Debian-LTS alert DLA-617-1 (libarchive)
| From: | Jonas Meurer <mejo@debian.org> | |
| To: | debian-lts-announce@lists.debian.org | |
| Subject: | [SECURITY] [DLA 617-1] libarchive security update | |
| Date: | Sat, 10 Sep 2016 18:46:08 +0200 | |
| Message-ID: | <67815643-57b5-facd-57b6-b469ed630b67@debian.org> |
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Package : libarchive Version : 3.0.4-3+wheezy3 CVE ID : CVE-2015-8915 CVE-2016-7166 Debian Bug : 784213 Several security vulnerabilities have been discovered in libarchive, a multi-format archive and compression library. An attacker could take advantage of these flaws to cause an out of bounds read or a denial of service against an application using the libarchive12 library using a carefully crafted input file. CVE-2015-8915 Paris Zoumpouloglou of Project Zero labs discovered a flaw in libarchive bsdtar. Using a crafted file bsdtar can perform an out-of-bounds memory read which will lead to a SEGFAULT. CVE-2016-7166 Alexander Cherepanov discovered a flaw in libarchive compression handling. Using a crafted gzip file, one can get libarchive to invoke an infinite chain of gzip compressors until all the memory has been exhausted or another resource limit kicks in. For Debian 7 "Wheezy", these problems have been fixed in version 3.0.4-3+wheezy3. We recommend that you upgrade your libarchive packages. Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS - -- Jonas Meurer -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 iQIcBAEBCAAGBQJX1DjKAAoJEFJi5/9JEEn+b3MP/jcW/Bx/EtEr3lli879ektYc eeZAy5HeuaMj1Jz2/8XLPBLBIR/dETz5z/yK/ALOwDrrcUTzK2ZNNRMNgGa2TqlG u+QUn53LGJ1wgSUGzdVhvrm/1GAjb5Bqlx3rWfkvTlWUHEcMoRGmd2QAfpOYCIWk RdMFIPQlz5snArTxcAOCR2yBTKhRoW2Nzq4Rfr8ZrM6Lu1U6aj1R34+qkY+Jhg1s 0lVyLN0+q4hzlsqK/BgAMBX2jXi9rXciVWBcr70nVjfMb/FU8jAUyv9lotUgqvLB wObRUZwLSPx4U4QWMi4qbWBNPz4lNqRQ5IsESuZ76mBJs49iC/fx2bYS70QgFiMq kNi7Pt/EisrBAwIFsgN5vLsifIVFMW60WpvfSZdjoE2seoyuGouoFIvMRKsH6ek0 vtqRI4LYyNyfpGx2VyaEax1fEqFQINkcBXSXCcbs2Fo91JDVEmafOlcgYcc7jq4h eDjeG4+dOWmXX+bR1TScEK9R0FOf2D5R4CHFOjoBqeQqvE8Z5MnE4UbckJH/Zy5O jAzVN4fGR8C2ctVh5GJQ1ccV9F8A1N0bVcLTJmYAyirn5nt//Rtu2WmeXNIwk3QC Jws99VkYk5lx/uH1rOTkd+J2geaerMSGKb5iHcEnSJT64Ewe69EGBqcdL0IhWgy3 6M8HNvNIKBF87FFePK7a =QDCj -----END PGP SIGNATURE-----