Mandriva issued this advisory on December 18: http://lists.mandriva.com/security-announce/2011-12/msg00015.php
Suggested advisory:
========================

Updated libarchive packages fix security vulnerabilities:

Two heap-based buffer overflow flaws were discovered in libarchive. If a user were tricked into expanding a specially-crafted ISO 9660 CD-ROM image or tar archive with an application using libarchive, it could cause the application to crash or, potentially, execute arbitrary code with the privileges of the user running the application (CVE-2011-1777, CVE-2011-1778).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1777
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1778
http://www.mandriva.com/en/support/security/advisories/?dis=2011&name=MDVSA-2011:190
========================

Updated packages in core/updates_testing:
=====================
bsdtar-2.8.4-2.1.mga1
bsdcpio-2.8.4-2.1.mga1
lib(64)archive2-2.8.4-2.1.mga1
lib(64)archive-devel-2.8.4-2.1.mga1

from libarchive-2.8.4-2.1.mga1 src.rpm.
=====================

No testcase.

Status: NEW => ASSIGNED
CC: (none) => anssi.hannula
Assignee: bugsquad => qa-bugs
ark is unable to open ISOs with the updated libarchive for me.
I can confirm the regression with opening ISOs on i586.
The redhat/mdv patch was broken in several places. I've now fixed it and informed the redhat bugzilla ticket about it:
https://bugzilla.redhat.com/show_bug.cgi?id=705849#c23

I'll also send a note to Mandriva security team.

libarchive-2.8.4-2.2.mga1 now submitted to core/updates_testing, please test (it seems to fix the issues for me).
I can confirm that this update works on i586. Thanks Anssi (and thanks claire for noticing the bug).
Testing complete x86_64

SRPM: libarchive-2.8.4-2.2.mga1

Suggested advisory:
========================

Updated libarchive packages fix security vulnerabilities:

Two heap-based buffer overflow flaws were discovered in libarchive. If a user were tricked into expanding a specially-crafted ISO 9660 CD-ROM image or tar archive with an application using libarchive, it could cause the application to crash or, potentially, execute arbitrary code with the privileges of the user running the application (CVE-2011-1777, CVE-2011-1778).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1777
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1778
http://www.mandriva.com/en/support/security/advisories/?dis=2011&name=MDVSA-2011:190
========================

Could sysadmin please push from core/updates_testing to core/updates?

Thank you!

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Hardware: i586 => All
update pushed
Status: ASSIGNED => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED