Bug 200176

Summary: [security] archivers/libarchive out of bounds read vulnerability
Product: Ports & Packages Reporter: Sevan Janiyan <venture37>
Component: Individual Port(s)    Assignee: Jason Unovitch <junovitch>
Status: Closed FIXED    
Severity: Affects Only Me CC: feld, junovitch
Priority: --- Flags: junovitch: maintainer-feedback-, junovitch: merge-quarterly+
Version: Latest   
Hardware: Any   
OS: Any   
Attachments:
  libarchive updates to address Sevan's reported issue (flags: none)

Comment 1 Jason Unovitch freebsd_committer freebsd_triage 2015-06-11 03:07:07 UTC
Created attachment 157628 [details]
libarchive updates to address Sevan's reported issue

Tested on:
8.4-RELEASE-p28      amd64
8.4-RELEASE-p28      i386
9.3-RELEASE-p14      amd64
9.3-RELEASE-p14      i386
10.1-RELEASE-p10     amd64
10.1-RELEASE-p10     i386
11.0-CURRENT r284104 amd64
11.0-CURRENT r284104 i386

Buildtime:
Fix warning on INSTALL_STRIP usage

Runtime:
No tests performed.  Validate the fix works and introduces no regressions.

Other comments:
https://github.com/libarchive/libarchive/issues?q=is%3Aissue+is%3Aclosed

There are a bunch of issues that look like they could be security related in the Github issue tracker and it's too soon to tell if they are all actually viable at doing something nefarious.  It's too soon to tell if a vuxml is warranted and if more patches are actually needed.  Unfortunately upstream hasn't released anything since 2013 so further investigation is going to be needed into what the best way ahead is.  Until then, post the work in progress so far.
Comment 2 Mark Felder freebsd_committer freebsd_triage 2016-01-08 17:58:37 UTC
assigning to Jason who is a committer now and can finish this up :-)
Comment 3 Jason Unovitch freebsd_committer freebsd_triage 2016-01-18 14:14:45 UTC
Set in progress.

This is a bit frustrating that there hasn't been a libarchive release since 2013.  The burden of these fixes is all being shifted to the end users.

I see that there are some additional patches in Debian: http://anonscm.debian.org/cgit/collab-maint/libarchive.git

I see that we also need to apply an earlier patch that Debian added on 2015-03-05: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2304

Sevan, that is not in pkgsrc as far as I can tell.  I'm going to need some additional time to make sure everything is covered as well as voice my concern on upstream needing an official release.
Comment 4 Jason Unovitch freebsd_committer freebsd_triage 2016-01-18 14:19:51 UTC
CVE-2015-2304 reported as being unfixed outside of a release: https://github.com/libarchive/libarchive/issues/646
Comment 5 commit-hook freebsd_committer freebsd_triage 2016-01-18 23:51:12 UTC
A commit references this bug:

Author: junovitch
Date: Mon Jan 18 23:50:10 UTC 2016
New revision: 406623
URL: https://svnweb.freebsd.org/changeset/ports/406623

Log:
  Document several vulnerabilities in libarchive

  PR:		200176
  Reported by:	Sevan Janiyan <venture37@geeklan.co.uk>
  Security:	CVE-2013-0211
  Security:	CVE-2015-2304
  Security:	https://vuxml.FreeBSD.org/freebsd/7c63775e-be31-11e5-b5fe-002590263bf5.html

Changes:
  head/security/vuxml/vuln.xml
Comment 6 commit-hook freebsd_committer freebsd_triage 2016-01-18 23:52:14 UTC
A commit references this bug:

Author: junovitch
Date: Mon Jan 18 23:51:28 UTC 2016
New revision: 406624
URL: https://svnweb.freebsd.org/changeset/ports/406624

Log:
  archivers/libarchive: apply patches for multiple security vulnerabilities

  - Add patch for denial of service via unspecified vectors [1]
  - Add patch for directory traversal via absolute paths [2]
  - Add patch for crash/infinite loop on malformed CPIO archives (base r282932) [3]

  PR:		200176 [3]
  Reported by:	Sevan Janiyan <venture37@geeklan.co.uk>
  Approved by:	maintainer timeout (glewis, 8 months)
  Obtained from:	https://github.com/libarchive/libarchive
  		Commits 2253154 [1], 5935715 [2], 3865cf2, e6c9668, 24f5de6 [3]
  Security:	CVE-2013-0211 [1]
  Security:	CVE-2015-2304 [2]
  Security:	https://vuxml.FreeBSD.org/freebsd/7c63775e-be31-11e5-b5fe-002590263bf5.html
  MFH:		2016Q1

Changes:
  head/archivers/libarchive/Makefile
  head/archivers/libarchive/files/
  head/archivers/libarchive/files/patch-CVE-2013-0211
  head/archivers/libarchive/files/patch-CVE-2015-2304
  head/archivers/libarchive/files/patch-cpio1-3865cf2
  head/archivers/libarchive/files/patch-cpio2-e6c9668
  head/archivers/libarchive/files/patch-cpio3-24f5de6
Comment 7 Sevan Janiyan 2016-01-19 00:00:51 UTC
(In reply to Jason Unovitch from comment #3)
Indeed, CVE-2015-2304 is not patched in pkgsrc, but it turns out that cpio support is explicitly disabled by default. Still waiting to hear back if the change should be committed or not.
Comment 8 Sevan Janiyan 2016-01-19 00:01:24 UTC
(In reply to Jason Unovitch from comment #3)
Thanks for the pointer btw :)
Comment 9 Jason Unovitch freebsd_committer freebsd_triage 2016-01-19 00:23:33 UTC
(In reply to Sevan Janiyan from comment #8)
No problem. Thanks for your ongoing efforts.

I just set merge-quarterly? and I am awaiting feedback for the MFH.  With the MFH things should be all done here for the ports archivers/libarchive.

Regarding base, I also opened bug 206386 with patches and tagged secteam@ for the equivalent updates in vendor/libarchive and the various FreeBSD branches it impacts.
Comment 10 Jason Unovitch freebsd_committer freebsd_triage 2016-01-19 00:26:22 UTC
(In reply to Sevan Janiyan from comment #8)
Last pointer, delphij@ committed three fixes from upstream in https://svnweb.FreeBSD.org/base?view=revision&revision=282932.  Since 11.0-CURRENT and 10.2-RELEASE have been shipped with all three commits, I just pulled all of those to the port.  I noticed pkgsrc just had the one patch.  I'm unsure if there are still any lingering issues; however, I would advise a sanity check with the malformed example file in https://github.com/libarchive/libarchive/issues/502.
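The two defect classes named in the r406624 commit log (crash/infinite loop on malformed CPIO archives, directory traversal via absolute paths) and the sanity check suggested in comment 10 both come down to how an archive reader treats untrusted headers. As an added example, not libarchive's code and not part of this PR, here is a small fail-closed reader for the POSIX "odc" (portable ASCII) cpio format: every read is bounds-checked so a truncated or corrupt archive raises instead of looping, and entry names that are absolute or contain a `..` component are rejected before anything could be written to disk. The function and exception names, and the sample archives built by `build_odc`, are assumptions of this example.

```python
"""Fail-closed reader for POSIX 'odc' cpio archives (constructed example)."""
from __future__ import annotations

import posixpath

ODC_MAGIC = b"070707"
# (field, width in ASCII-octal characters), in on-disk order after the magic.
ODC_FIELDS = [
    ("dev", 6), ("ino", 6), ("mode", 6), ("uid", 6), ("gid", 6),
    ("nlink", 6), ("rdev", 6), ("mtime", 11), ("namesize", 6), ("filesize", 11),
]
ODC_HEADER_LEN = len(ODC_MAGIC) + sum(w for _, w in ODC_FIELDS)  # 76 bytes


class MalformedArchive(ValueError):
    """Header does not parse or the archive ends early."""


class UnsafePath(ValueError):
    """Entry name could escape the extraction directory."""


def _octal(raw: bytes, field: str) -> int:
    # Only '0'..'7' are allowed; anything else is corruption, not a zero.
    if not raw or any(c not in b"01234567" for c in raw):
        raise MalformedArchive(f"field {field!r} is not ASCII octal: {raw!r}")
    return int(raw, 8)


def _take(buf: bytes, off: int, n: int, what: str) -> bytes:
    # Every read is bounds-checked: a short archive is an error, never a wrap-around.
    if n < 0 or off + n > len(buf):
        raise MalformedArchive(f"truncated archive while reading {what} at offset {off}")
    return buf[off:off + n]


def check_entry_path(name: str) -> str:
    """Reject absolute names and parent-directory components; return a normalized relative path."""
    if name == "" or name.startswith("/"):
        raise UnsafePath(f"absolute or empty entry name: {name!r}")
    if ".." in name.split("/"):
        raise UnsafePath(f"parent-directory component in entry name: {name!r}")
    return posixpath.normpath(name)


def parse_odc(buf: bytes) -> list[dict]:
    """Parse all entries up to the TRAILER!!! record; raise on malformed or unsafe input."""
    entries: list[dict] = []
    off = 0
    # Each iteration consumes at least ODC_HEADER_LEN bytes, so the loop is bounded
    # by len(buf) / 76; a missing trailer ends in MalformedArchive from _take().
    while True:
        if _take(buf, off, len(ODC_MAGIC), "magic") != ODC_MAGIC:
            raise MalformedArchive(f"bad magic at offset {off}")
        pos = off + len(ODC_MAGIC)
        hdr = {}
        for field, width in ODC_FIELDS:
            hdr[field] = _octal(_take(buf, pos, width, field), field)
            pos += width
        raw_name = _take(buf, pos, hdr["namesize"], "name")
        # namesize counts the terminating NUL; an empty or unterminated name is malformed.
        if hdr["namesize"] < 2 or raw_name[-1:] != b"\x00" or b"\x00" in raw_name[:-1]:
            raise MalformedArchive(f"bad name field at offset {off}")
        try:
            name = raw_name[:-1].decode("utf-8")
        except UnicodeDecodeError:
            raise MalformedArchive(f"undecodable name at offset {off}") from None
        pos += hdr["namesize"]
        if name == "TRAILER!!!":
            return entries
        data = _take(buf, pos, hdr["filesize"], f"data of {name!r}")
        pos += hdr["filesize"]
        entries.append({"name": check_entry_path(name), "mode": hdr["mode"], "data": data})
        off = pos


def build_odc(entries: list[tuple[str, bytes]], trailer: bool = True) -> bytes:
    """Build a constructed odc archive for testing (not a general-purpose writer)."""
    def header(name: bytes, size: int) -> bytes:
        vals = {"dev": 0, "ino": 0, "mode": 0o100644, "uid": 0, "gid": 0, "nlink": 1,
                "rdev": 0, "mtime": 0, "namesize": len(name) + 1, "filesize": size}
        return ODC_MAGIC + b"".join(f"{vals[f]:0{w}o}".encode() for f, w in ODC_FIELDS)
    out = bytearray()
    for name, data in entries:
        nb = name.encode()
        out += header(nb, len(data)) + nb + b"\x00" + data
    if trailer:
        out += header(b"TRAILER!!!", 0) + b"TRAILER!!!\x00"
    return bytes(out)


# Constructed samples: a benign archive, an absolute-path entry, and a truncated archive.
SAMPLE_OK = build_odc([("etc/motd", b"hello\n"), ("bin/true", b"")])
SAMPLE_TRAVERSAL = build_odc([("/etc/passwd", b"root::0:0::/:/bin/sh\n")])
SAMPLE_TRUNCATED = build_odc([("a", b"x" * 10)], trailer=False)[:-4]


def classify(buf: bytes) -> str:
    """Summarize how the reader treats an archive: accepted, unsafe path, or malformed."""
    try:
        return "ok:" + ",".join(e["name"] for e in parse_odc(buf))
    except UnsafePath:
        return "unsafe-path"
    except MalformedArchive:
        return "malformed"


if __name__ == "__main__":
    for label, sample in [("ok", SAMPLE_OK), ("traversal", SAMPLE_TRAVERSAL), ("truncated", SAMPLE_TRUNCATED)]:
        print(label, "->", classify(sample))
```

The point of the shape is that the reader never trusts a length field: `_take` refuses any read past the end of the buffer, the header itself guarantees forward progress, and path validation happens before an entry is handed to whatever would write it out. A fuzzed or hand-edited sample, such as the one linked from the upstream issue, should land in `malformed` or `unsafe-path`, never in a hang or a crash.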
Comment 11 commit-hook freebsd_committer freebsd_triage 2016-01-19 00:38:20 UTC
A commit references this bug:

Author: junovitch
Date: Tue Jan 19 00:37:25 UTC 2016
New revision: 406626
URL: https://svnweb.freebsd.org/changeset/ports/406626

Log:
  MFH: r406624

  archivers/libarchive: apply patches for multiple security vulnerabilities

  - Add patch for denial of service via unspecified vectors [1]
  - Add patch for directory traversal via absolute paths [2]
  - Add patch for crash/infinite loop on malformed CPIO archives (base r282932) [3]

  PR:		200176 [3]
  Reported by:	Sevan Janiyan <venture37@geeklan.co.uk>
  Approved by:	maintainer timeout (glewis, 8 months)
  Approved by:	ports-secteam (miwi)
  Obtained from:	https://github.com/libarchive/libarchive
  		Commits 2253154 [1], 5935715 [2], 3865cf2, e6c9668, 24f5de6 [3]
  Security:	CVE-2013-0211 [1]
  Security:	CVE-2015-2304 [2]
  Security:	https://vuxml.FreeBSD.org/freebsd/7c63775e-be31-11e5-b5fe-002590263bf5.html

Changes:
_U  branches/2016Q1/
  branches/2016Q1/archivers/libarchive/Makefile
  branches/2016Q1/archivers/libarchive/files/
Comment 12 Jason Unovitch freebsd_committer freebsd_triage 2016-01-19 00:40:18 UTC
- Set maintainer-feedback- due to maintainer timeout
- Set merge-quarterly+ due to MFH approved by ports-secteam (miwi)
- Close PR

I'll continue to keep an eye on the upstream report that they have CVEs that really should be fixed in an officially released version, but I don't feel the need to keep the PR open solely for that purpose.