Bug 3941 - libarchive missing security update for CVE-2011-1777 and CVE-2011-1778
: libarchive missing security update for CVE-2011-1777 and CVE-2011-1778
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
: 1
: All Linux
: Normal Severity: normal
: ---
Assigned To: QA Team
:
:
:
: validated_update
:
:
  Show dependency treegraph
 
Reported: 2011-12-30 03:46 CET by David Walser
Modified: 2012-01-09 15:49 CET (History)
3 users (show)

See Also:
Source RPM: libarchive-2.8.4-2.mga1.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2011-12-30 03:46:01 CET
Mandriva issued this advisory on December 18:
http://lists.mandriva.com/security-announce/2011-12/msg00015.php
Comment 1 Anssi Hannula 2011-12-30 05:10:46 CET
Suggested advisory:
========================
Updated libarchive packages fix security vulnerabilities:

Two heap-based buffer overflow flaws were discovered in libarchive. If
a user were tricked into expanding a specially-crafted ISO 9660
CD-ROM image or tar archive with an application using libarchive,
it could cause the application to crash or, potentially, execute
arbitrary code with the privileges of the user running the application
(CVE-2011-1777, CVE-2011-1778).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1777
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1778
http://www.mandriva.com/en/support/security/advisories/?dis=2011&name=MDVSA-2011:190
========================

Updated packages in core/updates_testing:
=====================
bsdtar-2.8.4-2.1.mga1
bsdcpio-2.8.4-2.1.mga1
lib(64)archive2-2.8.4-2.1.mga1
lib(64)archive-devel-2.8.4-2.1.mga1

from libarchive-2.8.4-2.1.mga1 src.rpm.
=====================

No testcase.
Comment 2 claire robinson 2011-12-31 14:15:27 CET
ark is unable to open ISO's with the updated libarchive for me.
Comment 3 David Walser 2011-12-31 17:56:53 CET
I can confirm the regression with opening ISOs on i586.
Comment 4 Anssi Hannula 2012-01-01 02:35:52 CET
The redhat/mdv patch was broken in several places, I've now fixed it and informed the redhat bugzilla ticket about it:
https://bugzilla.redhat.com/show_bug.cgi?id=705849#c23

I'll also send a note to Mandriva security team.

libarchive-2.8.4-2.2.mga1 now submitted to core/updates_testing, please test (it seems to fix the issues for me).
Comment 5 David Walser 2012-01-01 04:45:04 CET
I can confirm that this update works on i586.  Thanks Anssi (and thanks claire for noticing the bug).
Comment 6 claire robinson 2012-01-05 15:13:16 CET
Testing complete x86_64

SRPM: libarchive-2.8.4-2.2.mga1

Suggested advisory:
========================
Updated libarchive packages fix security vulnerabilities:

Two heap-based buffer overflow flaws were discovered in libarchive. If
a user were tricked into expanding a specially-crafted ISO 9660
CD-ROM image or tar archive with an application using libarchive,
it could cause the application to crash or, potentially, execute
arbitrary code with the privileges of the user running the application
(CVE-2011-1777, CVE-2011-1778).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1777
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1778
http://www.mandriva.com/en/support/security/advisories/?dis=2011&name=MDVSA-2011:190
========================


Could sysadmin please push from core/updates_testing to core/updates

Thankyou!
Comment 7 Thomas Backlund 2012-01-09 15:49:31 CET
update pushed

Note You need to log in before you can comment on or make changes to this bug.