From: Leo Famulari
Subject: Re: libarchive security fixes (was Re: Core-updates timeline)
Date: Mon, 3 Oct 2016 14:14:01 -0400
Message-ID: <20161003181401.GA1830@jasmine>
In-Reply-To: <871szx9zx9.fsf@gnu.org>
To: Ludovic Courtès
Cc: guix-devel@gnu.org

On Mon, Oct 03, 2016 at 06:10:10PM +0200, Ludovic Courtès wrote:
> Leo Famulari wrote:
> > I understand if this approach of cherry-picking a handful of commits is
> > not acceptable. It's hard to judge the full impact of taking only these
> > changes, some of which are quite significant, without being familiar with
> > the libarchive code.
> >
> > That's the reason why I've been waiting for a new upstream release. But
> > I figured I should at least try to get these bug fixes into the next
> > release of Guix :)
>
> Sounds reasonable.

:-) Okay, as long as the patch itself is reasonable :)

> > Subject: [PATCH] gnu: libarchive: Fix several security issues.
> >
> > * gnu/packages/backup.scm (libarchive)[replacement]: New field.
> > (libarchive/fixed): New variable.
> > * gnu/packages/patches/libarchive-7zip-heap-overflow.patch,
> > gnu/packages/patches/libarchive-fix-symlink-check.patch,
> > gnu/packages/patches/libarchive-fix-filesystem-attacks.patch,
> > gnu/packages/patches/libarchive-safe_fprintf-buffer-overflow.patch: New files.
> > * gnu/local.mk (dist_patch_DATA): Add them.
>
> Don’t they have a CVE assigned? If so, please make sure to name them
> accordingly. Otherwise LGTM.

Not AFAICT, despite the fact that they have all been sent to the oss-sec
mailing list.

Both of the overflow bugs were reported here:
http://seclists.org/oss-sec/2016/q3/516

And the filesystem attacks:
http://seclists.org/oss-sec/2016/q3/255

> I won’t pretend to have a precise understanding of the impact of these
> bugs, but clearly they can be triggered with specially-crafted input,
> which sounds bad. So better have these fixes.

My understanding is that the filesystem and symlink bugs allow the creator of
the archive being parsed by libarchive to overwrite any file on the target
system due to a set of bugs related to symlink checking, via a variety of
mechanisms (detailed explanations are linked to from the patch files).

The "safe_printf" patch corrects a stack overflow triggered by very large
multibyte characters in filenames to-be-printed. This is under the control of
whoever creates the archive file.

And the 7zip patch corrects a heap overflow when reading crafted 7zip archives.
Again, this is something the attacker can trigger.

I don't know if these two overflows are "exploitable" or not.