From: Alexander Hamann
Date: Mon, 10 Oct 2016 11:32:08 +0200
Subject: Re: [FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-16:31.libarchive
To: freebsd-security@freebsd.org
In-Reply-To: <20161010075202.04F781853@freefall.freebsd.org>

Hi Security Team,

The links to libarchive.patch and libarchive.patch.asc are broken. Looking at
https://www.freebsd.org/security/patches/SA-16:31/ suggests that they should
be versioned.

Thanks,
Alexander

On Mon, Oct 10, 2016 at 9:52 AM, FreeBSD Security Advisories
<security-advisories@freebsd.org> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
> =============================================================================
> FreeBSD-SA-16:31.libarchive                                 Security Advisory
>                                                           The FreeBSD Project
>
> Topic:          Multiple libarchive vulnerabilities
>
> Category:       core
> Module:         portsnap
> Announced:      2016-10-05
> Affects:        All supported versions of FreeBSD.
> Corrected:      2016-09-25 22:02:27 UTC (stable/11, 11.0-STABLE)
>                 2016-09-27 19:36:12 UTC (releng/11.0, 11.0-RELEASE-p1)
>                 2016-09-25 22:04:02 UTC (stable/10, 10.3-STABLE)
>                 2016-10-10 07:18:54 UTC (releng/10.3, 10.3-RELEASE-p10)
>                 2016-10-10 07:18:54 UTC (releng/10.2, 10.2-RELEASE-p23)
>                 2016-10-10 07:18:54 UTC (releng/10.1, 10.1-RELEASE-p40)
>
> For general information regarding FreeBSD Security Advisories,
> including descriptions of the fields above, security branches, and the
> following sections, please visit .
>
> I.   Background
>
> The libarchive(3) library provides a flexible interface for reading and
> writing streaming archive files such as tar(1) and cpio(1), and has been the
> basis for the FreeBSD implementation of the tar(1) and cpio(1) utilities
> since FreeBSD 5.3.
>
> II.  Problem Description
>
> Flaws in libarchive's handling of symlinks and hard links allow overwriting
> files outside the extraction directory, or permission changes to a directory
> outside the extraction directory.
>
> III. Impact
>
> An attacker who can control freebsd-update's or portsnap's input to tar can
> change file content or permissions on files outside of the update tool's
> working sandbox.
>
> IV.  Workaround
>
> No workaround is available.
>
> V.   Solution
>
> Upgrade your vulnerable system to a supported FreeBSD stable or
> release / security branch (releng) dated after the correction date.
>
> No reboot is needed.
>
> Perform one of the following:
>
> 1) To update your vulnerable system via a binary patch:
>
> Systems running a RELEASE version of FreeBSD on the i386 or amd64
> platforms can be updated via the freebsd-update(8) utility.
>
> This advisory is released concurrently with FreeBSD-SA-16:29.bspatch
> which contains special instructions for using freebsd-update. Following
> the instructions in that advisory will safely apply updates for
> FreeBSD-SA-16:29.bspatch, FreeBSD-SA-16:30.portsnap, and
> FreeBSD-SA-16:31.libarchive.
>
> 2) To update your vulnerable system via a source code patch:
>
> The following patches have been verified to apply to the applicable
> FreeBSD release branches.
>
> a) Download the relevant patch from the location below, and verify the
> detached PGP signature using your PGP utility.
>
> # fetch https://security.FreeBSD.org/patches/SA-16:31/libarchive.patch
> # fetch https://security.FreeBSD.org/patches/SA-16:31/libarchive.patch.asc
> # gpg --verify libarchive.patch.asc
>
> b) Apply the patch. Execute the following commands as root:
>
> # cd /usr/src
> # patch < /path/to/patch
>
> c) Recompile the operating system using buildworld and installworld as
> described in .
>
> VI.  Correction details
>
> The following list contains the correction revision numbers for each
> affected branch.
>
> Branch/path                                                      Revision
> - -------------------------------------------------------------------------
> stable/10/                                                        r306322
> releng/10.1/                                                      r306941
> releng/10.2/                                                      r306941
> releng/10.3/                                                      r306941
> stable/11/                                                        r306321
> releng/11.0/                                                      r306379
> - -------------------------------------------------------------------------
>
> To see which files were modified by a particular revision, run the
> following command, replacing NNNNNN with the revision number, on a
> machine with Subversion installed:
>
> # svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
>
> Or visit the following URL, replacing NNNNNN with the revision number:
>
>
> VII. References
>
>
> The latest revision of this advisory is available at
> 1.libarchive.asc>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v2.1.13 (FreeBSD)
>
> iQIcBAEBCgAGBQJX+0OrAAoJEO1n7NZdz2rnkaAP/i5Njok8Lg3ogwRGVo/HVQfA
> AzRz2oQ5oAuwZhmpkQ3CzHArRsaTGuKK5C1SNJpmEDuq5XM2u5Td2ph/R5ry0fwF
> 7B58Ci+o7ngRWtJ/N8dYk3cXfg0sjPZKDO1otIyfh8HF3UAq5uB3/w/8UFOpqcxQ
> guMKahd/r9PnfrD8GtS+t/2V+KHInNH0J4YD/+hoqcdZPzMKtlE5D5OjqOov9rVn
> myQwAuN+w2buPj2gXSuubq5wTNFOvj8u06mVpRj+0X0VoybdN5cohuqSx7s4vlw+
> /qV7gT2993aijXp43dGGSUeuGl1ZbrKp233vntkIYrsjJzaw56YMHL3ushopGGhj
> OfC/ilXmsUjrlHgCrWpMiTuN7cdWDXrpMnaf4c99yMxdYUuRtbbnVthdOpZB8iOt
> 7xeVnvHiYTYbQu+4xy4SPOWqPLOnrbwVqIocXU1QjWJice5A3EU/mSAd2IpX04a2
> prdlaGxBNZlziLgzsZoiER+5u0S3owbx7y2SVhMEslHyrRQ92X7SZjfu4NrvlX5k
> Dw6xjpHD51pshj4GXTPuznbCyd8246u1fRnH3fnlNLhz5/XhrYbG+OVQ9WDbnX2C
> 6SzS/oOcjA9qcq1+Ghmz6G7S2MuWZ0XcKfzV0ygX2RZEhU1p0rZfsF/2cGrKIGY1
> JguXI1tZdrjfSZisAI+l
> =vqSJ
> -----END PGP SIGNATURE-----
> _______________________________________________
> freebsd-announce@freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-announce
> To unsubscribe, send any mail to "freebsd-announce-unsubscribe@freebsd.org"
>
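The quoted advisory names the two mechanisms by which an archive can reach outside its extraction directory: symlink and hard-link entries whose targets resolve elsewhere, and file entries whose path passes through a symlink that an earlier entry created. The script below is an added example, not part of this thread, the advisory, or any FreeBSD or libarchive code: it audits a tar archive for exactly those entry kinds before anything is extracted, using Python's standard `tarfile` module rather than libarchive. The extraction directory `/var/db/extract` is a hypothetical value, and the archive it scans is constructed in memory for the example.

```python
import io
import posixpath
import tarfile

# Extraction directory assumed for the audit. It is used lexically only;
# nothing is written to disk. (Hypothetical value for this example.)
DEST = "/var/db/extract"


def _normalise(base, path):
    """Join path onto base and collapse '.', '..' and repeated slashes, purely lexically."""
    return posixpath.normpath(posixpath.join(base, path))


def _escapes(base, path):
    """True when the normalised absolute path lies outside base."""
    return path != base and not path.startswith(base.rstrip("/") + "/")


def _ancestors(name):
    """Yield every proper ancestor of an archive member name: 'a/b/c' -> 'a', 'a/b'."""
    parts = name.split("/")
    for i in range(1, len(parts)):
        yield "/".join(parts[:i])


def find_unsafe_members(tar, dest=DEST):
    """Return [(member name, reason), ...] for entries of an open TarFile that
    could write or link outside dest. Entries are checked in archive order,
    because a symlink only affects the entries that follow it:
      1. the member's own path escapes dest ('../'-style traversal);
      2. a symlink whose target resolves outside dest (relative targets are
         resolved against the link's own directory, absolute ones as given);
      3. a hard link whose target resolves outside dest;
      4. a member whose path passes through a symlink created by an earlier
         entry, which lets a clean-looking path land outside dest.
    """
    dest = posixpath.normpath(dest)
    findings = []
    symlinks = {}  # normalised member name -> resolved target (for rule 4)

    for m in tar.getmembers():
        name = posixpath.normpath(m.name)
        full = _normalise(dest, name)

        if _escapes(dest, full):  # rule 1
            findings.append((m.name, "path escapes extraction directory"))
            continue

        through = next((a for a in _ancestors(name) if a in symlinks), None)
        if through is not None:  # rule 4
            findings.append((m.name, "path passes through earlier symlink entry %r" % through))
            continue

        if m.issym():  # rule 2
            if posixpath.isabs(m.linkname):
                target = posixpath.normpath(m.linkname)
            else:
                target = _normalise(posixpath.dirname(full), m.linkname)
            symlinks[name] = target
            if _escapes(dest, target):
                findings.append((m.name, "symlink target outside extraction directory"))
        elif m.islnk():  # rule 3
            target = _normalise(dest, m.linkname)
            if _escapes(dest, target):
                findings.append((m.name, "hard link target outside extraction directory"))

    return findings


def build_sample_archive():
    """Constructed in-memory tar: two benign entries plus one entry for each
    rule above. Test data for the example only."""
    buf = io.BytesIO()
    payload = b"sample\n"
    with tarfile.open(fileobj=buf, mode="w") as tar:
        def add_file(name):
            ti = tarfile.TarInfo(name)
            ti.size = len(payload)
            tar.addfile(ti, io.BytesIO(payload))

        def add_link(name, linkname, kind):
            ti = tarfile.TarInfo(name)
            ti.type = kind
            ti.linkname = linkname
            tar.addfile(ti)

        add_file("docs/readme.txt")                              # fine
        add_link("docs/latest", "readme.txt", tarfile.SYMTYPE)   # fine: stays inside dest
        add_file("../../outside/file")                           # rule 1
        add_link("cfg", "../../outside", tarfile.SYMTYPE)        # rule 2
        add_file("cfg/settings")                                 # rule 4: written through 'cfg'
        add_link("copy", "../../outside/file", tarfile.LNKTYPE)  # rule 3
    buf.seek(0)
    return buf


def scan_sample():
    """Audit the constructed archive; returns the findings list."""
    with tarfile.open(fileobj=build_sample_archive(), mode="r") as tar:
        return find_unsafe_members(tar)


if __name__ == "__main__":
    for name, reason in scan_sample():
        print("%-22s %s" % (name, reason))
```

The audit is lexical: it reasons only about what the archive declares and knows nothing about symlinks already present on disk, so it complements a patched extractor rather than replacing it. Rule 4 is deliberately conservative and flags any path that passes through an earlier symlink entry, whether or not that link's target stays inside the extraction directory, since a write through a link is almost never what an update tool intends.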