Created attachment 171710 [details] update libarchive to 3.2.1 https://github.com/libarchive/libarchive/blob/master/NEWS http://blog.talosintel.com/2016/06/the-poisoned-archives.html https://groups.google.com/forum/#!topic/libarchive-announce/lyaOLoBI1Fs libarchive 3.2.1 fixes several vulnerabilities including memory corruption and code execution. I'm attaching the update patch, poudriere log and vuln.xml fragment.
Created attachment 171711 [details] poudriere testport
Created attachment 171712 [details] vuln.xml fragment ready for pasting
Great, I was just wondering what's up with that. There are also some new discoveries, it seems, should include in VuXML: http://openwall.com/lists/oss-security/2016/06/23/6 CC ports-secteam@. Removing redundant maintainer-feedback(?) request (bugzilla adds one automatically)
A commit references this bug: Author: feld Date: Thu Jun 23 16:25:47 UTC 2016 New revision: 417384 URL: https://svnweb.freebsd.org/changeset/ports/417384 Log: Document libarchive vulnerabilities PR: 210493 Security: CVE-2015-8934 Security: CVE-2016-4300 Security: CVE-2016-4301 Security: CVE-2016-4302 Changes: head/security/vuxml/vuln.xml
my build is failing, interestingly enough libtool: link: `libarchive/archive_write_add_filter_xz.lo' is not a valid libtool object *** [libarchive.la] Error code 1
Yes, this fails to build on 9.3-RELEASE and 10.1-RELEASE. I always do my test builds on the oldest supported RELEASE in a train. Testing to confirm on 10.2-RELEASE as well.
well duh, they added stuff using the multithreaded lzma functions and looks like they messed up the check for that in configure. I'm investigating.
Created attachment 171719 [details] libarchive 3.2.1, with workaround for non-multithreaded xz Turns out libarchive configure has special hacks to detect wether xz has multithread support - but they're to clever by half and fail to detect that "our" xz before xz 5.2.2 does not have multithread support. I added a workaround for that based on OSVERSION according to the table in the porters handbook. Builds on 9.3 and 10.3 now.
(In reply to Christoph Moench-Tegeder from comment #8) Great work! Verifying...
A commit references this bug: Author: feld Date: Thu Jun 23 21:11:10 UTC 2016 New revision: 417400 URL: https://svnweb.freebsd.org/changeset/ports/417400 Log: archivers/libarchive: Update to 3.2.1 This release resolves several vulnerabilities. PR: 210493 MFH: 2016Q2 Security: CVE-2015-8934 Security: CVE-2016-4300 Security: CVE-2016-4301 Security: CVE-2016-4302 Changes: head/archivers/libarchive/Makefile head/archivers/libarchive/distinfo
A commit references this bug: Author: feld Date: Thu Jun 23 21:14:35 UTC 2016 New revision: 417401 URL: https://svnweb.freebsd.org/changeset/ports/417401 Log: MFH: r417400 archivers/libarchive: Update to 3.2.1 This release resolves several vulnerabilities. PR: 210493 Security: CVE-2015-8934 Security: CVE-2016-4300 Security: CVE-2016-4301 Security: CVE-2016-4302 Approved by: ports-secteam (with hat) Changes: _U branches/2016Q2/ branches/2016Q2/archivers/libarchive/Makefile branches/2016Q2/archivers/libarchive/distinfo