ALT-PU-2019-2795-1
Package libarchive updated to version 3.3.1-alt2 for branch p8 in task 237883.
Closed vulnerabilities
Modified: 2024-11-21
CVE-2016-8687
Stack-based buffer overflow in the safe_fprintf function in tar/util.c in libarchive 3.2.1 allows remote attackers to cause a denial of service via a crafted non-printable multibyte character in a filename.
- openSUSE-SU-2016:3002
- [oss-security] 20161015 Re: Libarchive/bsdtar: multiple crashes
- 93781
- 1037668
- https://blogs.gentoo.org/ago/2016/09/11/libarchive-bsdtar-stack-based-buffer-overflow-in-bsdtar_expand_char-util-c/
- https://bugzilla.redhat.com/show_bug.cgi?id=1377926
- https://github.com/libarchive/libarchive/commit/e37b620fe8f14535d737e89a4dcabaed4517bf1a
- [debian-lts-announce] 20181129 [SECURITY] [DLA 1600-1] libarchive security update
- GLSA-201701-03
Modified: 2024-11-21
CVE-2016-8688
The mtree bidder in libarchive 3.2.1 does not keep track of line sizes when extending the read-ahead, which allows remote attackers to cause a denial of service (crash) via a crafted file, which triggers an invalid read in the (1) detect_form or (2) bid_entry function in libarchive/archive_read_support_format_mtree.c.
- openSUSE-SU-2016:3002
- [oss-security] 20161015 Re: Libarchive/bsdtar: multiple crashes
- 93781
- https://blogs.gentoo.org/ago/2016/09/11/libarchive-bsdtar-heap-based-buffer-overflow-in-bid_entry-archive_read_support_format_mtree-c/
- https://blogs.gentoo.org/ago/2016/09/11/libarchive-bsdtar-heap-based-buffer-overflow-in-detect_form-archive_read_support_format_mtree-c/
- https://blogs.gentoo.org/ago/2016/09/11/libarchive-bsdtar-memory-corruptionunknown-crash-in-bid_entry-archive_read_support_format_mtree-c/
- https://blogs.gentoo.org/ago/2016/09/11/libarchive-bsdtar-use-after-free-in-bid_entry-archive_read_support_format_mtree-c/
- https://blogs.gentoo.org/ago/2016/09/11/libarchive-bsdtar-use-after-free-in-detect_form-archive_read_support_format_mtree-c/
- https://bugzilla.redhat.com/show_bug.cgi?id=1377923
- https://github.com/libarchive/libarchive/commit/eec077f52bfa2d3f7103b4b74d52572ba8a15aca
- [debian-lts-announce] 20181129 [SECURITY] [DLA 1600-1] libarchive security update
- GLSA-201701-03
Modified: 2024-11-21
CVE-2016-8689
The read_Header function in archive_read_support_format_7zip.c in libarchive 3.2.1 allows remote attackers to cause a denial of service (out-of-bounds read) via multiple EmptyStream attributes in a header in a 7zip archive.
- openSUSE-SU-2016:3002
- [oss-security] 20161015 Re: Libarchive/bsdtar: multiple crashes
- 93781
- https://blogs.gentoo.org/ago/2016/09/11/libarchive-bsdtar-heap-based-buffer-overflow-in-read_header-archive_read_support_format_7zip-c/
- https://bugzilla.redhat.com/show_bug.cgi?id=1377925
- https://github.com/libarchive/libarchive/commit/7f17c791dcfd8c0416e2cd2485b19410e47ef126
- [debian-lts-announce] 20181129 [SECURITY] [DLA 1600-1] libarchive security update
- GLSA-201701-03