[SECURITY] [DLA 3202-1] libarchive security update

To: debian-lts-announce@lists.debian.org
Subject: [SECURITY] [DLA 3202-1] libarchive security update
From: Sylvain Beucler <beuc@beuc.net>
Date: Tue, 22 Nov 2022 18:32:50 +0100
Message-id: <[🔎] 20221122173250.GA12361@mail.beuc.net>
Mail-followup-to: debian-lts@lists.debian.org
Reply-to: debian-lts@lists.debian.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian LTS Advisory DLA-3202-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                      Sylvain Beucler
November 22, 2022                             https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package        : libarchive
Version        : 3.3.3-4+deb10u2
CVE ID         : CVE-2019-19221 CVE-2021-23177 CVE-2021-31566
Debian Bug     : 945287 1001986 1001990

Three issues have been found in libarchive, a multi-format archive and
compression library.

CVE-2019-19221

    out-of-bounds read because of an incorrect mbrtowc or mbtowc call

CVE-2021-23177

    extracting a symlink with ACLs modifies ACLs of target

CVE-2021-31566

    symbolic links incorrectly followed when changing modes, times,
    ACL and flags of a file while extracting an archive


For Debian 10 buster, these problems have been fixed in version
3.3.3-4+deb10u2.

We recommend that you upgrade your libarchive packages.

For the detailed security status of libarchive please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/libarchive

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEE1vEOfV7HXWKqBieIDTl9HeUlXjAFAmN9Bu4ACgkQDTl9HeUl
XjDUjQ/+NGbGgjThmyII2G23jsXane7reVJJHfL4kmL1KCduNgJBDvr+Wk6VN3Wv
Sy6YVANQvvec/6+CVGpFwEldQGjgv1ocnspV8mG7/2tccEXtZjSZ40jbTLxa7oP7
j+43AHdUkv+wzYW+RdeMY/lQZn1FzM7lKpKAl1AZTxPhg/5rWpGNnp691W913b5U
byoWUKE9LSB76YrhgjlTFm9S4Hbc7nTLx91YSUw28kLDb5sJ0mPXoNla9ySn3+oh
Q3COKmyP0x9ty+e98jq9SPUSrMHxOp6dY5A5Q0/3tdvMHNDEyXlqW2CZZY/zFlCC
ulfJi+2E5jCfb0uNTQkDDFRoCuLnRTO/akujkSRiVvRkOni0U5LGckkrwW5hfi0u
5Ms1CO91iKx4Gpanv3uRCrKmzvp2FGnnKW/apUEIufPZgqutI+tSBS05Gq/nF4MS
rRpmjngi8vq2XsVuR4ToP0fFV1QL8/9xSx+iTGQCwvN9bq3rmH0CH4hVjfWe8BRU
lEEQcuooxDZjVTLHwES6Xj9zSv8R0W2XgtcpJSIwpep8HLJxO+nMBRa2fNvpnWei
GqhF/EsmfWkqM87VzwbkS3/SgxGAF4Yto/zxGeJR9K+KRegcKS0acDYV7yHE5wAv
Lr/mRNY6gnpVfuRBpY/0jv84gqVArvkPtO0AZl1tt1QRWeOa1y4=
=kmTA
-----END PGP SIGNATURE-----

Reply to:

Prev by Date: [SECURITY] [DLA 3201-1] ntfs-3g security update
Next by Date: [SECURITY] [DLA 3203-1] nginx security update
Previous by thread: [SECURITY] [DLA 3201-1] ntfs-3g security update
Next by thread: [SECURITY] [DLA 3203-1] nginx security update
Index(es):
- Date
- Thread