
[SECURITY] [DLA 661-1] libarchive security update



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Package        : libarchive
Version        : 3.0.4-3+wheezy5
CVE ID         : CVE-2016-8687 CVE-2016-8688 CVE-2016-8689
Debian Bug     : 840934 840935 840936


Agostino Sarubbo of Gentoo discovered several security vulnerabilities
in libarchive, a multi-format archive and compression library. An
attacker could take advantage of these flaws to cause a buffer overflow
or an out of bounds read using a carefully crafted input file.

CVE-2016-8687

    Agostino Sarubbo of Gentoo discovered a possible stack-based buffer
    overflow when printing a filename in bsdtar_expand_char() of util.c.

CVE-2016-8688

    Agostino Sarubbo of Gentoo discovered a possible out of bounds read
    when parsing multiple long lines in bid_entry() and detect_form() of
    archive_read_support_format_mtree.c.

CVE-2016-8689

    Agostino Sarubbo of Gentoo discovered a possible heap-based buffer
    overflow when reading corrupted 7z files in read_Header() of
    archive_read_support_format_7zip.c.

For Debian 7 "Wheezy", these problems have been fixed in version
3.0.4-3+wheezy5.

We recommend that you upgrade your libarchive packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS


- -- 
Jonas Meurer


