Hi,

On Mon, 03 Apr 2017, Salvatore Bonaccorso wrote:
> CVE-2016-10209[0]:
> | The archive_wstring_append_from_mbs function in archive_string.c in
> | libarchive 3.2.2 allows remote attackers to cause a denial of service
> | (NULL pointer dereference and application crash) via a crafted archive
> | file.
> 
> It was reported upstream at [1] and if I'm correct the fix should be
> [2]. Can you confirm that? 
> 
> [1] https://github.com/libarchive/libarchive/issues/842
> [2] https://github.com/libarchive/libarchive/commit/42a3408ac7df1e69bea9ea12b72e14f59f7400c0

I tried to reproduce the issue on all Debian versions and using "bsdtar"
from "libarchive-tools" (in stretch 3.2.1-6 and sid 3.2.2-2) or from
"bsdtar" (in jessie 3.1.2-11+deb8u3 / wheezy 3.0.4-3+wheezy5+deb7u1), I always
get the same error:

$ wget https://frankowicz.me/storage/crashes/la_segv_archive_wstring_append_from_mbs -O CVE-2016-10209-la_segv_archive_wstring_append_from_mbs
$ bsdtar -t -f CVE-2016-10209-la_segv_archive_wstring_append_from_mbs
bsdtar: Archive entry has empty or unreadable filename ... skipping.
bsdtar: (null)
bsdtar: Error exit delayed from previous errors.

Thus I don't have any segfault similar to what is reported in [1].
I'm not sure what conclusion I should draw from this...

My tests have been made on amd64.

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: https://www.freexian.com/services/debian-lts.html
Learn to master Debian: https://debian-handbook.info/get/
