Bug 985679 - (CVE-2015-8928) VUL-1: CVE-2015-8928: bsdtar,libarchive: Heap out of bounds read in mtree parser
(CVE-2015-8928)
VUL-1: CVE-2015-8928: bsdtar,libarchive: Heap out of bounds read in mtree parser
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P4 - Low : Normal
: ---
Assigned To: Frederic Crozat
Security Team bot
https://smash.suse.de/issue/170283/
CVSSv2:SUSE:CVE-2015-8928:4.3:(AV:N/...
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2016-06-20 14:26 UTC by Marcus Meissner
Modified: 2022-06-10 12:52 UTC (History)
4 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments
libarchive-oob-process_add_entry.txt (12 bytes, text/plain)
2016-06-20 14:28 UTC, Marcus Meissner
Details
64d5628.patch (2.96 KB, patch)
2016-06-20 14:30 UTC, Marcus Meissner
Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Marcus Meissner 2016-06-20 14:26:10 UTC
CVE-2015-8928

> https://github.com/libarchive/libarchive/issues/550
> Heap out of bounds read in mtree parser

Use CVE-2015-8928.



References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-8928
http://seclists.org/oss-sec/2016/q2/566
Comment 1 Marcus Meissner 2016-06-20 14:28:13 UTC
Created attachment 681351 [details]
libarchive-oob-process_add_entry.txt

QA REPRODUCER:

valgrind bsdtar xf libarchive-oob-process_add_entry.txt

==20464== Invalid read of size 1
==20464==    at 0x4C2DEE0: memcpy@@GLIBC_2.14 (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==20464==    by 0x4E760CB: ??? (in /usr/lib64/libarchive.so.13.1.2)
==20464==    by 0x4E545DA: ??? (in /usr/lib64/libarchive.so.13.1.2)
==20464==    by 0x4E5470B: ??? (in /usr/lib64/libarchive.so.13.1.2)
==20464==    by 0x405FD6: ??? (in /usr/bin/bsdtar)
==20464==    by 0x406976: ??? (in /usr/bin/bsdtar)
==20464==    by 0x404C19: ??? (in /usr/bin/bsdtar)
==20464==    by 0x50FBB04: (below main) (libc-start.c:285)

should not happen after update
Comment 2 Marcus Meissner 2016-06-20 14:30:05 UTC
Created attachment 681354 [details]
64d5628.patch

64d5628 commit that fix the issue
Comment 3 Swamp Workflow Management 2016-06-20 22:01:35 UTC
bugbot adjusting priority
Comment 4 Swamp Workflow Management 2016-07-29 12:10:19 UTC
SUSE-SU-2016:1909-1: An update that fixes 20 vulnerabilities is now available.

Category: security (important)
Bug References: 984990,985609,985665,985669,985673,985675,985679,985682,985685,985688,985689,985697,985698,985700,985703,985704,985706,985826,985832,985835
CVE References: CVE-2015-8918,CVE-2015-8919,CVE-2015-8920,CVE-2015-8921,CVE-2015-8922,CVE-2015-8923,CVE-2015-8924,CVE-2015-8925,CVE-2015-8926,CVE-2015-8928,CVE-2015-8929,CVE-2015-8930,CVE-2015-8931,CVE-2015-8932,CVE-2015-8933,CVE-2015-8934,CVE-2016-4300,CVE-2016-4301,CVE-2016-4302,CVE-2016-4809
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP1 (src):    libarchive-3.1.2-22.1
SUSE Linux Enterprise Server 12-SP1 (src):    libarchive-3.1.2-22.1
SUSE Linux Enterprise Desktop 12-SP1 (src):    libarchive-3.1.2-22.1
Comment 5 Swamp Workflow Management 2016-08-11 15:14:51 UTC
openSUSE-SU-2016:2036-1: An update that fixes 20 vulnerabilities is now available.

Category: security (important)
Bug References: 984990,985609,985665,985669,985673,985675,985679,985682,985685,985688,985689,985697,985698,985700,985703,985704,985706,985826,985832,985835
CVE References: CVE-2015-8918,CVE-2015-8919,CVE-2015-8920,CVE-2015-8921,CVE-2015-8922,CVE-2015-8923,CVE-2015-8924,CVE-2015-8925,CVE-2015-8926,CVE-2015-8928,CVE-2015-8929,CVE-2015-8930,CVE-2015-8931,CVE-2015-8932,CVE-2015-8933,CVE-2015-8934,CVE-2016-4300,CVE-2016-4301,CVE-2016-4302,CVE-2016-4809
Sources used:
openSUSE Leap 42.1 (src):    libarchive-3.1.2-13.2
Comment 6 Adrian Schröter 2018-10-10 13:30:53 UTC
is done
Comment 10 Carlos López 2022-05-10 09:52:45 UTC
bsdtar still not fixed, libarchive done.
Comment 11 Frederic Crozat 2022-06-10 12:43:04 UTC
(In reply to Carlos López from comment #10)
> bsdtar still not fixed, libarchive done.

I'm not sure why I'm flagged as bugowner for bsdtar, but anyway ;)

the specfile for bsdtar (in SLE-11) is stating : "
# Issues which do not affect this version
# CVE-2019-18408: no rar support
# CVE-2016-5418: no posix write support
# CVE-2016-6250: no iso9660 write support
# CVE-2016-8687: no mtree format support
# CVE-2016-8689: no 7zip format support
# CVE-2016-7166
# CVE-2015-8930, CVE-2016-5844: no support for iso joliet format
# CVE-2015-8919, CVE-2017-14503: no LHA format support
# CVE-2015-8931, CVE-2015-8928, CVE-2015-8925.patch, CVE-2016-4301, \
#   CVE-2016-4301.patch : no mtree format support
# CVE-2015-8933: tar format has no support for sparse files
# CVE-2015-8922, CVE-2016-4300.patch: no 7zip format support
# CVE-2015-8934, CVE-2015-8926, CVE-2016-4302, CVE-2015-8916: no RAR format support
# CVE-2016-1541: zip format does not handle Mac extensions
# CVE-2015-8923: zip format does not handle Info-Zip Unix Extra Field (type 3)
#

Therefore, I would suggest to update our vulnerability DB.

Closing bug as FIXED
Comment 12 Carlos López 2022-06-10 12:52:43 UTC
(In reply to Frederic Crozat from comment #11)
> the specfile for bsdtar (in SLE-11) is stating : "
> # CVE-2015-8931, CVE-2015-8928, CVE-2015-8925.patch, CVE-2016-4301, \
> #   CVE-2016-4301.patch : no mtree format support

I've updated our tracking, thanks.