From ${URL} : Fabian Yamaguchi reported a read buffer overflow flaw in libarchive on 64-bit systems where sizeof(size_t) is equal to 8. In the archive_write_zip_data() function in libarchive/archive_write_set_format_zip.c, the "s" parameter is of type size_t (64 bit, unsigned) and is cast to a 64 bit signed integer. If "s" is larger than MAX_INT, it will not be set to "zip->remaining_data_bytes" even though it is larger than "zip->remaining_data_bytes", which leads to a buffer overflow when calling deflate(). This can lead to a segfault in an application that uses libarchive to create ZIP archives.
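An added illustration of the signedness error described in the report above; it is not libarchive's code and not the upstream patch. `struct zip_state`, `clamp_signed_cast` and `clamp_unsigned` are hypothetical names, only `remaining_data_bytes` comes from the report, and its signed 64-bit type is an assumption.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in for the writer state; only the field named in the
 * report is modelled, and its int64_t type is an assumption. */
struct zip_state { int64_t remaining_data_bytes; };

/* Pattern described in the report: the unsigned length is compared after a
 * cast to a signed 64-bit integer. On a 64-bit system a length with the top
 * bit set turns negative, the comparison is false, and the clamp is skipped. */
static size_t clamp_signed_cast(const struct zip_state *zip, size_t s)
{
    if ((int64_t)s > zip->remaining_data_bytes)
        s = (size_t)zip->remaining_data_bytes;
    return s;
}

/* Hardened form: compare in the unsigned domain so no length can wrap to a
 * negative value. A non-positive remaining count is treated as zero. */
static size_t clamp_unsigned(const struct zip_state *zip, size_t s)
{
    uint64_t remaining = zip->remaining_data_bytes > 0
        ? (uint64_t)zip->remaining_data_bytes : 0;
    if ((uint64_t)s > remaining)
        s = (size_t)remaining;
    return s;
}

int main(void)
{
    struct zip_state zip = { 100 };
    /* Constructed inputs: in range, at the limit, over it, and top bit set. */
    size_t lengths[] = { 10, 100, 4096, (size_t)-1 };

    for (size_t i = 0; i < sizeof lengths / sizeof lengths[0]; i++)
        printf("s=%zu signed-cast=%zu unsigned=%zu\n", lengths[i],
               clamp_signed_cast(&zip, lengths[i]),
               clamp_unsigned(&zip, lengths[i]));
    return 0;
}
```

On a 64-bit build the last input passes through the signed comparison unclamped, while the unsigned comparison limits it to the remaining 100 bytes.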
3.1.2-r1 in Portage with the upstream patch for this issue:
https://github.com/libarchive/libarchive/commit/22531545514043e04633e1c015c7540b9de9dbe4
Please test and mark it stable. Thank you!
Stable for HPPA.
amd64 stable
x86 stable
ia64 stable
alpha stable
sh stable
sparc stable
arm stable
s390 stable
ppc stable
ppc64 stable
Added to existing GLSA request.
CVE-2013-0211 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0211): Integer signedness error in the archive_write_zip_data function in archive_write_set_format_zip.c in libarchive 3.1.2 and earlier, when running on 64-bit machines, allows context-dependent attackers to cause a denial of service (crash) via unspecified vectors, which triggers an improper conversion between unsigned and signed types, leading to a buffer overflow.
This issue was resolved and addressed in GLSA 201406-02 at http://security.gentoo.org/glsa/glsa-201406-02.xml by GLSA coordinator Sean Amoss (ackle).