RedHat has issued an advisory on September 12: https://rhn.redhat.com/errata/RHSA-2016-1844.html The patches they added are these two: https://git.centos.org/raw/rpms!libarchive.git/9952851f8b327a8c93d26a5873c190c1fb09ae6c/SOURCES!libarchive-3.1.2-CVE-2016-5418-variation.patch https://git.centos.org/raw/rpms!libarchive.git/9952851f8b327a8c93d26a5873c190c1fb09ae6c/SOURCES!libarchive-3.1.2-CVE-2016-5418.patch Those would need to be rediffed to be used with 3.2.1. Hopefully there are upstream commits with these fixes as well. In fact, it looks like the commits from September 11 may be what we need: https://github.com/libarchive/libarchive/commits/master
CC: (none) => nicolas.salguero, rverscheldeWhiteboard: (none) => MGA5TOO
Assigning to all packagers collectively, since there is no registered maintainer for this package.
CC: (none) => fundawang, marja11, thierry.vignaudAssignee: bugsquad => pkg-bugs
Hi, A commit (on Aug 10, 2016) for issue #744 was already added in Cauldron. When looking at the commits, I found some other ones that might be related to security as well: - Commits on Aug 21, 2016: - Issue #770: Be more careful about extra_length - Issue #767: Buffer overflow printing a filename - Commits on Aug 22, 2016: - Issue #748: Zip decompression failure with highly-compressed data - Issue #744 (part of Issue #743): Enforce sandbox with very long pathnames - Issue #731: Reject tar entries >= INT64_MAX I added all those patches and the one for CVE-2016-5418 and libarchive built locally without any problem (on Mga5). So, do I add all the patches on SVN for Cauldron and Mga5? Best regards, Nico.
Please do, thanks.
Done for Cauldron and Mga5, then. Suggested advisory: ======================== The updated packages fix several security vulnerabilities: A flaw was found in the way libarchive handled hardlink archive entries of non-zero size. Combined with flaws in libarchive's file system sandboxing, this issue could cause an application using libarchive to overwrite arbitrary files with arbitrary data from the archive. (CVE-2016-5418, issues #745 and #746) Very long pathnames evade symlink checks (issue#744) size_t underflow leading to out of bounds heap read in process_extra() / archive_read_support_format_zip.c (issue#770) stack-based buffer overflow in bsdtar_expand_char (util.c) (issue#767) libarchive can compress, but cannot decompress zip some files (issue#748) hang in tar parser (issue#731) References: https://rhn.redhat.com/errata/RHSA-2016-1844.html http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5418 https://github.com/libarchive/libarchive/issues/745 https://github.com/libarchive/libarchive/issues/746 https://github.com/libarchive/libarchive/issues/744 