985689 – (CVE-2015-8931) VUL-1: CVE-2015-8931: bsdtar,libarchive: Undefined behavior / signed integer overflow in mtree parser

Bug 985689 (CVE-2015-8931) - VUL-1: CVE-2015-8931: bsdtar,libarchive: Undefined behavior / signed integer overflow in mtree parser

Summary: VUL-1: CVE-2015-8931: bsdtar,libarchive: Undefined behavior / signed integer ...

Status:	RESOLVED FIXED

Alias:	CVE-2015-8931

Product:	SUSE Security Incidents
Classification:	Novell Products
Component:	Incidents (show other bugs)
Version:	unspecified
Hardware:	Other Other

Priority:	P4 - Low Severity: Normal
Target Milestone:	---
Assignee:	Adrian Schröter
QA Contact:	Security Team bot

URL:	https://smash.suse.de/issue/170296/
Whiteboard:	CVSSv2:SUSE:CVE-2015-8931:4.3:(AV:N/...
Keywords:

Depends on:
Blocks:

Clone This Bug

Reported:	2016-06-20 14:52 UTC by Marcus Meissner
Modified:	2022-05-10 10:19 UTC (History)
CC List:	5 users (show)

See Also:
Found By:	Security Response Team
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
b31744d.patch (1.88 KB, patch) 2016-06-20 14:54 UTC, Marcus Meissner	Details \| Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Marcus Meissner 2016-06-20 14:52:59 UTC

CVE-2015-8931

> https://github.com/libarchive/libarchive/issues/539
> Undefined behavior / signed integer overflow in mtree parser

>> We run on a lot of platforms that don't use glibc

Use CVE-2015-8931.


References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-8931
http://seclists.org/oss-sec/2016/q2/566

Comment 1 Marcus Meissner 2016-06-20 14:54:53 UTC

Created attachment 681362 [details]
b31744d.patch

b31744d commit

Comment 2 Marcus Meissner 2016-06-20 14:55:23 UTC

no reproducer specified, might not be able to get one

Comment 3 Swamp Workflow Management 2016-06-20 22:02:09 UTC

bugbot adjusting priority

Comment 4 Swamp Workflow Management 2016-07-29 12:10:56 UTC

SUSE-SU-2016:1909-1: An update that fixes 20 vulnerabilities is now available.

Category: security (important)
Bug References: 984990,985609,985665,985669,985673,985675,985679,985682,985685,985688,985689,985697,985698,985700,985703,985704,985706,985826,985832,985835
CVE References: CVE-2015-8918,CVE-2015-8919,CVE-2015-8920,CVE-2015-8921,CVE-2015-8922,CVE-2015-8923,CVE-2015-8924,CVE-2015-8925,CVE-2015-8926,CVE-2015-8928,CVE-2015-8929,CVE-2015-8930,CVE-2015-8931,CVE-2015-8932,CVE-2015-8933,CVE-2015-8934,CVE-2016-4300,CVE-2016-4301,CVE-2016-4302,CVE-2016-4809
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP1 (src):    libarchive-3.1.2-22.1
SUSE Linux Enterprise Server 12-SP1 (src):    libarchive-3.1.2-22.1
SUSE Linux Enterprise Desktop 12-SP1 (src):    libarchive-3.1.2-22.1

Comment 5 Swamp Workflow Management 2016-08-11 15:15:30 UTC

openSUSE-SU-2016:2036-1: An update that fixes 20 vulnerabilities is now available.

Category: security (important)
Bug References: 984990,985609,985665,985669,985673,985675,985679,985682,985685,985688,985689,985697,985698,985700,985703,985704,985706,985826,985832,985835
CVE References: CVE-2015-8918,CVE-2015-8919,CVE-2015-8920,CVE-2015-8921,CVE-2015-8922,CVE-2015-8923,CVE-2015-8924,CVE-2015-8925,CVE-2015-8926,CVE-2015-8928,CVE-2015-8929,CVE-2015-8930,CVE-2015-8931,CVE-2015-8932,CVE-2015-8933,CVE-2015-8934,CVE-2016-4300,CVE-2016-4301,CVE-2016-4302,CVE-2016-4809
Sources used:
openSUSE Leap 42.1 (src):    libarchive-3.1.2-13.2

Comment 6 Adrian Schröter 2018-10-10 13:33:29 UTC

is done

Comment 10 Carlos López 2022-05-10 10:19:48 UTC

bsdtar not affected, libarchive done. Closing.