Debian Security Advisory

DLA-661-1 libarchive -- LTS security update

Date Reported:
17 Oct 2016
Affected Packages:
libarchive
Vulnerable:
Yes
Security database references:
In the Debian bugtracking system: Bug 840934, Bug 840935, Bug 840936.
In Mitre's CVE dictionary: CVE-2016-8687, CVE-2016-8688, CVE-2016-8689.
More information:

Agostino Sarubbo of Gentoo discovered several security vulnerabilities in libarchive, a multi-format archive and compression library. An attacker could take advantage of these flaws to cause a buffer overflow or an out-of-bounds read using a carefully crafted input file.

  • CVE-2016-8687

    Agostino Sarubbo of Gentoo discovered a possible stack-based buffer overflow when printing a filename in bsdtar_expand_char() of util.c.

  • CVE-2016-8688

    Agostino Sarubbo of Gentoo discovered a possible out-of-bounds read when parsing multiple long lines in bid_entry() and detect_form() of archive_read_support_format_mtree.c.

  • CVE-2016-8689

    Agostino Sarubbo of Gentoo discovered a possible heap-based buffer overflow when reading corrupted 7z files in read_Header() of archive_read_support_format_7zip.c.

For Debian 7 Wheezy, these problems have been fixed in version 3.0.4-3+wheezy5.

We recommend that you upgrade your libarchive packages.
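As an added example (not part of the advisory or of Debian's tooling), a small Python check that tells whether an installed Wheezy libarchive version still predates 3.0.4-3+wheezy5, ordering versions the way dpkg does so that revisions such as `3+wheezy4`, `3` and `3~rc1` are ranked correctly against the fix. The binary package name libarchive12 and the sample inventory are assumptions.

```python
FIXED_VERSION = "3.0.4-3+wheezy5"  # fixed version named in DLA-661-1
def _weight(c):  # sort weight of a non-digit character, as in dpkg's verrevcmp()
    return -1 if c == "~" else ord(c) if c.isalpha() else ord(c) + 256

def _verrevcmp(a, b):
    """dpkg comparison of two upstream-version or revision strings."""
    i = j = 0
    while i < len(a) or j < len(b):
        # Non-digit run: compare weights char by char; end of string counts as 0.
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            wa = _weight(a[i]) if i < len(a) and not a[i].isdigit() else 0
            wb = _weight(b[j]) if j < len(b) and not b[j].isdigit() else 0
            if wa != wb:
                return wa - wb
            i, j = i + 1, j + 1
        # Digit run: compare numerically, so 10 > 9 and leading zeros are ignored.
        na, nb = "", ""
        while i < len(a) and a[i].isdigit():
            na, i = na + a[i], i + 1
        while j < len(b) and b[j].isdigit():
            nb, j = nb + b[j], j + 1
        if int(na or 0) != int(nb or 0):
            return int(na or 0) - int(nb or 0)
    return 0

def compare_debian_versions(a, b):
    """Return -1, 0 or 1 as Debian version a is older than, equal to or newer than b."""
    def split(v):  # "[epoch:]upstream[-revision]" -> (epoch, upstream, revision)
        epoch, sep, rest = v.partition(":")
        if not sep:
            epoch, rest = "0", v
        upstream, sep, revision = rest.rpartition("-")
        return int(epoch), (upstream if sep else rest), (revision if sep else "")
    ea, ua, ra = split(a)
    eb, ub, rb = split(b)
    r = (ea - eb) or _verrevcmp(ua, ub) or _verrevcmp(ra, rb)
    return (r > 0) - (r < 0)

def is_vulnerable(installed):  # True while the installed Wheezy build predates the fix
    return compare_debian_versions(installed, FIXED_VERSION) < 0

def hosts_needing_upgrade(inventory):  # {host: version} -> hosts still exposed
    return sorted(h for h, v in inventory.items() if is_vulnerable(v))

# Constructed sample inventory (not real hosts); each value is what
# `dpkg-query -W -f='${Version}' libarchive12` reports (package name assumed).
SAMPLE_INVENTORY = {
    "web-01": "3.0.4-3+wheezy4", "web-02": "3.0.4-3+wheezy5",  # behind / patched
    "build-01": "3.0.4-3", "lab-01": "3.0.4-3~rc1",  # no LTS update; '~' sorts below
}
```

Running `hosts_needing_upgrade(SAMPLE_INVENTORY)` lists every host except web-02; a version with a higher epoch or a newer upstream (e.g. a Jessie build) is reported as not affected by this advisory.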

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS