Sync libarchive 3.2.0-2 (main) from Debian unstable (main)

Bug #1590235 reported by Logan Rosen
Affects: libarchive (Ubuntu)
Status: Fix Released
Importance: Wishlist
Assigned to: Unassigned
Milestone: (none)

Bug Description

Please sync libarchive 3.2.0-2 (main) from Debian unstable (main)

Explanation of the Ubuntu delta and why it can be dropped:
  * SECURITY UPDATE: code execution via incorrect compressed size
    - debian/patches/CVE-2016-1541.patch: check sizes in
      libarchive/archive_read_support_format_zip.c.
    - CVE-2016-1541
  * SECURITY UPDATE: denial of service via malformed cpio archive
    - debian/patches/issue502.patch: fix implicit cast in
      libarchive/archive_read_support_format_cpio.c, reject attempts to
      move the file pointer by a negative amount in
      libarchive/archive_read.c.
    - CVE number pending.
I verified in the code that both of the above security fixes are present in the new upstream release in unstable.

Changelog entries since current yakkety version 3.1.2-11ubuntu1:

libarchive (3.2.0-2) unstable; urgency=medium

  * Add CVE identifiers to previous changelog entry.
  * Upload to unstable.

 -- Andreas Henriksson <email address hidden> Wed, 01 Jun 2016 07:34:12 +0200

libarchive (3.2.0-1) experimental; urgency=medium

  * CVE-2016-1541: heap-based buffer overflow due to improper input
     validation (Closes: #823893)
  * New upstream test release (3.1.901a).
  * Add liblz4-dev build-dependency to enable lz4 support.
  * Enable new bsdcat utility in separate package
  * Drop all patches, now included in release.
  * Add pkg-config build-dependency
  * Have dh-autoreconf use upstream build/autogen.sh
  * New upstream release (3.2.0).

 -- Andreas Henriksson <email address hidden> Fri, 06 May 2016 10:08:56 +0200

Logan Rosen (logan)
Changed in libarchive (Ubuntu):
importance: Undecided → Wishlist
Daniel Holbach (dholbach) wrote:

This bug was fixed in the package libarchive - 3.2.0-2
Sponsored for Logan Rosen (logan)

---------------
libarchive (3.2.0-2) unstable; urgency=medium

  * Add CVE identifiers to previous changelog entry.
  * Upload to unstable.

 -- Andreas Henriksson <email address hidden> Wed, 01 Jun 2016 07:34:12 +0200

libarchive (3.2.0-1) experimental; urgency=medium

  * CVE-2016-1541: heap-based buffer overflow due to improper input
     validation (Closes: #823893)
  * New upstream test release (3.1.901a).
  * Add liblz4-dev build-dependency to enable lz4 support.
  * Enable new bsdcat utility in separate package
  * Drop all patches, now included in release.
  * Add pkg-config build-dependency
  * Have dh-autoreconf use upstream build/autogen.sh
  * New upstream release (3.2.0).

 -- Andreas Henriksson <email address hidden> Fri, 06 May 2016 10:08:56 +0200

Changed in libarchive (Ubuntu):
status: New → Fix Released