Bug 985706 (CVE-2015-8925) - VUL-1: CVE-2015-8925: bsdtar,libarchive: Unclear invalid memory read in mtree parser
Summary: VUL-1: CVE-2015-8925: bsdtar,libarchive: Unclear invalid memory read in mtree...
Status: RESOLVED FIXED
Alias: CVE-2015-8925
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents (show other bugs)
Version: unspecified
Hardware: Other Other
: P4 - Low : Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/170291/
Whiteboard: CVSSv2:RedHat:CVE-2015-8925:3.5:(AV:N...
Keywords:
Depends on:
Blocks:
 
Reported: 2016-06-20 15:39 UTC by Marcus Meissner
Modified: 2020-07-10 13:33 UTC (History)
2 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Attachments
read_mtree.mtree (65 bytes, text/plain)
2016-06-20 15:40 UTC, Marcus Meissner 		Details
1e18cbb.patch (5.99 KB, patch)
2016-06-20 15:40 UTC, Marcus Meissner 		Details | Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Marcus Meissner 2016-06-20 15:39:14 UTC 
CVE-2015-8925

> https://github.com/libarchive/libarchive/issues/516
> Unclear invalid memory read in mtree parser

>> Fix escaped newline parsing

Use CVE-2015-8925.


References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-8925
http://seclists.org/oss-sec/2016/q2/566
Comment 1 Marcus Meissner 2016-06-20 15:40:09 UTC 
Created attachment 681385 [details]
read_mtree.mtree

QA REPRODUCER:

valgrind bsdtar xf ~/Downloads/read_mtree.mtree

will report invalid reads before.
Comment 2 Marcus Meissner 2016-06-20 15:40:57 UTC 
Created attachment 681386 [details]
1e18cbb.patch

commit 1e18cbb
Comment 3 Swamp Workflow Management 2016-06-20 22:03:21 UTC 
bugbot adjusting priority
Comment 4 Swamp Workflow Management 2016-07-29 12:12:01 UTC 
SUSE-SU-2016:1909-1: An update that fixes 20 vulnerabilities is now available.

Category: security (important)
Bug References: 984990,985609,985665,985669,985673,985675,985679,985682,985685,985688,985689,985697,985698,985700,985703,985704,985706,985826,985832,985835
CVE References: CVE-2015-8918,CVE-2015-8919,CVE-2015-8920,CVE-2015-8921,CVE-2015-8922,CVE-2015-8923,CVE-2015-8924,CVE-2015-8925,CVE-2015-8926,CVE-2015-8928,CVE-2015-8929,CVE-2015-8930,CVE-2015-8931,CVE-2015-8932,CVE-2015-8933,CVE-2015-8934,CVE-2016-4300,CVE-2016-4301,CVE-2016-4302,CVE-2016-4809
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP1 (src):    libarchive-3.1.2-22.1
SUSE Linux Enterprise Server 12-SP1 (src):    libarchive-3.1.2-22.1
SUSE Linux Enterprise Desktop 12-SP1 (src):    libarchive-3.1.2-22.1
Comment 5 Swamp Workflow Management 2016-08-11 15:16:25 UTC 
openSUSE-SU-2016:2036-1: An update that fixes 20 vulnerabilities is now available.

Category: security (important)
Bug References: 984990,985609,985665,985669,985673,985675,985679,985682,985685,985688,985689,985697,985698,985700,985703,985704,985706,985826,985832,985835
CVE References: CVE-2015-8918,CVE-2015-8919,CVE-2015-8920,CVE-2015-8921,CVE-2015-8922,CVE-2015-8923,CVE-2015-8924,CVE-2015-8925,CVE-2015-8926,CVE-2015-8928,CVE-2015-8929,CVE-2015-8930,CVE-2015-8931,CVE-2015-8932,CVE-2015-8933,CVE-2015-8934,CVE-2016-4300,CVE-2016-4301,CVE-2016-4302,CVE-2016-4809
Sources used:
openSUSE Leap 42.1 (src):    libarchive-3.1.2-13.2
Comment 6 Adrian Schröter 2018-10-10 13:37:15 UTC 
already done
Comment 12 Swamp Workflow Management 2019-11-27 17:17:47 UTC 
SUSE-SU-2019:14233-1: An update that fixes four vulnerabilities is now available.

Category: security (moderate)
Bug References: 1005070,1059139,985601,985706
CVE References: CVE-2015-8915,CVE-2015-8925,CVE-2016-8687,CVE-2017-14503
Sources used:
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    bsdtar-2.5.5-10.8.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 13 Alexandros Toptsoglou 2020-07-10 13:33:33 UTC 
Done