libarchive 3.1.2-7ubuntu2.3 source package in Ubuntu

Changelog

libarchive (3.1.2-7ubuntu2.3) trusty-security; urgency=medium

  * SECURITY UPDATE: denial of service via malformed rar or cab files
    - debian/patches/CVE-2015-8916.patch: ignore entries with empty
      filenames in tar/read.c.
    - CVE-2015-8916
    - CVE-2015-8917
  * SECURITY UPDATE: denial of service via malformed lzh file
    - debian/patches/CVE-2015-8919.patch: recognize empty dir name in
      libarchive/archive_read_support_format_lha.c.
    - CVE-2015-8919
  * SECURITY UPDATE: buffer underflow parsing ar header
    - debian/patches/CVE-2015-8920.patch: check for empty filenames in
      libarchive/archive_read_support_format_ar.c.
    - CVE-2015-8920
  * SECURITY UPDATE: read past end of string parsing
    - debian/patches/CVE-2015-8921.patch: properly calculate string length
      in libarchive/archive_entry.c.
    - CVE-2015-8921
  * SECURITY UPDATE: segfault on malformed 7z archive
    - debian/patches/CVE-2015-8922.patch: reject some malformed files in
      libarchive/archive_read_support_format_7zip.c, added tests to
      Makefile.am, libarchive/test/test_read_format_7zip_malformed.7z.uu,
      libarchive/test/test_read_format_7zip_malformed.c,
      libarchive/test/test_read_format_7zip_malformed2.7z.uu,
      libarchive/test/CMakeLists.txt.
    - CVE-2015-8922
  * SECURITY UPDATE: segfault on malformed Zip archive
    - debian/patches/CVE-2015-8923.patch: properly handle sizes in
      libarchive/archive_read_support_format_zip.c, added tests to
      Makefile.am, libarchive/test/CMakeLists.txt,
      libarchive/test/test_read_format_zip_malformed.c,
      libarchive/test/test_read_format_zip_malformed1.zip.uu.
    - CVE-2015-8923
  * SECURITY UPDATE: buffer overflow when processing tar files
    - debian/patches/CVE-2015-8924.patch: properly handle empty filenames
      in libarchive/archive_read_support_format_tar.c.
    - CVE-2015-8924
  * SECURITY UPDATE: improper newline parsing
    - debian/patches/CVE-2015-8925.patch: fix escaped newline parsing in
      libarchive/archive_read_support_format_mtree.c, added tests to
      libarchive/test/test_read_format_mtree.c,
      libarchive/test/test_read_format_mtree.mtree.uu.
    - CVE-2015-8925
  * SECURITY UPDATE: segfault on invalid rar archive
    - debian/patches/CVE-2015-8926.patch: properly handle return code in
      libarchive/archive_read_support_format_rar.c.
    - CVE-2015-8926
  * SECURITY UPDATE: out-of-bounds read in mtree
    - debian/patches/CVE-2015-8928.patch: properly handle filename parsing
      in libarchive/archive_read_support_format_mtree.c.
    - CVE-2015-8928
  * SECURITY UPDATE: segfault via dir loop in malformed ISO
    - debian/patches/CVE-2015-8930.patch: limit recursion in
      libarchive/archive_read_support_format_iso9660.c.
    - CVE-2015-8930
  * SECURITY UPDATE: integer overflow parsing time values
    - debian/patches/CVE-2015-8931.patch: fix time handling in
      libarchive/archive_read_support_format_mtree.c.
    - CVE-2015-8931
  * SECURITY UPDATE: crash via invalid compressed data
    - debian/patches/CVE-2015-8932.patch: add more checks to
      libarchive/archive_read_support_filter_compress.c, added tests to
      Makefile.am, libarchive/test/CMakeLists.txt,
      libarchive/test/test_read_filter_compress.c.
    - CVE-2015-8932
  * SECURITY UPDATE: integer overflow via negative-sized sparse blocks
    - debian/patches/CVE-2015-8933.patch: add check to
      libarchive/archive_read_support_format_tar.c.
    - CVE-2015-8933
  * SECURITY UPDATE: heap overflow parsing malformed tar archives
    - debian/patches/CVE-2015-8934.patch: properly check reading from lzss
      decompression buffer in libarchive/archive_read_support_format_rar.c,
      added tests to Makefile.am, libarchive/test/CMakeLists.txt,
      libarchive/test/test_read_format_rar_invalid1.c,
      libarchive/test/test_read_format_rar_invalid1.rar.uu.
    - CVE-2015-8934
  * SECURITY UPDATE: overflow reading 7-Zip with large number of substreams
    - debian/patches/CVE-2016-4300.patch: add another limit to
      libarchive/archive_read_support_format_7zip.c.
    - CVE-2016-4300
  * SECURITY UPDATE: crash via rar files with zero dictionary size
    - debian/patches/CVE-2016-4302.patch: handle zero-sized dictionary in
      libarchive/archive_ppmd7.c,
      libarchive/archive_read_support_format_rar.c.
    - CVE-2016-4302
  * SECURITY UPDATE: memory allocation issues with large cpio symlinks
    - debian/patches/CVE-2016-4809.patch: reject large symlinks in
      libarchive/archive_read_support_format_cpio.c.
    - CVE-2016-4809
  * SECURITY UPDATE: integer overflow when computing volume descriptor
    - debian/patches/CVE-2016-5844.patch: fix multiplications in
      libarchive/archive_read_support_format_iso9660.c.
    - CVE-2016-5844

