[ubuntu/yakkety-security] libarchive 3.2.1-2ubuntu0.1 (Accepted)

Marc Deslauriers marc.deslauriers at canonical.com
Thu Mar 9 18:30:04 UTC 2017 

libarchive (3.2.1-2ubuntu0.1) yakkety-security; urgency=medium

  * SECURITY UPDATE: arbitrary file write via hardlink entries
    - debian/patches/CVE-2016-5418-1.patch: enforce sandbox with very long
      pathnames in libarchive/archive_write_disk_posix.c.
    - debian/patches/CVE-2016-5418-2.patch: fix path handling in
      libarchive/archive_write_disk_posix.c.
    - debian/patches/CVE-2016-5418-3.patch: add test cases to Makefile.am,
      libarchive/test/CMakeLists.txt, libarchive/test/main.c,
      libarchive/test/test.h, libarchive/test/test_write_disk_secure744.c,
      libarchive/test/test_write_disk_secure745.c,
      libarchive/test/test_write_disk_secure746.c.
    - debian/patches/CVE-2016-5418-4.patch: fix testcases in
      libarchive/test/test_write_disk_secure745.c,
      libarchive/test/test_write_disk_secure746.c.
    - debian/patches/CVE-2016-5418-5.patch: correct PATH_MAX usage in
      libarchive/archive_write_disk_posix.c.
    - CVE-2016-5418
  * SECURITY UPDATE: denial of service via non-printable multibyte
    character in a filename
    - debian/patches/CVE-2016-8687.patch: expand buffer size in tar/util.c.
    - CVE-2016-8687
  * SECURITY UPDATE: denial of service via multiple long lines
    - debian/patches/CVE-2016-8688.patch: fix bounds in
      libarchive/archive_read_support_format_mtree.c, added test to
      Makefile.am, libarchive/test/CMakeLists.txt,
      libarchive/test/test_read_format_mtree_crash747.c,
      libarchive/test/test_read_format_mtree_crash747.mtree.bz2.uu.
    - CVE-2016-8688
  * SECURITY UPDATE: denial of service via multiple EmptyStream attributes
    - debian/patches/CVE-2016-8689.patch: reject files with multiple
      markers in libarchive/archive_read_support_format_7zip.c.
    - CVE-2016-8689
  * SECURITY UPDATE: denial of service via invalid compressed file size
    - debian/patches/CVE-2017-5601.patch: add check to
      libarchive/archive_read_support_format_lha.c.
    - CVE-2017-5601

Date: 2017-03-09 16:42:20.022374+00:00
Changed-By: Marc Deslauriers <marc.deslauriers at canonical.com>
https://launchpad.net/ubuntu/+source/libarchive/3.2.1-2ubuntu0.1
-------------- next part --------------
Sorry, changesfile not available.

More information about the Yakkety-changes mailing list