Hi,

On Tue, May 10, 2016 at 06:34:05AM +0200, Salvatore Bonaccorso wrote:
> Source: libarchive
> Version: 3.1.2-11
> Severity: grave
> Tags: security upstream fixed-upstream
> Justification: user security hole
> Control: fixed -1 3.2.0-1
> 
> Hi,
> 
> the following vulnerability was published for libarchive.
> 
> CVE-2016-1541[0]:
> | Heap-based buffer overflow in the zip_read_mac_metadata function in
> | archive_read_support_format_zip.c in libarchive before 3.2.0 allows
> | remote attackers to execute arbitrary code via crafted entry-size
> | values in a ZIP archive.
> 
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> 
> For further information see:
> 
> [0] https://security-tracker.debian.org/tracker/CVE-2016-1541
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1541
> [1] https://www.kb.cert.org/vuls/id/862384
> 
> Please adjust the affected versions in the BTS as needed.

Attached is the debdiff I prepared for jessie-security, but the same
patch would apply for unstable as well unless planning to move to
3.2.0-1 anyway.

Regards,
Salvatore
diff -Nru libarchive-3.1.2/debian/changelog libarchive-3.1.2/debian/changelog
--- libarchive-3.1.2/debian/changelog   2015-03-05 14:54:44.000000000 +0100
+++ libarchive-3.1.2/debian/changelog   2016-05-10 07:00:54.000000000 +0200
@@ -1,3 +1,11 @@
+libarchive (3.1.2-11+deb8u1) jessie-security; urgency=high
+
+  * Non-maintainer upload by the Security Team.
+  * CVE-2016-1541: heap-based buffer overflow due to improper input
+    validation (Closes: #823893)
+
+ -- Salvatore Bonaccorso <[email protected]>  Tue, 10 May 2016 07:00:10 +0200
+
 libarchive (3.1.2-11) unstable; urgency=medium
 
   * Add d/p/Add-ARCHIVE_EXTRACT_SECURE_NOABSOLUTEPATHS-option.patch
diff -Nru 
libarchive-3.1.2/debian/patches/Issue-656-Fix-CVE-2016-1541-VU-862384.patch 
libarchive-3.1.2/debian/patches/Issue-656-Fix-CVE-2016-1541-VU-862384.patch
--- libarchive-3.1.2/debian/patches/Issue-656-Fix-CVE-2016-1541-VU-862384.patch 
1970-01-01 01:00:00.000000000 +0100
+++ libarchive-3.1.2/debian/patches/Issue-656-Fix-CVE-2016-1541-VU-862384.patch 
2016-05-10 07:00:54.000000000 +0200
@@ -0,0 +1,65 @@
+From d0331e8e5b05b475f20b1f3101fe1ad772d7e7e7 Mon Sep 17 00:00:00 2001
+From: Tim Kientzle <[email protected]>
+Date: Sun, 24 Apr 2016 17:13:45 -0700
+Subject: [PATCH] Issue #656:  Fix CVE-2016-1541, VU#862384
+
+When reading OS X metadata entries in Zip archives that were stored
+without compression, libarchive would use the uncompressed entry size
+to allocate a buffer but would use the compressed entry size to limit
+the amount of data copied into that buffer.  Since the compressed
+and uncompressed sizes are provided by data in the archive itself,
+an attacker could manipulate these values to write data beyond
+the end of the allocated buffer.
+
+This fix provides three new checks to guard against such
+manipulation and to make libarchive generally more robust when
+handling this type of entry:
+ 1. If an OS X metadata entry is stored without compression,
+    abort the entire archive if the compressed and uncompressed
+    data sizes do not match.
+ 2. When sanity-checking the size of an OS X metadata entry,
+    abort this entry if either the compressed or uncompressed
+    size is larger than 4MB.
+ 3. When copying data into the allocated buffer, check the copy
+    size against both the compressed entry size and uncompressed
+    entry size.
+---
+ libarchive/archive_read_support_format_zip.c | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+--- a/libarchive/archive_read_support_format_zip.c
++++ b/libarchive/archive_read_support_format_zip.c
+@@ -560,6 +560,11 @@ zip_read_mac_metadata(struct archive_rea
+ 
+       switch(rsrc->compression) {
+       case 0:  /* No compression. */
++              if (rsrc->uncompressed_size != rsrc->compressed_size) {
++                      archive_set_error(&a->archive, 
ARCHIVE_ERRNO_FILE_FORMAT,
++                          "Malformed OS X metadata entry: inconsistent size");
++                      return (ARCHIVE_FATAL);
++              }
+ #ifdef HAVE_ZLIB_H
+       case 8: /* Deflate compression. */
+ #endif
+@@ -580,6 +585,12 @@ zip_read_mac_metadata(struct archive_rea
+                   (intmax_t)rsrc->uncompressed_size);
+               return (ARCHIVE_WARN);
+       }
++      if (rsrc->compressed_size > (4 * 1024 * 1024)) {
++              archive_set_error(&a->archive, ARCHIVE_ERRNO_FILE_FORMAT,
++                  "Mac metadata is too large: %jd > 4M bytes",
++                  (intmax_t)rsrc->compressed_size);
++              return (ARCHIVE_WARN);
++      }
+ 
+       metadata = malloc((size_t)rsrc->uncompressed_size);
+       if (metadata == NULL) {
+@@ -619,6 +630,8 @@ zip_read_mac_metadata(struct archive_rea
+                       bytes_avail = remaining_bytes;
+               switch(rsrc->compression) {
+               case 0:  /* No compression. */
++                      if ((size_t)bytes_avail > metadata_bytes)
++                              bytes_avail = metadata_bytes;
+                       memcpy(mp, p, bytes_avail);
+                       bytes_used = (size_t)bytes_avail;
+                       metadata_bytes -= bytes_used;
diff -Nru libarchive-3.1.2/debian/patches/series 
libarchive-3.1.2/debian/patches/series
--- libarchive-3.1.2/debian/patches/series      2015-03-05 14:51:11.000000000 
+0100
+++ libarchive-3.1.2/debian/patches/series      2016-05-10 07:00:54.000000000 
+0200
@@ -8,3 +8,4 @@
 fix-CVE-2013-0211.patch
 Do-not-overwrite-file-size-if-the-local-file-header-.patch
 Add-ARCHIVE_EXTRACT_SECURE_NOABSOLUTEPATHS-option.patch
+Issue-656-Fix-CVE-2016-1541-VU-862384.patch

Reply via email to