https://github.com/libarchive/libarchive/issues/770 https://github.com/libarchive/libarchive/issues/767 https://github.com/libarchive/libarchive/issues/748 https://github.com/libarchive/libarchive/issues/731 ======================== Updated packages in core/updates_testing: ======================== i586: libarchive13-3.2.1-1.1.mga5.i586.rpm libarchive-devel-3.2.1-1.1.mga5.i586.rpm bsdcat-3.2.1-1.1.mga5.i586.rpm bsdcpio-3.2.1-1.1.mga5.i586.rpm bsdtar-3.2.1-1.1.mga5.i586.rpm x86_64: lib64archive13-3.2.1-1.1.mga5.x86_64.rpm lib64archive-devel-3.2.1-1.1.mga5.x86_64.rpm bsdcat-3.2.1-1.1.mga5.x86_64.rpm bsdcpio-3.2.1-1.1.mga5.x86_64.rpm bsdtar-3.2.1-1.1.mga5.x86_64.rpm Source RPMs: libarchive-3.2.1-1.1.mga5.src.rpm ======================== Procedure: https://bugs.mageia.org/show_bug.cgi?id=9671#c2
Status: NEW => ASSIGNEDVersion: Cauldron => 5Assignee: pkg-bugs => qa-bugsWhiteboard: MGA5TOO => (none)
Whiteboard: (none) => has_procedure
mga5-32 $ ls *.JPG | bsdcpio -ov > jpegs.cpio 100_0764.JPG 100_0765.JPG 100_0766.JPG 100_0767.JPG 100_0768.JPG 100_0769.JPG 100_0770.JPG 100_0771.JPG 100_0772.JPG 100_0773.JPG 100_0774.JPG 21188 blocks $ bsdcpio -it < jpegs.cpio 100_0764.JPG 100_0765.JPG 100_0766.JPG 100_0767.JPG 100_0768.JPG 100_0769.JPG 100_0770.JPG 100_0771.JPG 100_0772.JPG 100_0773.JPG 100_0774.JPG 21188 blocks [brian@localhost 2006-03-26]$ cd ../../tmp [brian@localhost tmp]$ cpio -iv < ~/Pictures/2006-03-26/jpegs.cpio 100_0764.JPG 100_0765.JPG 100_0766.JPG 100_0767.JPG 100_0768.JPG 100_0769.JPG 100_0770.JPG 100_0771.JPG 100_0772.JPG 100_0773.JPG 100_0774.JPG 21188 blocks I pulled up a couple of the pictures - they are displayable with no errors. [brian@localhost tmp]$ bsdtar cJf tarfile.tar.xz *.JPG [brian@localhost tmp]$ ls 100_0764.JPG 100_0767.JPG 100_0770.JPG 100_0773.JPG 100_0765.JPG 100_0768.JPG 100_0771.JPG 100_0774.JPG 100_0766.JPG 100_0769.JPG 100_0772.JPG tarfile.tar.xz [brian@localhost tmp]$ rm *.JPG rm: remove write-protected regular file â100_0771.JPGâ? y [brian@localhost tmp]$ ls tarfile.tar.xz [brian@localhost tmp]$ ---note I didn't use -f so had to answer Y a lot. This is expected [brian@localhost tmp]$ bsdtar xJf tarfile.tar.xz [brian@localhost tmp]$ ls 100_0764.JPG 100_0767.JPG 100_0770.JPG 100_0773.JPG 100_0765.JPG 100_0768.JPG 100_0771.JPG 100_0774.JPG 100_0766.JPG 100_0769.JPG 100_0772.JPG tarfile.tar.xz [brian@localhost tmp]$ I was able to view the pictures without errors.
CC: (none) => brtians1Whiteboard: has_procedure => has_procedure mga5-32-ok
