Your message dated Fri, 21 Dec 2018 16:36:23 +0000
with message-id <[email protected]>
and subject line Bug#916964: fixed in libarchive 3.3.3-2
has caused the Debian Bug report #916964,
regarding libarchive: CVE-2018-1000877
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
916964: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=916964
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: libarchive
Version: 3.3.3-1
Severity: important
Tags: security upstream
Control: found -1 3.2.2-2
Hi,
The following vulnerability was published for libarchive.
CVE-2018-1000877[0]:
| libarchive version commit 416694915449219d505531b1096384f3237dd6cc
| onwards (release v3.1.0 onwards) contains a CWE-415: Double Free
| vulnerability in RAR decoder -
| libarchive/archive_read_support_format_rar.c, parse_codes(),
| realloc(rar->lzss.window, new_size) with new_size = 0 that can result
| in Crash/DoS. This attack appears to be exploitable via the victim must
| open a specially crafted RAR archive.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2018-1000877
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000877
[1] https://bugs.launchpad.net/ubuntu/+source/libarchive/+bug/1794909
[2] https://github.com/libarchive/libarchive/pull/1105
[3] https://github.com/libarchive/libarchive/pull/1105/commits/021efa522ad729ff0f5806c4ce53e4a6cc1daa31
Regards,
Salvatore
--- End Message ---
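An added C illustration of the realloc(ptr, 0) pattern the CVE text above describes; it is not libarchive's code. The heap is replaced by a one-slot arena that records frees, so the double free shows up as a count instead of a crash; the struct and function names are stand-ins loosely named after rar->lzss.window and parse_codes(), and the checked variant follows the shape of the upstream fix (an assumption about its exact form).

```c
#include <stddef.h>

/* Single-slot arena standing in for the heap: frees are recorded, not performed,
 * so a double free can be counted instead of aborting the process. */
static unsigned char arena[64];
static int arena_live;       /* 1 while the arena block is owned by a caller */
static int g_double_frees;   /* frees of a block that had already been released */

static void *sim_malloc(size_t n) { (void)n; arena_live = 1; return arena; }
static void sim_free(void *p) {
    if (p == NULL) return;
    if (!arena_live) g_double_frees++;       /* this block was freed before */
    arena_live = 0;
}
/* glibc semantics: realloc(p, 0) releases p and returns NULL (sizes <= 64 assumed). */
static void *sim_realloc(void *p, size_t n) {
    if (n == 0) { sim_free(p); return NULL; }
    return p == NULL ? sim_malloc(n) : p;
}

struct lzss { unsigned char *window; size_t size; };   /* cf. rar->lzss.window */

/* Unchecked pattern: a dictionary size of 0 read from the archive reaches realloc.
 * The NULL return is mistaken for an allocation failure, so the caller bails out
 * while lzss.window still records the pointer that realloc just released. */
int parse_codes_unchecked(struct lzss *l, size_t new_size) {
    unsigned char *nw = sim_realloc(l->window, new_size);
    if (nw == NULL) return -1;      /* l->window is dangling when new_size == 0 */
    l->window = nw; l->size = new_size;
    return 0;
}
/* Hardened pattern: reject the invalid size before it reaches the allocator
 * (the shape of the upstream fix; its exact wording is not reproduced here). */
int parse_codes_checked(struct lzss *l, size_t new_size) {
    if (new_size == 0) return -2;   /* corrupt archive: zero dictionary size */
    unsigned char *nw = sim_realloc(l->window, new_size);
    if (nw == NULL) return -1;
    l->window = nw; l->size = new_size;
    return 0;
}
/* Decoder teardown, like the reader cleanup: releases whatever window is recorded. */
static void lzss_cleanup(struct lzss *l) { sim_free(l->window); l->window = NULL; }

/* Run parse + teardown for one header-supplied size; return double frees observed. */
int double_frees_for(int (*parse)(struct lzss *, size_t), size_t header_size) {
    struct lzss l = { sim_malloc(64), 64 };
    g_double_frees = 0;
    (void)parse(&l, header_size);   /* error or not, teardown always runs */
    lzss_cleanup(&l);
    return g_double_frees;
}
```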
--- Begin Message ---
Source: libarchive
Source-Version: 3.3.3-2
We believe that the bug you reported is fixed in the latest version of
libarchive, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Peter Pentchev <[email protected]> (supplier of updated libarchive package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Fri, 21 Dec 2018 18:01:29 +0200
Source: libarchive
Binary: libarchive-dev libarchive13 libarchive-tools bsdtar bsdcpio
Architecture: source
Version: 3.3.3-2
Distribution: unstable
Urgency: medium
Maintainer: Peter Pentchev <[email protected]>
Changed-By: Peter Pentchev <[email protected]>
Description:
bsdcpio - transitional dummy package for moving bsdcpio to libarchive-tools
bsdtar - transitional dummy package for moving bsdtar to libarchive-tools
libarchive-dev - Multi-format archive and compression library (development files)
libarchive-tools - FreeBSD implementations of 'tar' and 'cpio' and other archive too
libarchive13 - Multi-format archive and compression library (shared library)
Closes: 916960 916962 916963 916964
Changes:
libarchive (3.3.3-2) unstable; urgency=medium
.
* Add Daniel Axtens's security and reliability patches:
- CVE-2018-1000877.patch: Closes: #916964
- CVE-2018-1000878.patch: Closes: #916963
- CVE-2018-1000879.patch: Closes: #916962
- CVE-2018-1000880.patch: Closes: #916960
- all merged upstream in https://github.com/libarchive/libarchive/pull/1105
Thanks to Salvatore Bonaccorso for filing the Debian bugs!
--- End Message ---