Insomnia Security (as part of a pre-arranged commercial engagement) reports: A vulnerability in libarchive exists that allows an archive Entry with type 1 (hardlink), but has a non-zero data size to cause a file overwrite. This vulnerability can be leveraged in a way that has a significant security impact (this was not clear at first during initial research by upstream).
Upstream bugs: https://github.com/libarchive/libarchive/issues/743 (umbrella report) https://github.com/libarchive/libarchive/issues/744 https://github.com/libarchive/libarchive/issues/745 https://github.com/libarchive/libarchive/issues/746 External reference: http://seclists.org/oss-sec/2016/q3/255
Created attachment 1189473 [details] patch for all issues against libarchive 3.1.2
Created attachment 1189474 [details] patch for all issues against libarchive 2.8.3 Patches against libarchive 3.1.2 (rhel-7) and libarchive 2.8.3 (rhel-6) attached. Upstream have no timeline for fixing at this point. The attached patches mitigate the issues on rhel-7/6 but may not be acceptable to upstream in their current form. We are in contact with the upstream developer and sharing these patches with him, and will attempt to seek a compatible solution which makes rebasing easy against the next upstream release which addresses these flaws.
Hi Petr, great to see the patch go into testing so fast. Is it possible to get PIE enabled in this build? Using the instructions referenced in comment 5, the following seems to work: ~~~~ --- a/libarchive.spec +++ b/libarchive.spec @@ -89,6 +89,7 @@ Requires: %{name} = %{version}-%{release} The bsdcpio package contains standalone bsdcpio utility split off regular libarchive packages. +%global _hardened_build 1 %prep %setup -q -n %{name}-%{version} ~~~~ Checking with commands from sgrubb's rpm-chksec (https://github.com/stevegrubb/security-assessor/): ~~~~ $ readelf -h bsdtar | grep Type: Type: DYN (Shared object file) $ readelf -d bsdtar | grep '(DEBUG)' 0x0000000000000015 (DEBUG) 0x0 ~~~~
Created attachment 1190259 [details] patch for repro-5 (hardlink to ..) against libarchive 3.1.2
Created attachment 1190260 [details] patch for repro-5 (hardlink to ..) against libarchive 2.8.3 Further patches attached (*-patch2.patch). These address a variation on repro-4 which the previous patch did not include. They should be applied after the patches 1189473 and 1189474.
Hi Doran, Sorry I must have missed your previous comment regarding PIE. I will enable it in the next build. The patch you have provided in comment 7 seems to do the trick, thanks.
Acknowledgments: Name: Insomnia Security
Created libarchive tracking bugs for this issue: Affects: epel-5 [bug 1375281] Affects: fedora-all [bug 1375282]
Created libarchive3 tracking bugs for this issue: Affects: epel-6 [bug 1375280]
This issue has been addressed in the following products: Red Hat OpenShift Enterprise 3.2 Via RHSA-2016:1853 https://access.redhat.com/errata/RHSA-2016:1853
This issue has been addressed in the following products: Red Hat OpenShift Enterprise 3.1 Via RHSA-2016:1852 https://access.redhat.com/errata/RHSA-2016:1852
This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Via RHSA-2016:1850 https://rhn.redhat.com/errata/RHSA-2016-1850.html
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2016:1844 https://rhn.redhat.com/errata/RHSA-2016-1844.html
Lifted the private flag from patches since this is now fully public. Upstream has already progressed with committing the forward-ported versions plus further hardening due to Pavel Raiskup to trunk. https://github.com/libarchive/libarchive/commits/master Big kudos to Tim Kientzle (upstream) and Pavel Raiskup (red hat) for being a pleasure to work with on these issues.