Skip Navigation

  • Home
  • Contact us
  • FAQ
  • Glossary
  • Public key
  • Sitemap
  • Cymraeg
  • What's new
CPNI - Centre for the Protection of National Infastructure

Advanced search

  • About CPNI
  • The threats
  • Security planning
  • Methods of attack
  • Protecting your assets
  • Products and services
    • CSIRTUK advisories
      • Advisories archive
    • General protective security publications
    • InfoSec briefings
    • InfoSec technical notes
    • InfoSec vulnerability disclosures
    • Good practice guidelines
    • Viewpoints
    • Information exchanges
    • Risk Management Delivery Group
  • Research
Home > Products and services > CSIRTUK advisories > Advisories archive > July 2007 > FreeBSD Security Advisory - libarchive

July 2007

FreeBSD Security Advisory - libarchive

ID: 3264
Date: 23 July 2007 12:30
Title: FreeBSD Security Advisory - libarchive
Abstract: Errors handling corrupt tar files in libarchive
Vendors affected:FreeBSD
Availability of fix: Available
Type of fix: Patch

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
FreeBSD-SA-07:05.libarchive Security Advisory
The FreeBSD Project

Topic: Errors handling corrupt tar files in libarchive(3)

Category: core
Module: libarchive
Announced: 2007-07-12
Credits: CPNI, CERT-FI, Tim Kientzle, Colin Percival
Affects: FreeBSD 5.3 and later.
Corrected: 2007-07-12 15:00:44 UTC (RELENG_6, 6.2-STABLE)
2007-07-12 15:01:14 UTC (RELENG_6_2, 6.2-RELEASE-p6)
2007-07-12 15:01:32 UTC (RELENG_6_1, 6.1-RELEASE-p18)
2007-07-12 15:01:42 UTC (RELENG_5, 5.5-STABLE)
2007-07-12 15:01:56 UTC (RELENG_5_5, 5.5-RELEASE-p14)
CVE Name: CVE-2007-3641, CVE-2007-3644, CVE-2007-3645

For general information regarding FreeBSD Security Advisories, including
descriptions of the fields above, security branches, and the following
sections, please visit <URL:http://security.FreeBSD.org/>.

I. Background

The libarchive library provides a flexible interface for reading and writing
streaming archive files such as tar and cpio, and has been the basis for
FreeBSD's implementation of the tar(1) utility since FreeBSD 5.3.

II. Problem Description

Several problems have been found in the code used to parse the tar and pax
interchange formats. These include entering an infinite loop if an archive
prematurely ends within a pax extension header or if certain types of
corruption occur in pax extension headers [CVE-2007-3644]; dereferencing a
NULL pointer if an archive prematurely ends within a tar header immediately
following a pax extension header or if certain other types of corruption occur
in pax extension headers [CVE-2007-3645]; and miscomputing the length of a
buffer resulting in a buffer overflow if yet another type of corruption occurs
in a pax extension header [CVE-2007-3641].

III. Impact

An attacker who can cause a corrupt archive of his choice to be parsed by
libarchive, including by having "tar -x" (extract) or "tar -t" (list
entries) run on it, can cause libarchive to enter an infinite loop, to core
dump, or possibly to execute arbitrary code provided by the attacker.

IV. Workaround

No workaround is available, but systems which do not read tar or pax extension
archives provided by untrusted sources are not vulnerable.
Note that while these issues do not affect libarchive's ability to parse cpio,
ISO9660, or zip format archives, libarchive automatically detects the format
of an archive, so external metadata (e.g., a file
name) is not sufficient to ensure that a file will not be parsed using the
vulnerable tar/pax format parser.

V. Solution

Perform one of the following:

1) Upgrade your vulnerable system to 5-STABLE, or 6-STABLE, or to the
RELENG_6_2, RELENG_6_1, or RELENG_5_5 security branch dated after the
correction date.

2) To patch your present system:

The following patches have been verified to apply to FreeBSD 5.5, 6.1, and 6.2
systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch http://security.FreeBSD.org/patches/SA-07:05/libarchive.patch
# fetch http://security.FreeBSD.org/patches/SA-07:05/libarchive.patch.asc

b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch
# cd /usr/src/lib/libarchive
# make obj && make depend && make && make install # cd /usr/src/rescue # make
obj && make depend && make && make install

NOTE: On the amd64 platform, the above procedure will not update the
lib32 (i386 compatibility) libraries. On amd64 systems where the i386
compatibility libraries are used, the operating system should instead be
recompiled as described in
<URL:http://www.freebsd.org/handbook/makeworld.html>

VI. Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

Branch Revision
Path
- -------------------------------------------------------------------------
RELENG_5
src/lib/libarchive/archive_read_support_format_tar.c 1.26.2.8
RELENG_5_5
src/UPDATING 1.342.2.35.2.14
src/sys/conf/newvers.sh 1.62.2.21.2.16
src/lib/libarchive/archive_read_support_format_tar.c 1.26.2.7.2.1
RELENG_6
src/lib/libarchive/archive_read_support_format_tar.c 1.32.2.5
RELENG_6_2
src/UPDATING 1.416.2.29.2.9
src/sys/conf/newvers.sh 1.69.2.13.2.9
src/lib/libarchive/archive_read_support_format_tar.c 1.32.2.2.2.1
RELENG_6_1
src/UPDATING 1.416.2.22.2.20
src/sys/conf/newvers.sh 1.69.2.11.2.20
src/lib/libarchive/archive_read_support_format_tar.c 1.32.6.1
- -------------------------------------------------------------------------

VII. References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3641
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3644
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3645

The latest revision of this advisory is available at
http://security.FreeBSD.org/advisories/FreeBSD-SA-07:05.libarchive.asc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (FreeBSD)

iD4DBQFGlkN5FdaIBMps37IRAl/vAJ4vKkZ9eXBW4PPljvbgALUlAPdxCQCXRMzY
4hKO09Xhj1akwPufFXJS2w==
=sRGA
-----END PGP SIGNATURE-----
___________________________________________________________________________

CPNI wishes to acknowledge the contributions of FreeBSD
for the information contained in this advisory.

This advisory contains information released by the original author. Some of the information may have changed since it was released. If the issue affects you, it may be prudent to retrieve the advisory from the site of the original source to ensure that you receive the most current information concerning that problem. Reference to any specific commercial product, process, or service by trade name, trademark manufacturer, or otherwise, does not constitute or imply its endorsement, recommendation, or favouring by CPNI.

The views and opinions of authors expressed within this notice shall not be used for advertising or product endorsement purposes. CPNI shall not accept responsibility for any errors or omissions contained within this advisory. In particular, they shall not be liable for any loss or damage whatsoever, arising from or in connection with the usage of information contained within this advisory.

CSIRTUK is a member of the Forum of Incident Response and Security Teams (FIRST) and has contacts with other international Incident Response Teams (IRTs) in order to foster cooperation and coordination in incident prevention, to prompt rapid reaction to incidents, and to promote information sharing amongst its members and the community at large.

  • Accessibility |
  • Terms and conditions |
  • Privacy statement |
  • Data protection act |
  • Freedom of information |