https://github.com/libarchive/libarchive/issues/502 fix: https://github.com/libarchive/libarchive/commit/e6c9668f3202215ddb71617b41c19b6f05acf008
Created attachment 157628 [details] libarchive updates to address Sevan's reported issue Tested on: 8.4-RELEASE-p28 amd64 8.4-RELEASE-p28 i386 9.3-RELEASE-p14 amd64 9.3-RELEASE-p14 i386 10.1-RELEASE-p10 amd64 10.1-RELEASE-p10 i386 11.0-CURRENT r284104 amd64 11.0-CURRENT r284104 i386 Buildtime: Fix warning on INSTALL_STRIP usage Runtime: No tests performed. Validate the fix works and introduces no regressions. Other comments: https://github.com/libarchive/libarchive/issues?q=is%3Aissue+is%3Aclosed There are a bunch of issues that look like they could be security related in the Github issue tracker and it's too soon to tell if they are all actually viable at doing something nefarious. It's too soon to tell if a vuxml is warranted and if more patches are actually needed. Unfortunately upstream hasn't released anything since 2013 so further investigation is going to be needed into what the best way ahead is. Until then, post the work in progress so far.
assigning to Jason who is a committer now and can finish this up :-)
Set in progress. This is a bit frustrating that there hasn't been a libarchive release since 2013. The burden of these fixes are all being shifted to the end users. I see that there are some additional patches in Debian: http://anonscm.debian.org/cgit/collab-maint/libarchive.git I see that we also need to apply an earlier patch that Debian added on 2015-03-05: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2304 Sevan, that is not in pkgsrc as far as I can tell. I'm going to need some additional time to make sure everything is covered as well as voice my concern on upstream needing an official release.
CVE-2015-2304 reported as being unfixed outside of a release: https://github.com/libarchive/libarchive/issues/646
A commit references this bug: Author: junovitch Date: Mon Jan 18 23:50:10 UTC 2016 New revision: 406623 URL: https://svnweb.freebsd.org/changeset/ports/406623 Log: Document several vulnerabilities in libarchive PR: 200176 Reported by: Sevan Janiyan <venture37@geeklan.co.uk> Security: CVE-2013-0211 Security: CVE-2015-2304 Security: https://vuxml.FreeBSD.org/freebsd/7c63775e-be31-11e5-b5fe-002590263bf5.html Changes: head/security/vuxml/vuln.xml
A commit references this bug: Author: junovitch Date: Mon Jan 18 23:51:28 UTC 2016 New revision: 406624 URL: https://svnweb.freebsd.org/changeset/ports/406624 Log: archivers/libarchive: apply patches for multiple security vulnerablities - Add patch for denial of service via unspecified vectors [1] - Add patch for directory traveral via absolute paths [2] - Add patch for crash/infinite loop on malformed CPIO archives (base r282932) [3] PR: 200176 [3] Reported by: Sevan Janiyan <venture37@geeklan.co.uk> Approved by: maintainer timeout (glewis, 8 months) Obtained from: https://github.com/libarchive/libarchive Commits 2253154 [1], 5935715 [2], 3865cf2, e6c9668, 24f5de6 [3] Security: CVE-2013-0211 [1] Security: CVE-2015-2304 [2] Security: https://vuxml.FreeBSD.org/freebsd/7c63775e-be31-11e5-b5fe-002590263bf5.html MFH: 2016Q1 Changes: head/archivers/libarchive/Makefile head/archivers/libarchive/files/ head/archivers/libarchive/files/patch-CVE-2013-0211 head/archivers/libarchive/files/patch-CVE-2015-2304 head/archivers/libarchive/files/patch-cpio1-3865cf2 head/archivers/libarchive/files/patch-cpio2-e6c9668 head/archivers/libarchive/files/patch-cpio3-24f5de6
(In reply to Jason Unovitch from comment #3) Indeed, CVE-2015-2304 is not patched in pkgsrc, but it turns out that cpio support is explicitly disabled by default. Still waiting to hear back if the change should be committed or not.
(In reply to Jason Unovitch from comment #3) Thanks for the pointer btw :)
(In reply to Sevan Janiyan from comment #8) No problem. Thanks for your ongoing efforts. I just set merge-quarterly? and I am awaiting feedback for the MFH. With the MFH things should be all done here for the ports archivers/libarchive. Regarding base, I also opened bug 206386 with patches and tagged secteam@ for the equivalent updates in vendor/libarchive and the various FreeBSD branches it impacts.
(In reply to Sevan Janiyan from comment #8) Last pointer, delphij@ committed three fixes from upstream in https://svnweb.FreeBSD.org/base?view=revision&revision=282932. Since 11.0-CURRENT and 10.2-RELEASE have been shipped with all three commits I just pulled all of those to the port. I noticed pkgsrc just had the one patch. I'm unsure if there are still any lingering issues however I would advise a sanity check with the malformed example file in https://github.com/libarchive/libarchive/issues/502.
A commit references this bug: Author: junovitch Date: Tue Jan 19 00:37:25 UTC 2016 New revision: 406626 URL: https://svnweb.freebsd.org/changeset/ports/406626 Log: MFH: r406624 archivers/libarchive: apply patches for multiple security vulnerablities - Add patch for denial of service via unspecified vectors [1] - Add patch for directory traveral via absolute paths [2] - Add patch for crash/infinite loop on malformed CPIO archives (base r282932) [3] PR: 200176 [3] Reported by: Sevan Janiyan <venture37@geeklan.co.uk> Approved by: maintainer timeout (glewis, 8 months) Approved by: ports-secteam (miwi) Obtained from: https://github.com/libarchive/libarchive Commits 2253154 [1], 5935715 [2], 3865cf2, e6c9668, 24f5de6 [3] Security: CVE-2013-0211 [1] Security: CVE-2015-2304 [2] Security: https://vuxml.FreeBSD.org/freebsd/7c63775e-be31-11e5-b5fe-002590263bf5.html Changes: _U branches/2016Q1/ branches/2016Q1/archivers/libarchive/Makefile branches/2016Q1/archivers/libarchive/files/
- Set maintainer-feedback- due to maintainer timeout - Set merge-quarterly+ due to MFH approved by ports-secteam (miwi) - Close PR I'll continue to keep an eye on the upstream report that they have CVE's that really should be fixed in an officially released version but I don't feel the need to keep the PR open solely for that purpose.