Bug 984990 (CVE-2016-4809) - VUL-1: CVE-2016-4809: libarchive,bsdtar: Memory allocate error with symbolic links in cpio archives
Status: RESOLVED FIXED
Alias: CVE-2016-4809
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P4 - Low, Severity: Minor
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/170131/
Whiteboard: CVSSv2:SUSE:CVE-2016-4809:1.9:(AV:L/A...
Keywords:
Depends on:
Blocks:
 
Reported: 2016-06-16 08:56 UTC by Marcus Meissner
Modified: 2019-05-22 01:05 UTC

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments
c014d4b4-1833-11e6-8ccf-b00bfbedb16c.cpio (965 bytes, application/octet-stream)
2016-07-07 08:37 UTC, Marcus Meissner
cc6569ea-1833-11e6-88fd-132060c69647.cpio (852 bytes, application/octet-stream)
2016-07-07 08:38 UTC, Marcus Meissner
d522f84a-1833-11e6-90cc-a1b97770bf9e.cpio (565 bytes, application/octet-stream)
2016-07-07 08:38 UTC, Marcus Meissner

Description Marcus Meissner 2016-06-16 08:56:59 UTC
A cpio archive with a ridiculously large symlink can cause memory allocation
to fail, resulting in any attempt to view or extract the archive crashing.
The failed allocation appears to be handled correctly within libarchive and
not lead to further issues.

External references:
    https://github.com/libarchive/libarchive/issues/705

Upstream fix:
    https://github.com/libarchive/libarchive/commit/fd7e0c02
Comment 1 Marcus Meissner 2016-06-16 09:04:20 UTC
code looks affected in both bsdtar in SLE11 and libarchive in SLE12.
Comment 3 Adrian Schröter 2016-06-16 10:01:42 UTC
IBS maintenance request 116648
OBS maintenance request 402701
OBS Factory request 402700
Comment 4 Bernhard Wiedemann 2016-06-16 12:00:16 UTC
This is an autogenerated message for OBS integration:
This bug (984990) was mentioned in
https://build.opensuse.org/request/show/402701 13.2+42.1 / libarchive
Comment 5 Swamp Workflow Management 2016-06-16 22:00:12 UTC
bugbot adjusting priority
Comment 6 Swamp Workflow Management 2016-06-24 14:32:15 UTC
openSUSE-SU-2016:1679-1: An update that fixes one vulnerability is now available.

Category: security (low)
Bug References: 984990
CVE References: CVE-2016-4809
Sources used:
openSUSE 13.2 (src):    libarchive-3.1.2-7.11.1
Comment 7 Marcus Meissner 2016-07-07 08:37:25 UTC
Created attachment 683347
c014d4b4-1833-11e6-8ccf-b00bfbedb16c.cpio

QA REPRODUCER

bsdtar -tf c014d4b4-1833-11e6-8ccf-b00bfbedb16c.cpio
Comment 8 Marcus Meissner 2016-07-07 08:38:07 UTC
Created attachment 683348
cc6569ea-1833-11e6-88fd-132060c69647.cpio

QA REPRODUCER:

bsdtar -tf cc6569ea-1833-11e6-88fd-132060c69647.cpio
Comment 9 Marcus Meissner 2016-07-07 08:38:48 UTC
Created attachment 683349
d522f84a-1833-11e6-90cc-a1b97770bf9e.cpio

QA REPRODUCER:

bsdtar -tf d522f84a-1833-11e6-90cc-a1b97770bf9e.cpio
Comment 10 Andrej Semen 2016-07-18 11:12:15 UTC
reproducer for c8 worked

reproducer for c7 and c9 does show any change in output


before:
-------
sol:/tmp # export LANG=

#c7
sol:/tmp # bsdtar -tf c014d4b4-1833-11e6-8ccf-b00bfbedb16c.cpio
bsdtar: (Empty error message)
bsdtar: Error exit delayed from previous errors.

#c8
sol:/tmp # bsdtar -tf cc6569ea-1833-11e6-88fd-132060c69647.cpio
bsdtar: (Empty error message)
bsdtar: Error exit delayed from previous errors.

#c9
sol:/tmp # bsdtar -tf d522f84a-1833-11e6-90cc-a1b97770bf9e.cpio
\350\350\350\350\350\350\350\350\350\350\350\350\350\350\350\350\350\350\350\350
Speicherzugriffsfehler


after:
------
mgr-srv-21-scc-pgl:/tmp # export LANG=
#c7
mgr-srv-21-scc-pgl:/tmp # bsdtar -tf c014d4b4-1833-11e6-8ccf-b00bfbedb16c.cpio
bsdtar: (Empty error message)
bsdtar: Error exit delayed from previous errors.

#c8
mgr-srv-21-scc-pgl:/tmp # bsdtar -tf cc6569ea-1833-11e6-88fd-132060c69647.cpio
bsdtar: Rejecting malformed cpio archive: symlink contents exceed 1 megabyte:
Cannot allocate memory
bsdtar: Error exit delayed from previous errors.

#c9
mgr-srv-21-scc-pgl:/tmp # bsdtar -tf d522f84a-1833-11e6-90cc-a1b97770bf9e.cpio
\350\350\350\350\350\350\350\350\350\350\350\350\350\350\350\350\350\350\350\350
Speicherzugriffsfehler
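
An added illustration, not libarchive's code and not part of this bug report: a header check that rejects a cpio entry whose symlink target length exceeds the 1 megabyte limit named in the patched bsdtar message above, before any buffer is sized from that field. It covers only the newc header variant, which is an assumption because the report does not say which cpio variant the reproducers use; `check_newc_header`, `make_header` and the return codes are hypothetical names.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define NEWC_HEADER_LEN 110
#define SYMLINK_MAX (1024u * 1024u)  /* 1 megabyte, the limit in the patched bsdtar message */
enum { CPIO_OK, CPIO_TRUNCATED, CPIO_BAD_MAGIC, CPIO_BAD_FIELD, CPIO_SYMLINK_TOO_LARGE };

/* Decode one 8-digit hex field; returns 0 on success, -1 on a non-hex byte. */
static int hex8(const unsigned char *p, uint32_t *out)
{
    uint32_t v = 0;
    for (int i = 0; i < 8; i++) {
        unsigned char c = p[i];
        if (c >= '0' && c <= '9') v = (v << 4) | (uint32_t)(c - '0');
        else if (c >= 'a' && c <= 'f') v = (v << 4) | (uint32_t)(c - 'a' + 10);
        else if (c >= 'A' && c <= 'F') v = (v << 4) | (uint32_t)(c - 'A' + 10);
        else return -1;
    }
    *out = v;
    return 0;
}

/* newc layout: magic(6), then 8-hex-digit ino, mode, uid, gid, nlink, mtime, filesize, ... */
int check_newc_header(const unsigned char *buf, size_t len)
{
    uint32_t mode, filesize;
    if (len < NEWC_HEADER_LEN) return CPIO_TRUNCATED;
    if (memcmp(buf, "070701", 6) && memcmp(buf, "070702", 6)) return CPIO_BAD_MAGIC;
    if (hex8(buf + 14, &mode) || hex8(buf + 54, &filesize)) return CPIO_BAD_FIELD;
    /* For a symlink entry, filesize is the length of the link target. */
    if ((mode & 0170000u) == 0120000u && filesize > SYMLINK_MAX) return CPIO_SYMLINK_TOO_LARGE;
    return CPIO_OK;
}

/* Constructed sample input: a newc header with the given mode and filesize. */
void make_header(unsigned char out[NEWC_HEADER_LEN + 1], unsigned mode, unsigned size)
{
    snprintf((char *)out, NEWC_HEADER_LEN + 1, "070701%08X%08X%08X%08X%08X%08X%08X"
             "%08X%08X%08X%08X%08X%08X", 1u, mode, 0u, 0u, 1u, 0u, size, 0u, 0u, 0u, 0u, 2u, 0u);
}

int main(void)
{
    unsigned char h[NEWC_HEADER_LEN + 1];
    make_header(h, 0120777u, 0x7FFFFFFFu);  /* symlink claiming a ~2 GiB target */
    printf("oversized symlink -> %d\n", check_newc_header(h, NEWC_HEADER_LEN));
    make_header(h, 0120777u, 11u);          /* ordinary short symlink */
    printf("short symlink     -> %d\n", check_newc_header(h, NEWC_HEADER_LEN));
    return 0;
}
```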
Comment 11 Swamp Workflow Management 2016-07-29 12:09:14 UTC
SUSE-SU-2016:1909-1: An update that fixes 20 vulnerabilities is now available.

Category: security (important)
Bug References: 984990,985609,985665,985669,985673,985675,985679,985682,985685,985688,985689,985697,985698,985700,985703,985704,985706,985826,985832,985835
CVE References: CVE-2015-8918,CVE-2015-8919,CVE-2015-8920,CVE-2015-8921,CVE-2015-8922,CVE-2015-8923,CVE-2015-8924,CVE-2015-8925,CVE-2015-8926,CVE-2015-8928,CVE-2015-8929,CVE-2015-8930,CVE-2015-8931,CVE-2015-8932,CVE-2015-8933,CVE-2015-8934,CVE-2016-4300,CVE-2016-4301,CVE-2016-4302,CVE-2016-4809
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP1 (src):    libarchive-3.1.2-22.1
SUSE Linux Enterprise Server 12-SP1 (src):    libarchive-3.1.2-22.1
SUSE Linux Enterprise Desktop 12-SP1 (src):    libarchive-3.1.2-22.1
Comment 12 Swamp Workflow Management 2016-08-02 15:09:20 UTC
SUSE-SU-2016:1939-1: An update that fixes 7 vulnerabilities is now available.

Category: security (important)
Bug References: 920870,984990,985609,985669,985675,985682,985698
CVE References: CVE-2015-2304,CVE-2015-8918,CVE-2015-8920,CVE-2015-8921,CVE-2015-8924,CVE-2015-8929,CVE-2016-4809
Sources used:
SUSE Studio Onsite 1.3 (src):    bsdtar-2.5.5-9.1
SUSE OpenStack Cloud 5 (src):    bsdtar-2.5.5-9.1
SUSE Manager Proxy 2.1 (src):    bsdtar-2.5.5-9.1
SUSE Manager 2.1 (src):    bsdtar-2.5.5-9.1
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    bsdtar-2.5.5-9.1
SUSE Linux Enterprise Server 11-SP4 (src):    bsdtar-2.5.5-9.1
SUSE Linux Enterprise Server 11-SP3-LTSS (src):    bsdtar-2.5.5-9.1
SUSE Linux Enterprise Server 11-SP2-LTSS (src):    bsdtar-2.5.5-9.1
SUSE Linux Enterprise Point of Sale 11-SP3 (src):    bsdtar-2.5.5-9.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    bsdtar-2.5.5-9.1
Comment 13 Swamp Workflow Management 2016-08-11 15:13:48 UTC
openSUSE-SU-2016:2036-1: An update that fixes 20 vulnerabilities is now available.

Category: security (important)
Bug References: 984990,985609,985665,985669,985673,985675,985679,985682,985685,985688,985689,985697,985698,985700,985703,985704,985706,985826,985832,985835
CVE References: CVE-2015-8918,CVE-2015-8919,CVE-2015-8920,CVE-2015-8921,CVE-2015-8922,CVE-2015-8923,CVE-2015-8924,CVE-2015-8925,CVE-2015-8926,CVE-2015-8928,CVE-2015-8929,CVE-2015-8930,CVE-2015-8931,CVE-2015-8932,CVE-2015-8933,CVE-2015-8934,CVE-2016-4300,CVE-2016-4301,CVE-2016-4302,CVE-2016-4809
Sources used:
openSUSE Leap 42.1 (src):    libarchive-3.1.2-13.2
Comment 16 Marcus Meissner 2017-10-26 06:11:52 UTC
released