[Bug 1590235] Re: Sync libarchive 3.2.0-2 (main) from Debian unstable (main)

Daniel Holbach daniel.holbach at ubuntu.com
Mon Jun 13 07:41:34 UTC 2016 

This bug was fixed in the package libarchive - 3.2.0-2
Sponsored for Logan Rosen (logan)

---------------
libarchive (3.2.0-2) unstable; urgency=medium

  * Add CVE identifiers to previous changelog entry.
  * Upload to unstable.

 -- Andreas Henriksson <andreas at fatal.se>  Wed, 01 Jun 2016 07:34:12
+0200

libarchive (3.2.0-1) experimental; urgency=medium

  * CVE-2016-1541: heap-based buffer overflow due to improper input
     validation (Closes: #823893)
  * New upstream test release (3.1.901a).
  * Add liblz4-dev build-dependency to enable lz4 support.
  * Enable new bsdcat utility in separate package
  * Drop all patches, now included in release.
  * Add pkg-config build-dependency
  * Have dh-autoreconf use upstream build/autogen.sh
  * New upstream release (3.2.0).

 -- Andreas Henriksson <andreas at fatal.se>  Fri, 06 May 2016 10:08:56
+0200

** Changed in: libarchive (Ubuntu)
       Status: New => Fix Released

** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2016-1541

-- 
You received this bug notification because you are a member of Ubuntu
Sponsors Team, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1590235

Title:
  Sync libarchive 3.2.0-2 (main) from Debian unstable (main)

Status in libarchive package in Ubuntu:
  Fix Released

Bug description:
  Please sync libarchive 3.2.0-2 (main) from Debian unstable (main)

  Explanation of the Ubuntu delta and why it can be dropped:
    * SECURITY UPDATE: code execution via incorrect compressed size
      - debian/patches/CVE-2016-1541.patch: check sizes in
        libarchive/archive_read_support_format_zip.c.
      - CVE-2016-1541
    * SECURITY UPDATE: denial of service via malformed cpio archive
      - debian/patches/issue502.patch: fix implicit cast in
        libarchive/archive_read_support_format_cpio.c, reject attempts to
        move the file pointer by a negative amount in
        libarchive/archive_read.c.
      - CVE number pending.
  I verified in the code that both of the above security fixes are present in the new upstream release in unstable.

  Changelog entries since current yakkety version 3.1.2-11ubuntu1:

  libarchive (3.2.0-2) unstable; urgency=medium

    * Add CVE identifiers to previous changelog entry.
    * Upload to unstable.

   -- Andreas Henriksson <andreas at fatal.se>  Wed, 01 Jun 2016 07:34:12
  +0200

  libarchive (3.2.0-1) experimental; urgency=medium

    * CVE-2016-1541: heap-based buffer overflow due to improper input
       validation (Closes: #823893)
    * New upstream test release (3.1.901a).
    * Add liblz4-dev build-dependency to enable lz4 support.
    * Enable new bsdcat utility in separate package
    * Drop all patches, now included in release.
    * Add pkg-config build-dependency
    * Have dh-autoreconf use upstream build/autogen.sh
    * New upstream release (3.2.0).

   -- Andreas Henriksson <andreas at fatal.se>  Fri, 06 May 2016 10:08:56
  +0200

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libarchive/+bug/1590235/+subscriptions

More information about the Ubuntu-sponsors mailing list