Hi, On Tue, May 10, 2016 at 06:34:05AM +0200, Salvatore Bonaccorso wrote: > Source: libarchive > Version: 3.1.2-11 > Severity: grave > Tags: security upstream fixed-upstream > Justification: user security hole > Control: fixed -1 3.2.0-1 > > Hi, > > the following vulnerability was published for libarchive. > > CVE-2016-1541[0]: > | Heap-based buffer overflow in the zip_read_mac_metadata function in > | archive_read_support_format_zip.c in libarchive before 3.2.0 allows > | remote attackers to execute arbitrary code via crafted entry-size > | values in a ZIP archive. > > If you fix the vulnerability please also make sure to include the > CVE (Common Vulnerabilities & Exposures) id in your changelog entry. > > For further information see: > > [0] https://security-tracker.debian.org/tracker/CVE-2016-1541 > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1541 > [1] https://www.kb.cert.org/vuls/id/862384 > > Please adjust the affected versions in the BTS as needed.
Attached is the debdiff I prepared for jessie-security, but the same patch would apply for unstable as well unless planning to move to 3.2.0-1 anyway. Regards, Salvatore
diff -Nru libarchive-3.1.2/debian/changelog libarchive-3.1.2/debian/changelog --- libarchive-3.1.2/debian/changelog 2015-03-05 14:54:44.000000000 +0100 +++ libarchive-3.1.2/debian/changelog 2016-05-10 07:00:54.000000000 +0200 @@ -1,3 +1,11 @@ +libarchive (3.1.2-11+deb8u1) jessie-security; urgency=high + + * Non-maintainer upload by the Security Team. + * CVE-2016-1541: heap-based buffer overflow due to improper input + validation (Closes: #823893) + + -- Salvatore Bonaccorso <[email protected]> Tue, 10 May 2016 07:00:10 +0200 + libarchive (3.1.2-11) unstable; urgency=medium * Add d/p/Add-ARCHIVE_EXTRACT_SECURE_NOABSOLUTEPATHS-option.patch diff -Nru libarchive-3.1.2/debian/patches/Issue-656-Fix-CVE-2016-1541-VU-862384.patch libarchive-3.1.2/debian/patches/Issue-656-Fix-CVE-2016-1541-VU-862384.patch --- libarchive-3.1.2/debian/patches/Issue-656-Fix-CVE-2016-1541-VU-862384.patch 1970-01-01 01:00:00.000000000 +0100 +++ libarchive-3.1.2/debian/patches/Issue-656-Fix-CVE-2016-1541-VU-862384.patch 2016-05-10 07:00:54.000000000 +0200 @@ -0,0 +1,65 @@ +From d0331e8e5b05b475f20b1f3101fe1ad772d7e7e7 Mon Sep 17 00:00:00 2001 +From: Tim Kientzle <[email protected]> +Date: Sun, 24 Apr 2016 17:13:45 -0700 +Subject: [PATCH] Issue #656: Fix CVE-2016-1541, VU#862384 + +When reading OS X metadata entries in Zip archives that were stored +without compression, libarchive would use the uncompressed entry size +to allocate a buffer but would use the compressed entry size to limit +the amount of data copied into that buffer. Since the compressed +and uncompressed sizes are provided by data in the archive itself, +an attacker could manipulate these values to write data beyond +the end of the allocated buffer. + +This fix provides three new checks to guard against such +manipulation and to make libarchive generally more robust when +handling this type of entry: + 1. If an OS X metadata entry is stored without compression, + abort the entire archive if the compressed and uncompressed + data sizes do not match. + 2. When sanity-checking the size of an OS X metadata entry, + abort this entry if either the compressed or uncompressed + size is larger than 4MB. + 3. When copying data into the allocated buffer, check the copy + size against both the compressed entry size and uncompressed + entry size. +--- + libarchive/archive_read_support_format_zip.c | 13 +++++++++++++ + 1 file changed, 13 insertions(+) + +--- a/libarchive/archive_read_support_format_zip.c ++++ b/libarchive/archive_read_support_format_zip.c +@@ -560,6 +560,11 @@ zip_read_mac_metadata(struct archive_rea + + switch(rsrc->compression) { + case 0: /* No compression. */ ++ if (rsrc->uncompressed_size != rsrc->compressed_size) { ++ archive_set_error(&a->archive, ARCHIVE_ERRNO_FILE_FORMAT, ++ "Malformed OS X metadata entry: inconsistent size"); ++ return (ARCHIVE_FATAL); ++ } + #ifdef HAVE_ZLIB_H + case 8: /* Deflate compression. */ + #endif +@@ -580,6 +585,12 @@ zip_read_mac_metadata(struct archive_rea + (intmax_t)rsrc->uncompressed_size); + return (ARCHIVE_WARN); + } ++ if (rsrc->compressed_size > (4 * 1024 * 1024)) { ++ archive_set_error(&a->archive, ARCHIVE_ERRNO_FILE_FORMAT, ++ "Mac metadata is too large: %jd > 4M bytes", ++ (intmax_t)rsrc->compressed_size); ++ return (ARCHIVE_WARN); ++ } + + metadata = malloc((size_t)rsrc->uncompressed_size); + if (metadata == NULL) { +@@ -619,6 +630,8 @@ zip_read_mac_metadata(struct archive_rea + bytes_avail = remaining_bytes; + switch(rsrc->compression) { + case 0: /* No compression. */ ++ if ((size_t)bytes_avail > metadata_bytes) ++ bytes_avail = metadata_bytes; + memcpy(mp, p, bytes_avail); + bytes_used = (size_t)bytes_avail; + metadata_bytes -= bytes_used; diff -Nru libarchive-3.1.2/debian/patches/series libarchive-3.1.2/debian/patches/series --- libarchive-3.1.2/debian/patches/series 2015-03-05 14:51:11.000000000 +0100 +++ libarchive-3.1.2/debian/patches/series 2016-05-10 07:00:54.000000000 +0200 @@ -8,3 +8,4 @@ fix-CVE-2013-0211.patch Do-not-overwrite-file-size-if-the-local-file-header-.patch Add-ARCHIVE_EXTRACT_SECURE_NOABSOLUTEPATHS-option.patch +Issue-656-Fix-CVE-2016-1541-VU-862384.patch

