Bug 783375

Summary: CVE-2011-1777 Libarchive multiple security issues (Regression) [rhel-6.3]
Product: Red Hat Enterprise Linux 6
Reporter: Ramon de C Valle <rcvalle>
Component: libarchive
Assignee: Tomáš Bžatek <tbzatek>
Status: CLOSED CURRENTRELEASE
QA Contact: qe-baseos-daemons
Severity: medium
Docs Contact:
Priority: medium
Version: 6.2
CC: anssi.hannula, azelinka, bressers, ndevos, rcvalle, tbzatek, tsmetana, vdanen
Target Milestone: rc
Keywords: Regression, ZStream
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: libarchive-2.8.3-4.el6
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: 782008
Environment:
Last Closed: 2012-10-09 12:42:41 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Bug Depends On: 782008
Bug Blocks:

Comment 1 Ramon de C Valle 2012-01-20 07:14:59 UTC
This is a regression from Bug 705849 in the latest version of the libarchive package
released via RHSA-2011:1507. The CVE-2011-1777.patch attached to Bug 705849
breaks ISO support. This regression was found by Mageia QA:
https://bugs.mageia.org/show_bug.cgi?id=3941.

The original Security, SecurityTracking, ZStream is Bug 739940.

Comment 2 Tomáš Bžatek 2012-03-26 10:17:52 UTC
This bug report only tracks a regression in the ISO9660 reader, created by a fix of one of the CVEs in libarchive-2.8.3-3.el6. Other formats are untouched.

Reproduced with Fedora-16-x86_64-Live-Desktop.iso: the old (-3) build fails to list the contents of this ISO image, while the new build (-4) works fine. Can be reproduced using gvfsd-archive (automatically spawned by Nautilus when opening an ISO archive).

Comment 3 Jiri Pallich 2012-10-09 12:42:41 UTC
Since this is a parent bug of an issue that has already been released via Z-Stream (e.g. rhel-6.3.z), this bug is going to be CLOSED as CURRENTRELEASE.