| Summary: | <app-arch/libarchive-3.1.2-r1: read buffer overflow on 64-bit systems (CVE-2013-0211) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | normal | CC: | bsd+disabled, ferringb, ssuominen |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | https://bugzilla.redhat.com/show_bug.cgi?id=902998 | | |
| Whiteboard: | A3 [glsa] | | |
| Package list: | | Runtime testing required: | --- |

Description
Agostino Sarubbo
2013-03-28 16:54:57 UTC
3.1.2-r1 in Portage with the upstream patch for this issue:
https://github.com/libarchive/libarchive/commit/22531545514043e04633e1c015c7540b9de9dbe4

Please test and mark it stable. Thank you!

Stable for HPPA.

amd64 stable

x86 stable

ia64 stable

alpha stable

sh stable

sparc stable

arm stable

s390 stable

ppc stable

ppc64 stable

Added to existing GLSA request.

CVE-2013-0211 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0211):
Integer signedness error in the archive_write_zip_data function in archive_write_set_format_zip.c in libarchive 3.1.2 and earlier, when running on 64-bit machines, allows context-dependent attackers to cause a denial of service (crash) via unspecified vectors, which triggers an improper conversion between unsigned and signed types, leading to a buffer overflow.

This issue was resolved and addressed in GLSA 201406-02 at http://security.gentoo.org/glsa/glsa-201406-02.xml by GLSA coordinator Sean Amoss (ackle).
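
The unsigned-to-signed conversion named in the CVE text above, as an added C illustration that is not libarchive's code or the upstream patch: a length clamp that casts the unsigned request to a signed 64-bit type before comparing, next to a checked version. The function names, the `remaining` counter and the fixed-width types standing in for 32-bit and 64-bit `size_t` are assumptions made for the example.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical model: `remaining` is the number of bytes the current entry
 * may still receive, kept as a signed 64-bit count. uint64_t / uint32_t
 * stand in for size_t on 64-bit and 32-bit builds. */

/* Flawed clamp, 64-bit size_t: a request above INT64_MAX becomes negative
 * after the cast (two's-complement conversion on mainstream compilers),
 * the comparison is false, and the oversized length is returned unclamped. */
uint64_t clamp_signed_cast_64(uint64_t s, int64_t remaining)
{
	if ((int64_t)s > remaining)
		s = (uint64_t)remaining;
	return s;
}

/* Same source line with a 32-bit size_t: widening to int64_t keeps the
 * value positive, so the clamp still fires. This is why the defect only
 * shows on 64-bit machines. */
uint64_t clamp_signed_cast_32(uint32_t s, int64_t remaining)
{
	if ((int64_t)s > remaining)
		s = (uint32_t)remaining;
	return s;
}

/* Checked clamp: reject a non-positive budget first, then compare in the
 * unsigned domain so no request can turn negative. */
uint64_t clamp_checked(uint64_t s, int64_t remaining)
{
	if (remaining <= 0)
		return 0;
	if (s > (uint64_t)remaining)
		s = (uint64_t)remaining;
	return s;
}

int main(void)
{
	/* Constructed input: a caller passing (size_t)-1 with 100 bytes left. */
	printf("64-bit cast : %llu\n",
	    (unsigned long long)clamp_signed_cast_64(UINT64_MAX, 100));
	printf("32-bit cast : %llu\n",
	    (unsigned long long)clamp_signed_cast_32(UINT32_MAX, 100));
	printf("checked     : %llu\n",
	    (unsigned long long)clamp_checked(UINT64_MAX, 100));
	return 0;
}
```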