libarchive 3.2.2 fixes some crashes I reported. Can we stabilize it?
CVE-2016-7166 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7166): libarchive before 3.2.0 does not limit the number of recursive decompressions, which allows remote attackers to cause a denial of service (memory consumption and application crash) via a crafted gzip file.

CVE-2016-6250 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-6250): Integer overflow in the ISO9660 writer in libarchive before 3.2.1 allows remote attackers to cause a denial of service (application crash) or execute arbitrary code via vectors related to verifying filename lengths when writing an ISO9660 archive, which trigger a buffer overflow.

CVE-2016-5844 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5844): Integer overflow in the ISO parser in libarchive before 3.2.1 allows remote attackers to cause a denial of service (application crash) via a crafted ISO file.

CVE-2016-4809 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4809): The archive_read_format_cpio_read_header function in archive_read_support_format_cpio.c in libarchive before 3.2.1 allows remote attackers to cause a denial of service (application crash) via a CPIO archive with a large symlink.

CVE-2016-4302 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4302): Heap-based buffer overflow in the parse_codes function in archive_read_support_format_rar.c in libarchive before 3.2.1 allows remote attackers to execute arbitrary code via a RAR file with a zero-sized dictionary.

CVE-2016-4301 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4301): Stack-based buffer overflow in the parse_device function in archive_read_support_format_mtree.c in libarchive before 3.2.1 allows remote attackers to execute arbitrary code via a crafted mtree file.

CVE-2016-4300 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4300): Integer overflow in the read_SubStreamsInfo function in archive_read_support_format_7zip.c in libarchive before 3.2.1 allows remote attackers to execute arbitrary code via a 7zip file with a large number of substreams, which triggers a heap-based buffer overflow.
@arches, please stabilize: =app-arch/libarchive-3.2.2
Once again the CVEs do not match the upstream commits with version numbers.
You pick the wrong CVEs.

For what I know they are:
CVE-2016-8687
CVE-2016-8688
CVE-2016-8689
(In reply to Agostino Sarubbo from comment #4)
> You pick the wrong CVEs.
>
> For what I know they are:
> CVE-2016-8687
> CVE-2016-8688
> CVE-2016-8689

Added as well with reference.
amd64 stable
x86 stable
arm stable
bump for stable.
sparc stable
ia64 stable
ppc stable
ppc64 stable
Stable for HPPA.
This issue was resolved and addressed in GLSA 201701-03 at https://security.gentoo.org/glsa/201701-03 by GLSA coordinator Thomas Deutschmann (whissi).
Re-opening for cleanup. @ Maintainer(s): Please drop <app-arch/libarchive-3.2.2 or apply masks indicating a security problem.
Cleanup PR: https://github.com/gentoo/gentoo/pull/3386
tree is clean: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1ad1e7e4eca20b8715345435a764b2015ce1fe9f