Your message dated Thu, 14 Sep 2017 09:17:20 +0000
with message-id <[email protected]>
and subject line Bug#874539: fixed in libarchive 3.2.2-2.1
has caused the Debian Bug report #874539,
regarding libarchive: CVE-2017-14166: heap-based buffer overflow in xml_data (archive_read_support_format_xar.c)
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
874539: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=874539
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: libarchive
Version: 3.1.2-11
Severity: important
Tags: upstream patch security
Forwarded: https://github.com/libarchive/libarchive/issues/935

Hi,

the following vulnerability was published for libarchive.

CVE-2017-14166[0]:
| libarchive 3.3.2 allows remote attackers to cause a denial of service
| (xml_data heap-based buffer over-read and application crash) via a
| crafted xar archive, related to the mishandling of empty strings in the
| atol8 function in archive_read_support_format_xar.c.

Although not directly reproducible, the check for char_cnt is missing
as well in our versions.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-14166
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14166
[1] https://github.com/libarchive/libarchive/issues/935

Regards,
Salvatore

--- End Message ---
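The report above describes an octal parser that mishandles an empty string because the byte is fetched before the remaining count (char_cnt) is checked. The following added example, which is not libarchive's code and not part of either message, models that parser shape beside the length-first version; peek() is a hypothetical accessor that records an out-of-bounds index instead of dereferencing it, so the demonstration itself is memory-safe.

```c
/* Added example, not libarchive's code: the "fetch before count check" parser
 * shape behind CVE-2017-14166 (an empty string reads past the buffer) beside the
 * length-first version with the char_cnt guard.  peek() is a hypothetical
 * accessor that records an out-of-bounds index instead of dereferencing it. */
#include <stddef.h>
#include <stdint.h>
/* Byte i of an n-byte buffer; past the end, set *overread and yield 0. */
static int peek(const char *p, size_t i, size_t n, int *overread)
{
	if (i < n)
		return (unsigned char)p[i];
	*overread = 1;
	return 0;
}
/* Vulnerable shape: p[0] is examined before n is consulted, so n == 0
 * (an empty XML text node) steps off the end of the buffer. */
static uint64_t atol8_vuln(const char *p, size_t n, int *overread)
{
	uint64_t l = 0;
	size_t i = 0;
	do {
		int c = peek(p, i, n, overread);   /* fetch first ... */
		if (c < '0' || c > '7') break;
		l = (l << 3) | (uint64_t)(c - '0');
		i++;
	} while (i < n);                       /* ... bound checked second */
	return l;
}
/* Fixed shape: reject the empty string up front (the missing char_cnt
 * check) and test the bound before every fetch. */
static uint64_t atol8_fixed(const char *p, size_t n, int *overread)
{
	uint64_t l = 0;
	if (n == 0) return 0;
	for (size_t i = 0; i < n; i++) {
		int c = peek(p, i, n, overread);
		if (c < '0' || c > '7') break;
		l = (l << 3) | (uint64_t)(c - '0');
	}
	return l;
}
/* Run one parser on a constructed input; report only whether it over-read. */
static int overreads(uint64_t (*fn)(const char *, size_t, int *), const char *p, size_t n)
{
	int flag = 0;
	(void)fn(p, n, &flag);
	return flag;
}
```

Both parsers agree on well-formed input such as "755"; they differ only on the empty string, which is exactly the case a fuzzer-generated xar archive can produce.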
--- Begin Message ---
Source: libarchive
Source-Version: 3.2.2-2.1

We believe that the bug you reported is fixed in the latest version of
libarchive, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <[email protected]> (supplier of updated libarchive package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


Format: 1.8
Date: Sat, 09 Sep 2017 09:09:35 +0200
Source: libarchive
Binary: libarchive-dev libarchive13 libarchive-tools bsdtar bsdcpio
Architecture: source
Version: 3.2.2-2.1
Distribution: unstable
Urgency: medium
Maintainer: Debian Libarchive Maintainers <[email protected]>
Changed-By: Salvatore Bonaccorso <[email protected]>
Closes: 859456 861609 874539
Description: 
 bsdcpio    - transitional dummy package for moving bsdcpio to libarchive-tools
 bsdtar     - transitional dummy package for moving bsdtar to libarchive-tools
 libarchive-dev - Multi-format archive and compression library (development files)
 libarchive-tools - FreeBSD implementations of 'tar' and 'cpio' and other archive too
 libarchive13 - Multi-format archive and compression library (shared library)
Changes:
 libarchive (3.2.2-2.1) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * archive_strncat_l(): allocate and do not convert if length == 0
     (CVE-2016-10209) (Closes: #859456)
   * Reread the CAB header skipping the self-extracting binary code
     (CVE-2016-10349, CVE-2016-10350) (Closes: #861609)
   * Do something sensible for empty strings to make fuzzers happy
     (CVE-2017-14166)
     Fixes heap-based buffer over-read in the atol8 function. (Closes: #874539)
Checksums-Sha1:
 89f4afa40c5bb51e18412ef04817c2e723e63e2b 2620 libarchive_3.2.2-2.1.dsc
 479bf75dc60cf08dec7ccc72d828b6f6d13732c1 16824 libarchive_3.2.2-2.1.debian.tar.xz
Checksums-Sha256:
 b8a6cff72d6f64064e5e42889fceffb725e45076194886b041c5ad166fbc6fe9 2620 libarchive_3.2.2-2.1.dsc
 a0d60627d96b07919a7513e3b878c5bdf360c0b425fe35426f39f3f2934960cc 16824 libarchive_3.2.2-2.1.debian.tar.xz
Files:
 da2db98b3d9493cd75f9512fc8147871 2620 libs optional libarchive_3.2.2-2.1.dsc
 011b8fde2ede67a797a9dade9a1ecb6b 16824 libs optional libarchive_3.2.2-2.1.debian.tar.xz

--- End Message ---