Univention Bugzilla – Bug 38171
libarchive: Multiple issues (4.1)
Last modified: 2017-10-26 13:53:56 CEST
Absolute path traversal vulnerability in bsdcpio in libarchive 3.1.2 and earlier allows remote attackers to write to arbitrary files via a full pathname in an archive (CVE-2015-2304)
Fixed in upstream Debian package version 3.0.4-3+wheezy1
The following additional issues have been reported as fixed in Ubuntu:
* NULL pointer access in CAB parser (CVE-2015-8917)
* Heap out of bounds read in LHA/LZH parser (CVE-2015-8919)
* Stack out of bounds read in ar parser (CVE-2015-8920)
* Global out of bounds read in mtree parser (CVE-2015-8921)
* NULL pointer access in 7z parser (CVE-2015-8922)
* Unclear crashes in ZIP parser (CVE-2015-8923)
* Heap out of bounds read in TAR parser (CVE-2015-8924)
* Unclear invalid memory read in mtree parser (CVE-2015-8925)
* NULL pointer access in RAR parser (CVE-2015-8926)
* Heap out of bounds read in mtree parser (CVE-2015-8928)
* Endless loop in ISO parser (CVE-2015-8930)
* Undefined behavior (signed integer overflow) in mtree parser (CVE-2015-8931)
* Undefined behavior / invalid shiftleft in TAR parser (CVE-2015-8932)
* undefined behaviour / signed integer overflow in archive_read_format_tar_skip() (CVE-2015-8933)
* out of bounds heap read in RAR parser (CVE-2015-8934)
* 7-Zip read_SubStreamsInfo Integer Overflow (CVE-2016-4300)
* Libarchive Rar RestartModel Heap Overflow (CVE-2016-4302)
* Memory allocate error with symbolic links in cpio archives (CVE-2016-4809)
* undefined behaviour (integer overflow) in iso parser (CVE-2016-5844)

Of all of the above CVE-2016-4300 and CVE-2016-4302 have the highest impact: CVSS v2 Base score 6 AV:N/AC:M/Au:S/C:P/I:P/A:P
Upstream Debian package version 3.0.4-3+wheezy2 fixes:
CVE ID: CVE-2015-8917 CVE-2015-8919 CVE-2015-8920 CVE-2015-8921 CVE-2015-8922 CVE-2015-8923 CVE-2015-8924 CVE-2015-8925 CVE-2015-8926 CVE-2015-8930 CVE-2015-8931 CVE-2015-8932 CVE-2015-8933 CVE-2015-8934 CVE-2016-4300 CVE-2016-4302 CVE-2016-4809 CVE-2016-5844

Highest CVSS scores:
CVE-2016-4300: CVSS v2 base score: 6 (AV:N/AC:M/Au:S/C:P/I:P/A:P)
CVE-2016-4302: CVSS v2 base score: 6 (AV:N/AC:M/Au:S/C:P/I:P/A:P)
libarchive (3.0.4-3+wheezy3) wheezy-security; urgency=high
* Fix CVE-2015-8915, a out of bounds read using malformed cpio archive.
* Fix CVE-2016-7166, a denial of service bug with gzip quine.
Another one reported as fixed in the Debian Jessie package version:
* The sandboxing code in libarchive 3.2.0 and earlier mishandles hardlink archive entries of non-zero data size, which might allow remote attackers to write to arbitrary files via a crafted archive file. (CVE-2016-5418)
Fixed in upstream Debian package version 3.0.4-3+wheezy4.
Additional issues fixed currently in Debian experimental only:
* Stack based buffer overflow in bsdtar_expand_char (CVE-2016-8687)
* Out of bounds heap read when parsing multiple long lines by mtree parser (CVE-2016-8688)
* Heap buffer overflow in read_Header (CVE-2016-8689)
Fixed in upstream Debian package version 3.0.4-3+wheezy5.
Advisory: libarchive.yaml
Tests (amd64): OK
Advisory: Reformatted, OK
<http://errata.software-univention.de/ucs/4.1/312.html>