stable

libarchive

FEDORA-2019-71b2273a9f created by odubaj 4 years ago for Fedora 30

Security fix for CVE-2019-18408

RAR reader: fix use after free

If read_data_compressed() returns ARCHIVE_FAILED, the caller is allowed to continue with next archive headers. We need to set rar->start_new_table after the ppmd7_context got freed, otherwise it won't be allocated again.
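The ordering point in that description, as an added illustration that is not libarchive's own code: a deliberately simplified model of the reader state (field names follow the advisory text, but the struct, the allocation size and the helper names are assumptions), showing why the reallocation flag has to be set after the context is freed before the caller moves on to the next header.

```c
#include <stdlib.h>

#define ARCHIVE_OK      0
#define ARCHIVE_FAILED (-25)

/* Hypothetical, simplified reader state; not libarchive's real struct. */
struct rar {
    void *ppmd7_context;   /* PPMd decompression context, allocated on demand */
    int   ppmd_valid;      /* context is initialised and safe to use */
    int   start_new_table; /* (re)allocate the context on the next read */
};

static void free_ppmd_context(struct rar *rar)
{
    free(rar->ppmd7_context);
    rar->ppmd7_context = NULL;
    rar->ppmd_valid = 0;
}

/* Decompression step. `corrupt` models an entry that fails mid-stream;
 * `fixed` selects the patched ordering described in the update notes. */
static int read_data_compressed(struct rar *rar, int corrupt, int fixed)
{
    if (rar->start_new_table) {            /* build a fresh context */
        rar->ppmd7_context = malloc(64);   /* size is arbitrary here */
        rar->ppmd_valid = 1;
        rar->start_new_table = 0;
    }
    if (corrupt) {
        free_ppmd_context(rar);
        if (fixed)                         /* set AFTER the free, so the */
            rar->start_new_table = 1;      /* next entry allocates again */
        return ARCHIVE_FAILED;
    }
    return ARCHIVE_OK;
}

/* Simulates the caller: the first entry fails, then it continues with the
 * next header. Returns 1 if the second read runs on a freshly allocated
 * context, 0 if nothing would reallocate and the freed context would be
 * reused (the use-after-free condition the advisory describes). */
int next_entry_reads_safely(int fixed)
{
    struct rar rar = { NULL, 0, 1 };
    if (read_data_compressed(&rar, 1, fixed) != ARCHIVE_FAILED)
        return 0;
    if (!rar.start_new_table)              /* nothing will reallocate */
        return 0;
    read_data_compressed(&rar, 0, fixed);
    int safe = rar.ppmd_valid && rar.ppmd7_context != NULL;
    free_ppmd_context(&rar);
    return safe;
}
```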

How to install

Updates may require up to 24 hours to propagate to mirrors. If the following command doesn't work, please retry later:

sudo dnf upgrade --refresh --advisory=FEDORA-2019-71b2273a9f

This update has been submitted for testing by odubaj.

4 years ago

This update's test gating status has been changed to 'waiting'.

4 years ago

This update's test gating status has been changed to 'ignored'.

4 years ago

This update has been pushed to testing.

4 years ago
pwalter commented & provided feedback 4 years ago

Works

samoht0 provided feedback 4 years ago

This update can be pushed to stable now if the maintainer wishes

4 years ago

This update's test gating status has been changed to 'greenwave_failed'.

4 years ago

This update's test gating status has been changed to 'ignored'.

4 years ago
dgrigorev commented & provided feedback 4 years ago

The Fedora 30 package update is proposed to fix CVE-2019-18408, which is fixed in Red Hat products only after libarchive 3.4.1 is available on December 30, 2019: https://access.redhat.com/security/cve/CVE-2019-18408. This version features important security bugfixes, including one in the RAR5 reader, according to https://github.com/libarchive/libarchive/wiki/ReleaseNotes. This Fedora 30 package update supplies version 3.3.3, which fixes no such security problems.

BZ#1769980 CVE-2019-18408 libarchive: use-after-free in archive_read_format_rar_read_data when there is an error in the decompression of an archive entry [fedora-all]

Bodhi is disabling automatic push to stable due to negative karma. The maintainer may push manually if they determine that the issue is not severe.

4 years ago
samoht0 commented & provided feedback 4 years ago

@dgrigorev

It's OK to point out if something seems wrong. But I consider it bad manners to claim things based on FUD. If you're unsure, why not just ask? In that case, it's a matter of backporting patches.

Please do a little research on that topic and then look here: https://src.fedoraproject.org/rpms/libarchive/tree/f30

dgrigorev commented & provided feedback 4 years ago

@samoht0
I see your point. The actual CVE-2019-18408 vulnerability was fixed in 3.4.0 according to https://nvd.nist.gov/vuln/detail/CVE-2019-18408 and I cannot actually tell if the patch libarchive-3.3.3-CVE-2019-18408.patch fixes it or not (I am not any good with gdb). I also don't know what is meant by "Important bugfixes -> security fixes in RAR5 reader" in the release notes for libarchive 3.4.1 released on December 30, 2019. I also don't know why RHEL fixes for this CVE are released only in January, 2020 as mentioned here https://access.redhat.com/security/cve/CVE-2019-18408. The CVE-2019-19221 published on 11/21/2019 has only medium severity instead of high for CVE-2019-18408 as seen here https://nvd.nist.gov/vuln/detail/CVE-2019-19221 and the patched 3.3.3 version may as well be unaffected by it. I could not find it in the bugzilla so I got messed up. Sorry about that.

samoht0 commented & provided feedback 4 years ago

CVE-2019-18408 is fixed with commit

https://github.com/libarchive/libarchive/commit/b8592ecba2f9e451e1f5cb7ab6dcee8b8e7b3f60

as referenced here

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18408

which is exactly libarchive-3.3.3-CVE-2019-18408.patch

@odubaj I think, this should be pushed stable and CVE-2019-19221 addressed in another build.


This update's test gating status has been changed to 'greenwave_failed'.

4 years ago

This update's test gating status has been changed to 'ignored'.

4 years ago
kuosmanen commented & provided feedback 4 years ago

working fine

This update has been submitted for stable by mooninite.

4 years ago

This update has been pushed to stable.

4 years ago


Metadata

Type: security
Severity: medium
Karma: 2
Signed
Content Type: RPM

Test Gating

Settings

Unstable by Karma: -3
Stable by Karma: disabled
Stable by Time: disabled

Dates

submitted: 4 years ago
in testing: 4 years ago
in stable: 4 years ago

Bugs

BZ#1769980 CVE-2019-18408 libarchive: use-after-free in archive_read_format_rar_read_data when there is an error in the decompression of an archive entry [fedora-all]