 -- Marc Deslauriers <email address hidden>  Wed, 13 Jul 2016 11:23:39 -0400

Upload details

Uploaded by: Marc Deslauriers
Uploaded to: Trusty
Original maintainer: Ubuntu Developers
Architectures: any
Section: libs
Urgency: Medium Urgency

Downloads

File Size SHA-256 Checksum
libarchive_3.1.2.orig.tar.gz 4.3 MiB eb87eacd8fe49e8d90c8fdc189813023ccc319c5e752b01fb6ad0cc7b2c53d5e
libarchive_3.1.2-7ubuntu2.3.debian.tar.gz 33.6 KiB 83a703ae4d7096217a19b3c60064e82c220f5b5a34ac934088021d7ebef7bd20
libarchive_3.1.2-7ubuntu2.3.dsc 2.3 KiB ed409db9fdb8a6c84d85e562899a6ba7758f7d0d04e39d1648ec4b5bb0192c7c

Binary packages built by this source

bsdcpio: Implementation of the 'cpio' program from FreeBSD

 The bsdcpio program is the default system 'cpio' program used on FreeBSD.
 bsdcpio uses the libarchive library as a backend which does all of the work for
 reading and writing archives in various formats.

bsdcpio-dbgsym: debug symbols for package bsdcpio

bsdtar: Implementation of the 'tar' program from FreeBSD

 The bsdtar program is the default system 'tar' program used on FreeBSD. bsdtar
 uses the libarchive library as a backend which does all of the work for reading
 and writing archives in various formats.

bsdtar-dbgsym: debug symbols for package bsdtar

libarchive-dev: Multi-format archive and compression library (development files)

 The libarchive library provides a flexible interface for reading and writing
 archives in various formats such as tar and cpio. libarchive also supports
 reading and writing archives compressed using various compression filters such
 as gzip and bzip2. The library is inherently stream-oriented; readers serially
 iterate through the archive, writers serially add things to the archive.

 Archive formats supported are:

    * tar (read and write, including GNU extensions)
    * pax (read and write, including GNU and star extensions)
    * cpio (read and write, including odc and newc variants)
    * iso9660 (read and write, including Joliet and Rockridge extensions, with
      some limitations)
    * zip (read only, with some limitations, uses zlib)
    * mtree (read and write)
    * shar (write only)
    * ar (read and write, including BSD and GNU/SysV variants)
    * empty (read only; in particular, note that no other format will accept an
      empty file)
    * raw (read only)
    * xar (read only)
    * rar (read only, with some limitations)
    * 7zip (read and write, with some limitations)

 Filters supported are:

    * gzip (read and write, uses zlib)
    * bzip2 (read and write, uses bzlib)
    * compress (read and write, uses an internal implementation)
    * uudecode (read only)
    * separate command-line compressors with fixed-signature auto-detection
    * xz and lzma (read and write using liblzma)

 This package provides the files necessary for development with libarchive.

libarchive13: Multi-format archive and compression library (shared library)

 The libarchive library provides a flexible interface for reading and writing
 archives in various formats such as tar and cpio. libarchive also supports
 reading and writing archives compressed using various compression filters such
 as gzip and bzip2. The library is inherently stream-oriented; readers serially
 iterate through the archive, writers serially add things to the archive.

 Archive formats supported are:

    * tar (read and write, including GNU extensions)
    * pax (read and write, including GNU and star extensions)
    * cpio (read and write, including odc and newc variants)
    * iso9660 (read and write, including Joliet and Rockridge extensions, with
      some limitations)
    * zip (read only, with some limitations, uses zlib)
    * mtree (read and write)
    * shar (write only)
    * ar (read and write, including BSD and GNU/SysV variants)
    * empty (read only; in particular, note that no other format will accept an
      empty file)
    * raw (read only)
    * xar (read only)
    * rar (read only, with some limitations)
    * 7zip (read and write, with some limitations)

 Filters supported are:

    * gzip (read and write, uses zlib)
    * bzip2 (read and write, uses bzlib)
    * compress (read and write, uses an internal implementation)
    * uudecode (read only)
    * separate command-line compressors with fixed-signature auto-detection
    * xz and lzma (read and write using liblzma)

 This package provides the libarchive shared library.

libarchive13-dbgsym: debug symbols for package libarchive13