Debian Bug report logs - #875966
libarchive: CVE-2017-14501: out-of-bounds read in archive_read_format_iso9660_read_header()

Package: src:libarchive; Maintainer for src:libarchive is Peter Pentchev <roam@debian.org>;

Reported by: Jakub Wilk <jwilk@jwilk.net>

Date: Sat, 16 Sep 2017 16:09:04 UTC

Severity: normal

Tags: fixed-upstream, patch, security, upstream

Found in versions libarchive/3.2.2-3.1, libarchive/3.2.2-2

Fixed in version libarchive/3.2.2-4.2

Done: Salvatore Bonaccorso <carnil@debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://github.com/libarchive/libarchive/issues/949


Report forwarded to debian-bugs-dist@lists.debian.org, jwilk@jwilk.net, Peter Pentchev <roam@ringlet.net>:
Bug#875966; Package libarchive13. (Sat, 16 Sep 2017 16:09:07 GMT).


Message #3 received at submit@bugs.debian.org:

From: Jakub Wilk <jwilk@jwilk.net>
To: submit@bugs.debian.org
Subject: libarchive13: out-of-bounds read in archive_read_format_iso9660_read_header()
Date: Sat, 16 Sep 2017 18:06:00 +0200
Package: libarchive13
Version: 3.2.2-3.1

$ gzip -d oob.iso.gz
$ valgrind --quiet -- bsdtar -xOf oob.iso
==2945== Invalid read of size 1
==2945==    at 0x4891EAA: parse_file_info (archive_read_support_format_iso9660.c:1767)
==2945==    by 0x48934D7: choose_volume (archive_read_support_format_iso9660.c:1115)
==2945==    by 0x48934D7: archive_read_format_iso9660_read_header (archive_read_support_format_iso9660.c:1181)
==2945==    by 0x4873A54: _archive_read_next_header2 (archive_read.c:649)
==2945==    by 0x4873B5B: _archive_read_next_header (archive_read.c:687)
==2945==    by 0x10D384: read_archive (read.c:261)
==2945==    by 0x10DCAC: tar_mode_x (read.c:112)
==2945==    by 0x10C2BB: main (bsdtar.c:809)
==2945==  Address 0x6ca56c8 is 0 bytes after a block of size 65,536 alloc'd
==2945==    at 0x482E2BC: malloc (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==2945==    by 0x487ABEC: file_open (archive_read_open_filename.c:358)
==2945==    by 0x4874DE9: archive_read_open1 (archive_read.c:479)
==2945==    by 0x487B0F6: archive_read_open_filenames (archive_read_open_filename.c:152)
==2945==    by 0x487B18C: archive_read_open_filename (archive_read_open_filename.c:109)
==2945==    by 0x10D321: read_archive (read.c:223)
==2945==    by 0x10DCAC: tar_mode_x (read.c:112)
==2945==    by 0x10C2BB: main (bsdtar.c:809)
...


Found using American Fuzzy Lop:
http://lcamtuf.coredump.cx/afl/


-- System Information:
Architecture: i386

Versions of packages libarchive13 depends on:
ii  libacl1     2.2.52-3+b1
ii  libbz2-1.0  1.0.6-8.1
ii  libc6       2.24-17
ii  liblz4-1    0.0~r131-2+b1
ii  liblzma5    5.2.2-1.3
ii  liblzo2-2   2.08-1.2+b2
ii  libnettle6  3.3-2
ii  libxml2     2.9.4+dfsg1-4
ii  zlib1g      1:1.2.8.dfsg-5

-- 
Jakub Wilk
[oob.iso.gz (application/gzip, attachment)]
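
An added example, not part of the report above and not libarchive's code or its patch: the valgrind trace shows parse_file_info() reading one byte past the 65,536-byte read buffer, and the later changelog entry describes the fix as validating the directory record length. The sketch below shows that class of check for an ISO 9660 directory record, whose byte 0 declares the record length and whose byte 32 declares the name length (offsets per ECMA-119). The names parse_dir_record, struct dir_record and demo_record_at_buffer_end are hypothetical, and the sample buffer is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* ECMA-119 directory record offsets. */
enum { DR_LENGTH = 0, DR_NAME_LEN = 32, DR_NAME = 33 };

/* Hypothetical result type for this example. */
struct dir_record {
    const uint8_t *name;
    size_t name_len;
};

/*
 * Parse the directory record at buf[off], where buf holds `avail`
 * readable bytes. Returns 0 on success, -1 when the record's
 * self-declared lengths would take the parser outside the buffer.
 */
int parse_dir_record(const uint8_t *buf, size_t avail, size_t off,
                     struct dir_record *out)
{
    if (off >= avail)
        return -1;
    size_t remaining = avail - off;
    const uint8_t *rec = buf + off;

    /* The record must cover the 33-byte fixed part plus at least one
     * name byte, and must fit in the bytes that were actually read. */
    size_t dr_len = rec[DR_LENGTH];
    if (dr_len < DR_NAME + 1 || dr_len > remaining)
        return -1;

    /* The name must lie entirely inside the record. */
    size_t name_len = rec[DR_NAME_LEN];
    if (name_len == 0 || name_len > dr_len - DR_NAME)
        return -1;

    out->name = rec + DR_NAME;
    out->name_len = name_len;
    return 0;
}

/* Constructed sample: a record starting 34 bytes before the end of a
 * 64-byte buffer that claims a 40-byte length and a 200-byte name. */
int demo_record_at_buffer_end(void)
{
    uint8_t buf[64];
    struct dir_record r;
    memset(buf, 0, sizeof buf);
    buf[30 + DR_LENGTH] = 40;
    buf[30 + DR_NAME_LEN] = 200;
    return parse_dir_record(buf, sizeof buf, 30, &r);
}
```

Without the two length checks, the name bytes of the constructed record would be read from beyond the end of the buffer, which is the pattern memcheck reports as "0 bytes after a block".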

Bug reassigned from package 'libarchive13' to 'src:libarchive'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 16 Sep 2017 19:27:03 GMT).


No longer marked as found in versions libarchive/3.2.2-3.1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 16 Sep 2017 19:27:03 GMT).


Marked as found in versions libarchive/3.2.2-3.1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 16 Sep 2017 19:27:04 GMT).


Changed Bug title to 'libarchive: out-of-bounds read in archive_read_format_iso9660_read_header()' from 'libarchive13: out-of-bounds read in archive_read_format_iso9660_read_header()'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 16 Sep 2017 19:27:04 GMT).


Added tag(s) security and upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 16 Sep 2017 19:27:05 GMT).


Set Bug forwarded-to-address to 'https://github.com/libarchive/libarchive/issues/949'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 16 Sep 2017 19:27:05 GMT).


Marked as found in versions libarchive/3.2.2-2. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 16 Sep 2017 19:27:06 GMT).


Changed Bug title to 'libarchive: out-of-bounds read in archive_read_format_rar_read_header()' from 'libarchive: out-of-bounds read in archive_read_format_iso9660_read_header()'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 16 Sep 2017 19:36:04 GMT).


Added tag(s) fixed-upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 16 Sep 2017 19:36:05 GMT).


Removed tag(s) fixed-upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 16 Sep 2017 20:00:03 GMT).


Changed Bug title to 'libarchive: out-of-bounds read in archive_read_format_iso9660_read_header()' from 'libarchive: out-of-bounds read in archive_read_format_rar_read_header()'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 16 Sep 2017 20:00:03 GMT).


Changed Bug title to 'libarchive: CVE-2017-14501: out-of-bounds read in archive_read_format_iso9660_read_header()' from 'libarchive: out-of-bounds read in archive_read_format_iso9660_read_header()'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 17 Sep 2017 18:27:03 GMT).


Added tag(s) fixed-upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 05 Aug 2018 06:03:02 GMT).


Information forwarded to debian-bugs-dist@lists.debian.org, Peter Pentchev <roam@ringlet.net>:
Bug#875966; Package src:libarchive. (Sun, 05 Aug 2018 06:36:03 GMT).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Peter Pentchev <roam@ringlet.net>. (Sun, 05 Aug 2018 06:36:03 GMT).


Message #34 received at 875966@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 875966@bugs.debian.org
Subject: libarchive: diff for NMU version 3.2.2-4.2
Date: Sun, 5 Aug 2018 08:32:28 +0200
Control: tags 875966 + patch
Control: tags 875966 + pending


Dear maintainer,

I've prepared an NMU for libarchive (versioned as 3.2.2-4.2) and
uploaded it to DELAYED/10. Please feel free to tell me if I
should delay it longer.

Regards,
Salvatore
[libarchive-3.2.2-4.2-nmu.diff (text/x-diff, attachment)]

Added tag(s) patch. Request was from Salvatore Bonaccorso <carnil@debian.org> to 875966-submit@bugs.debian.org. (Sun, 05 Aug 2018 06:36:03 GMT).


Added tag(s) pending. Request was from Salvatore Bonaccorso <carnil@debian.org> to 875966-submit@bugs.debian.org. (Sun, 05 Aug 2018 06:36:03 GMT).


Reply sent to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility. (Wed, 15 Aug 2018 07:06:06 GMT).


Notification sent to Jakub Wilk <jwilk@jwilk.net>:
Bug acknowledged by developer. (Wed, 15 Aug 2018 07:06:06 GMT).


Message #43 received at 875966-close@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 875966-close@bugs.debian.org
Subject: Bug#875966: fixed in libarchive 3.2.2-4.2
Date: Wed, 15 Aug 2018 07:04:21 +0000
Source: libarchive
Source-Version: 3.2.2-4.2

We believe that the bug you reported is fixed in the latest version of
libarchive, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 875966@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated libarchive package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Sun, 05 Aug 2018 08:18:10 +0200
Source: libarchive
Binary: libarchive-dev libarchive13 libarchive-tools bsdtar bsdcpio
Architecture: source
Version: 3.2.2-4.2
Distribution: unstable
Urgency: medium
Maintainer: Peter Pentchev <roam@ringlet.net>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 875966
Description: 
 bsdcpio    - transitional dummy package for moving bsdcpio to libarchive-tools
 bsdtar     - transitional dummy package for moving bsdtar to libarchive-tools
 libarchive-dev - Multi-format archive and compression library (development files)
 libarchive-tools - FreeBSD implementations of 'tar' and 'cpio' and other archive too
 libarchive13 - Multi-format archive and compression library (shared library)
Changes:
 libarchive (3.2.2-4.2) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * iso9660: validate directory record length (CVE-2017-14501)
     (Closes: #875966)




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 25 Sep 2018 07:28:59 GMT).



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Apr 20 02:52:57 2025; Machine Name: bembo
