unofficial mirror of guix-devel@gnu.org 
From: Leo Famulari <leo@famulari.name>
To: "Ludovic Courtès" <ludo@gnu.org>
Cc: guix-devel@gnu.org
Subject: Re: libarchive security fixes (was Re: Core-updates timeline)
Date: Mon, 3 Oct 2016 14:14:01 -0400
Message-ID: <20161003181401.GA1830@jasmine>
In-Reply-To: <871szx9zx9.fsf@gnu.org>

On Mon, Oct 03, 2016 at 06:10:10PM +0200, Ludovic Courtès wrote:
> Leo Famulari <leo@famulari.name> skribis:
> > I understand if this approach of cherry-picking a handful of commits is
> > not acceptable. It's hard to judge the full impact of taking only these
> > changes, some of which are quite significant, without being familiar with
> > the libarchive code.
> >
> > That's the reason why I've been waiting for a new upstream release. But
> > I figured I should at least try to get these bug fixes into the next
> > release of Guix :)
> 
> Sounds reasonable.  :-)

Okay, as long as the patch itself is reasonable :)

> > Subject: [PATCH] gnu: libarchive: Fix several security issues.
> >
> > * gnu/packages/backup.scm (libarchive)[replacement]: New field.
> > (libarchive/fixed): New variable.
> > * gnu/packages/patches/libarchive-7zip-heap-overflow.patch,
> > gnu/packages/patches/libarchive-fix-symlink-check.patch,
> > gnu/packages/patches/libarchive-fix-filesystem-attacks.patch,
> > gnu/packages/patches/libarchive-safe_fprintf-buffer-overflow.patch: New files.
> > * gnu/local.mk (dist_patch_DATA): Add them.
> 
> Don’t they have a CVE assigned?  If so, please make sure to name them
> accordingly.  Otherwise LGTM.

Not AFAICT, despite the fact that they have all been sent to the oss-sec
mailing list.

Both of the overflow bugs were reported here:
http://seclists.org/oss-sec/2016/q3/516

And the filesystem attacks:
http://seclists.org/oss-sec/2016/q3/255

> I won’t pretend to have a precise understanding of the impact of these
> bugs, but clearly they can be triggered with specially-crafted input,
> which sounds bad.  So better have these fixes.

My understanding is that the filesystem and symlink bugs allow the creator
of the archive being parsed by libarchive to overwrite any file on the
target system due to a set of bugs related to symlink checking, via a
variety of mechanisms (detailed explanations are linked to from the
patch files).

The "safe_fprintf" patch corrects a stack overflow triggered by very
large multibyte characters in filenames to-be-printed. This is under the
control of whoever creates the archive file.

And the 7zip patch corrects a heap overflow when reading crafted 7zip
archives. Again, this is something the attacker can trigger.

I don't know if these two overflows are "exploitable" or not.
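The symlink class of bug described in the message above (an archive author plants a symlink entry, then a later file entry whose path runs through it, so the write lands outside the extraction directory) is easy to reproduce with a toy extractor. The example below is added here for illustration; it is not libarchive's code, not a reproduction of the specific libarchive bugs, and not part of the thread. The archive it builds is constructed in memory, and the helper names (build_malicious_tar, extract_naive, extract_safe, run_extractor) are assumptions of this example. It contrasts an extractor that trusts member names with one that resolves every destination (and every symlink target) against the real extraction root before touching the filesystem.

```python
import io
import os
import tarfile
import tempfile


def build_malicious_tar() -> bytes:
    """Constructed sample archive (not a real-world sample).

    Member 1: symlink 'link' -> '../outside'   (points outside the extraction root)
    Member 2: regular file 'link/victim.txt'    (its path goes through the symlink)
    """
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        sym = tarfile.TarInfo("link")
        sym.type = tarfile.SYMTYPE
        sym.linkname = "../outside"
        tar.addfile(sym)

        payload = b"owned\n"
        victim = tarfile.TarInfo("link/victim.txt")
        victim.size = len(payload)
        tar.addfile(victim, io.BytesIO(payload))
    return buf.getvalue()


def extract_naive(tar_bytes: bytes, dest: str) -> list:
    """Vulnerable extractor: creates symlinks as-is, then writes files through them."""
    log = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes)) as tar:
        for m in tar:
            path = os.path.join(dest, m.name)
            if m.issym():
                os.symlink(m.linkname, path)
                log.append(("symlink", m.name))
            elif m.isfile():
                # makedirs follows the planted symlink; open() then writes outside dest
                os.makedirs(os.path.dirname(path), exist_ok=True)
                with open(path, "wb") as f:
                    f.write(tar.extractfile(m).read())
                log.append(("file", os.path.realpath(path)))
    return log


def _inside(real_dest: str, candidate: str) -> bool:
    """True if candidate, after following any existing symlinks, stays under real_dest."""
    real = os.path.realpath(candidate)
    return os.path.commonpath([real_dest, real]) == real_dest


def extract_safe(tar_bytes: bytes, dest: str) -> list:
    """Hardened extractor: every path and every symlink target must resolve inside dest."""
    real_dest = os.path.realpath(dest)
    log = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes)) as tar:
        for m in tar:
            path = os.path.join(dest, m.name)
            # 1. lexical check: no absolute member names, no '..' components
            if os.path.isabs(m.name) or ".." in m.name.split("/"):
                log.append(("rejected", m.name))
                continue
            # 2. resolved check: catches a path that passes through a symlink
            #    created by an earlier member
            if not _inside(real_dest, path):
                log.append(("rejected", m.name))
                continue
            if m.issym():
                # 3. the link target itself must resolve inside dest
                target = os.path.join(os.path.dirname(path), m.linkname)
                if os.path.isabs(m.linkname) or not _inside(real_dest, target):
                    log.append(("rejected", m.name))
                    continue
                os.symlink(m.linkname, path)
                log.append(("symlink", m.name))
            elif m.isfile():
                os.makedirs(os.path.dirname(path), exist_ok=True)
                with open(path, "wb") as f:
                    f.write(tar.extractfile(m).read())
                log.append(("file", m.name))
            else:
                log.append(("skipped", m.name))
    return log


def run_extractor(extractor) -> tuple:
    """Run one extractor in a fresh temp tree; report whether the payload escaped."""
    with tempfile.TemporaryDirectory() as root:
        outside = os.path.join(root, "outside")   # stands in for the attacker's target dir
        os.mkdir(outside)
        dest = os.path.join(root, "extract")
        os.mkdir(dest)
        log = extractor(build_malicious_tar(), dest)
        escaped = os.path.isfile(os.path.join(outside, "victim.txt"))
        return escaped, log


if __name__ == "__main__":
    print("naive:", run_extractor(extract_naive))
    print("safe: ", run_extractor(extract_safe))
```

The realpath check is still check-then-use: a concurrent writer with access to the extraction tree could plant a symlink between the check and the open(). An extractor that must resist that (as libarchive's secure-symlinks mode aims to) has to open path components without following symlinks, e.g. with O_NOFOLLOW or openat-style traversal; the details of libarchive's own fix are in the oss-sec posts linked above, not in this example.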

Thread overview: 15+ messages
2016-09-20  4:56 [PATCH 0/2] Perl: Enable threading support Ben Woodcroft
2016-09-20  4:56 ` [PATCH 1/2] gnu: perl: Split configure phase Ben Woodcroft
2016-09-24  5:02   ` Ludovic Courtès
2016-09-20  4:56 ` [PATCH 2/2] gnu: perl: Enable threading support Ben Woodcroft
2016-09-24  5:05   ` Ludovic Courtès
2016-09-26 10:03     ` Ben Woodcroft
2016-10-01 13:22       ` Ludovic Courtès
2016-10-01 16:40         ` Core-updates timeline (was: Re: [PATCH 2/2] gnu: perl: Enable threading support.) Leo Famulari
2016-10-02 13:38           ` Core-updates timeline Ludovic Courtès
2016-10-02 18:50             ` Leo Famulari
2016-10-02 20:14               ` libarchive security fixes (was Re: Core-updates timeline) Leo Famulari
2016-10-03 16:10                 ` Ludovic Courtès
2016-10-03 18:14                   ` Leo Famulari [this message]
2016-10-07 20:16             ` Core-updates timeline Ludovic Courtès
2016-09-20 20:58 ` [PATCH 0/2] Perl: Enable threading support Eric Bavier

Code repositories for project(s) associated with this public inbox

	https://git.savannah.gnu.org/cgit/guix.git