(In reply to Brian Rockwell from comment #5) > mga5-32 > > > $ ls *.JPG | bsdcpio -ov > jpegs.cpio > 100_0764.JPG > 100_0765.JPG > 100_0766.JPG > 100_0767.JPG > 100_0768.JPG > 100_0769.JPG > 100_0770.JPG > 100_0771.JPG > 100_0772.JPG > 100_0773.JPG > 100_0774.JPG > 21188 blocks > > $ bsdcpio -it < jpegs.cpio > 100_0764.JPG > 100_0765.JPG > 100_0766.JPG > 100_0767.JPG > 100_0768.JPG > 100_0769.JPG > 100_0770.JPG > 100_0771.JPG > 100_0772.JPG > 100_0773.JPG > 100_0774.JPG > 21188 blocks > > > [brian@localhost 2006-03-26]$ cd ../../tmp > [brian@localhost tmp]$ cpio -iv < ~/Pictures/2006-03-26/jpegs.cpio > 100_0764.JPG > 100_0765.JPG > 100_0766.JPG > 100_0767.JPG > 100_0768.JPG > 100_0769.JPG > 100_0770.JPG > 100_0771.JPG > 100_0772.JPG > 100_0773.JPG > 100_0774.JPG > 21188 blocks > > I pulled up a couple of the pictures - they are displayable with no errors. > > [brian@localhost tmp]$ bsdtar cJf tarfile.tar.xz *.JPG > [brian@localhost tmp]$ ls > 100_0764.JPG 100_0767.JPG 100_0770.JPG 100_0773.JPG > 100_0765.JPG 100_0768.JPG 100_0771.JPG 100_0774.JPG > 100_0766.JPG 100_0769.JPG 100_0772.JPG tarfile.tar.xz > > [brian@localhost tmp]$ rm *.JPG > rm: remove write-protected regular file â100_0771.JPGâ? y > [brian@localhost tmp]$ ls > tarfile.tar.xz > [brian@localhost tmp]$ > > ---note I didn't use -f so had to answer Y a lot. This is expected > > [brian@localhost tmp]$ bsdtar xJf tarfile.tar.xz > [brian@localhost tmp]$ ls > 100_0764.JPG 100_0767.JPG 100_0770.JPG 100_0773.JPG > 100_0765.JPG 100_0768.JPG 100_0771.JPG 100_0774.JPG > 100_0766.JPG 100_0769.JPG 100_0772.JPG tarfile.tar.xz > [brian@localhost tmp]$ > > I was able to view the pictures without errors. FYI - Thanks Claire for the procedure!!!
$ uname -a Linux localhost 4.4.16-desktop-1.mga5 #1 SMP Tue Jul 26 09:23:40 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux The following 5 packages are going to be installed: - bsdcat-3.2.1-1.1.mga5.x86_64 - bsdcpio-3.2.1-1.1.mga5.x86_64 - bsdtar-3.2.1-1.1.mga5.x86_64 - lib64archive13-3.2.1-1.1.mga5.x86_64 - meta-task-5-28.1.mga5.noarch 168KB of additional disk space will be used. 424KB of packages will be retrieved. $ ls *.JPG | bsdcpio -ov > jpegs.cpio 100_0775.JPG 100_0776.JPG 100_0777.JPG 100_0778.JPG 100_0779.JPG 100_0780.JPG 100_0781.JPG 100_0782.JPG 100_0783.JPG 100_0784.JPG 100_0785.JPG 100_0786.JPG 100_0787.JPG 100_0788.JPG 100_0789.JPG 100_0790.JPG 100_0791.JPG 100_0792.JPG 100_0793.JPG 100_0794.JPG 100_0795.JPG 100_0796.JPG 100_0797.JPG 100_0798.JPG 100_0799.JPG 100_0800.JPG 100_0801.JPG 100_0802.JPG 100_0803.JPG 100_0804.JPG 100_0805.JPG 100_0806.JPG 100_0807.JPG 100_0808.JPG 100_0809.JPG 100_0810.JPG 100_0811.JPG 100_0812.JPG 100_0813.JPG 100_0814.JPG 100_0815.JPG 100_0816.JPG 100_0817.JPG 100_0818.JPG 100_0819.JPG 100_0820.JPG 100_0821.JPG 100_0822.JPG 100_0823.JPG 100_0824.JPG 100_0825.JPG 100_0826.JPG 100_0827.JPG 100_0828.JPG 100_0829.JPG 100_0830.JPG 100_0831.JPG 