Hi Security Team, The links to libarchive.patch and libarchive.patch.asc are broken. Looking at https://www.freebsd.org/security/patches/SA-16:31/ suggests that they should be versioned.
Thanks, Alexander On Mon, Oct 10, 2016 at 9:52 AM, FreeBSD Security Advisories < security-advisor...@freebsd.org> wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA512 > > ============================================================ > ================= > FreeBSD-SA-16:31.libarchive Security > Advisory > The FreeBSD > Project > > Topic: Multiple libarchive vulnerabilities > > Category: core > Module: portsnap > Announced: 2016-10-05 > Affects: All supported versions of FreeBSD. > Corrected: 2016-09-25 22:02:27 UTC (stable/11, 11.0-STABLE) > 2016-09-27 19:36:12 UTC (releng/11.0, 11.0-RELEASE-p1) > 2016-09-25 22:04:02 UTC (stable/10, 10.3-STABLE) > 2016-10-10 07:18:54 UTC (releng/10.3, 10.3-RELEASE-p10) > 2016-10-10 07:18:54 UTC (releng/10.2, 10.2-RELEASE-p23) > 2016-10-10 07:18:54 UTC (releng/10.1, 10.1-RELEASE-p40) > > For general information regarding FreeBSD Security Advisories, > including descriptions of the fields above, security branches, and the > following sections, please visit <URL:https://security.FreeBSD.org/>. > > I. Background > > The libarchive(3) library provides a flexible interface for reading and > writing streaming archive files such as tar(1) and cpio(1), and has been > the > basis for the FreeBSD implementation of the tar(1) and cpio(1) utilities > since FreeBSD 5.3. > > II. Problem Description > > Flaws in libarchive's handling of symlinks and hard links allow overwriting > files outside the extraction directory, or permission changes to a > directory > outside the extraction directory. > > III. Impact > > An attacker who can control freebsd-update's or portsnap's input to tar can > change file content or permisssions on files outside of the update tool's > working sandbox. > > IV. Workaround > > No workaround is available. > > V. Solution > > Upgrade your vulnerable system to a supported FreeBSD stable or > release / security branch (releng) dated after the correction date. > > No reboot is needed. > > Perform one of the following: > > 1) To update your vulnerable system via a binary patch: > > Systems running a RELEASE version of FreeBSD on the i386 or amd64 > platforms can be updated via the freebsd-update(8) utility. > > This advisory is released concurrently with FreeBSD-SA-16:29.bspatch > which contains special instructions for using freebsd-update. Following > the instructions in that advisory will safely apply updates for > FreeBSD-SA-16:29.bspatch, FreeBSD-SA-16:30.portsnap, and > FreeBSD-SA-16:31.libarchive. > > 2) To update your vulnerable system via a source code patch: > > The following patches have been verified to apply to the applicable > FreeBSD release branches. > > a) Download the relevant patch from the location below, and verify the > detached PGP signature using your PGP utility. > > # fetch https://security.FreeBSD.org/patches/SA-16:31/libarchive.patch > # fetch https://security.FreeBSD.org/patches/SA-16:31/libarchive.patch.asc > # gpg --verify libarchive.patch.asc > > b) Apply the patch. Execute the following commands as root: > > # cd /usr/src > # patch < /path/to/patch > > c) Recompile the operating system using buildworld and installworld as > described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>. > > VI. Correction details > > The following list contains the correction revision numbers for each > affected branch. > > Branch/path Revision > - ------------------------------------------------------------ > ------------- > stable/10/ r306322 > releng/10.1/ r306941 > releng/10.2/ r306941 > releng/10.3/ r306941 > stable/11/ r306321 > releng/11.0/ r306379 > - ------------------------------------------------------------ > ------------- > > To see which files were modified by a particular revision, run the > following command, replacing NNNNNN with the revision number, on a > machine with Subversion installed: > > # svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base > > Or visit the following URL, replacing NNNNNN with the revision number: > > <URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN> > > VII. References > > <URL:https://gist.github.com/anonymous/e48209b03f1dd9625a992717e7b89c4f> > <URL:https://github.com/libarchive/libarchive/issues/743> > > The latest revision of this advisory is available at > <URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-16:3 > 1.libarchive.asc> > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v2.1.13 (FreeBSD) > > iQIcBAEBCgAGBQJX+0OrAAoJEO1n7NZdz2rnkaAP/i5Njok8Lg3ogwRGVo/HVQfA > AzRz2oQ5oAuwZhmpkQ3CzHArRsaTGuKK5C1SNJpmEDuq5XM2u5Td2ph/R5ry0fwF > 7B58Ci+o7ngRWtJ/N8dYk3cXfg0sjPZKDO1otIyfh8HF3UAq5uB3/w/8UFOpqcxQ > guMKahd/r9PnfrD8GtS+t/2V+KHInNH0J4YD/+hoqcdZPzMKtlE5D5OjqOov9rVn > myQwAuN+w2buPj2gXSuubq5wTNFOvj8u06mVpRj+0X0VoybdN5cohuqSx7s4vlw+ > /qV7gT2993aijXp43dGGSUeuGl1ZbrKp233vntkIYrsjJzaw56YMHL3ushopGGhj > OfC/ilXmsUjrlHgCrWpMiTuN7cdWDXrpMnaf4c99yMxdYUuRtbbnVthdOpZB8iOt > 7xeVnvHiYTYbQu+4xy4SPOWqPLOnrbwVqIocXU1QjWJice5A3EU/mSAd2IpX04a2 > prdlaGxBNZlziLgzsZoiER+5u0S3owbx7y2SVhMEslHyrRQ92X7SZjfu4NrvlX5k > Dw6xjpHD51pshj4GXTPuznbCyd8246u1fRnH3fnlNLhz5/XhrYbG+OVQ9WDbnX2C > 6SzS/oOcjA9qcq1+Ghmz6G7S2MuWZ0XcKfzV0ygX2RZEhU1p0rZfsF/2cGrKIGY1 > JguXI1tZdrjfSZisAI+l > =vqSJ > -----END PGP SIGNATURE----- > _______________________________________________ > freebsd-annou...@freebsd.org mailing list > https://lists.freebsd.org/mailman/listinfo/freebsd-announce > To unsubscribe, send any mail to "freebsd-announce-unsubscr...@freebsd.org > " > _______________________________________________ freebsd-security@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/freebsd-security To unsubscribe, send any mail to "freebsd-security-unsubscr...@freebsd.org"
