Control: tags 823893 + pending
Control: tags 823984 + pending
On Tue, 10 May 2016 at 09:18:26 +0200, Andreas Henriksson wrote:
> I'm torn on uploading 3.2.0 to unstable now because of regressing on
> kfreebsd where we now have test failures because of FTBFS. Feel free to
> NMU to unstable as well if you think it's urgent to get it fixed and
> don't want to wait for giving kfreebsd porters time to look at the
> regression.
I think it would have been better to upload *something* with the security
fix immediately, if not 3.2.0 then a patched 3.1.2; either way, if it
had been high or medium urgency and had no new RC bugs, then testing
would not be vulnerable by now.
libarchive/stable is uninstallable in unstable due to the libnettle
transition, so to keep this moving, I've prepared an NMU which I have
uploaded to DELAYED/5. Diff attached, or available here:
ssh://alioth.debian.org/srv/home/users/smcv/public_git/libarchive.git
If you would like it accelerated or cancelled, please let me know; or
if you decide to go ahead with 3.2.0 or a 3.1.2-12 maintainer upload
in unstable so that my NMU is superseded and rejected, that's also fine
of course.
I'll open a separate bug for the test failure. Since you are the
libarchive maintainer, you get to decide whether you consider failures on
the non-release kFreeBSD architectures to be RC. Because the kFreeBSD
architectures aren't release architectures, I believe out-of-date
binaries on those architectures don't slow down testing migration,
so fixing the security vulnerability on Linux doesn't need to block on
fixing the tests on kFreeBSD.
S
>From 8be0f04dc6f9e8955e99346f234d1188b43ecf9b Mon Sep 17 00:00:00 2001
From: Simon McVittie <s...@debian.org>
Date: Mon, 16 May 2016 09:46:56 +0100
Subject: [PATCH] Make libarchive/unstable catch up with libarchive/stable
(Closes: #823984)
* CVE-2016-1541: heap-based buffer overflow due to improper input
validation (Closes: #823893)
---
debian/changelog | 12 ++++
.../Issue-656-Fix-CVE-2016-1541-VU-862384.patch | 65 ++++++++++++++++++++++
debian/patches/series | 1 +
3 files changed, 78 insertions(+)
create mode 100644 debian/patches/Issue-656-Fix-CVE-2016-1541-VU-862384.patch
diff --git a/debian/changelog b/debian/changelog
index 2f53cae..a982094 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,15 @@
+libarchive (3.1.2-11.1) unstable; urgency=high
+
+ * Non-maintainer upload.
+ - Make libarchive/unstable catch up with libarchive/stable
+ (Closes: #823984)
+
+ [ Salvatore Bonaccorso ]
+ * CVE-2016-1541: heap-based buffer overflow due to improper input
+ validation (Closes: #823893)
+
+ -- Simon McVittie <s...@debian.org> Mon, 16 May 2016 09:46:05 +0100
+
libarchive (3.1.2-11) unstable; urgency=medium
* Add d/p/Add-ARCHIVE_EXTRACT_SECURE_NOABSOLUTEPATHS-option.patch
diff --git a/debian/patches/Issue-656-Fix-CVE-2016-1541-VU-862384.patch b/debian/patches/Issue-656-Fix-CVE-2016-1541-VU-862384.patch
new file mode 100644
index 0000000..22a1bb2
--- /dev/null
+++ b/debian/patches/Issue-656-Fix-CVE-2016-1541-VU-862384.patch
@@ -0,0 +1,65 @@
+From d0331e8e5b05b475f20b1f3101fe1ad772d7e7e7 Mon Sep 17 00:00:00 2001
+From: Tim Kientzle <kient...@acm.org>
+Date: Sun, 24 Apr 2016 17:13:45 -0700
+Subject: [PATCH] Issue #656: Fix CVE-2016-1541, VU#862384
+
+When reading OS X metadata entries in Zip archives that were stored
+without compression, libarchive would use the uncompressed entry size
+to allocate a buffer but would use the compressed entry size to limit
+the amount of data copied into that buffer. Since the compressed
+and uncompressed sizes are provided by data in the archive itself,
+an attacker could manipulate these values to write data beyond
+the end of the allocated buffer.
+
+This fix provides three new checks to guard against such
+manipulation and to make libarchive generally more robust when
+handling this type of entry:
+ 1. If an OS X metadata entry is stored without compression,
+ abort the entire archive if the compressed and uncompressed
+ data sizes do not match.
+ 2. When sanity-checking the size of an OS X metadata entry,
+ abort this entry if either the compressed or uncompressed
+ size is larger than 4MB.
+ 3. When copying data into the allocated buffer, check the copy
+ size against both the compressed entry size and uncompressed
+ entry size.
+---
+ libarchive/archive_read_support_format_zip.c | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+--- a/libarchive/archive_read_support_format_zip.c
++++ b/libarchive/archive_read_support_format_zip.c
+@@ -560,6 +560,11 @@ zip_read_mac_metadata(struct archive_rea
+
+ switch(rsrc->compression) {
+ case 0: /* No compression. */
++ if (rsrc->uncompressed_size != rsrc->compressed_size) {
++ archive_set_error(&a->archive, ARCHIVE_ERRNO_FILE_FORMAT,
++ "Malformed OS X metadata entry: inconsistent size");
++ return (ARCHIVE_FATAL);
++ }
+ #ifdef HAVE_ZLIB_H
+ case 8: /* Deflate compression. */
+ #endif
+@@ -580,6 +585,12 @@ zip_read_mac_metadata(struct archive_rea
+ (intmax_t)rsrc->uncompressed_size);
+ return (ARCHIVE_WARN);
+ }
++ if (rsrc->compressed_size > (4 * 1024 * 1024)) {
++ archive_set_error(&a->archive, ARCHIVE_ERRNO_FILE_FORMAT,
++ "Mac metadata is too large: %jd > 4M bytes",
++ (intmax_t)rsrc->compressed_size);
++ return (ARCHIVE_WARN);
++ }
+
+ metadata = malloc((size_t)rsrc->uncompressed_size);
+ if (metadata == NULL) {
+@@ -619,6 +630,8 @@ zip_read_mac_metadata(struct archive_rea
+ bytes_avail = remaining_bytes;
+ switch(rsrc->compression) {
+ case 0: /* No compression. */
++ if ((size_t)bytes_avail > metadata_bytes)
++ bytes_avail = metadata_bytes;
+ memcpy(mp, p, bytes_avail);
+ bytes_used = (size_t)bytes_avail;
+ metadata_bytes -= bytes_used;
diff --git a/debian/patches/series b/debian/patches/series
index 8265fe7..eb5ecf5 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -8,3 +8,4 @@ Fix-test_archive_write_add_filter_by_name_lrzip-test.patch
fix-CVE-2013-0211.patch
Do-not-overwrite-file-size-if-the-local-file-header-.patch
Add-ARCHIVE_EXTRACT_SECURE_NOABSOLUTEPATHS-option.patch
+Issue-656-Fix-CVE-2016-1541-VU-862384.patch
--
2.8.1