100_0832.JPG 100_0833.JPG 100_0834.JPG 100_0835.JPG 100_0836.JPG 100_0837.JPG 100_0838.JPG 100_0839.JPG 100_0840.JPG 100_0841.JPG 100_0842.JPG 100_0843.JPG 100_0844.JPG 100_0845.JPG 100_0847.JPG 100_0848.JPG 100_0849.JPG 100_0850.JPG 104665 blocks bsdcpio -it < jpegs.cpio <blah blah blah> 104665 blocks cpio -iv < ~/Pictures/2006-04-06/jpegs.cpio 100_0775.JPG <blah blah blah> 104665 blocks $ bsdtar cJf tarfile.tar.xz *.JPG $ ls 100_0775.JPG 100_0791.JPG 100_0807.JPG 100_0823.JPG 100_0839.JPG 100_0776.JPG 100_0792.JPG 100_0808.JPG 100_0824.JPG 100_0840.JPG 100_0777.JPG 100_0793.JPG 100_0809.JPG 100_0825.JPG 100_0841.JPG 100_0778.JPG 100_0794.JPG 100_0810.JPG 100_0826.JPG 100_0842.JPG 100_0779.JPG 100_0795.JPG 100_0811.JPG 100_0827.JPG 100_0843.JPG 100_0780.JPG 100_0796.JPG 100_0812.JPG 100_0828.JPG 100_0844.JPG 100_0781.JPG 100_0797.JPG 100_0813.JPG 100_0829.JPG 100_0845.JPG 100_0782.JPG 100_0798.JPG 100_0814.JPG 100_0830.JPG 100_0847.JPG 100_0783.JPG 100_0799.JPG 100_0815.JPG 100_0831.JPG 100_0848.JPG 100_0784.JPG 100_0800.JPG 100_0816.JPG 100_0832.JPG 100_0849.JPG 100_0785.JPG 100_0801.JPG 100_0817.JPG 100_0833.JPG 100_0850.JPG 100_0786.JPG 100_0802.JPG 100_0818.JPG 100_0834.JPG tarfile.tar.xz 100_0787.JPG 100_0803.JPG 100_0819.JPG 100_0835.JPG 100_0788.JPG 100_0804.JPG 100_0820.JPG 100_0836.JPG 100_0789.JPG 100_0805.JPG 100_0821.JPG 100_0837.JPG 100_0790.JPG 100_0806.JPG 100_0822.JPG 100_0838.JPG $ rm -f *.JPG $ ls tarfile.tar.xz $ bsdtar xJf tarfile.tar.xz $ ls 100_0775.JPG 100_0791.JPG 100_0807.JPG 100_0823.JPG 100_0839.JPG 100_0776.JPG 100_0792.JPG 100_0808.JPG 100_0824.JPG 100_0840.JPG 100_0777.JPG 100_0793.JPG 100_0809.JPG 100_0825.JPG 100_0841.JPG 100_0778.JPG 100_0794.JPG 100_0810.JPG 100_0826.JPG 100_0842.JPG 100_0779.JPG 100_0795.JPG 100_0811.JPG 100_0827.JPG 100_0843.JPG 100_0780.JPG 100_0796.JPG 100_0812.JPG 100_0828.JPG 100_0844.JPG 100_0781.JPG 100_0797.JPG 100_0813.JPG 100_0829.JPG 100_0845.JPG 100_0782.JPG 100_0798.JPG 100_0814.JPG 100_0830.JPG 100_0847.JPG 100_0783.JPG 100_0799.JPG 100_0815.JPG 100_0831.JPG 100_0848.JPG 100_0784.JPG 100_0800.JPG 100_0816.JPG 100_0832.JPG 100_0849.JPG 100_0785.JPG 100_0801.JPG 100_0817.JPG 100_0833.JPG 100_0850.JPG 100_0786.JPG 100_0802.JPG 100_0818.JPG 100_0834.JPG tarfile.tar.xz 100_0787.JPG 100_0803.JPG 100_0819.JPG 100_0835.JPG 100_0788.JPG 100_0804.JPG 100_0820.JPG 100_0836.JPG 100_0789.JPG 100_0805.JPG 100_0821.JPG 100_0837.JPG 100_0790.JPG 100_0806.JPG 100_0822.JPG 100_0838.JPG confirmed pictures are viewable
Whiteboard: has_procedure mga5-32-ok => has_procedure mga5-32-ok mga5-64-ok
Keywords: (none) => validated_updateCC: (none) => sysadmin-bugs
