From owner-freebsd-security@FreeBSD.ORG  Wed Nov  8 15:36:12 2006
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
X-Original-To: freebsd-security@freebsd.org
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 0718216A415
	for <freebsd-security@freebsd.org>;
	Wed,  8 Nov 2006 15:36:12 +0000 (UTC) (envelope-from josh@tcbug.org)
Received: from rwcrmhc14.comcast.net (rwcrmhc14.comcast.net [216.148.227.154])
	by mx1.FreeBSD.org (Postfix) with ESMTP id CB34A43D45
	for <freebsd-security@freebsd.org>;
	Wed,  8 Nov 2006 15:36:11 +0000 (GMT) (envelope-from josh@tcbug.org)
Received: from gimpy (c-24-118-173-219.hsd1.mn.comcast.net[24.118.173.219])
	by comcast.net (rwcrmhc14) with ESMTP
	id <20061108153611m1400jg7u8e>; Wed, 8 Nov 2006 15:36:11 +0000
From: Josh Paetzel <josh@tcbug.org>
To: freebsd-security@freebsd.org
Date: Wed, 8 Nov 2006 10:36:02 -0500
User-Agent: KMail/1.9.3
References: <200611081413.kA8EDtA7011912@freefall.freebsd.org>
In-Reply-To: <200611081413.kA8EDtA7011912@freefall.freebsd.org>
MIME-Version: 1.0
Content-Type: text/plain;
  charset="iso-8859-6"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
Message-Id: <200611080936.03101.josh@tcbug.org>
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-06:24.libarchive
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Security issues \[members-only posting\]"
	<freebsd-security.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>, 
	<mailto:freebsd-security-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-security>
List-Post: <mailto:freebsd-security@freebsd.org>
List-Help: <mailto:freebsd-security-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>, 
	<mailto:freebsd-security-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Wed, 08 Nov 2006 15:36:12 -0000

On Wednesday 08 November 2006 08:13, FreeBSD Security Advisories 
wrote:
> ===================================================================
>========== FreeBSD-SA-06:24.libarchive                              
>   Security Advisory The FreeBSD Project
>
> Topic:          Infinite loop in corrupt archives handling in
> libarchive(3)
>
> Category:       core
> Module:         libarchive
> Announced:      2006-11-08
> Credits:        Rink Springer
> Affects:        FreeBSD 6-STABLE after 2006-09-05 05:23:51 UTC
> Corrected:      2006-11-08 14:05:40 UTC (RELENG_6, 6.2-RC1)
> CVE Name:       CVE-2006-5680
>
> For general information regarding FreeBSD Security Advisories,
> including descriptions of the fields above, security branches, and
> the following sections, please visit
> <URL:http://security.FreeBSD.org/>.
>
> I.   Background
>
> The libarchive library provides a flexible interface for reading
> and writing streaming archive files such as tar and cpio, and has
> been the basis for FreeBSD's implementation of the tar(1) utility
> since FreeBSD 5.3.
>
> II.  Problem Description
>
> If the end of an archive is reached while attempting to "skip" past
> a region of an archive, libarchive will enter an infinite loop
> wherein it repeatedly attempts (and fails) to read further data.
>
> III. Impact
>
> An attacker able to cause a system to extract (via "tar -x" or
> another application which uses libarchive) or list the contents
> (via "tar -t" or another libarchive-using application) of an
> archive provided by the attacker can cause libarchive to enter an
> infinite loop and use all available CPU time.
>
> IV.  Workaround
>
> No workaround is available.
>
> V.   Solution
>
> Perform one of the following:
>
> 1) Upgrade your vulnerable system to 6-STABLE dated after the
> correction date.
>
> 2) To patch your present system:
>
> The following patches have been verified to apply to affected
> systems.
>
> a) Download the relevant patch from the location below, and verify
> the detached PGP signature using your PGP utility.
>
> # fetch
> http://security.FreeBSD.org/patches/SA-06:24/libarchive.patch #
> fetch
> http://security.FreeBSD.org/patches/SA-06:24/libarchive.patch.asc
>
> b) Execute the following commands as root:
>
> # cd /usr/src
> # patch < /path/to/patch
> # cd /usr/src/lib/libarchive
> # make obj && make depend && make && make install
>
> VI.  Correction details
>
> The following list contains the revision numbers of each file that
> was corrected in FreeBSD.
>
> Branch                                                          
> Revision Path
> -------------------------------------------------------------------
>------ RELENG_6
>   src/lib/libarchive/archive_read_support_compression_none.c     
> 1.6.2.2
> -------------------------------------------------------------------
>------
>
> VII. References
>
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5680
>
> The latest revision of this advisory is available at
> http://security.FreeBSD.org/advisories/FreeBSD-SA-06:24.libarchive.

Maybe this is an obvious question, but libarchive has been in the 
system since 5.3, but this issue only affects RELENG_6?  So anyone 
tracking RELENG_6_1 isn't affected?

-- 
Thanks,

Josh Paetzel