Security fix for CVE-2019-18408
RAR reader: fix use after free
If read_data_compressed() returns ARCHIVE_FAILED, the caller is allowed to continue with next archive headers. We need to set rar->start_new_table after the ppmd7_context got freed, otherwise it won't be allocated again.
Updates may require up to 24 hours to propagate to mirrors. If the following command doesn't work, please retry later:
sudo dnf upgrade --refresh --advisory=FEDORA-2019-71b2273a9f
Please login to add feedback.
This update has been submitted for testing by odubaj.
This update's test gating status has been changed to 'waiting'.
This update's test gating status has been changed to 'ignored'.
This update has been pushed to testing.
Works
This update can be pushed to stable now if the maintainer wishes
This update's test gating status has been changed to 'greenwave_failed'.
This update's test gating status has been changed to 'ignored'.
The Fedora 30 package update is proposed to fix CVE-2019-18408 which is fixed in Red Hat products only after libarchive 3.4.1 is available at December 30, 2019: https://access.redhat.com/security/cve/CVE-2019-18408. This version features important security bugfixes including one in RAR5 reader according to https://github.com/libarchive/libarchive/wiki/ReleaseNotes. This Fedora 30 package update supplies version 3.3.3 which fixes no such security problems.
Bodhi is disabling automatic push to stable due to negative karma. The maintainer may push manually if they determine that the issue is not severe.
@dgrigorev
It's OK to point out , if something seems wrong. But I consider it as bad manner to claim things based on FUD. If you're unsure, why not just ask? In that case, it's a matter of back porting patches.
Please do a little research on that topic and than look here: https://src.fedoraproject.org/rpms/libarchive/tree/f30
@samoht0
I see your point. The actual CVE-2019-18408 vulnerability was fixed in 3.4.0 according to https://nvd.nist.gov/vuln/detail/CVE-2019-18408 and I cannot actually tell if the patch libarchive-3.3.3-CVE-2019-18408.patch fixes it or not (I am not any good with gdb). I also don't know what is meant by "Important bugfixes -> security fixes in RAR5 reader" in the release notes for libarchive 3.4.1 released on December 30, 2019. I also don't know why RHEL fixes for this CVE are released only in January, 2020 as mentioned here https://access.redhat.com/security/cve/CVE-2019-18408. The CVE-2019-19221 published on 11/21/2019 has only medium severity instead of high for CVE-2019-18408 as seen here https://nvd.nist.gov/vuln/detail/CVE-2019-19221 and the patched 3.3.3 version may as well be unaffected by it. I could not find it in the bugzilla so I got messed up. Sorry about that.
CVE-2019-18408 is fixed with commit
https://github.com/libarchive/libarchive/commit/b8592ecba2f9e451e1f5cb7ab6dcee8b8e7b3f60
as referenced here
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18408
which is exactly libarchive-3.3.3-CVE-2019-18408.patch
@odubaj I think, this should be pushed stable and CVE-2019-19221 addressed in another build.
This update's test gating status has been changed to 'greenwave_failed'.
This update's test gating status has been changed to 'ignored'.
working fine
This update has been submitted for stable by mooninite.
This update has been pushed to stable.