Ah, it does not look as if 'bsdcat' was tested. This is essentially the same as zcat. It only (?) seems to apply to *.gz compressed character files. The man page is vague: "expand files to standard output", but the only examples show .gz . I tried it on a zipped character file, and only got rubbish. Ark uses lib[64]archive13. Testing 'bsdcat' & Ark on M5 x64, Mate desktop. BEFORE update: bsdtar-3.2.1-1.mga5 bsdcpio-3.2.1-1.mga5 bsdcat-3.2.1-1.mga5 lib64archive13-3.2.1-1.mga5 Played with Ark on various archives (open only), tried bsdcat. No problems. AFTER update to version 3.2.1-1.1: Tried Ark (open only) on a huge variety of archives: tar.xz, 7z, tar, tar.bz2, tar.gz, zip, iso, rpm, deb, cpio; all opened OK, including archives within archives. I found an obscure and trivial Ark bug whereby if it has opened a compressed archive within a deb file, it continues to work OK, but crashes when you eventually exit. Specifically tried: deb/tar.gz, deb/tar.xz . I cannot confirm this before update, and it does not warrant stopping the update. A new bug perhaps. For bsdcat, where poedit.po is a large text file: $ cp poedit.po poedit2.po [because gzip ovewrites the original] $ gzip poedit2.po [creates poedit2.po.gz] $ bsdcat poedit2.po.gz > popo2 [popo2 should be the same as the original] $ diff poedit.po popo2 [no difference] which is OK.
CC: (none) => lewyssmith
Advisory uploaded.
Whiteboard: has_procedure mga5-32-ok mga5-64-ok => has_procedure mga5-32-ok mga5-64-ok advisory
Nicolas, there are a few more security-related commits in git now from September 18, and now there's a post saying all issues have been fixed: http://openwall.com/lists/oss-security/2016/09/19/2 Could you include those additional commits and resubmit this?
Also, the original CVE issue had to do with hardlinks, so at this commit from September 11 which you didn't already include may be security-related: https://github.com/libarchive/libarchive/commit/9f0dee226163de2490510fd258fbd9547a032f16
I added the 3 commits in Cauldron and Mga5. Updated packages in core/updates_testing: ======================== i586: libarchive13-3.2.1-1.2.mga5.i586.rpm libarchive-devel-3.2.1-1.2.mga5.i586.rpm bsdcat-3.2.1-1.2.mga5.i586.rpm bsdcpio-3.2.1-1.2.mga5.i586.rpm bsdtar-3.2.1-1.2.mga5.i586.rpm x86_64: lib64archive13-3.2.1-1.2.mga5.x86_64.rpm lib64archive-devel-3.2.1-1.2.mga5.x86_64.rpm bsdcat-3.2.1-1.2.mga5.x86_64.rpm bsdcpio-3.2.1-1.2.mga5.x86_64.rpm bsdtar-3.2.1-1.2.mga5.x86_64.rpm Source RPMs: libarchive-3.2.1-1.2.mga5.src.rpm
We should also add to the advisory: Out of bounds read in mtree parser (issue#747) heap-based buffer overflow in read_Header (archive_read_support_format_7zip.c) (issue#761)
Back to QA for a little more testing (please add the advisory bits from Comment 13 in SVN also).
