Upstream has released version 3.2.0 on May 1, fixing a security issue: https://groups.google.com/forum/#!topic/libarchive-announce/qdeGf_DRvN4 The fix was in this commit: https://github.com/libarchive/libarchive/commit/d0331e8e5b05b475f20b1f3101fe1ad772d7e7e7 Some of the crash bug fixes may be considered security relevant in some contexts, so upgrading it might be better if possible. Mageia 5 is also affected.
Whiteboard: (none) => MGA5TOO
Here's Fedora's packaging commit for 3.2.0: http://pkgs.fedoraproject.org/cgit/rpms/libarchive.git/commit/?id=9e3ae291246c023251a2b07e5a1bd32ea400aaf5
Assigning to all packagers collectively, since there is no maintainer for this package.
CC: (none) => makowski.mageia, marja11Assignee: bugsquad => pkg-bugs
Will have a look at it.
Assignee: pkg-bugs => rverschelde
libarchive-3.2.0-1.mga6 uploaded for Cauldron by Thierry.
CC: (none) => thierry.vignaudVersion: Cauldron => 5Whiteboard: MGA5TOO => (none)
I went ahead and synced libarchive with Cauldron for Mageia 5. The changelog linked in comment 0 sounds like it's worth the version upgrade, as it mostly contains important bug fixes and new features that (a priori) shouldn't have too much impact on the existing API. The lib major stays the same. We'll have to check some packages that depend on libarchive to ensure that they still work as expected though (especially rpm): $ urpmq --whatrequires lib64archive13 | uniq ark attract bsdcat bsdcpio bsdtar claws-mail-archive-plugin cmake cmake-qtgui epic5 file-roller gnome-boxes gnome-epub-thumbnailer grilo-plugins grub-customizer gvfs-archive lib64appstream-builder-gir1.0 lib64appstream-builder8 lib64appstream-glib8 lib64archive-devel lib64archive13 lib64extractor3 lib64glom1.32_0 lib64gxps2 lib64ostree1 lib64totem-plparser18 lordsawar meandmyshadow ocaml-archive ocaml-archive-devel pinot rpm samba-client swi-prolog-nox vdrift xdg-app zeal
Assigning to QA. Advisory coming soonâ¢. RPMs in core/updates_testing: ============================= lib{,64}archive13-3.2.0-1.mga5 lib{,64}archive-devel-3.2.0-1.mga5 bsdcat-3.2.0-1.mga5 bsdcpio-3.2.0-1.mga5 bsdtar-3.2.0-1.mga5 SRPM in core/updates_testing: ============================= libarchive-3.2.0-1.mga5
Assignee: rverschelde => qa-bugs
Debian has issued an advisory for this on May 10: https://www.debian.org/security/2016/dsa-3574 Advisory: ======================== Updated libarchive packages fix security vulnerability: Heap-based buffer overflow in the zip_read_mac_metadata function in archive_read_support_format_zip.c in libarchive before 3.2.0 allows remote attackers to execute arbitrary code via crafted entry-size values in a ZIP archive (CVE-2016-1541). The libarchive package has been updated to version 3.2.0, fixing this issue and other bugs. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1541 https://groups.google.com/forum/#!topic/libarchive-announce/qdeGf_DRvN4 https://www.debian.org/security/2016/dsa-3574
URL: (none) => http://lwn.net/Vulnerabilities/687044/
Procedure: https://bugs.mageia.org/show_bug.cgi?id=9671#c2
Whiteboard: (none) => has_procedure
Shall test this for 64-bits some time today.
CC: (none) => tarazed25
mga5 x86_64 Updated the packages listed above and tested them according to Claire's recipe in bug #9671. $ ls *.mp4 | bsdcpio -ov > videos.cpio LaRouteDIstanbul.mp4 pangea.mp4 TheTeam_1.mp4 YosemiteII.mp4 yosemite.mp4 7991442 blocks $ bsdcpio -it < videos.cpio LaRouteDIstanbul.mp4 pangea.mp4 TheTeam_1.mp4 YosemiteII.mp4 yosemite.mp4 7991442 blocks $ cd archive LaRouteDIstanbul.mp4 pangea.mp4 TheTeam_1.mp4 YosemiteII.mp4 yosemite.mp4 7991442 blocks $ ls LaRouteDIstanbul.mp4 TheTeam_1.mp4 YosemiteII.mp4 pangea.mp4 videos.cpio yosemite.mp4 $ bsdtar cJf videos.tar.xz *.mp4 $ ls -l total 11974052 -rw-r--r-- 1 lcl lcl 1799284326 May 13 14:54 LaRouteDIstanbul.mp4 -rw-rw-r-- 1 lcl lcl 215569492 May 13 14:54 pangea.mp4 -rw-r--r-- 1 lcl lcl 996016561 May 13 14:55 TheTeam_1.mp4 -rw-r--r-- 1 lcl lcl 4091618304 May 13 14:48 videos.cpio -rw-r--r-- 1 lcl lcl 4078149280 May 13 15:29 videos.tar.xz -rw-rw-r-- 1 lcl lcl 811535501 May 13 14:55 YosemiteII.mp4 -rw-rw-r-- 1 lcl lcl 269211538 May 13 14:55 yosemite.mp4 Verified the integrity of the mp4 files - some of them. $ rm -rf *.mp4 $ bsdtar xJf videos.tar.xz $ ls LaRouteDIstanbul.mp4 TheTeam_1.mp4 videos.tar.xz yosemite.mp4 pangea.mp4 videos.cpio YosemiteII.mp4 Played a couple of files with vlc. No problems. Used ark to examine isos, tarfiles and zipped files, extracted contents of an iso and a few compressed file archives. Working perfectly. Good for 64-bits. Validating this. Over to sysadmin - thanks.
Whiteboard: has_procedure => has_procedure MGA5-64-OK
Keywords: (none) => validated_updateCC: (none) => sysadmin-bugs
Whiteboard: has_procedure MGA5-64-OK => has_procedure advisory MGA5-64-OK
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2016-0179.html
Status: NEW => RESOLVEDResolution: (none) => FIXED
Wow, good thing we updated this. CVE-2016-8915 through CVE-2016-8934 were also fixed in 3.2.0: http://openwall.com/lists/oss-security/2016/06/17/5
(In reply to David Walser from comment #12) > Wow, good thing we updated this. > > CVE-2016-8915 through CVE-2016-8934 were also fixed in 3.2.0: > http://openwall.com/lists/oss-security/2016/06/17/5 LWN reference: http://lwn.net/Vulnerabilities/694629/
CVE-2016-6250 assigned for more issues fixed in 3.2.0: http://openwall.com/lists/oss-security/2016/07/21/3
(In reply to David Walser from comment #14) > CVE-2016-6250 assigned for more issues fixed in 3.2.0: > http://openwall.com/lists/oss-security/2016/07/21/3 LWN reference: http://lwn.net/Vulnerabilities/695689/
CVE-2015-8918 CVE-2015-8929 also fixed in 3.2.0: http://lwn.net/Vulnerabilities/695807/
CVE-2016-7166 also fixed in 3.2.0: http://www.openwall.com/lists/oss-security/2016/09/08/18
LWN reference for CVE-2015-8915 and CVE-2016-7166: http://lwn.net/Vulnerabilities/700387/
CVE-2015-8927 also fixed in 3.2.0: https://lwn.net/Vulnerabilities/710487/