Your message dated Thu, 14 Sep 2017 15:15:48 +0000
with message-id <[email protected]>
and subject line Bug#859456: fixed in libarchive 3.2.2-3.1
has caused the Debian Bug report #859456,
regarding libarchive: CVE-2016-10209
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
859456: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=859456
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: libarchive
Version: 3.1.2-11
Severity: important
Tags: upstream security
Forwarded: https://github.com/libarchive/libarchive/issues/842

Hi,

the following vulnerability was published for libarchive.

CVE-2016-10209[0]:
| The archive_wstring_append_from_mbs function in archive_string.c in
| libarchive 3.2.2 allows remote attackers to cause a denial of service
| (NULL pointer dereference and application crash) via a crafted archive
| file.

It was reported upstream at [1] and, if I'm correct, the fix should be
[2]. Can you confirm that?

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2016-10209
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10209
[1] https://github.com/libarchive/libarchive/issues/842
[2] https://github.com/libarchive/libarchive/commit/42a3408ac7df1e69bea9ea12b72e14f59f7400c0

Please adjust the affected versions in the BTS as needed.

Regarding an update, I do not think this would warrant a DSA on its
own but would be great once fixed for sid and stretch, if a fix can as
well land in jessie (via a point release as well for the other issues
marked currently no-dsa).

Regards,
Salvatore

-- System Information:
Debian Release: 9.0
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

--- End Message ---
--- Begin Message ---
Source: libarchive
Source-Version: 3.2.2-3.1

We believe that the bug you reported is fixed in the latest version of
libarchive, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <[email protected]> (supplier of updated libarchive package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])



Format: 1.8
Date: Thu, 14 Sep 2017 16:02:10 +0200
Source: libarchive
Binary: libarchive-dev libarchive13 libarchive-tools bsdtar bsdcpio
Architecture: source
Version: 3.2.2-3.1
Distribution: unstable
Urgency: high
Maintainer: Peter Pentchev <[email protected]>
Changed-By: Salvatore Bonaccorso <[email protected]>
Closes: 859456 861609 874539
Description:
 bsdcpio    - transitional dummy package for moving bsdcpio to libarchive-tools
 bsdtar     - transitional dummy package for moving bsdtar to libarchive-tools
 libarchive-dev - Multi-format archive and compression library (development files)
 libarchive-tools - FreeBSD implementations of 'tar' and 'cpio' and other archive too
 libarchive13 - Multi-format archive and compression library (shared library)
Changes:
 libarchive (3.2.2-3.1) unstable; urgency=high
 .
   * Non-maintainer upload.
   * Reupload 3.2.2-2.1 on top of 3.2.2-3
   * archive_strncat_l(): allocate and do not convert if length == 0
     (CVE-2016-10209) (Closes: #859456)
   * Reread the CAB header skipping the self-extracting binary code
     (CVE-2016-10349, CVE-2016-10350) (Closes: #861609)
   * Do something sensible for empty strings to make fuzzers happy
     (CVE-2017-14166)
     Fixes heap-based buffer over-read in the atol8 function. (Closes: #874539)


--- End Message ---
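The changelog entry above fixes CVE-2016-10209 by having the string-append path "allocate and do not convert if length == 0". The following C example is added here to illustrate that defensive pattern; it is a hypothetical, simplified stand-in (the `gstr` type and the `append_unsafe` / `append_fixed` / `empty_append_ok` functions are invented for this illustration) and not libarchive's own code. It places the pre-fix shape, which leaves the buffer pointer NULL for empty input, beside the post-fix shape, which always leaves a valid, NUL-terminated buffer.

```c
#include <stdlib.h>
#include <string.h>

/* Minimal growable string: a hypothetical stand-in for the shape of
 * libarchive's archive_string, not libarchive's own code. */
struct gstr {
    char *s;               /* NULL until the first allocation */
    size_t length;
    size_t buffer_length;
};

/* Grow the buffer to at least `need` bytes; NULL on allocation failure. */
static struct gstr *gstr_ensure(struct gstr *g, size_t need) {
    if (g->s != NULL && g->buffer_length >= need) return g;
    char *n = realloc(g->s, need);
    if (n == NULL) return NULL;
    g->s = n;
    g->buffer_length = need;
    return g;
}

/* Pre-fix shape: zero-length input returns before anything is allocated, so
 * g->s can stay NULL and the caller's next g->s[...] access dereferences NULL
 * (the crash class the CVE-2016-10209 description reports). */
static int append_unsafe(struct gstr *g, const char *p, size_t len) {
    if (len == 0) return 0;   /* BUG: g->s is still NULL for a fresh string */
    if (gstr_ensure(g, g->length + len + 1) == NULL) return -1;
    memcpy(g->s + g->length, p, len);
    g->length += len;
    g->s[g->length] = '\0';
    return 0;
}

/* Post-fix shape, following the changelog's "allocate and do not convert if
 * length == 0": even empty input leaves a valid, NUL-terminated buffer. */
static int append_fixed(struct gstr *g, const char *p, size_t len) {
    if (gstr_ensure(g, g->length + len + 1) == NULL) return -1;
    if (len > 0) {
        memcpy(g->s + g->length, p, len);
        g->length += len;
    }
    g->s[g->length] = '\0';
    return 0;
}

/* 1 if appending "" via `fn` leaves a dereferenceable buffer, else 0. */
static int empty_append_ok(int (*fn)(struct gstr *, const char *, size_t)) {
    struct gstr g = { NULL, 0, 0 };
    int ok = fn(&g, "", 0) == 0 && g.s != NULL && g.s[0] == '\0';
    free(g.s);
    return ok;
}
```

A fuzzer feeding empty strings through the unsafe variant is exactly what surfaces this class of bug; the same check makes a useful regression test once the allocation is fixed.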