Keywords: validated_update => (none)Whiteboard: has_procedure mga5-32-ok mga5-64-ok advisory => has_procedure
Testing M5 x64 with:
Testing M5 x64 with: bsdcat-3.2.1-1.2.mga5 bsdcpio-3.2.1-1.2.mga5 bsdtar-3.2.1-1.2.mga5 lib64archive13-3.2.1-1.2.mga5 bsdcat ------ $ cp poedit.po poedit2.po $ gzip poedit2.po $ bsdcat poedit2.po.gz > popo2 $ diff poedit.po popo2 $ cmp poedit.po popo2
continued...[this is getting on my nerves] [poedit.po is a large text file] The 'diff' & 'cmp' above show that the O/P of the gz file from bsdcat is identical to the original uncompressed file. $ rm poedit2.po.gz [remove the working duplicate] $ rm popo2 [& this] OK. I used Ark to inspect archives produced by bsdcpio & bsdtar, thus testing it (lib64archive13) also. This included looking directly at individual viewable files. bsdcpio ------- Extract/List an existing cpio archive: $ bsdcpio -itv < /mnt/common/finance/cyfrifon.cpio -rwxrwxrwx 1 root root 21868 Aws 23 2001 arian00.mm4 etc etc. O/P correct. Extract/List an existing tar archive: $ bsdcpio -itv < bsdtar.tar drwx------ 0 lewis lewis 0 Med 24 09:35 mnt/common/tmp/ -rw-r--r-- 0 lewis lewis 27093 Gor 30 20:51 mnt/common/tmp/megabusLimLon.png drwxr-xr-x 0 lewis lewis 0 Ion 3 2016 mnt/common/tmp/ISIS/ etc etc. Looks OK. Create an archive: $ find /mnt/common/tmp/ | bsdcpio -ov > bsdcpio.cpio /mnt/common/tmp/ /mnt/common/tmp/megabusLimLon.png /mnt/common/tmp/ISIS etc etc. Archives such as this with absolute pathnames (/...) curiously are *not* handled by Ark. So try again: $ cd /mnt/common/tmp/ $ find . | bsdcpio -ov > ~/tmp/bsdcpio.cpio . ./megabusLimLon.png ./ISIS etc etc. Confirmed OK with Ark. Read an archive: $ bsdcpio -itv -F ~/tmp/bsdcpio.cpio drwx------ 3 lewis lewis 0 Med 24 09:35 . -rw-r--r-- 1 lewis lewis 27093 Gor 30 20:51 ./megabusLimLon.png drwxr-xr-x 2 lewis lewis 0 Ion 3 2016 ./ISIS etc etc. OK. $ rm ~/tmp/bsdcpio.cpio [Remove this] bsdtar ------ Create a straight 'tar' archive: $ bsdtar -cf tmp/bsdtar.tar /mnt/common/tmp/ bsdtar: Removing leading '/' from member names Result OK with Ark. Create a 'bzip2' archive: $ bsdtar -cjf tmp/bsdtar.tar.bz2 /mnt/common/tmp/ bsdtar: Removing leading '/' from member names Result OK with Ark. Create an 'xz' archive: $ bsdtar -cJf tmp/bsdtar.tar.xz /mnt/common/tmp/ bsdtar: lzma compression failed: lzma_code() call returned status 11 This failure only occured once, thereafter the same thing worked: $ bsdtar -cJf tmp/bsdtar.tar.xz /mnt/common/tmp/ bsdtar: Removing leading '/' from member names Read a 'tar' archive: $ bsdtar -tvf bsdtar.tar drwx------ 0 lewis lewis 0 Med 24 09:35 mnt/common/tmp/ -rw-r--r-- 0 lewis lewis 27093 Gor 30 20:51 mnt/common/tmp/megabusLimLon.png drwxr-xr-x 0 lewis lewis 0 Ion 3 2016 mnt/common/tmp/ISIS/ etc etc. OK. Read a 'bzip2' archive: $ bsdtar -tvf bsdtar.tar.bz2 drwx------ 0 lewis lewis 0 Med 24 09:35 mnt/common/tmp/ -rw-r--r-- 0 lewis lewis 27093 Gor 30 20:51 mnt/common/tmp/megabusLimLon.png drwxr-xr-x 0 lewis lewis 0 Ion 3 2016 mnt/common/tmp/ISIS/ etc etc. OK. Read an 'xz' archive: $ bsdtar -tvf bsdtar.tar.xz drwx------ 0 lewis lewis 0 Med 24 09:35 mnt/common/tmp/ -rw-r--r-- 0 lewis lewis 27093 Gor 30 20:51 mnt/common/tmp/megabusLimLon.png drwxr-xr-x 0 lewis lewis 0 Ion 3 2016 mnt/common/tmp/ISIS/ etc etc. OK. Ark/lib64archive13-3.2.1-1.2 ---------------------------- Used Ark to open and probe a large variety of archives, including nested ones, and viewing directly suitable (image, PDF, text) individual files therein. iso, zip/iso, tar.bz2, deb/tar.gz, tar, zip, tar.gz, rpm, deb/tar.xz/gz, 7z. The very obscure & trivial bug noted in Comment 8 is still there; forget it; and the dislike of absolute pathnames in some archives, which is its normal behaviour. All round this is impressive and OK.
