Bug 1348780 (CVE-2015-8932) - CVE-2015-8932 libarchive: Undefined behavior / invalid shiftleft in TAR parser
Summary: CVE-2015-8932 libarchive: Undefined behavior / invalid shiftleft in TAR parser
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2015-8932
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1352775 1352776 1353065 1353066 1353067 1353068
Blocks: 1334215
TreeView+ depends on / blocked
 
Reported: 2016-06-22 04:21 UTC by Doran Moppert
Modified: 2019-09-29 13:51 UTC (History)
5 users (show)

Fixed In Version: libarchive 3.2.0
Doc Type: If docs needed, set a value
Doc Text:
Undefined behavior (invalid left shift) was discovered in libarchive, in how Compress streams are identified. This could cause certain files to be mistakenly identified as Compress archives and fail to read.
Clone Of:
Environment:
Last Closed: 2019-06-08 02:55:17 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2016:1844 normal SHIPPED_LIVE Important: libarchive security update 2016-09-13 00:11:35 UTC
Red Hat Product Errata RHSA-2016:1850 normal SHIPPED_LIVE Important: libarchive security update 2016-09-12 23:54:24 UTC

Description Doran Moppert 2016-06-22 04:21:40 UTC
Undefined behaviour (invalid left shift) was discovered in libarchive,
in how Compress streams are identified.  This could cause certain
files to be mistakenly identified as Compress archives and fail to read.

Upstream bug:
    https://github.com/libarchive/libarchive/issues/547

Upstream fix:
    https://github.com/libarchive/libarchive/commit/f0b1dbb

Comment 2 Doran Moppert 2016-07-05 04:38:17 UTC
Created libarchive tracking bugs for this issue:

Affects: fedora-all [bug 1352776]
Affects: epel-5 [bug 1352775]

Comment 9 errata-xmlrpc 2016-09-12 19:56:45 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2016:1850 https://rhn.redhat.com/errata/RHSA-2016-1850.html

Comment 10 errata-xmlrpc 2016-09-12 20:14:50 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2016:1844 https://rhn.redhat.com/errata/RHSA-2016-1844.html


Note You need to log in before you can comment on or make changes to this bug.