A security issue fixed upstream in libarchive was announced on September 6:
http://openwall.com/lists/oss-security/2017/09/06/5
The message above contains a link to the commit that fixed the issue.
Assignee: bugsquad => pkg-bugs
CC: (none) => nicolas.salguero
Whiteboard: (none) => MGA6TOO, MGA5TOO
Pushed in updates_testing src.rpm:
libarchive-3.2.2-1.4.mga5
libarchive-3.3.1-1.1.mga6
Whiteboard: MGA6TOO, MGA5TOO => MGA5TOO
Assignee: pkg-bugs => qa-bugs
Version: Cauldron => 6
CC: (none) => mageia
Advisory:
========================

Updated libarchive packages fix security vulnerability:

Heap-based buffer overflow in xml_data() in archive_read_support_format_xar.c (CVE-2017-14166).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14166
http://openwall.com/lists/oss-security/2017/09/06/5
========================

Updated packages in core/updates_testing:
========================
libarchive13-3.2.2-1.4.mga5
libarchive-devel-3.2.2-1.4.mga5
bsdtar-3.2.2-1.4.mga5
bsdcpio-3.2.2-1.4.mga5
bsdcat-3.2.2-1.4.mga5
libarchive13-3.3.1-1.1.mga6
libarchive-devel-3.3.1-1.1.mga6
bsdtar-3.3.1-1.1.mga6
bsdcpio-3.3.1-1.1.mga6
bsdcat-3.3.1-1.1.mga6

from SRPMS:
libarchive-3.2.2-1.4.mga5.src.rpm
libarchive-3.3.1-1.1.mga6.src.rpm
Installed and tested without issues. Tested using bsdtar and ark. Confirmed, using strace, that both use the libarchive.so.13 library.

Tests:
- Created, added, deleted files from compressed (gzip, bzip2, xz) tarballs with both ark and bsdtar.
- Tested, using GNU tar, the tarballs created with bsdtar and ark.
- Extracted tarballs and compared (using diff -r) the extracted files with the original files.
- Tested dozens of tarballs on the system with bsdtar (see commands below).

System: Mageia 5, x86_64, Intel CPU.

$ uname -a
Linux marte 4.4.82-desktop-1.mga5 #1 SMP Sun Aug 13 18:03:58 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux

$ rpm -q bsdtar lib64archive13 ark
bsdtar-3.2.2-1.4.mga5
lib64archive13-3.2.2-1.4.mga5
ark-4.14.3-1.mga5

$ find ~/ -ipath '*.tar' -print -exec bsdtar tf '{}' ';' > /dev/null
$ find ~/ -ipath '*.tar.gz' -print -exec bsdtar tfz '{}' ';' > /dev/null
$ find ~/ -ipath '*.tar.bz2' -print -exec bsdtar tfj '{}' ';' > /dev/null
$ # all tarballs tested OK
CC: (none) => mageia
Whiteboard: MGA5TOO => MGA5TOO MGA5-64-OK
MGA5-32 on Asus A6000VM Xfce

No installation issues.

At CLI as normal user:

$ cd Documenten    -- Dutch installation
$ strace -o libarch.txt bsdtar -c -f ~/archtar ~/Afbeeldingen/
bsdtar: Removing leading '/' from member names

archtar created at my home, OK as expected. libarch.txt shows call to libarch as expected, BUT opened archtar with engrampa and found it contained the whole /home, which I did not expect.
My mistake or .....?
CC: (none) => herman.viaene
mga6_64

$ uname -a
Linux localhost 4.9.43-desktop-1.mga6 #1 SMP Sun Aug 13 15:52:35 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux

Rpmdrake or one of its priority dependencies needs to be updated first. Rpmdrake will then restart.

The following 9 packages are going to be installed:
- bsdcat-3.3.1-1.1.mga6.x86_64
- bsdcpio-3.3.1-1.1.mga6.x86_64
- bsdtar-3.3.1-1.1.mga6.x86_64
- lib64archive13-3.3.1-1.1.mga6.x86_64
- lib64rpm7-4.13.0.1-3.1.mga6.x86_64
- lib64rpmsign7-4.13.0.1-3.1.mga6.x86_64
- python2-rpm-4.13.0.1-3.1.mga6.x86_64
- python3-rpm-4.13.0.1-3.1.mga6.x86_64
- rpm-4.13.0.1-3.1.mga6.x86_64

181KB of additional disk space will be used.
1.3MB of packages will be retrieved.
Is it ok to continue?
------------

I ran bsdcpio to create a cpio file with text in it. Also ran bsdcat. It seemed to work.
Whiteboard: MGA5TOO MGA5-64-OK => MGA5TOO MGA5-64-OK MGA6-64-OK
CC: (none) => brtians1
MGA6-32 on Asus A6000VM MATE

No installation issues.

As normal user at CLI:

$ cd Afbeeldingen/    -- Pictures
$ strace -o ~/Documenten/libarch.txt bsdtar -c -f ~/archtar *

Trace shows libarchive, archtar is generated at my home directory. Checking contents of archtar shows correct directory and files from Afbeeldingen.
OK for me. Will repeat this form of the bsdtar command for M5.
Whiteboard: MGA5TOO MGA5-64-OK MGA6-64-OK => MGA5TOO MGA5-64-OK MGA6-64-OK MGA6-32-OK
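The QA comments above describe the same round-trip test by hand: build a tarball with bsdtar, check that the archiver is really going through libarchive, extract, and diff against the originals. The script below is an added example written for this page, not something from the bug report or from the libarchive project; it automates that check for a tar implementation of your choice (the binary name and the compression method are parameters, and the sample file tree is constructed inside a temporary directory). It archives with -C relative to the source directory so that member names are relative paths rather than the stripped absolute path of the home directory, which is why the listing in engrampa shows the full /home hierarchy when an absolute path is given.

```shell
#!/bin/sh
# Added QA example (not from the bug report or the libarchive project).
# Round-trips a constructed file tree through a tar implementation and
# verifies that the extracted tree matches the original with diff -r.
#
# Usage: roundtrip_check <tar-binary> <compression>
#   <tar-binary>   assumed to be on PATH, e.g. bsdtar or tar
#   <compression>  one of: none, gzip, bzip2, xz
# Returns 0 on a clean round trip, 1 on a failure, 2 on bad arguments.
roundtrip_check() {
    tarbin=$1
    comp=${2:-none}
    case "$comp" in
        none)  flag="";  ext="tar" ;;
        gzip)  flag="z"; ext="tar.gz" ;;
        bzip2) flag="j"; ext="tar.bz2" ;;
        xz)    flag="J"; ext="tar.xz" ;;
        *) echo "unknown compression: $comp" >&2; return 2 ;;
    esac

    work=$(mktemp -d) || return 2

    # Constructed sample tree: two text files and a nested binary file.
    mkdir -p "$work/src/sub"
    printf 'hello\n' > "$work/src/a.txt"
    printf 'world\n' > "$work/src/sub/b.txt"
    dd if=/dev/zero of="$work/src/sub/zeros.bin" bs=1024 count=4 2>/dev/null

    archive="$work/test.$ext"

    # Create the archive relative to the source directory (-C) so that
    # member names are "./a.txt", not "home/user/.../a.txt".
    "$tarbin" -c${flag}f "$archive" -C "$work/src" . || { rm -rf "$work"; return 1; }

    # Listing exercises the read path; both bsdtar and GNU tar detect
    # the compression of an existing archive on read.
    "$tarbin" -tf "$archive" > /dev/null || { rm -rf "$work"; return 1; }

    # Extract into a fresh directory and compare with the original tree.
    mkdir "$work/out"
    "$tarbin" -x${flag}f "$archive" -C "$work/out" || { rm -rf "$work"; return 1; }

    if diff -r "$work/src" "$work/out" > /dev/null; then
        status=0
    else
        status=1
    fi
    rm -rf "$work"
    return $status
}

# When invoked with a tar binary as argument, run every compression variant.
if [ "$#" -gt 0 ]; then
    for c in none gzip bzip2 xz; do
        if roundtrip_check "$1" "$c"; then
            echo "$1 $c OK"
        else
            echo "$1 $c FAIL"
        fi
    done
fi
```

Run it as `sh roundtrip.sh bsdtar` on the updated system, then again with `tar` to cross-check that GNU tar reads what bsdtar wrote; wrapping the bsdtar invocation in `strace -e trace=openat` (as the comments above do) confirms that the library actually loaded is the updated libarchive.so.13.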
MGA-32, test as per Comment 6 is OK also here.
Whiteboard: MGA5TOO MGA5-64-OK MGA6-64-OK MGA6-32-OK => MGA5TOO MGA5-64-OK MGA6-64-OK MGA6-32-OK MGA5-32-OK
Keywords: (none) => advisory, validated_update
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository.
http://advisories.mageia.org/MGASA-2017-0337.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED