Errors when extracting ZIP files. It cannot differentiate between files and directories

Bug #1830629 reported by Alejandro Claro on 2019-05-27
Affects: libarchive (Ubuntu), importance High, assigned to: Unassigned
Affects: Bionic, importance Undecided, assigned to: Unassigned

Bug Description

* Impact
The bionic version has a known problem when reading file entries in ZIP files, where it incorrectly identifies directories and files entries.

* Test case
$ wget https://bugs.launchpad.net/ubuntu/+source/libarchive/+bug/1830629/+attachment/5268728/+files/example.zip
$ bsdtar -vxf example.zip
$ ls -l

The 'ABCD_1234' and 'empty' entries should be directories

* Regression potential
Check that extracting zips with bsdtar or nautilus works without issue

--------------------------------

It has been confirmed that the previous and following versions (3.3.1+) do not have this problem and the library handles the ZIP files correctly.

Is it possible to include a newer version of libarchive (3.3.1+) in Bionic?

This problem is seriously affecting some of our systems.
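An added check for the test case above (example code written for this page, not part of the bug report or of libarchive): it reads the ZIP central directory with Python's zipfile module, independent of libarchive, and compares the entries it classifies as directories against what an extractor actually created on disk. The sample archive is constructed in code as a stand-in for the attachment, and the check also counts parent directories implied by nested file names as expected directories, which goes beyond the report's two explicit entries.

```python
import io
import os
import stat
import tempfile
import zipfile

def build_sample_zip() -> bytes:
    """Constructed stand-in for example.zip: two directory entries and a nested file (not the real attachment)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in ("ABCD_1234/", "empty/"):
            info = zipfile.ZipInfo(name)
            info.external_attr = ((stat.S_IFDIR | 0o755) << 16) | 0x10  # unix mode + DOS dir bit
            zf.writestr(info, b"")
        zf.writestr("ABCD_1234/readme.txt", b"hello\n")
    return buf.getvalue()

def is_dir_entry(info: zipfile.ZipInfo) -> bool:
    """Directory if any of the three conventional ZIP signals says so."""
    return (info.filename.endswith("/")
            or bool(info.external_attr & 0x10)           # MS-DOS directory attribute
            or stat.S_ISDIR(info.external_attr >> 16))   # unix mode in the high 16 bits

def expected_layout(zip_bytes: bytes):
    """(dirs, files) as sets of relative paths, including parents implied by nested entries."""
    dirs, files = set(), set()
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            path = info.filename.rstrip("/")
            (dirs if is_dir_entry(info) else files).add(path)
            parent = os.path.dirname(path)
            while parent:
                dirs.add(parent)
                parent = os.path.dirname(parent)
    return dirs, files

def verify_extraction(zip_bytes: bytes, root: str) -> list:
    """Mismatches between the archive's layout and what exists under root (empty list if all good)."""
    dirs, files = expected_layout(zip_bytes)
    bad = [d + ": expected directory" for d in sorted(dirs)
           if not os.path.isdir(os.path.join(root, d))]
    bad += [f + ": expected regular file" for f in sorted(files)
            if not os.path.isfile(os.path.join(root, f))]
    return bad

def reference_run(zip_bytes: bytes) -> list:
    """Extract with Python's zipfile (not libarchive) into a temp dir and check; should return []."""
    with tempfile.TemporaryDirectory() as root:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            zf.extractall(root)
        return verify_extraction(zip_bytes, root)
```

To check a bsdtar run, extract example.zip into a directory and call verify_extraction with the archive bytes and that directory; on the affected 3.2.2 build the two entries come back as "expected directory" mismatches.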

Alejandro Claro (aclaro) wrote :

Here are the references to the related issues reported previously in libarchive GitHub:

https://github.com/libarchive/libarchive/issues/822

https://github.com/libarchive/libarchive/issues/853

And the pull request that solves the issue:

https://github.com/libarchive/libarchive/pull/850

Alex Murray (alexmurray) wrote :

Thanks for reporting this issue - this would appear to have potential security implications, however as it is already public I see no reason to keep this private - if a CVE were to be assigned then this could be fixed via a security update by the security team, otherwise this would be fixed via the normal SRU process[1]. As such, please feel free to file a CVE request with MITRE[2] and if one is assigned, please update this bug report with the CVE ID and we can fix it via the security team.

[1] https://wiki.ubuntu.com/StableReleaseUpdates
[2] https://cve.mitre.org/cve/request_id.html

information type: Private Security → Public Security
Sebastien Bacher (seb128) wrote :

The commit seems reasonable for a SRU. Could you maybe add an example/testcase to the bug that could be used for the SRU process? (we need to be able to verify the problem and the solution)

Alejandro Claro (aclaro) wrote :

Hi Sebastien,

Sure. Here is a zip file that is very easy to use to reproduce the defect. The defect is not in bsdtar, it's in libarchive. However, since bsdtar depends on libarchive, it can be used to demonstrate the problem, as someone reports in the GitHub issue report:

https://github.com/libarchive/libarchive/issues/822

If you try to extract the content with bsdtar:

# bsdtar -vxf example.zip

You will see an error, and if you look at the result in the filesystem, 'ABCD_1234' and 'empty' are created as files instead of directories. If you try the same operation using unzip in another directory (or after cleaning up the previous operation):

# unzip example.zip

You will see the right result (ABCD_1234 and empty directories).

Thanks for taking care of this,
Alejandro

Alejandro Claro (aclaro) wrote :

One important note here,

The defect is only present in version 3.2.2 (the official Bionic version now). Previous and next versions do work properly.

Sebastien Bacher (seb128) wrote :

Thank you for your bug report, marking the bug as fixed since the issue is resolved in the current version.

We are doing a SRU backport to Bionic as well (the corresponding line will be added to the report)

Changed in libarchive (Ubuntu):
importance: Undecided → High
status: New → Fix Released
description: updated

An upload of libarchive to bionic-proposed has been rejected from the upload queue for the following reason: "reuploading with sru-appropriate version numbering".

Hello Alejandro, or anyone else affected,

Accepted libarchive into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/libarchive/3.2.2-3.1ubuntu0.4 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in libarchive (Ubuntu Bionic):
status: New → Fix Committed
tags: added: verification-needed verification-needed-bionic
Alejandro Claro (aclaro) wrote :

Thank you Brian,

We are going to be testing it during this week. I will let you know the results.

Alejandro Claro (aclaro) wrote :

Good morning Murray,

We performed some tests and everything looks fine.

Thank you very much.

tags: added: verification-done verification-done-bionic
removed: verification-needed verification-needed-bionic