libarchive security vulnerabiity, FreeBSD affected?

[Maelstorm]

According to this article dated June 22 2016, http://www.infoworld.com/article/30...source-library-put-many-projects-at-risk.html. So is FreeBSD affected by this? I ask because the article says that the library originated on FreeBSD and was ported to other platforms and is used in many projects.

 

[SirDice]

These?

https://www.freebsd.org/security/advisories/FreeBSD-SA-16:22.libarchive.asc
https://www.freebsd.org/security/advisories/FreeBSD-SA-16:23.libarchive.asc

There's also a port: https://svnweb.freebsd.org/ports?view=revision&revision=417400

 

[Murph]

Well, a quick check says to me that the issues are not those fixed by the 2 recent security patches:

• FreeBSD-SA-16:23.libarchive [CVE-2013-0211] Buffer overflow in libarchive(3)
• FreeBSD-SA-16:22.libarchive [CVE-2015-2304] Directory traversal in cpio(1)

Here are the vulnerability IDs in the Talos blog post:

• TALOS-2016-0152 [CVE-2016-4300]:7-Zip read_SubStreamsInfo Integer Overflow
• TALOS-2016-0153 [CVE-2016-4301]:mtree parse_device Stack Based Buffer Overflow
• TALOS-2016-0154 [CVE-2016-4302]:Libarchive Rar RestartModel Heap Overflow

I'd guess that until someone confirms the specific cases for FreeBSD, you should probably assume that the vulnerabilities do exist here.

Edit: It looks like the fix has already been added to base/head/contrib/libarchive in revision 302075, and is awaiting MFC. My personal guess is that you will probably see it land in supported versions of FreeBSD very soon, as long as nothing breaks when they try to merge it.