Debian Security Advisory
DLA-661-1 libarchive -- LTS security update
- Date Reported: 17 Oct 2016
- Affected Packages: libarchive
- Vulnerable: Yes
- Security database references:
  In the Debian bugtracking system: Bug 840934, Bug 840935, Bug 840936.
  In Mitre's CVE dictionary: CVE-2016-8687, CVE-2016-8688, CVE-2016-8689.
- More information:
Agostino Sarubbo of Gentoo discovered several security vulnerabilities in libarchive, a multi-format archive and compression library. An attacker could take advantage of these flaws to cause a buffer overflow or an out of bounds read using a carefully crafted input file.
- CVE-2016-8687
Agostino Sarubbo of Gentoo discovered a possible stack-based buffer overflow when printing a filename in bsdtar_expand_char() of util.c.
- CVE-2016-8688
Agostino Sarubbo of Gentoo discovered a possible out of bounds read when parsing multiple long lines in bid_entry() and detect_form() of archive_read_support_format_mtree.c.
- CVE-2016-8689
Agostino Sarubbo of Gentoo discovered a possible heap-based buffer overflow when reading corrupted 7z files in read_Header() of archive_read_support_format_7zip.c.
For Debian 7 "Wheezy", these problems have been fixed in version 3.0.4-3+wheezy5.

We recommend that you upgrade your libarchive packages.
Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
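The remedy in this advisory reduces to a version check: on Wheezy, any installed libarchive binary package older than 3.0.4-3+wheezy5 is still affected. The following added example (not code from the Debian advisory or from the libarchive project) reimplements the dpkg version-ordering rules (epoch, upstream version, Debian revision; `~` sorting before everything else; digit runs compared numerically) so that a package inventory exported with `dpkg-query -W -f='${Package} ${Version}\n'` can be audited offline against the fixed version. The sample inventory lines and their package names are constructed for illustration, not taken from the advisory.

```python
"""Audit dpkg package versions against the fixed version named in DLA-661-1.

Added example; not code from the Debian advisory or the libarchive project.
Reimplements dpkg's version ordering so the check runs without dpkg present.
"""

# Fixed version for Debian 7 "Wheezy", as stated in the advisory.
FIXED_VERSION = "3.0.4-3+wheezy5"

# Constructed sample of `dpkg-query -W -f='${Package} ${Version}\n'` output.
# Package names are illustrative, not taken from the advisory.
SAMPLE_DPKG_OUTPUT = """\
libarchive12 3.0.4-3+wheezy4
libarchive-dev 3.0.4-3+wheezy5
bsdtar 3.0.4-3+wheezy5~bpo70+1
"""


def _order(c):
    """Sort weight of one character in a non-digit run (dpkg's order())."""
    if c is None or c.isdigit():
        return 0
    if c == "~":
        return -1          # '~' sorts before everything, even end of string
    if c.isalpha():
        return ord(c)      # letters sort before non-letters
    return ord(c) + 256    # punctuation sorts after letters


def _char(s, k):
    """Character at index k, or None past the end of the string."""
    return s[k] if k < len(s) else None


def _verrevcmp(a, b):
    """Compare two upstream-or-revision strings: negative, zero or positive."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # Non-digit run: compare character by character by sort weight.
        while (_char(a, i) is not None and not a[i].isdigit()) or \
              (_char(b, j) is not None and not b[j].isdigit()):
            ac, bc = _order(_char(a, i)), _order(_char(b, j))
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Digit run: drop leading zeros, then compare as numbers.
        while _char(a, i) == "0":
            i += 1
        while _char(b, j) == "0":
            j += 1
        while (_char(a, i) or "").isdigit() and (_char(b, j) or "").isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if (_char(a, i) or "").isdigit():
            return 1           # a has more digits left, so it is the larger number
        if (_char(b, j) or "").isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def split_version(version):
    """Split a Debian version into (epoch, upstream_version, debian_revision)."""
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    if "-" in version:
        upstream, revision = version.rsplit("-", 1)
    else:
        upstream, revision = version, ""
    return epoch, upstream, revision


def compare_versions(a, b):
    """Return -1, 0 or 1, matching `dpkg --compare-versions a lt|eq|gt b`."""
    ea, ua, ra = split_version(a)
    eb, ub, rb = split_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    for x, y in ((ua, ub), (ra, rb)):
        r = _verrevcmp(x, y)
        if r:
            return -1 if r < 0 else 1
    return 0


def is_vulnerable(installed, fixed=FIXED_VERSION):
    """True when the installed version sorts below the fixed version."""
    return compare_versions(installed, fixed) < 0


def audit(dpkg_output, fixed=FIXED_VERSION):
    """Map package name -> needs upgrade? for each 'name version' line."""
    findings = {}
    for line in dpkg_output.splitlines():
        if not line.strip():
            continue
        name, version = line.split()
        findings[name] = is_vulnerable(version, fixed)
    return findings


if __name__ == "__main__":
    for name, needs_upgrade in audit(SAMPLE_DPKG_OUTPUT).items():
        print(f"{name}: {'UPGRADE NEEDED' if needs_upgrade else 'ok'}")
```

The `~bpo70+1` line in the sample is the case a plain string comparison gets wrong: lexically it sorts after `wheezy5`, but under Debian ordering `~` sorts before the end of the string, so that build is older than the fixed version and still needs the update. Likewise `wheezy10` is newer than `wheezy5` because digit runs are compared numerically, not character by character.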