Hi,
On Wed, May 11, 2016 at 09:50:31AM +0200, Andreas Henriksson wrote:
> Hello Vincent Lefevre.
>
> On Wed, May 11, 2016 at 09:34:56AM +0200, Vincent Lefevre wrote:
> > On 2016-05-11 06:41:43 +0200, Salvatore Bonaccorso wrote:
> > > Please see #823893 for why this has not yet seen as well an update in
> > > unstable.
> >
> > OK, but a decision should be made quickly. If 3.2.0 is not ready yet
> > for unstable due to potential regressions, then a patched 3.1.2 should
> > be uploaded to unstable (basically with the same as patch as stable,
> > since the current version is exactly the same as the stable version
> > before the security update). IMHO, this latter solution is probably
> > better for testing; and if users see a regression in 3.2.0, they will
> > be able to downgrade to the patched 3.1.2.
>
> The decision to support multiple architectures and treat them all
> equally (meaning all users will have to suffer if there is problem on
> only one of them) has already been made long ago in the Debian project
> and I don't see it up for discussion, no matter how much I'd also like
> to see it change.
> See the infamous Vancouver meeting for the results of the discussion
> when this came up last time!
>
> The only way to get this more quickly resolved is getting your hands
> dirty by helping out the kfreebsd porters and dig into investigating
> the issue there.
> See https://lists.debian.org/debian-bsd/2016/05/msg00032.html
>
> It might be so that we simply ignore the problem on kfreebsd
> and moves on without them, given that kfreebsd-* hasn't
> qualified for being a release architecture.... but I'd like
> feedback on the above from porters if possible first.
>
> Now get busy solving the problem instead of annoying people
> via the bts!
Attached is the debdiff for completeness, based on 3.1.2 in case we
want to go that route.
Regards,
Salvatore
diff -Nru libarchive-3.1.2/debian/changelog libarchive-3.1.2/debian/changelog
--- libarchive-3.1.2/debian/changelog 2015-03-05 14:54:44.000000000 +0100
+++ libarchive-3.1.2/debian/changelog 2016-05-11 09:45:45.000000000 +0200
@@ -1,3 +1,11 @@
+libarchive (3.1.2-11.1) unstable; urgency=high
+
+ * Non-maintainer upload.
+ * CVE-2016-1541: heap-based buffer overflow due to improper input
+ validation (Closes: #823893)
+
+ -- Salvatore Bonaccorso <car...@debian.org> Wed, 11 May 2016 09:45:09 +0200
+
libarchive (3.1.2-11) unstable; urgency=medium
* Add d/p/Add-ARCHIVE_EXTRACT_SECURE_NOABSOLUTEPATHS-option.patch
diff -Nru
libarchive-3.1.2/debian/patches/Issue-656-Fix-CVE-2016-1541-VU-862384.patch
libarchive-3.1.2/debian/patches/Issue-656-Fix-CVE-2016-1541-VU-862384.patch
--- libarchive-3.1.2/debian/patches/Issue-656-Fix-CVE-2016-1541-VU-862384.patch
1970-01-01 01:00:00.000000000 +0100
+++ libarchive-3.1.2/debian/patches/Issue-656-Fix-CVE-2016-1541-VU-862384.patch
2016-05-11 09:45:45.000000000 +0200
@@ -0,0 +1,65 @@
+From d0331e8e5b05b475f20b1f3101fe1ad772d7e7e7 Mon Sep 17 00:00:00 2001
+From: Tim Kientzle <kient...@acm.org>
+Date: Sun, 24 Apr 2016 17:13:45 -0700
+Subject: [PATCH] Issue #656: Fix CVE-2016-1541, VU#862384
+
+When reading OS X metadata entries in Zip archives that were stored
+without compression, libarchive would use the uncompressed entry size
+to allocate a buffer but would use the compressed entry size to limit
+the amount of data copied into that buffer. Since the compressed
+and uncompressed sizes are provided by data in the archive itself,
+an attacker could manipulate these values to write data beyond
+the end of the allocated buffer.
+
+This fix provides three new checks to guard against such
+manipulation and to make libarchive generally more robust when
+handling this type of entry:
+ 1. If an OS X metadata entry is stored without compression,
+ abort the entire archive if the compressed and uncompressed
+ data sizes do not match.
+ 2. When sanity-checking the size of an OS X metadata entry,
+ abort this entry if either the compressed or uncompressed
+ size is larger than 4MB.
+ 3. When copying data into the allocated buffer, check the copy
+ size against both the compressed entry size and uncompressed
+ entry size.
+---
+ libarchive/archive_read_support_format_zip.c | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+--- a/libarchive/archive_read_support_format_zip.c
++++ b/libarchive/archive_read_support_format_zip.c
+@@ -560,6 +560,11 @@ zip_read_mac_metadata(struct archive_rea
+
+ switch(rsrc->compression) {
+ case 0: /* No compression. */
++ if (rsrc->uncompressed_size != rsrc->compressed_size) {
++ archive_set_error(&a->archive,
ARCHIVE_ERRNO_FILE_FORMAT,
++ "Malformed OS X metadata entry: inconsistent size");
++ return (ARCHIVE_FATAL);
++ }
+ #ifdef HAVE_ZLIB_H
+ case 8: /* Deflate compression. */
+ #endif
+@@ -580,6 +585,12 @@ zip_read_mac_metadata(struct archive_rea
+ (intmax_t)rsrc->uncompressed_size);
+ return (ARCHIVE_WARN);
+ }
++ if (rsrc->compressed_size > (4 * 1024 * 1024)) {
++ archive_set_error(&a->archive, ARCHIVE_ERRNO_FILE_FORMAT,
++ "Mac metadata is too large: %jd > 4M bytes",
++ (intmax_t)rsrc->compressed_size);
++ return (ARCHIVE_WARN);
++ }
+
+ metadata = malloc((size_t)rsrc->uncompressed_size);
+ if (metadata == NULL) {
+@@ -619,6 +630,8 @@ zip_read_mac_metadata(struct archive_rea
+ bytes_avail = remaining_bytes;
+ switch(rsrc->compression) {
+ case 0: /* No compression. */
++ if ((size_t)bytes_avail > metadata_bytes)
++ bytes_avail = metadata_bytes;
+ memcpy(mp, p, bytes_avail);
+ bytes_used = (size_t)bytes_avail;
+ metadata_bytes -= bytes_used;
diff -Nru libarchive-3.1.2/debian/patches/series
libarchive-3.1.2/debian/patches/series
--- libarchive-3.1.2/debian/patches/series 2015-03-05 14:51:11.000000000
+0100
+++ libarchive-3.1.2/debian/patches/series 2016-05-11 09:45:45.000000000
+0200
@@ -8,3 +8,4 @@
fix-CVE-2013-0211.patch
Do-not-overwrite-file-size-if-the-local-file-header-.patch
Add-ARCHIVE_EXTRACT_SECURE_NOABSOLUTEPATHS-option.patch
+Issue-656-Fix-CVE-2016-1541-VU-862384.patch
