Your message dated Thu, 14 Sep 2017 09:17:20 +0000
with message-id <[email protected]>
and subject line Bug#861609: fixed in libarchive 3.2.2-2.1
has caused the Debian Bug report #861609,
regarding libarchive: CVE-2016-10349 CVE-2016-10350
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
861609: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=861609
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: libarchive
Version: 3.1.2-11
Severity: important
Tags: security patch upstream

Hi,

the following vulnerabilities were published for libarchive.

CVE-2016-10349[0]:
| The archive_le32dec function in archive_endian.h in libarchive 3.2.2
| allows remote attackers to cause a denial of service (heap-based buffer
| over-read and application crash) via a crafted file.

CVE-2016-10350[1]:
| The archive_read_format_cab_read_header function in
| archive_read_support_format_cab.c in libarchive 3.2.2 allows remote
| attackers to cause a denial of service (heap-based buffer over-read and
| application crash) via a crafted file.

The issue is found back to 3.1.2 and is verifiable with an ASAN build;
the upstream reports [2] and [3] contain details, and it is fixed with [4].
I did bisect the upstream repo to try to confirm that:

I'm yet unsure if we want a DSA for those, please check back with
[email protected], it definitively would be great to see the fix
for stretch.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2016-10349
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10349
[1] https://security-tracker.debian.org/tracker/CVE-2016-10350
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10350
[2] https://github.com/libarchive/libarchive/issues/834
[3] https://github.com/libarchive/libarchive/issues/835
[4] https://github.com/libarchive/libarchive/commit/88eb9e1d73fef46f04677c25b1697b8e25777ed3

Regards,
Salvatore

--- End Message ---
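Both CVEs in the report above are heap-based over-reads reached through a crafted file: a raw little-endian decoder such as archive_le32dec() always reads a fixed number of bytes and has no way of knowing how many bytes the caller actually holds, so the length check has to live in the caller. The C program below is an added example written for this thread; it is not libarchive's code and not the upstream fix referenced in [4]. It uses a hypothetical simplified header (only the "MSCF" signature is taken from the CAB format) and shows the caller-side bounds check that keeps a decoder of that shape from reading past a truncated buffer.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not libarchive's code. Models the hazard class behind the
 * CVEs in the report: a raw decoder knows nothing about buffer length, so
 * the caller must check what remains before every fixed-size read. */

/* Raw little-endian 32-bit decoder, same shape as archive_le32dec():
 * it always touches p[0..3] and cannot know whether those bytes exist. */
static uint32_t le32dec(const unsigned char *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Cursor over a buffer of known size. */
struct reader {
    const unsigned char *buf;
    size_t len;   /* bytes actually held */
    size_t pos;   /* next byte to read; never exceeds len */
};

/* Length-checked read: returns 1 on success, 0 if fewer than 4 bytes remain.
 * Because pos never exceeds len, the subtraction cannot wrap. */
static int read_le32(struct reader *r, uint32_t *out)
{
    if (r->len - r->pos < sizeof(uint32_t))
        return 0;
    *out = le32dec(r->buf + r->pos);
    r->pos += sizeof(uint32_t);
    return 1;
}

/* Hypothetical simplified header: signature, cabinet size, file-data offset.
 * Only the "MSCF" signature is taken from the real CAB format. */
struct header {
    uint32_t signature;
    uint32_t cbCabinet;
    uint32_t coffFiles;
};

#define CAB_SIGNATURE 0x4643534Du   /* "MSCF" decoded as little-endian u32 */

/* Parse buf[0..len) into *h. Returns 0 on success, -1 on truncated input
 * or a wrong signature; never reads beyond len. */
int parse_header(const unsigned char *buf, size_t len, struct header *h)
{
    struct reader r = { buf, len, 0 };

    if (!read_le32(&r, &h->signature) || h->signature != CAB_SIGNATURE)
        return -1;
    if (!read_le32(&r, &h->cbCabinet))
        return -1;
    if (!read_le32(&r, &h->coffFiles))
        return -1;
    return 0;
}

/* Constructed 12-byte input: "MSCF", cbCabinet = 12, coffFiles = 12. */
static const unsigned char sample_ok[12] = {
    'M', 'S', 'C', 'F', 0x0C, 0, 0, 0, 0x0C, 0, 0, 0
};

/* Result helpers so the outcome can be checked without reading stdout. */
int demo_complete_header(void)        /* expect 0: all three fields present */
{
    struct header h;
    return parse_header(sample_ok, sizeof sample_ok, &h);
}

uint32_t demo_parsed_cabinet_size(void) /* expect 12 from the complete input */
{
    struct header h;
    if (parse_header(sample_ok, sizeof sample_ok, &h) != 0)
        return 0;
    return h.cbCabinet;
}

int demo_truncated_header(void)       /* expect -1: only 6 of 12 bytes held */
{
    struct header h;
    return parse_header(sample_ok, 6, &h);
}

int demo_wrong_signature(void)        /* expect -1: first byte altered */
{
    unsigned char bad[12];
    struct header h;
    memcpy(bad, sample_ok, sizeof bad);
    bad[0] = 'X';
    return parse_header(bad, sizeof bad, &h);
}

int main(void)
{
    printf("complete header:   %d\n", demo_complete_header());
    printf("truncated header:  %d\n", demo_truncated_header());
    printf("wrong signature:   %d\n", demo_wrong_signature());
    return 0;
}
```

The truncated case is the one an ASAN build would flag if read_le32() called le32dec() unconditionally: with 6 bytes held, the second field would pull two bytes past the end of the allocation. Keeping the remaining-length check in one place (read_le32) rather than in every caller is what makes the check hard to forget as the parser grows.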
--- Begin Message ---
Source: libarchive
Source-Version: 3.2.2-2.1

We believe that the bug you reported is fixed in the latest version of
libarchive, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <[email protected]> (supplier of updated libarchive package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 09 Sep 2017 09:09:35 +0200
Source: libarchive
Binary: libarchive-dev libarchive13 libarchive-tools bsdtar bsdcpio
Architecture: source
Version: 3.2.2-2.1
Distribution: unstable
Urgency: medium
Maintainer: Debian Libarchive Maintainers <[email protected]>
Changed-By: Salvatore Bonaccorso <[email protected]>
Closes: 859456 861609 874539
Description: 
 bsdcpio    - transitional dummy package for moving bsdcpio to libarchive-tools
 bsdtar     - transitional dummy package for moving bsdtar to libarchive-tools
 libarchive-dev - Multi-format archive and compression library (development files)
 libarchive-tools - FreeBSD implementations of 'tar' and 'cpio' and other archive too
 libarchive13 - Multi-format archive and compression library (shared library)
Changes:
 libarchive (3.2.2-2.1) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * archive_strncat_l(): allocate and do not convert if length == 0
     (CVE-2016-10209) (Closes: #859456)
   * Reread the CAB header skipping the self-extracting binary code
     (CVE-2016-10349, CVE-2016-10350) (Closes: #861609)
   * Do something sensible for empty strings to make fuzzers happy
     (CVE-2017-14166)
     Fixes heap-based buffer over-read in the atol8 function. (Closes: #874539)
Checksums-Sha1: 
 89f4afa40c5bb51e18412ef04817c2e723e63e2b 2620 libarchive_3.2.2-2.1.dsc
 479bf75dc60cf08dec7ccc72d828b6f6d13732c1 16824 libarchive_3.2.2-2.1.debian.tar.xz
Checksums-Sha256: 
 b8a6cff72d6f64064e5e42889fceffb725e45076194886b041c5ad166fbc6fe9 2620 libarchive_3.2.2-2.1.dsc
 a0d60627d96b07919a7513e3b878c5bdf360c0b425fe35426f39f3f2934960cc 16824 libarchive_3.2.2-2.1.debian.tar.xz
Files: 
 da2db98b3d9493cd75f9512fc8147871 2620 libs optional libarchive_3.2.2-2.1.dsc
 011b8fde2ede67a797a9dade9a1ecb6b 16824 libs optional libarchive_3.2.2-2.1.debian.tar.xz

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---