985688 – (CVE-2015-8933) VUL-1: CVE-2015-8933: bsdtar,libarchive: Undefined behavior / signed integer overflow in TAR parser

Bug 985688 (CVE-2015-8933) - VUL-1: CVE-2015-8933: bsdtar,libarchive: Undefined behavior / signed integer overflow in TAR parser

Summary: VUL-1: CVE-2015-8933: bsdtar,libarchive: Undefined behavior / signed integer ...

Status:	RESOLVED FIXED

Alias:	CVE-2015-8933

Product:	SUSE Security Incidents
Classification:	Novell Products
Component:	Incidents (show other bugs)
Version:	unspecified
Hardware:	Other Other

Priority:	P4 - Low Severity: Normal
Target Milestone:	---
Assignee:	Adrian Schröter
QA Contact:	Security Team bot

URL:	https://smash.suse.de/issue/170294/
Whiteboard:	CVSSv2:SUSE:CVE-2015-8933:4.3:(AV:N/...
Keywords:

Depends on:
Blocks:

Clone This Bug

Reported:	2016-06-20 14:49 UTC by Marcus Meissner
Modified:	2022-05-10 10:13 UTC (History)
CC List:	3 users (show)

See Also:
Found By:	Security Response Team
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
libarchive-undefined-signed-overflow.tar (512 bytes, application/octet-stream) 2016-06-20 14:50 UTC, Marcus Meissner	Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Marcus Meissner 2016-06-20 14:49:02 UTC

CVE-2015-8933

> https://github.com/libarchive/libarchive/issues/548
> Undefined behavior / signed integer overflow in TAR parser

Use CVE-2015-8933.


References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-8933
http://seclists.org/oss-sec/2016/q2/566

Comment 1 Marcus Meissner 2016-06-20 14:50:24 UTC

Created attachment 681361 [details]
libarchive-undefined-signed-overflow.tar

QA REPRODUCER:

bsdtar xf ~/Downloads/libarchive-undefined-signed-overflow.tar

(but nothing could happen)

Comment 2 Swamp Workflow Management 2016-06-20 22:02:00 UTC

bugbot adjusting priority

Comment 3 Swamp Workflow Management 2016-07-29 12:10:47 UTC

SUSE-SU-2016:1909-1: An update that fixes 20 vulnerabilities is now available.

Category: security (important)
Bug References: 984990,985609,985665,985669,985673,985675,985679,985682,985685,985688,985689,985697,985698,985700,985703,985704,985706,985826,985832,985835
CVE References: CVE-2015-8918,CVE-2015-8919,CVE-2015-8920,CVE-2015-8921,CVE-2015-8922,CVE-2015-8923,CVE-2015-8924,CVE-2015-8925,CVE-2015-8926,CVE-2015-8928,CVE-2015-8929,CVE-2015-8930,CVE-2015-8931,CVE-2015-8932,CVE-2015-8933,CVE-2015-8934,CVE-2016-4300,CVE-2016-4301,CVE-2016-4302,CVE-2016-4809
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP1 (src):    libarchive-3.1.2-22.1
SUSE Linux Enterprise Server 12-SP1 (src):    libarchive-3.1.2-22.1
SUSE Linux Enterprise Desktop 12-SP1 (src):    libarchive-3.1.2-22.1

Comment 4 Swamp Workflow Management 2016-08-11 15:15:21 UTC

openSUSE-SU-2016:2036-1: An update that fixes 20 vulnerabilities is now available.

Category: security (important)
Bug References: 984990,985609,985665,985669,985673,985675,985679,985682,985685,985688,985689,985697,985698,985700,985703,985704,985706,985826,985832,985835
CVE References: CVE-2015-8918,CVE-2015-8919,CVE-2015-8920,CVE-2015-8921,CVE-2015-8922,CVE-2015-8923,CVE-2015-8924,CVE-2015-8925,CVE-2015-8926,CVE-2015-8928,CVE-2015-8929,CVE-2015-8930,CVE-2015-8931,CVE-2015-8932,CVE-2015-8933,CVE-2015-8934,CVE-2016-4300,CVE-2016-4301,CVE-2016-4302,CVE-2016-4809
Sources used:
openSUSE Leap 42.1 (src):    libarchive-3.1.2-13.2

Comment 5 Adrian Schröter 2018-10-10 13:33:02 UTC

is done

Comment 9 Carlos López 2022-05-10 10:13:51 UTC

bsdtar not affected, libarchive done. Closing.