Bug 38171 - libarchive: Multiple issues (4.1)
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Security updates
UCS 4.1
Other Linux
Importance: P5 normal
Target Milestone: UCS 4.1-3-errata
Assigned To: Arvid Requate
QA Contact: Janek Walkenhorst
Depends on:
Blocks:
Reported: 2015-03-31 15:17 CEST by Arvid Requate
Modified: 2017-10-26 13:53 CEST (History)
CC: 4 users

What kind of report is it?: Security Issue
Flags: requate: Patch_Available+


Description Arvid Requate univentionstaff 2015-03-31 15:17:05 CEST
Absolute path traversal vulnerability in bsdcpio in libarchive 3.1.2 and earlier allows remote attackers to write to arbitrary files via a full pathname in an archive (CVE-2015-2304)
Comment 1 Arvid Requate univentionstaff 2015-05-06 16:43:39 CEST
Fixed in upstream Debian package version 3.0.4-3+wheezy1
Comment 2 Arvid Requate univentionstaff 2016-07-18 15:53:40 CEST
The following additional issues have been reported as fixed in Ubuntu:

* NULL pointer access in CAB parser (CVE-2015-8917)
* Heap out of bounds read in LHA/LZH parser (CVE-2015-8919)
* Stack out of bounds read in ar parser (CVE-2015-8920)
* Global out of bounds read in mtree parser (CVE-2015-8921)
* NULL pointer access in 7z parser (CVE-2015-8922)
* Unclear crashes in ZIP parser (CVE-2015-8923)
* Heap out of bounds read in TAR parser (CVE-2015-8924)
* Unclear invalid memory read in mtree parser (CVE-2015-8925)
* NULL pointer access in RAR parser (CVE-2015-8926)
* Heap out of bounds read in mtree parser (CVE-2015-8928)
* Endless loop in ISO parser (CVE-2015-8930)
* Undefined behavior (signed integer overflow) in mtree parser (CVE-2015-8931)
* Undefined behavior / invalid shiftleft in TAR parser (CVE-2015-8932)
* Undefined behaviour / signed integer overflow in archive_read_format_tar_skip() (CVE-2015-8933)
* Out of bounds heap read in RAR parser (CVE-2015-8934)
* 7-Zip read_SubStreamsInfo Integer Overflow (CVE-2016-4300)
* Libarchive Rar RestartModel Heap Overflow (CVE-2016-4302)
* Memory allocate error with symbolic links in cpio archives (CVE-2016-4809)
* Undefined behaviour (integer overflow) in ISO parser (CVE-2016-5844)


Of all of the above, CVE-2016-4300 and CVE-2016-4302 have the highest impact:
  CVSS v2 Base score 6  AV:N/AC:M/Au:S/C:P/I:P/A:P
Comment 3 Arvid Requate univentionstaff 2016-07-25 16:29:47 CEST
Upstream Debian package version 3.0.4-3+wheezy2 fixes:

CVE ID         : CVE-2015-8917 CVE-2015-8919 CVE-2015-8920
                 CVE-2015-8921 CVE-2015-8922 CVE-2015-8923
                 CVE-2015-8924 CVE-2015-8925 CVE-2015-8926
                 CVE-2015-8930 CVE-2015-8931 CVE-2015-8932
                 CVE-2015-8933 CVE-2015-8934 CVE-2016-4300
                 CVE-2016-4302 CVE-2016-4809 CVE-2016-5844
Comment 4 Arvid Requate univentionstaff 2016-08-09 23:52:44 CEST
Highest CVSS scores:

CVE-2016-4300: CVSS v2 base score: 6 (AV:N/AC:M/Au:S/C:P/I:P/A:P)
CVE-2016-4302: CVSS v2 base score: 6 (AV:N/AC:M/Au:S/C:P/I:P/A:P)
Comment 5 Janek Walkenhorst univentionstaff 2016-09-21 18:06:08 CEST
libarchive (3.0.4-3+wheezy3) wheezy-security; urgency=high
   * Fix CVE-2015-8915, an out-of-bounds read using a malformed cpio archive.
   * Fix CVE-2016-7166, a denial of service bug with gzip quine.
Comment 6 Arvid Requate univentionstaff 2016-10-13 14:32:48 CEST
Another one reported as fixed in the Debian Jessie package version:

* The sandboxing code in libarchive 3.2.0 and earlier mishandles hardlink archive entries of non-zero data size, which might allow remote attackers to write to arbitrary files via a crafted archive file. (CVE-2016-5418)
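The two write-to-arbitrary-file issues on this bug, CVE-2015-2304 in the description (bsdcpio honouring an absolute pathname stored in the archive) and CVE-2016-5418 above (hardlink entries with a data body slipping past the sandbox), are both failures to vet an entry's header before touching the filesystem. The following is an added example, not code from libarchive, bsdcpio or this bug, of the per-entry checks an extractor has to make: refuse absolute and dot-dot names, only let a hardlink alias a file the archive itself created, and never write a refused entry's body anywhere. The Entry model, the function names and the sample archive are constructed for the illustration.

```python
"""Sandbox checks an archive extractor must apply to entry headers before it
writes anything below the extraction root.  Added illustration, not code from
libarchive or bsdcpio; the Entry model and the sample archive are constructed."""
from __future__ import annotations

import posixpath
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

REG, DIR, HARDLINK, SYMLINK = "file", "dir", "hardlink", "symlink"


@dataclass(frozen=True)
class Entry:
    """Header fields shared by cpio and tar members (constructed model)."""
    name: str
    type: str = REG
    size: int = 0          # bytes of data that follow the header
    linkname: str = ""     # target of a hard or symbolic link


def relative_path(name: str) -> Optional[str]:
    """Normalise an entry name; None if it is absolute or climbs out of the
    extraction root through '..'.  This is the check bsdcpio lacked for
    CVE-2015-2304: a name such as '/etc/cron.d/x' was written verbatim."""
    if not name or name.startswith("/"):
        return None
    norm = posixpath.normpath(name)          # folds '.', '//', 'a/../'
    if norm == ".." or norm.startswith("../"):
        return None
    return norm


def ancestors(path: str):
    """Yield every proper prefix directory of a normalised relative path."""
    parts = path.split("/")
    for i in range(1, len(parts)):
        yield "/".join(parts[:i])


def vet_entry(entry: Entry, seen: Set[str], symlinks: Dict[str, str]) -> Tuple[bool, str]:
    """Decide whether one entry may be extracted, given what this archive has
    already created.  'seen' is every path written so far, 'symlinks' the
    subset that are symbolic links (path -> target)."""
    path = relative_path(entry.name)
    if path is None:
        return False, f"unsafe pathname {entry.name!r}"

    # Writing 'dir/file' after this archive made 'dir' a symlink would follow
    # the link out of the root.  Pre-existing symlinks on disk are not in this
    # table; a real extractor must also resolve the parent with realpath().
    for prefix in ancestors(path):
        if prefix in symlinks:
            return False, f"{entry.name!r} passes through symlink {prefix!r}"

    if entry.type == HARDLINK:
        target = relative_path(entry.linkname)
        # Only alias files this archive itself created: a target outside the
        # root, or a file that merely exists on disk, is refused.
        if target is None or target not in seen:
            return False, f"hardlink target {entry.linkname!r} not in archive"
        # A hardlink entry that carries a body (CVE-2016-5418 shape) is a
        # write into the target inode.  It is acceptable only because the
        # target passed these same checks; had the link been refused above,
        # its body must be skipped, never written anywhere.
    elif entry.type == SYMLINK:
        symlinks[path] = entry.linkname   # absolute targets are allowed here

    seen.add(path)
    return True, "ok"


def vet_archive(entries: List[Entry]) -> List[Tuple[str, bool, str]]:
    """Run vet_entry over an archive in order, returning (name, allowed, why)."""
    seen: Set[str] = set()
    symlinks: Dict[str, str] = {}
    return [(e.name, *vet_entry(e, seen, symlinks)) for e in entries]


# Constructed sample: the entries a reader would hand back for a hostile cpio
# or tar archive, interleaved with benign ones.
SAMPLE_ENTRIES = [
    Entry("etc/motd", REG, 7),
    Entry("/etc/cron.d/backdoor", REG, 24),               # absolute path
    Entry("../../etc/shadow", REG, 6),                     # dot-dot escape
    Entry("usr/./lib/../bin/tool", REG, 100),              # normalises to usr/bin/tool
    Entry("motd.alias", HARDLINK, 0, linkname="etc/motd"), # aliases our own file
    Entry("evil", HARDLINK, 30, linkname="/etc/passwd"),   # hardlink with body, target outside
    Entry("cfg", SYMLINK, 0, linkname="/etc"),             # symlink itself is fine
    Entry("cfg/passwd", REG, 5),                           # but writing through it is not
]

if __name__ == "__main__":
    for name, allowed, why in vet_archive(SAMPLE_ENTRIES):
        print(f"{'extract' if allowed else 'REFUSE '} {name:24} {why}")
```

Running the block prints one verdict per sample entry; the three hostile shapes (absolute name, dot-dot name, hardlink to a path outside the archive) and the write through an archive-created symlink are refused, the rest pass. The lexical rules are necessary but not sufficient on their own: a symlink that already existed in the destination tree before extraction is invisible to this table, so the extractor still has to resolve each parent directory on disk before it opens a file.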
Comment 7 Arvid Requate univentionstaff 2016-10-17 20:34:01 CEST
Fixed in upstream Debian package version 3.0.4-3+wheezy4.
Comment 8 Arvid Requate univentionstaff 2016-10-17 20:36:00 CEST
Additional issues fixed currently in Debian experimental only:

* Stack based buffer overflow in bsdtar_expand_char (CVE-2016-8687)
* Out of bounds heap read when parsing multiple long lines by mtree parser (CVE-2016-8688)
* Heap buffer overflow in read_Header (CVE-2016-8689)
Comment 9 Arvid Requate univentionstaff 2016-10-18 12:17:00 CEST
Fixed in upstream Debian package version 3.0.4-3+wheezy5.

Advisory: libarchive.yaml
Comment 10 Janek Walkenhorst univentionstaff 2016-10-19 16:15:03 CEST
Tests (amd64): OK
Advisory: Reformatted, OK
Comment 11 Janek Walkenhorst univentionstaff 2016-10-20 12:40:00 CEST
<http://errata.software-univention.de/ucs/4.1/312.html>