FEDORA-2019-71b2273a9f created by odubaj 5 months ago for Fedora 30
stable

Security fix for CVE-2019-18408

RAR reader: fix use after free

If read_data_compressed() returns ARCHIVE_FAILED, the caller is allowed to continue with next archive headers. We need to set rar->start_new_table after the ppmd7_context got freed, otherwise it won't be allocated again.
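
The invariant described in the fix note above, as an added example (a simplified model written for this page, not libarchive's code or the Fedora patch). The struct, function bodies, status codes and the `patched` switch are assumptions; only the names read_data_compressed, start_new_table and the freed PPMd7 context come from the description. A shadow flag tracks the stale context, so the model reports the bad state instead of touching freed memory.

```c
#include <stdio.h>
#include <stdlib.h>
enum { M_OK = 0, M_FAILED = -1, M_STALE = -2 };  /* constructed status codes */

/* Simplified stand-in for the reader state; not libarchive's struct. */
struct model_rar {
    int *ctx;             /* stands in for the PPMd7 context allocation */
    int ctx_live;         /* shadow flag: 1 while ctx points at live memory */
    int start_new_table;  /* 1 = (re)allocate ctx before decoding */
};

static void ctx_free(struct model_rar *r) {
    if (!r->ctx_live) return;
    free(r->ctx);         /* r->ctx is left dangling on purpose */
    r->ctx_live = 0;
}

/* Decode one entry; `corrupt` simulates a decompression error. */
static int read_data_compressed(struct model_rar *r, int corrupt) {
    if (r->start_new_table) {
        r->ctx = malloc(sizeof *r->ctx);
        if (r->ctx == NULL) return M_FAILED;
        r->ctx_live = 1;
        r->start_new_table = 0;
    }
    if (!r->ctx_live) return M_STALE;  /* real code would touch freed memory */
    *r->ctx = 1;
    return corrupt ? M_FAILED : M_OK;
}

/* Caller-side error path; `patched` selects whether the flag is reset. */
static int read_data(struct model_rar *r, int corrupt, int patched) {
    int ret = read_data_compressed(r, corrupt);
    if (ret != M_OK) {
        ctx_free(r);
        if (patched) r->start_new_table = 1;  /* reallocate on next entry */
    }
    return ret;
}

/* Read a corrupt entry, then a good one; return the second entry's status. */
int second_entry_status(int patched) {
    struct model_rar r = { NULL, 0, 1 };
    read_data(&r, 1, patched);
    int ret = read_data(&r, 0, patched);
    ctx_free(&r);
    return ret;
}
int main(void) {
    printf("unpatched=%d patched=%d\n", second_entry_status(0), second_entry_status(1));
}
```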

How to install

sudo dnf upgrade --advisory=FEDORA-2019-71b2273a9f

This update has been submitted for testing by odubaj.

5 months ago

This update's test gating status has been changed to 'waiting'.

5 months ago

This update's test gating status has been changed to 'ignored'.

5 months ago

This update has been pushed to testing.

5 months ago
pwalter commented & provided feedback 5 months ago

Works

samoht0 provided feedback 5 months ago

This update can be pushed to stable now if the maintainer wishes

5 months ago

This update's test gating status has been changed to 'greenwave_failed'.

3 months ago

This update's test gating status has been changed to 'ignored'.

3 months ago
dgrigorev commented & provided feedback 2 months ago

The Fedora 30 package update is proposed to fix CVE-2019-18408, which is fixed in Red Hat products only after libarchive 3.4.1 is available on December 30, 2019: https://access.redhat.com/security/cve/CVE-2019-18408. This version features important security bugfixes, including one in the RAR5 reader, according to https://github.com/libarchive/libarchive/wiki/ReleaseNotes. This Fedora 30 package update supplies version 3.3.3, which fixes no such security problems.

BZ#1769980 CVE-2019-18408 libarchive: use-after-free in archive_read_format_rar_read_data when there is an error in the decompression of an archive entry [fedora-all]

Bodhi is disabling automatic push to stable due to negative karma. The maintainer may push manually if they determine that the issue is not severe.

2 months ago
samoht0 commented & provided feedback 2 months ago

@dgrigorev

It's OK to point out if something seems wrong. But I consider it bad manners to claim things based on FUD. If you're unsure, why not just ask? In that case, it's a matter of backporting patches.

Please do a little research on that topic and then look here: https://src.fedoraproject.org/rpms/libarchive/tree/f30

dgrigorev commented & provided feedback 2 months ago

@samoht0
I see your point. The actual CVE-2019-18408 vulnerability was fixed in 3.4.0 according to https://nvd.nist.gov/vuln/detail/CVE-2019-18408 and I cannot actually tell if the patch libarchive-3.3.3-CVE-2019-18408.patch fixes it or not (I am not any good with gdb). I also don't know what is meant by "Important bugfixes -> security fixes in RAR5 reader" in the release notes for libarchive 3.4.1 released on December 30, 2019. I also don't know why RHEL fixes for this CVE are released only in January, 2020 as mentioned here https://access.redhat.com/security/cve/CVE-2019-18408. The CVE-2019-19221 published on 11/21/2019 has only medium severity instead of high for CVE-2019-18408 as seen here https://nvd.nist.gov/vuln/detail/CVE-2019-19221 and the patched 3.3.3 version may as well be unaffected by it. I could not find it in the bugzilla so I got messed up. Sorry about that.

samoht0 commented & provided feedback 2 months ago

CVE-2019-18408 is fixed with commit

https://github.com/libarchive/libarchive/commit/b8592ecba2f9e451e1f5cb7ab6dcee8b8e7b3f60

as referenced here

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18408

which is exactly libarchive-3.3.3-CVE-2019-18408.patch

@odubaj I think this should be pushed to stable and CVE-2019-19221 addressed in another build.

This update's test gating status has been changed to 'greenwave_failed'.

2 months ago

This update's test gating status has been changed to 'ignored'.

2 months ago
kuosmanen commented & provided feedback a month ago

working fine

This update has been submitted for stable by mooninite.

2 days ago

This update has been pushed to stable.

a day ago

Metadata
Type: security
Severity: medium
Karma: 2
Signed
Content Type: RPM
Test Gating
Settings
Unstable by Karma: -3
Dates
submitted: 5 months ago
in testing: 5 months ago
in stable: a day ago
BZ#1769980 CVE-2019-18408 libarchive: use-after-free in archive_read_format_rar_read_data when there is an error in the decompression of an archive entry [fedora-all]