Whiteboard: has_procedure => has_procedure MGA5-64-OK
Linux localhost 4.4.16-desktop-1.mga5 #1 SMP Tue Jul 26 10:34:04 UTC 2016 i686 i686 i686 GNU/Linux The following 4 packages are going to be installed: - bsdcat-3.2.1-1.2.mga5.i586 - bsdcpio-3.2.1-1.2.mga5.i586 - bsdtar-3.2.1-1.2.mga5.i586 - libarchive13-3.2.1-1.2.mga5.i586 4B of disk space will be freed. 440KB of packages will be retrieved. $ ls -1 *.JPG | wc -l 24 $ ls *.JPG | bsdcpio -ov > jpegs.cpio 24 loaded 223383 blocks $ bsdcpio -it < jpegs.cpio | wc -l 223383 blocks 24 $ cpio -iv < ../jpegs.cpio Roll1_A114562-R1-00-1A.JPG Roll1_A114562-R1-01-2A.JPG Roll1_A114562-R1-02-3A.JPG Roll1_A114562-R1-03-4A.JPG Roll1_A114562-R1-04-5A.JPG Roll1_A114562-R1-05-6A.JPG Roll1_A114562-R1-06-7A.JPG Roll1_A114562-R1-07-8A.JPG Roll1_A114562-R1-08-9A.JPG Roll1_A114562-R1-09-10A.JPG Roll1_A114562-R1-10-11A.JPG Roll1_A114562-R1-11-12A.JPG Roll1_A114562-R1-12-13A.JPG Roll1_A114562-R1-13-14A.JPG Roll1_A114562-R1-14-15A.JPG Roll1_A114562-R1-15-16A.JPG Roll1_A114562-R1-16-17A.JPG Roll1_A114562-R1-17-18A.JPG Roll1_A114562-R1-18-19A.JPG Roll1_A114562-R1-19-20A.JPG Roll1_A114562-R1-20-21A.JPG Roll1_A114562-R1-21-22A.JPG Roll1_A114562-R1-22-23A.JPG Roll1_A114562-R1-23-24A.JPG 223383 blocks $ ls -1 *.JPG | wc -l 24 $ bsdtar cJf tarfile.tar.xz *.JPG $ ls Roll1_A114562-R1-00-1A.JPG Roll1_A114562-R1-13-14A.JPG Roll1_A114562-R1-01-2A.JPG Roll1_A114562-R1-14-15A.JPG Roll1_A114562-R1-02-3A.JPG Roll1_A114562-R1-15-16A.JPG Roll1_A114562-R1-03-4A.JPG Roll1_A114562-R1-16-17A.JPG Roll1_A114562-R1-04-5A.JPG Roll1_A114562-R1-17-18A.JPG Roll1_A114562-R1-05-6A.JPG Roll1_A114562-R1-18-19A.JPG Roll1_A114562-R1-06-7A.JPG Roll1_A114562-R1-19-20A.JPG Roll1_A114562-R1-07-8A.JPG Roll1_A114562-R1-20-21A.JPG Roll1_A114562-R1-08-9A.JPG Roll1_A114562-R1-21-22A.JPG Roll1_A114562-R1-09-10A.JPG Roll1_A114562-R1-22-23A.JPG Roll1_A114562-R1-10-11A.JPG Roll1_A114562-R1-23-24A.JPG Roll1_A114562-R1-11-12A.JPG tarfile.tar.xz Roll1_A114562-R1-12-13A.JPG $ rm -f *.JPG $ ls tarfile.tar.xz $ ls Roll1_A114562-R1-00-1A.JPG Roll1_A114562-R1-13-14A.JPG Roll1_A114562-R1-01-2A.JPG Roll1_A114562-R1-14-15A.JPG Roll1_A114562-R1-02-3A.JPG Roll1_A114562-R1-15-16A.JPG Roll1_A114562-R1-03-4A.JPG Roll1_A114562-R1-16-17A.JPG Roll1_A114562-R1-04-5A.JPG Roll1_A114562-R1-17-18A.JPG Roll1_A114562-R1-05-6A.JPG Roll1_A114562-R1-18-19A.JPG Roll1_A114562-R1-06-7A.JPG Roll1_A114562-R1-19-20A.JPG Roll1_A114562-R1-07-8A.JPG Roll1_A114562-R1-20-21A.JPG Roll1_A114562-R1-08-9A.JPG Roll1_A114562-R1-21-22A.JPG Roll1_A114562-R1-09-10A.JPG Roll1_A114562-R1-22-23A.JPG Roll1_A114562-R1-10-11A.JPG Roll1_A114562-R1-23-24A.JPG Roll1_A114562-R1-11-12A.JPG tarfile.tar.xz Roll1_A114562-R1-12-13A.JPG confirmed pictures are viewable
