FEDORA-2019-71b2273a9f created by odubaj 3 months ago for Fedora 30, status: testing

Security fix for CVE-2019-18408

RAR reader: fix use after free

If read_data_compressed() returns ARCHIVE_FAILED, the caller is allowed to continue with next archive headers. We need to set rar->start_new_table after the ppmd7_context got freed, otherwise it won't be allocated again.
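The failure path described above, as an added illustration that is not libarchive's own code: a simplified C model of the reader state in which the flag is left unset after the context is freed, beside the patched path. Only the names ppmd7_context and start_new_table come from the description; the ctx_live shadow flag, the -1 return code and the stub decoder are assumptions made for this demonstration so it can report a dangling pointer without dereferencing it.

```c
#include <stdlib.h>
#define ARCHIVE_OK      0
#define ARCHIVE_FAILED (-25)
/* Simplified reader state: ppmd7_context and start_new_table follow the update
 * description; ctx_live is invented here to report a dangling pointer safely. */
struct rar {
    unsigned char *ppmd7_context;   /* decoder context on the heap */
    int ctx_live;                   /* 1 while ppmd7_context is allocated */
    int start_new_table;            /* 1 => allocate a fresh context before decoding */
};
static void ppmd7_alloc(struct rar *r) {
    r->ppmd7_context = calloc(1, 64);
    r->ctx_live = 1;
}
static void ppmd7_free(struct rar *r) {
    free(r->ppmd7_context);         /* pointer is left dangling, as in the bug */
    r->ctx_live = 0;
}
/* Stand-in for read_data_compressed(); 'fail' models a corrupt block.
 * Returns -1 where the real code would decode through freed memory. */
static int read_data_compressed(struct rar *r, int fail) {
    if (r->start_new_table) {
        ppmd7_alloc(r);
        r->start_new_table = 0;
    }
    if (!r->ctx_live)
        return -1;                  /* dangling ppmd7_context would be used here */
    r->ppmd7_context[0]++;          /* stand-in for the PPMd decoding step */
    return fail ? ARCHIVE_FAILED : ARCHIVE_OK;
}
/* Caller: on ARCHIVE_FAILED the context is freed and reading may continue with
 * the next header. 'fixed' adds the one-line flag reset from the patch. */
static int rar_read_data(struct rar *r, int fail, int fixed) {
    int ret = read_data_compressed(r, fail);
    if (ret == ARCHIVE_FAILED) {
        ppmd7_free(r);
        if (fixed)
            r->start_new_table = 1; /* forces a fresh allocation next time */
    }
    return ret;
}
/* First read hits a corrupt block, second continues with the next header.
 * Returns ARCHIVE_OK when safe, -1 when the freed context would be reused. */
int simulate(int fixed) {
    struct rar r = { NULL, 0, 1 };
    rar_read_data(&r, 1, fixed);
    int second = rar_read_data(&r, 0, fixed);
    if (r.ctx_live) ppmd7_free(&r);
    return second;
}
```

Without the reset, the second read skips reallocation because start_new_table is still 0 and would decode through the freed context; with it, a fresh context is allocated first.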

How to install

sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2019-71b2273a9f

This update has been submitted for testing by odubaj.

3 months ago

This update's test gating status has been changed to 'waiting'.

3 months ago

This update's test gating status has been changed to 'ignored'.

3 months ago

This update has been pushed to testing.

3 months ago
pwalter commented & provided feedback 3 months ago

Works

samoht0 provided feedback 3 months ago

This update can be pushed to stable now if the maintainer wishes

3 months ago

This update's test gating status has been changed to 'greenwave_failed'.

a month ago

This update's test gating status has been changed to 'ignored'.

a month ago
dgrigorev commented & provided feedback 17 days ago

The Fedora 30 package update is proposed to fix CVE-2019-18408, which is fixed in Red Hat products only after libarchive 3.4.1 became available on December 30, 2019: https://access.redhat.com/security/cve/CVE-2019-18408. This version features important security bugfixes, including one in the RAR5 reader, according to https://github.com/libarchive/libarchive/wiki/ReleaseNotes. This Fedora 30 package update supplies version 3.3.3, which fixes no such security problems.

BZ#1769980 CVE-2019-18408 libarchive: use-after-free in archive_read_format_rar_read_data in archive_read_support_format_rar.c [fedora-all]

Bodhi is disabling automatic push to stable due to negative karma. The maintainer may push manually if they determine that the issue is not severe.

17 days ago
samoht0 commented & provided feedback 17 days ago

@dgrigorev

It's OK to point out if something seems wrong. But I consider it bad manners to claim things based on FUD. If you're unsure, why not just ask? In that case, it's a matter of backporting patches.

Please do a little research on that topic and then look here: https://src.fedoraproject.org/rpms/libarchive/tree/f30

dgrigorev commented & provided feedback 16 days ago

@samoht0
I see your point. The actual CVE-2019-18408 vulnerability was fixed in 3.4.0 according to https://nvd.nist.gov/vuln/detail/CVE-2019-18408 and I cannot actually tell if the patch libarchive-3.3.3-CVE-2019-18408.patch fixes it or not (I am not any good with gdb). I also don't know what is meant by "Important bugfixes -> security fixes in RAR5 reader" in the release notes for libarchive 3.4.1 released on December 30, 2019. I also don't know why RHEL fixes for this CVE are released only in January, 2020 as mentioned here https://access.redhat.com/security/cve/CVE-2019-18408. The CVE-2019-19221 published on 11/21/2019 has only medium severity instead of high for CVE-2019-18408 as seen here https://nvd.nist.gov/vuln/detail/CVE-2019-19221 and the patched 3.3.3 version may as well be unaffected by it. I could not find it in the bugzilla so I got messed up. Sorry about that.

samoht0 commented & provided feedback 16 days ago

CVE-2019-18408 is fixed with commit

https://github.com/libarchive/libarchive/commit/b8592ecba2f9e451e1f5cb7ab6dcee8b8e7b3f60

as referenced here

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18408

which is exactly libarchive-3.3.3-CVE-2019-18408.patch

@odubaj I think this should be pushed to stable and CVE-2019-19221 addressed in another build.

This update's test gating status has been changed to 'greenwave_failed'.

11 days ago

This update's test gating status has been changed to 'ignored'.

11 days ago


Metadata
Type: security
Severity: medium
Karma: 1
Signed
Content Type: RPM
Test Gating
Settings
Unstable by Karma: -3
Dates
submitted: 3 months ago
in testing: 3 months ago
BZ#1769980 CVE-2019-18408 libarchive: use-after-free in archive_read_format_rar_read_data in archive_read_support_format_rar.c [fedora-all]
