From owner-freebsd-bugs@freebsd.org Tue Jan 19 00:04:42 2016 Return-Path: Delivered-To: freebsd-bugs@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id CDD00A87AFF for ; Tue, 19 Jan 2016 00:04:42 +0000 (UTC) (envelope-from bugzilla-noreply@freebsd.org) Received: from kenobi.freebsd.org (kenobi.freebsd.org [IPv6:2001:1900:2254:206a::16:76]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 9DB081ECE for ; Tue, 19 Jan 2016 00:04:42 +0000 (UTC) (envelope-from bugzilla-noreply@freebsd.org) Received: from bugs.freebsd.org ([127.0.1.118]) by kenobi.freebsd.org (8.15.2/8.15.2) with ESMTP id u0J04gZ1020639 for ; Tue, 19 Jan 2016 00:04:42 GMT (envelope-from bugzilla-noreply@freebsd.org) From: bugzilla-noreply@freebsd.org To: freebsd-bugs@FreeBSD.org Subject: [Bug 206386] vendor/libarchive: directory traversal vulnerability/local denial of services Date: Tue, 19 Jan 2016 00:04:42 +0000 X-Bugzilla-Reason: AssignedTo X-Bugzilla-Type: changed X-Bugzilla-Watch-Reason: None X-Bugzilla-Product: Base System X-Bugzilla-Component: bin X-Bugzilla-Version: 11.0-CURRENT X-Bugzilla-Keywords: patch, security X-Bugzilla-Severity: Affects Many People X-Bugzilla-Who: junovitch@freebsd.org X-Bugzilla-Status: New X-Bugzilla-Resolution: X-Bugzilla-Priority: --- X-Bugzilla-Assigned-To: freebsd-bugs@FreeBSD.org X-Bugzilla-Flags: mfc-stable9? mfc-stable10? X-Bugzilla-Changed-Fields: Message-ID: In-Reply-To: References: Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-Bugzilla-URL: https://bugs.freebsd.org/bugzilla/ Auto-Submitted: auto-generated MIME-Version: 1.0 X-BeenThere: freebsd-bugs@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: Bug reports List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 19 Jan 2016 00:04:42 -0000 https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=3D206386 --- Comment #1 from Jason Unovitch --- Issue #2 Segfault/infinite loop on malformed CPIO archives. This was patched by delphij@ in head at 282932 [1]. It is in 10.2-RELEASE as part of stable/10= in r283259 [2]. 9.3-RELEASE does not seem to be impacted (too old?).=20 10.1-RELEASE is impacted. I've validated this in a Poudriere 10.1-RELEASE = jail that the base `tar' will spin at 100% CPU while extracting the `crash_dos.t= ar' available at the upstream bug report [3]. I've also noticed Debian has assigned a temporary bug idea on their security page [4]. It feels like while we are here we can address this in 10.1-RELEASE. [1] https://svnweb.freebsd.org/base?view=3Drevision&revision=3D282932 [2] https://svnweb.freebsd.org/base?view=3Drevision&revision=3D283259 [3] https://github.com/libarchive/libarchive/issues/502 [4] https://security-tracker.debian.org/tracker/TEMP-0784213-45868B REPLICATION CASES: ##### FreeBSD 101amd64-default 10.1-RELEASE-p27 FreeBSD 10.1-RELEASE-p27 am= d64 # tar xvf crash_dos.tar x .: Can't replace existing directory with non-directory 3251 root 1 92 0 27804K 2612K RUN 0 1:04 64.36% bs= dtar ##### FreeBSD 101i386-default 10.1-RELEASE-p27 FreeBSD 10.1-RELEASE-p27 i386 # tar xvf crash_dos.tar x .: Can't replace existing directory with non-directory Fatal Internal Error in libarchive: Negative skip requested. ##### Fixed port # /usr/local/bin/bsdtar xvf crash_dos.tar=20=20=20=20=20=20=20=20=20=20=20= =20=20=20=20=20=20=20 x .: Can't replace existing directory with non-directory bsdtar: End of file trying to read next cpio header bsdtar: Error exit delayed from previous errors. --=20 You are receiving this mail because: You are the assignee for the bug.=