Whiteboard: has_procedure MGA5-64-OK => has_procedure MGA5-64-OK MGA5-32-OK
Keywords: (none) => validated_update
Update ID assignment failed Checking for QA validation keyword⦠â Checking dependent bugs⦠â (None found) Checking SRPMs⦠â (5/core/libarchive-3.2.1-1.1.mga5) 'validated_update' keyword reset.
Keywords: validated_update => (none)
src is libarchive-3.2.1-1.2.mga5.src.rpm
Keywords: (none) => validated_updateCC: (none) => mageia
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2016-0318.html
Status: ASSIGNED => RESOLVEDResolution: (none) => FIXED
Thanks for pushing this, but the reason the SRPM was wrong (and this is usually the case when this happens) is the build was updated, and the advisory text was updated. The additional text from Comment 13 should have been added to the advisory in SVN and wasn't. Please add it. Something similar happened with the mariadb update recently when someone failed to update the advisory text in SVN.
ok done.
(In reply to David Walser from comment #22) > Thanks for pushing this, but the reason the SRPM was wrong (and this is > usually the case when this happens) is the build was updated, and the > advisory text was updated. The additional text from Comment 13 should have > been added to the advisory in SVN and wasn't. Please add it. (In reply to Nicolas Lécureuil from comment #23) > ok done. I did the original advisory, and was ready to do the updates to it mentioned in Comment 13 once this update got validated 2nd time round (& I had the time). Nicolas L kindly jumped in ahead of me; it was not forgotten.
(In reply to David Walser from comment #10) > Nicolas, there are a few more security-related commits in git now from > September 18, and now there's a post saying all issues have been fixed: > http://openwall.com/lists/oss-security/2016/09/19/2 - CVE-2016-8687 is Issue #767 - CVE-2016-8688 is Issue #747 - CVE-2016-8689 is Issue #761 http://openwall.com/lists/oss-security/2016/10/16/11
*** Bug 19606 has been marked as a duplicate of this bug. ***
(In reply to David Walser from comment #25) > (In reply to David Walser from comment #10) > > Nicolas, there are a few more security-related commits in git now from > > September 18, and now there's a post saying all issues have been fixed: > > http://openwall.com/lists/oss-security/2016/09/19/2 > > - CVE-2016-8687 is Issue #767 > - CVE-2016-8688 is Issue #747 > - CVE-2016-8689 is Issue #761 > > http://openwall.com/lists/oss-security/2016/10/16/11 LWN reference: http://lwn.net/Vulnerabilities/703866/