Bug 985679 (CVE-2015-8928) - VUL-1: CVE-2015-8928: bsdtar,libarchive: Heap out of bounds read in mtree parser
Summary: VUL-1: CVE-2015-8928: bsdtar,libarchive: Heap out of bounds read in mtree parser
Status: RESOLVED FIXED
Alias: CVE-2015-8928
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents (show other bugs)
Version: unspecified
Hardware: Other Other
: P4 - Low : Normal
Target Milestone: ---
Assignee: Frederic Crozat
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/170283/
Whiteboard: CVSSv2:SUSE:CVE-2015-8928:4.3:(AV:N/...
Keywords:
Depends on:
Blocks:
 
Reported: 2016-06-20 14:26 UTC by Marcus Meissner
Modified: 2022-06-10 12:52 UTC (History)
4 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Attachments
libarchive-oob-process_add_entry.txt (12 bytes, text/plain)
2016-06-20 14:28 UTC, Marcus Meissner 		Details
64d5628.patch (2.96 KB, patch)
2016-06-20 14:30 UTC, Marcus Meissner 		Details | Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Marcus Meissner 2016-06-20 14:26:10 UTC 
CVE-2015-8928

> https://github.com/libarchive/libarchive/issues/550
> Heap out of bounds read in mtree parser

Use CVE-2015-8928.



References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-8928
http://seclists.org/oss-sec/2016/q2/566
Comment 1 Marcus Meissner 2016-06-20 14:28:13 UTC 
Created attachment 681351 [details]
libarchive-oob-process_add_entry.txt

QA REPRODUCER:

valgrind bsdtar xf libarchive-oob-process_add_entry.txt

==20464== Invalid read of size 1
==20464==    at 0x4C2DEE0: memcpy@@GLIBC_2.14 (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==20464==    by 0x4E760CB: ??? (in /usr/lib64/libarchive.so.13.1.2)
==20464==    by 0x4E545DA: ??? (in /usr/lib64/libarchive.so.13.1.2)
==20464==    by 0x4E5470B: ??? (in /usr/lib64/libarchive.so.13.1.2)
==20464==    by 0x405FD6: ??? (in /usr/bin/bsdtar)
==20464==    by 0x406976: ??? (in /usr/bin/bsdtar)
==20464==    by 0x404C19: ??? (in /usr/bin/bsdtar)
==20464==    by 0x50FBB04: (below main) (libc-start.c:285)

should not happen after update
Comment 2 Marcus Meissner 2016-06-20 14:30:05 UTC 
Created attachment 681354 [details]
64d5628.patch

64d5628 commit that fix the issue
Comment 3 Swamp Workflow Management 2016-06-20 22:01:35 UTC 
bugbot adjusting priority
Comment 4 Swamp Workflow Management 2016-07-29 12:10:19 UTC 
SUSE-SU-2016:1909-1: An update that fixes 20 vulnerabilities is now available.

Category: security (important)
Bug References: 984990,985609,985665,985669,985673,985675,985679,985682,985685,985688,985689,985697,985698,985700,985703,985704,985706,985826,985832,985835
CVE References: CVE-2015-8918,CVE-2015-8919,CVE-2015-8920,CVE-2015-8921,CVE-2015-8922,CVE-2015-8923,CVE-2015-8924,CVE-2015-8925,CVE-2015-8926,CVE-2015-8928,CVE-2015-8929,CVE-2015-8930,CVE-2015-8931,CVE-2015-8932,CVE-2015-8933,CVE-2015-8934,CVE-2016-4300,CVE-2016-4301,CVE-2016-4302,CVE-2016-4809
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP1 (src):    libarchive-3.1.2-22.1
SUSE Linux Enterprise Server 12-SP1 (src):    libarchive-3.1.2-22.1
SUSE Linux Enterprise Desktop 12-SP1 (src):    libarchive-3.1.2-22.1
Comment 5 Swamp Workflow Management 2016-08-11 15:14:51 UTC 
openSUSE-SU-2016:2036-1: An update that fixes 20 vulnerabilities is now available.

Category: security (important)
Bug References: 984990,985609,985665,985669,985673,985675,985679,985682,985685,985688,985689,985697,985698,985700,985703,985704,985706,985826,985832,985835
CVE References: CVE-2015-8918,CVE-2015-8919,CVE-2015-8920,CVE-2015-8921,CVE-2015-8922,CVE-2015-8923,CVE-2015-8924,CVE-2015-8925,CVE-2015-8926,CVE-2015-8928,CVE-2015-8929,CVE-2015-8930,CVE-2015-8931,CVE-2015-8932,CVE-2015-8933,CVE-2015-8934,CVE-2016-4300,CVE-2016-4301,CVE-2016-4302,CVE-2016-4809
Sources used:
openSUSE Leap 42.1 (src):    libarchive-3.1.2-13.2
Comment 6 Adrian Schröter 2018-10-10 13:30:53 UTC 
is done
Comment 10 Carlos López 2022-05-10 09:52:45 UTC 
bsdtar still not fixed, libarchive done.
Comment 11 Frederic Crozat 2022-06-10 12:43:04 UTC 
(In reply to Carlos López from comment #10)
> bsdtar still not fixed, libarchive done.

I'm not sure why I'm flagged as bugowner for bsdtar, but anyway ;)

the specfile for bsdtar (in SLE-11) is stating : "
# Issues which do not affect this version
# CVE-2019-18408: no rar support
# CVE-2016-5418: no posix write support
# CVE-2016-6250: no iso9660 write support
# CVE-2016-8687: no mtree format support
# CVE-2016-8689: no 7zip format support
# CVE-2016-7166
# CVE-2015-8930, CVE-2016-5844: no support for iso joliet format
# CVE-2015-8919, CVE-2017-14503: no LHA format support
# CVE-2015-8931, CVE-2015-8928, CVE-2015-8925.patch, CVE-2016-4301, \
#   CVE-2016-4301.patch : no mtree format support
# CVE-2015-8933: tar format has no support for sparse files
# CVE-2015-8922, CVE-2016-4300.patch: no 7zip format support
# CVE-2015-8934, CVE-2015-8926, CVE-2016-4302, CVE-2015-8916: no RAR format support
# CVE-2016-1541: zip format does not handle Mac extensions
# CVE-2015-8923: zip format does not handle Info-Zip Unix Extra Field (type 3)
#

Therefore, I would suggest to update our vulnerability DB.

Closing bug as FIXED
Comment 12 Carlos López 2022-06-10 12:52:43 UTC 
(In reply to Frederic Crozat from comment #11)
> the specfile for bsdtar (in SLE-11) is stating : "
> # CVE-2015-8931, CVE-2015-8928, CVE-2015-8925.patch, CVE-2016-4301, \
> #   CVE-2016-4301.patch : no mtree format support

I've updated our tracking, thanks.