[ubuntu/focal-security] libarchive 3.4.0-2ubuntu1.1 (Accepted)

Marc Deslauriers marc.deslauriers at canonical.com
Thu Feb 17 13:47:59 UTC 2022


libarchive (3.4.0-2ubuntu1.1) focal-security; urgency=medium

  * SECURITY UPDATE: extracting a symlink with ACLs modifies ACLs of target
    - debian/patches/CVE-2021-23177.patch: fix handling of symbolic link
      ACLs in libarchive/archive_disk_acl_freebsd.c,
      libarchive/archive_disk_acl_linux.c,
      libarchive/archive_disk_acl_sunos.c.
    - CVE-2021-23177
  * SECURITY UPDATE: symbolic links incorrectly followed
    - debian/patches/CVE-2021-31566-1.patch: do not follow symlinks when
      processing the fixup list in Makefile.am,
      libarchive/archive_write_disk_posix.c,
      libarchive/test/CMakeLists.txt,
      libarchive/test/test_write_disk_fixup.c.
    - debian/patches/CVE-2021-31566-2.patch: never follow symlinks when
      setting file flags on Linux in libarchive/archive_write_disk_posix.c.
    - debian/patches/CVE-2021-31566-3.patch: fix following symlinks when
      processing the fixup list in libarchive/archive_write_disk_posix.c,
      libarchive/test/test_write_disk_fixup.c.
    - debian/patches/CVE-2021-31566-4.patch: fix writing fflags broken in
      8a1bd5c in libarchive/archive_write_disk_posix.c.
    - CVE-2021-31566
  * SECURITY UPDATE: use-after-free in copy_string
    - debian/patches/CVE-2021-36976-pre1.patch: verify window size for
      solid files in Makefile.am,
      libarchive/archive_read_support_format_rar5.c,
      libarchive/test/test_read_format_rar5*.
    - debian/patches/CVE-2021-36976-pre2.patch: verify window size for
      multivolume archives in Makefile.am,
      libarchive/archive_read_support_format_rar5.c,
      libarchive/test/test_read_format_rar5*.
    - debian/patches/CVE-2021-36976-1.patch: fixed out of bounds read in
      some files in Makefile.am,
      libarchive/archive_read_support_format_rar5.c,
      libarchive/test/*.
    - debian/patches/CVE-2021-36976-2.patch: fix invalid memory access in
      some files in Makefile.am,
      libarchive/archive_read_support_format_rar5.c,
      libarchive/test/test_read_format_rar5.c, libarchive/test/*.
    - CVE-2021-36976

Date: 2022-02-16 17:59:14.947127+00:00
Changed-By: Marc Deslauriers <marc.deslauriers at canonical.com>
https://launchpad.net/ubuntu/+source/libarchive/3.4.0-2ubuntu1.1