Debian-LTS has issued an advisory today (January 31):
https://lwn.net/Alerts/713127/

The upstream commit is linked from here:
https://security-tracker.debian.org/tracker/CVE-2017-5601

Mageia 5 is also affected.
Whiteboard: (none) => MGA5TOO
Suggested advisory:
========================

The updated packages fix a security vulnerability:

An error in the lha_read_file_header_1() function (archive_read_support_format_lha.c) in libarchive 3.2.2 allows remote attackers to trigger an out-of-bounds read memory access and subsequently cause a crash via a specially crafted archive. (CVE-2017-5601)

References:
https://lwn.net/Alerts/713127/
https://security-tracker.debian.org/tracker/CVE-2017-5601
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5601
========================

Updated packages in core/updates_testing:
========================
lib(64)archive13-3.2.2-1.1.mga5
lib(64)archive-devel-3.2.2-1.1.mga5
bsdtar-3.2.2-1.1.mga5
bsdcpio-3.2.2-1.1.mga5
bsdcat-3.2.2-1.1.mga5

from SRPMS:
libarchive-3.2.2-1.1.mga5.src.rpm

Status: NEW => ASSIGNED
Version: Cauldron => 5
Assignee: nicolas.salguero => qa-bugs
Whiteboard: MGA5TOO => (none)

CC: (none) => davidwhodgins
Whiteboard: (none) => advisory
MGA5-32 on Asus A6000VM Xfce
No installation issues
At CLI:
$ strace -o libarchive.txt engrampa
created an empty test.tar.gz archive and added a folder to it having 39 subfolders and 620 files of all sorts (odt, doc, ods, xlsx, odp, jpeg, png, pnm, pdf and some more)
Found numerous calls to libarchive in the trace
Moved the test.tar.gz archive to another folder, and extracted there.
Found all folders back, opened some folders of different types, no problem found.

CC: (none) => herman.viaene
Whiteboard: advisory => advisory MGA5-32-OK
Similar testing on my x86_64 system. Validating the update
CC: (none) => sysadmin-bugs
Whiteboard: advisory MGA5-32-OK => advisory MGA5-32-OK MGA5-64-OK
Keywords: (none) => validated_update

An update for this issue has been pushed to the Mageia Updates repository.
http://advisories.mageia.org/MGASA-2017-0056.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED