Fabian Yamaguchi reported a read buffer overflow flaw in libarchive on 64-bit systems where sizeof(size_t) is equal to 8. In the archive_write_zip_data() function in libarchive/archive_write_set_format_zip.c, the "s" parameter is of type size_t (64 bit, unsigned) and is cast to a 64 bit signed integer. If "s" is larger than MAX_INT, it will not be set to "zip->remaining_data_bytes" even though it is larger than "zip->remaining_data_bytes", which leads to a buffer overflow when calling deflate(). This can lead to a segfault in an application that uses libarchive to create ZIP archives.
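The clamp described in the report above, modelled as an added example (not code from this bug report or from libarchive): the function names, the `req_size_t` stand-in for a 64-bit `size_t`, and the value 4096 are assumptions made for illustration. The hardened form is one way to write the check, not a reproduction of the upstream patch.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-in for size_t on a system where sizeof(size_t) == 8 (assumption). */
typedef uint64_t req_size_t;

/* Hypothetical model of the flawed clamp: the unsigned request size is cast
 * to a signed 64-bit value before the comparison. With GCC and Clang, a value
 * above INT64_MAX becomes negative, so the comparison is false and the
 * oversized request passes through unclamped. */
static req_size_t clamp_vulnerable(req_size_t s, int64_t remaining)
{
    if ((int64_t)s > remaining)
        s = (req_size_t)remaining;
    return s;
}

/* Hardened form: reject a negative budget, then compare in the unsigned
 * domain so that no request size can wrap to a negative number. */
static req_size_t clamp_hardened(req_size_t s, int64_t remaining)
{
    if (remaining < 0)
        return 0;
    if (s > (req_size_t)remaining)
        s = (req_size_t)remaining;
    return s;
}

int main(void)
{
    const int64_t remaining = 4096; /* constructed "remaining bytes" budget */
    const req_size_t sizes[] = {
        100, 8192, (req_size_t)INT64_MAX + 1, UINT64_MAX
    };

    for (size_t i = 0; i < sizeof sizes / sizeof sizes[0]; i++)
        printf("s=%" PRIu64 "\n  vulnerable -> %" PRIu64
               "\n  hardened   -> %" PRIu64 "\n",
               sizes[i],
               clamp_vulnerable(sizes[i], remaining),
               clamp_hardened(sizes[i], remaining));
    return 0;
}
```

The last two sample sizes are the ones that matter: both exceed the signed 64-bit range, so the cast-based check leaves them untouched while the unsigned comparison limits them to the remaining budget.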
Created attachment 685479: proposed upstream patch
This issue is now public via: https://github.com/libarchive/libarchive/commit/22531545514043e04633e1c015c7540b9de9dbe4
Created mingw-libarchive tracking bugs for this issue. Affects: fedora-all [bug 927106]
Created libarchive tracking bugs for this issue. Affects: fedora-all [bug 927105]
Created libarchive tracking bugs for this issue. Affects: epel-5 [bug 927115]
mingw-libarchive-3.0.4-4.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.
mingw-libarchive-3.0.4-4.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.
libarchive-3.0.4-4.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.
libarchive-3.0.4-3.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.
libarchive-2.8.4-6.el5 has been pushed to the Fedora EPEL 5 stable repository. If problems still persist, please make note of it in this bug report.
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2013-0211