Hi, On Wed, May 11, 2016 at 09:50:31AM +0200, Andreas Henriksson wrote: > Hello Vincent Lefevre. > > On Wed, May 11, 2016 at 09:34:56AM +0200, Vincent Lefevre wrote: > > On 2016-05-11 06:41:43 +0200, Salvatore Bonaccorso wrote: > > > Please see #823893 for why this has not yet seen as well an update in > > > unstable. > > > > OK, but a decision should be made quickly. If 3.2.0 is not ready yet > > for unstable due to potential regressions, then a patched 3.1.2 should > > be uploaded to unstable (basically with the same as patch as stable, > > since the current version is exactly the same as the stable version > > before the security update). IMHO, this latter solution is probably > > better for testing; and if users see a regression in 3.2.0, they will > > be able to downgrade to the patched 3.1.2. > > The decision to support multiple architectures and treat them all > equally (meaning all users will have to suffer if there is problem on > only one of them) has already been made long ago in the Debian project > and I don't see it up for discussion, no matter how much I'd also like > to see it change. > See the infamous Vancouver meeting for the results of the discussion > when this came up last time! > > The only way to get this more quickly resolved is getting your hands > dirty by helping out the kfreebsd porters and dig into investigating > the issue there. > See https://lists.debian.org/debian-bsd/2016/05/msg00032.html > > It might be so that we simply ignore the problem on kfreebsd > and moves on without them, given that kfreebsd-* hasn't > qualified for being a release architecture.... but I'd like > feedback on the above from porters if possible first. > > Now get busy solving the problem instead of annoying people > via the bts!
Attached is the debdiff for completeness, based on 3.1.2 in case we want to go that route. Regards, Salvatore
diff -Nru libarchive-3.1.2/debian/changelog libarchive-3.1.2/debian/changelog --- libarchive-3.1.2/debian/changelog 2015-03-05 14:54:44.000000000 +0100 +++ libarchive-3.1.2/debian/changelog 2016-05-11 09:45:45.000000000 +0200 @@ -1,3 +1,11 @@ +libarchive (3.1.2-11.1) unstable; urgency=high + + * Non-maintainer upload. + * CVE-2016-1541: heap-based buffer overflow due to improper input + validation (Closes: #823893) + + -- Salvatore Bonaccorso <car...@debian.org> Wed, 11 May 2016 09:45:09 +0200 + libarchive (3.1.2-11) unstable; urgency=medium * Add d/p/Add-ARCHIVE_EXTRACT_SECURE_NOABSOLUTEPATHS-option.patch diff -Nru libarchive-3.1.2/debian/patches/Issue-656-Fix-CVE-2016-1541-VU-862384.patch libarchive-3.1.2/debian/patches/Issue-656-Fix-CVE-2016-1541-VU-862384.patch --- libarchive-3.1.2/debian/patches/Issue-656-Fix-CVE-2016-1541-VU-862384.patch 1970-01-01 01:00:00.000000000 +0100 +++ libarchive-3.1.2/debian/patches/Issue-656-Fix-CVE-2016-1541-VU-862384.patch 2016-05-11 09:45:45.000000000 +0200 @@ -0,0 +1,65 @@ +From d0331e8e5b05b475f20b1f3101fe1ad772d7e7e7 Mon Sep 17 00:00:00 2001 +From: Tim Kientzle <kient...@acm.org> +Date: Sun, 24 Apr 2016 17:13:45 -0700 +Subject: [PATCH] Issue #656: Fix CVE-2016-1541, VU#862384 + +When reading OS X metadata entries in Zip archives that were stored +without compression, libarchive would use the uncompressed entry size +to allocate a buffer but would use the compressed entry size to limit +the amount of data copied into that buffer. Since the compressed +and uncompressed sizes are provided by data in the archive itself, +an attacker could manipulate these values to write data beyond +the end of the allocated buffer. + +This fix provides three new checks to guard against such +manipulation and to make libarchive generally more robust when +handling this type of entry: + 1. If an OS X metadata entry is stored without compression, + abort the entire archive if the compressed and uncompressed + data sizes do not match. + 2. When sanity-checking the size of an OS X metadata entry, + abort this entry if either the compressed or uncompressed + size is larger than 4MB. + 3. When copying data into the allocated buffer, check the copy + size against both the compressed entry size and uncompressed + entry size. +--- + libarchive/archive_read_support_format_zip.c | 13 +++++++++++++ + 1 file changed, 13 insertions(+) + +--- a/libarchive/archive_read_support_format_zip.c ++++ b/libarchive/archive_read_support_format_zip.c +@@ -560,6 +560,11 @@ zip_read_mac_metadata(struct archive_rea + + switch(rsrc->compression) { + case 0: /* No compression. */ ++ if (rsrc->uncompressed_size != rsrc->compressed_size) { ++ archive_set_error(&a->archive, ARCHIVE_ERRNO_FILE_FORMAT, ++ "Malformed OS X metadata entry: inconsistent size"); ++ return (ARCHIVE_FATAL); ++ } + #ifdef HAVE_ZLIB_H + case 8: /* Deflate compression. */ + #endif +@@ -580,6 +585,12 @@ zip_read_mac_metadata(struct archive_rea + (intmax_t)rsrc->uncompressed_size); + return (ARCHIVE_WARN); + } ++ if (rsrc->compressed_size > (4 * 1024 * 1024)) { ++ archive_set_error(&a->archive, ARCHIVE_ERRNO_FILE_FORMAT, ++ "Mac metadata is too large: %jd > 4M bytes", ++ (intmax_t)rsrc->compressed_size); ++ return (ARCHIVE_WARN); ++ } + + metadata = malloc((size_t)rsrc->uncompressed_size); + if (metadata == NULL) { +@@ -619,6 +630,8 @@ zip_read_mac_metadata(struct archive_rea + bytes_avail = remaining_bytes; + switch(rsrc->compression) { + case 0: /* No compression. */ ++ if ((size_t)bytes_avail > metadata_bytes) ++ bytes_avail = metadata_bytes; + memcpy(mp, p, bytes_avail); + bytes_used = (size_t)bytes_avail; + metadata_bytes -= bytes_used; diff -Nru libarchive-3.1.2/debian/patches/series libarchive-3.1.2/debian/patches/series --- libarchive-3.1.2/debian/patches/series 2015-03-05 14:51:11.000000000 +0100 +++ libarchive-3.1.2/debian/patches/series 2016-05-11 09:45:45.000000000 +0200 @@ -8,3 +8,4 @@ fix-CVE-2013-0211.patch Do-not-overwrite-file-size-if-the-local-file-header-.patch Add-ARCHIVE_EXTRACT_SECURE_NOABSOLUTEPATHS-option.patch +Issue-656-Fix-CVE-2016-1541-VU-862384.patch