Debian Long Term Support / LTS Security Information / 2016 / Security Information -- DLA-661-1 libarchive

Debian Security Advisory

DLA-661-1 libarchive -- LTS security update

Date Reported:

17 Oct 2016

Affected Packages:

libarchive

Vulnerable:

Yes

Security database references:

In the Debian bugtracking system: Bug 840934, Bug 840935, Bug 840936.
In Mitre's CVE dictionary: CVE-2016-8687, CVE-2016-8688, CVE-2016-8689.

More information:

Agostino Sarubbo of Gentoo discovered several security vulnerabilities in libarchive, a multi-format archive and compression library. An attacker could take advantage of these flaws to cause a buffer overflow or an out of bounds read using a carefully crafted input file.

• CVE-2016-8687

  Agostino Sarubbo of Gentoo discovered a possible stack-based buffer overflow when printing a filename in bsdtar_expand_char() of util.c.

• CVE-2016-8688

  Agostino Sarubbo of Gentoo discovered a possible out of bounds read when parsing multiple long lines in bid_entry() and detect_form() of archive_read_support_format_mtree.c.

• CVE-2016-8689

  Agostino Sarubbo of Gentoo discovered a possible heap-based buffer overflow when reading corrupted 7z files in read_Header() of archive_read_support_format_7zip.c.

For Debian 7 Wheezy, these problems have been fixed in version 3.0.4-3+wheezy5.

We recommend that you upgrade your libarchive packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS