Security update for libarchive SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2019:2615-1 Final 1 1 2019-12-03T14:47:57Z current 2019-12-03T14:47:57Z 2019-12-03T14:47:57Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for libarchive This update for libarchive fixes the following issues: Security issues fixed: - CVE-2018-1000877: Fixed a double free vulnerability in RAR decoder (bsc#1120653). - CVE-2018-1000878: Fixed a Use-After-Free vulnerability in RAR decoder (bsc#1120654). - CVE-2019-1000019: Fixed an Out-Of-Bounds Read vulnerability in 7zip decompression (bsc#1124341). - CVE-2019-1000020: Fixed an Infinite Loop vulnerability in ISO9660 parser (bsc#1124342). - CVE-2019-18408: Fixed a use-after-free in RAR format support (bsc#1155079). This update was imported from the SUSE:SLE-15:Update update project. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-2019-2615 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/opensuse-security-announce/2019-12/msg00012.html E-Mail link for openSUSE-SU-2019:2615-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1120653 SUSE Bug 1120653 https://bugzilla.suse.com/1120654 SUSE Bug 1120654 https://bugzilla.suse.com/1124341 SUSE Bug 1124341 https://bugzilla.suse.com/1124342 SUSE Bug 1124342 https://bugzilla.suse.com/1155079 SUSE Bug 1155079 https://www.suse.com/security/cve/CVE-2018-1000877/ SUSE CVE CVE-2018-1000877 page https://www.suse.com/security/cve/CVE-2018-1000878/ SUSE CVE CVE-2018-1000878 page https://www.suse.com/security/cve/CVE-2019-1000019/ SUSE CVE CVE-2019-1000019 page https://www.suse.com/security/cve/CVE-2019-1000020/ SUSE CVE CVE-2019-1000020 page https://www.suse.com/security/cve/CVE-2019-18408/ SUSE CVE CVE-2019-18408 page openSUSE Leap 15.0 bsdtar-3.3.2-lp150.10.1 libarchive-devel-3.3.2-lp150.10.1 libarchive13-3.3.2-lp150.10.1 libarchive13-32bit-3.3.2-lp150.10.1 bsdtar-3.3.2-lp150.10.1 as a component of openSUSE Leap 15.0 libarchive-devel-3.3.2-lp150.10.1 as a component of openSUSE Leap 15.0 libarchive13-3.3.2-lp150.10.1 as a component of openSUSE Leap 15.0 libarchive13-32bit-3.3.2-lp150.10.1 as a component of openSUSE Leap 15.0 libarchive version commit 416694915449219d505531b1096384f3237dd6cc onwards (release v3.1.0 onwards) contains a CWE-415: Double Free vulnerability in RAR decoder - libarchive/archive_read_support_format_rar.c, parse_codes(), realloc(rar->lzss.window, new_size) with new_size = 0 that can result in Crash/DoS. This attack appear to be exploitable via the victim must open a specially crafted RAR archive. CVE-2018-1000877 openSUSE Leap 15.0:bsdtar-3.3.2-lp150.10.1 openSUSE Leap 15.0:libarchive-devel-3.3.2-lp150.10.1 openSUSE Leap 15.0:libarchive13-3.3.2-lp150.10.1 openSUSE Leap 15.0:libarchive13-32bit-3.3.2-lp150.10.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/opensuse-security-announce/2019-12/msg00012.html https://www.suse.com/security/cve/CVE-2018-1000877.html CVE-2018-1000877 https://bugzilla.suse.com/1120653 SUSE Bug 1120653 libarchive version commit 416694915449219d505531b1096384f3237dd6cc onwards (release v3.1.0 onwards) contains a CWE-416: Use After Free vulnerability in RAR decoder - libarchive/archive_read_support_format_rar.c that can result in Crash/DoS - it is unknown if RCE is possible. This attack appear to be exploitable via the victim must open a specially crafted RAR archive. CVE-2018-1000878 openSUSE Leap 15.0:bsdtar-3.3.2-lp150.10.1 openSUSE Leap 15.0:libarchive-devel-3.3.2-lp150.10.1 openSUSE Leap 15.0:libarchive13-3.3.2-lp150.10.1 openSUSE Leap 15.0:libarchive13-32bit-3.3.2-lp150.10.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/opensuse-security-announce/2019-12/msg00012.html https://www.suse.com/security/cve/CVE-2018-1000878.html CVE-2018-1000878 https://bugzilla.suse.com/1120654 SUSE Bug 1120654 libarchive version commit bf9aec176c6748f0ee7a678c5f9f9555b9a757c1 onwards (release v3.0.2 onwards) contains a CWE-125: Out-of-bounds Read vulnerability in 7zip decompression, archive_read_support_format_7zip.c, header_bytes() that can result in a crash (denial of service). This attack appears to be exploitable via the victim opening a specially crafted 7zip file. CVE-2019-1000019 openSUSE Leap 15.0:bsdtar-3.3.2-lp150.10.1 openSUSE Leap 15.0:libarchive-devel-3.3.2-lp150.10.1 openSUSE Leap 15.0:libarchive13-3.3.2-lp150.10.1 openSUSE Leap 15.0:libarchive13-32bit-3.3.2-lp150.10.1 low To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/opensuse-security-announce/2019-12/msg00012.html https://www.suse.com/security/cve/CVE-2019-1000019.html CVE-2019-1000019 https://bugzilla.suse.com/1124341 SUSE Bug 1124341 libarchive version commit 5a98dcf8a86364b3c2c469c85b93647dfb139961 onwards (version v2.8.0 onwards) contains a CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability in ISO9660 parser, archive_read_support_format_iso9660.c, read_CE()/parse_rockridge() that can result in DoS by infinite loop. This attack appears to be exploitable via the victim opening a specially crafted ISO9660 file. CVE-2019-1000020 openSUSE Leap 15.0:bsdtar-3.3.2-lp150.10.1 openSUSE Leap 15.0:libarchive-devel-3.3.2-lp150.10.1 openSUSE Leap 15.0:libarchive13-3.3.2-lp150.10.1 openSUSE Leap 15.0:libarchive13-32bit-3.3.2-lp150.10.1 low To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/opensuse-security-announce/2019-12/msg00012.html https://www.suse.com/security/cve/CVE-2019-1000020.html CVE-2019-1000020 https://bugzilla.suse.com/1124342 SUSE Bug 1124342 archive_read_format_rar_read_data in archive_read_support_format_rar.c in libarchive before 3.4.0 has a use-after-free in a certain ARCHIVE_FAILED situation, related to Ppmd7_DecodeSymbol. CVE-2019-18408 openSUSE Leap 15.0:bsdtar-3.3.2-lp150.10.1 openSUSE Leap 15.0:libarchive-devel-3.3.2-lp150.10.1 openSUSE Leap 15.0:libarchive13-3.3.2-lp150.10.1 openSUSE Leap 15.0:libarchive13-32bit-3.3.2-lp150.10.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/opensuse-security-announce/2019-12/msg00012.html https://www.suse.com/security/cve/CVE-2019-18408.html CVE-2019-18408 https://bugzilla.suse.com/1155079 SUSE Bug 1155079