported is fixed in the latest version of
libarchive, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 875966@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated libarchive package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sun, 05 Aug 2018 08:18:10 +0200
Source: libarchive
Binary: libarchive-dev libarchive13 libarchive-tools bsdtar bsdcpio
Architecture: source
Version: 3.2.2-4.2
Distribution: unstable
Urgency: medium
Maintainer: Peter Pentchev <roam@ringlet.net>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 875966
Description:
bsdcpio - transitional dummy package for moving bsdcpio to libarchive-tools
bsdtar - transitional dummy package for moving bsdtar to libarchive-tools
libarchive-dev - Multi-format archive and compression library (development files)
libarchive-tools - FreeBSD implementations of 'tar' and 'cpio' and other archive too
libarchive13 - Multi-format archive and compression library (shared library)
Changes:
libarchive (3.2.2-4.2) unstable; urgency=medium
.
* Non-maintainer upload.
* iso9660: validate directory record length (CVE-2017-14501)
(Closes: #875966)
Checksums-Sha1:
2aa384dfdb7945ba2404f36e6d5b8435172c2a89 2490 libarchive_3.2.2-4.2.dsc
5446a895c67f6c563b863bf696fb6428ded4fd25 18340 libarchive_3.2.2-4.2.debian.tar.xz
Checksums-Sha256:
8f57f076ab2f0d85e8444cf04981a8c73e3ab3b28babce7cec714b7e730cd55e 2490 libarchive_3.2.2-4.2.dsc
a09db82943ab3b408aad5279c1efa3ec21b884abec73fef86321e07edf9426fb 18340 libarchive_3.2.2-4.2.debian.tar.xz
Files:
966edc84ca86d880f05bf63761afd870 2490 libs optional libarchive_3.2.2-4.2.dsc
183fd957265ecc2051f6f67e72f52ad9 18340 libs optional libarchive_3.2.2-4.2.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
iQKmBAEBCgCQFiEERkRAmAjBceBVMd3uBUy48xNDz0QFAltmmKxfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQSHGNhcm5pbEBk
ZWJpYW4ub3JnAAoJEAVMuPMTQ89EAfgP/08/EXJ8MovBja5fng5lJRzae9BfExTC
iCQ2+1EIVTY7686BZgIQZUtgDykbSZwK+UpdZMNzsEPGB6oZqMxjptP3E1ZtN/kQ
KFSruRjQLCeFlvNYVrnGqJ6lpf+IjWSNyARI5Asr14nIftm8RhBvMQuvBS1WVJbk
Ueo0IdU/Ez10KL3USxYsBifbVKJ3q0+Qs0oJ/mMXaQi3v3izNmw/P95gB9IZo/qs
VxZ5YRtWHc1s3HBlqHx9Dx4Lj9U7ib6o3L3ihP3YSOPhqXQMmcbq0o09TXqv1Z1d
UxZtnNTAJXzJr5foIewHVD1G90Jpz2aPsMQmwki1Pc1+sUYvvpVFt0Z6ldMQPmjY
wkOf6rVB6eQsnOPUxW0wwDbHg3nEBUZfqLUJqHT/fNWd2M/qIUai5guDhzeMnQAG
IkdLsmSS0n/WRu18IfPXA8K6XhXtSD63DQwu7XLQn/4AKpFWMhGKyhReSlVk/U+3
La7EtPjRHDBYdxRhkcEpazbWEOjtkJQY3AR98Wq/2GRqYRPgi9WXP+qseHifQX9q
P5IxTJLmgGsP7oJ/sYeivMPm0GZ8zWLFA6Q+iqsNGrDnNxUeBPHe/QJEdHMWKxy6
OXpNhkg8dmDjZhhpSk/98eBvqu3qfusPtF4BddXaMTOEQsAYWOdNdaKmQm7hjCYh
9x0h++UWj6gN
=ORYy
-----END PGP SIGNATURE-----
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Tue, 25 Sep 2018 07:28:59 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Thu Aug 1 23:26:14 2024;
Machine Name:
buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.