copyright | disclaimer | privacy | contact  
Australia's Leading Computer Emergency Response Team
 
Search this site

 
On this site

 > HOME
 > About AusCERT
 > Membership
 > Contact Us
 > PKI Services
 > Publications
 > Sec. Bulletins
 > Conferences
 > News & Media
 > Services
 > Web Log
 > Site Map
 > Site Help
 > Member login





 

ESB-2007.0524 -- [UNIX/Linux][FreeBSD] -- Errors handling corrupt tar files in libarchive(3)

Date: 13 July 2007
References: ESB-2008.0026  

Click here for printable version
Click here for PGP verifiable version
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                  ESB-2007.0524 -- [UNIX/Linux][FreeBSD]
            Errors handling corrupt tar files in libarchive(3)
                               13 July 2007

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              libarchive
Publisher:            FreeBSD
Operating System:     FreeBSD
                      UNIX variants (UNIX, Linux, OSX)
Impact:               Execute Arbitrary Code/Commands
Access:               Remote/Unauthenticated
CVE Names:            CVE-2007-3645 CVE-2007-3644 CVE-2007-3641

Original Bulletin:
http://security.freebsd.org/advisories/FreeBSD-SA-07:05.libarchive.asc

Comment: This advisory references vulnerabilities in products which run on
         platforms other than FreeBSD. It is recommended that administrators
         running libarchive check for an updated version of the software for
         their operating system.

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
FreeBSD-SA-07:05.libarchive                                 Security Advisory
                                                          The FreeBSD Project

Topic:          Errors handling corrupt tar files in libarchive(3)

Category:       core
Module:         libarchive
Announced:      2007-07-12
Credits:        CPNI, CERT-FI, Tim Kientzle, Colin Percival
Affects:        FreeBSD 5.3 and later.
Corrected:      2007-07-12 15:00:44 UTC (RELENG_6, 6.2-STABLE)
                2007-07-12 15:01:14 UTC (RELENG_6_2, 6.2-RELEASE-p6)
                2007-07-12 15:01:32 UTC (RELENG_6_1, 6.1-RELEASE-p18)
                2007-07-12 15:01:42 UTC (RELENG_5, 5.5-STABLE)
                2007-07-12 15:01:56 UTC (RELENG_5_5, 5.5-RELEASE-p14)
CVE Name:       CVE-2007-3641, CVE-2007-3644, CVE-2007-3645

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:http://security.FreeBSD.org/>.

I.   Background

The libarchive library provides a flexible interface for reading and
writing streaming archive files such as tar and cpio, and has been the
basis for FreeBSD's implementation of the tar(1) utility since FreeBSD 5.3.

II.  Problem Description

Several problems have been found in the code used to parse the tar and
pax interchange formats.  These include entering an infinite loop if an
archive prematurely ends within a pax extension header or if certain
types of corruption occur in pax extension headers [CVE-2007-3644];
dereferencing a NULL pointer if an archive prematurely ends within a
tar header immediately following a pax extension header or if certain
other types of corruption occur in pax extension headers [CVE-2007-3645];
and miscomputing the length of a buffer resulting in a buffer overflow
if yet another type of corruption occurs in a pax extension header
[CVE-2007-3641].

III. Impact

An attacker who can cause a corrupt archive of his choice to be parsed
by libarchive, including by having "tar -x" (extract) or "tar -t" (list
entries) run on it, can cause libarchive to enter an infinite loop, to
core dump, or possibly to execute arbitrary code provided by the
attacker.

IV.  Workaround

No workaround is available, but systems which do not read tar or pax
extension archives provided by untrusted sources are not vulnerable.
Note that while these issues do not affect libarchive's ability to
parse cpio, ISO9660, or zip format archives, libarchive automatically
detects the format of an archive, so external metadata (e.g., a file
name) is not sufficient to ensure that a file will not be parsed using
the vulnerable tar/pax format parser.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to 5-STABLE, or 6-STABLE, or to the
RELENG_6_2, RELENG_6_1, or RELENG_5_5 security branch dated after the
correction date.

2) To patch your present system:

The following patches have been verified to apply to FreeBSD 5.5, 6.1,
and 6.2 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch http://security.FreeBSD.org/patches/SA-07:05/libarchive.patch
# fetch http://security.FreeBSD.org/patches/SA-07:05/libarchive.patch.asc

b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch
# cd /usr/src/lib/libarchive
# make obj && make depend && make && make install
# cd /usr/src/rescue
# make obj && make depend && make && make install

NOTE: On the amd64 platform, the above procedure will not update the
lib32 (i386 compatibility) libraries.  On amd64 systems where the i386
compatibility libraries are used, the operating system should instead
be recompiled as described in
<URL:http://www.freebsd.org/handbook/makeworld.html>

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

Branch                                                           Revision
  Path
- - -------------------------------------------------------------------------
RELENG_5
  src/lib/libarchive/archive_read_support_format_tar.c           1.26.2.8
RELENG_5_5
  src/UPDATING                                            1.342.2.35.2.14
  src/sys/conf/newvers.sh                                  1.62.2.21.2.16
  src/lib/libarchive/archive_read_support_format_tar.c       1.26.2.7.2.1
RELENG_6
  src/lib/libarchive/archive_read_support_format_tar.c           1.32.2.5
RELENG_6_2
  src/UPDATING                                             1.416.2.29.2.9
  src/sys/conf/newvers.sh                                   1.69.2.13.2.9
  src/lib/libarchive/archive_read_support_format_tar.c       1.32.2.2.2.1
RELENG_6_1
  src/UPDATING                                            1.416.2.22.2.20
  src/sys/conf/newvers.sh                                  1.69.2.11.2.20
  src/lib/libarchive/archive_read_support_format_tar.c           1.32.6.1
- - -------------------------------------------------------------------------

VII. References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3641
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3644
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3645

The latest revision of this advisory is available at
http://security.FreeBSD.org/advisories/FreeBSD-SA-07:05.libarchive.asc
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (FreeBSD)

iD4DBQFGlkN5FdaIBMps37IRAl/vAJ4vKkZ9eXBW4PPljvbgALUlAPdxCQCXRMzY
4hKO09Xhj1akwPufFXJS2w==
=sRGA
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

If you believe that your computer system has been compromised or attacked in 
any way, we encourage you to let us know by completing the secure National IT 
Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================

-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQCVAwUBRpbBmSh9+71yA2DNAQJqCQP/cuiy1GrcqMkPsDGSCS4JOSjTeRynxUMk
r8hDJRLfn1H05aunNvwEMlbkENwGJS6mAJDghDgPbCaGL6HwanETxLJ58N+k3LrQ
Guh/mon7T4kEzuKGUA6M91rN/Cfv5zX7BIEQD/VIkdlm8CCGFxi6ZOOyCpNNzCmi
MMvWX5tQazw=
=XDOp
-----END PGP SIGNATURE-----