Fedora has updated to libarchive 3.2.2 "mostly for security issues":
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/BO5OJRANS6LE3Q4OKUIMVWNBQKRENMSM/
http://pkgs.fedoraproject.org/cgit/rpms/libarchive.git/commit/?id=51dd9a41d64dda375bddf35e3fb97734c6740ff4

I don't know if there are any additional security fixes beyond what we've already added to the package, but we should at least update Cauldron to 3.2.2.
Cauldron updated in SVN and freeze push request done.
Done for mga5 also.

Suggested advisory:
========================

The updated packages might contain additional security fixes if we missed some other ones when we cherry-picked patches against version 3.2.1.

References:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/BO5OJRANS6LE3Q4OKUIMVWNBQKRENMSM/
========================

Updated packages in core/updates_testing:
========================

i586:
libarchive13-3.2.2-1.mga5.i586.rpm
libarchive-devel-3.2.2-1.mga5.i586.rpm
bsdtar-3.2.2-1.mga5.i586.rpm
bsdcpio-3.2.2-1.mga5.i586.rpm
bsdcat-3.2.2-1.mga5.i586.rpm

x86_64:
lib64archive13-3.2.2-1.mga5.x86_64.rpm
lib64archive-devel-3.2.2-1.mga5.x86_64.rpm
bsdtar-3.2.2-1.mga5.x86_64.rpm
bsdcpio-3.2.2-1.mga5.x86_64.rpm
bsdcat-3.2.2-1.mga5.x86_64.rpm

Source RPMs:
libarchive-3.2.2-1.mga5.src.rpm
========================

Procedure: https://bugs.mageia.org/show_bug.cgi?id=9671#c2
Status: NEW => ASSIGNED
Version: Cauldron => 5
Assignee: nicolas.salguero => qa-bugs
Source RPM: libarchive-3.2.1-4.mga6.src.rpm => libarchive-3.2.1-1.2.mga5.src.rpm
Whiteboard: (none) => has_procedure
Testing Mageia 5 x64 real h/w

bsdcat-3.2.2-1.mga5
bsdcpio-3.2.2-1.mga5
bsdtar-3.2.2-1.mga5
lib64archive13-3.2.2-1.mga5

With Ark [which uses the library]
--------
I probed a large variety of archive formats, many being complex, even archives within archives: tar.gz, deb, rpm, tgz, iso, zip, tar.bz2, tar, cpio. Everything was revealed correctly, and text files at any level could be displayed directly. (As noted on a previous bug, after some complex series of 'opens' Ark crashed on finally exiting. No matter.)
I used Ark to make a simple tar.gz archive, and extracted the result elsewhere: the viewable images therein were OK.

bsdcat
------
I copied then gzipped a text file, which viewed OK with this command. O/P redirected to a file, that file was identical with the original one.
$ gzip archives/testdata.xml [adds .gz suffix]
$ bsdcat archives/testdata.xml.gz [to STDOUT]
$ bsdcat archives/testdata.xml.gz > archives/testdata.xml
$ cmp testdata.xml archives/testdata.xml [identical]
$ diff testdata.xml archives/testdata.xml [identical]

BEWARE with the following utilities *not* to create archives whose contents start with / or ../

bsdcpio
-------
Created a cpio archive of images.
$ find images/ | bsdcpio -o > archives/images.cpio
8856 blocks
Looked at that with Ark, and was able to directly view the image files within Ark.
Listed the archive contents.
$ bsdcpio -itv < archives/images.cpio
drwxr-xr-x 2 lewis lewis 0 Hyd 23 11:23 images/
[then the individual files listed]
8856 blocks
Extracted the archive to another directory; the resulting image files were viewable.
$ cpio -iv < images.cpio [extract to current directory]
images
images/[per individual files]
8856 blocks

bsdtar
------
Created a tar archive of images.
$ bsdtar -c -f archives/images.tar images/
Looked at it with Ark, and was able to view images directly from it.
Listed the archive contents.
$ bsdtar -t -f archives/images.tar images/
[then the individual files listed]
Extracted the archive to another directory and checked viewable images were correct.
$ bsdtar -xv -f images.tar
x images/
x images/[per individual file]

We have tested these packages often. The update is OK.
CC: (none) => lewyssmith
Whiteboard: has_procedure => has_procedure MGA5-64-OK
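The warning in the test report above about archive members starting with / or ../ can be turned into a check that runs before anything is extracted. The following is an added example, not from the bug report or from libarchive: a POSIX sh filter that scans a listing (the output of `bsdtar -tf` or `bsdcpio -it`) for absolute or parent-directory paths, plus a wrapper that assumes `bsdtar` is installed; the sample listings are constructed, not real archives.

```shell
#!/bin/sh
# Added example (not from the bug report or libarchive): refuse archives whose
# member paths could land outside the extraction directory.

# Read one archive member path per line on stdin (e.g. from `bsdtar -tf` or
# `bsdcpio -it`), print each unsafe one, and return 1 if any were found.
unsafe_entries() {
    awk '
        BEGIN { bad = 0 }
        /^\//                                            { print; bad = 1; next }  # absolute path
        /^\.\.$/ || /^\.\.\// || /\/\.\.\// || /\/\.\.$/ { print; bad = 1; next }  # ".." component
        END { exit bad }
    '
}

# Summarise a listing on stdin as "safe" or "unsafe" (handy for scripting).
classify_listing() {
    if unsafe_entries >/dev/null; then echo safe; else echo unsafe; fi
}

# Wrapper around bsdtar (assumed installed): list first, extract only when clean.
# bsdtar already strips a leading "/" and refuses ".." unless -P is given; the
# listing check makes that refusal explicit and works for any libarchive format.
safe_extract() {
    archive=$1; dest=$2
    if bsdtar -tf "$archive" | unsafe_entries; then
        mkdir -p "$dest" && bsdtar -xf "$archive" -C "$dest"
    else
        echo "refusing to extract $archive: unsafe member paths listed above" >&2
        return 1
    fi
}

# Constructed sample listings (not real archives) showing both outcomes.
demo() {
    printf 'images/\nimages/a.png\nimages/b.png\n' | classify_listing       # safe
    printf 'images/\n/etc/passwd\n../x\nimages/../b\n' | classify_listing   # unsafe
}
```

Usage: `safe_extract archives/images.tar /tmp/out` extracts only if the listing is clean, so the same filter covers tar, cpio and zip inputs.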
Advisory uploaded.
Whiteboard: has_procedure MGA5-64-OK => has_procedure MGA5-64-OK advisory
Shall run this in 32bit vbox later on.
CC: (none) => tarazed25
i586 in vbox. Ran the updates.

Using comment 3 as a tutorial, found or created a number of archives in different formats and examined them with ark. No problems in general, images and text files could be previewed and an mp4 video could be played directly from ark.

Typical tests:
Created a cpio archive from images in pool/ and gzipped it. Ark showed thumbnails of the included images. Moved the archive and extracted the files to a new subdirectory.
$ ark -b -a pool.cpio.gz
This created pool/ and copied the images into it.
$ bsdtar -t -f pool.cpio.tar
listed the extracted files.
Also used the ark gui to extract files.

This looks good for i586.
Whiteboard: has_procedure MGA5-64-OK advisory => has_procedure MGA5-64-OK advisory MGA5-32-OK
Validating. Advisory already uploaded.
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2016-0378.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED
URL: (none) => http://lwn.net/Vulnerabilities/706588/