Your message dated Sat, 07 Mar 2020 15:20:18 +0000
with message-id <[email protected]>
and subject line Bug#951759: fixed in libarchive 3.4.0-2
has caused the Debian Bug report #951759,
regarding libarchive: CVE-2020-9308
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
951759: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=951759
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: libarchive
Version: 3.4.0-1
Severity: important
Tags: security upstream
Forwarded: https://github.com/libarchive/libarchive/pull/1326
Hi,
The following vulnerability was published for libarchive.
CVE-2020-9308[0]:
| archive_read_support_format_rar5.c in libarchive before 3.4.2 attempts
| to unpack a RAR5 file with an invalid or corrupted header (such as a
| header size of zero), leading to a SIGSEGV or possibly unspecified
| other impact.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2020-9308
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9308
[1] https://github.com/libarchive/libarchive/pull/1326
[2] https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=20459
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: libarchive
Source-Version: 3.4.0-2
Done: Peter Pentchev <[email protected]>
We believe that the bug you reported is fixed in the latest version of
libarchive, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Peter Pentchev <[email protected]> (supplier of updated libarchive package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sat, 07 Mar 2020 16:28:00 +0200
Source: libarchive
Architecture: source
Version: 3.4.0-2
Distribution: unstable
Urgency: medium
Maintainer: Peter Pentchev <[email protected]>
Changed-By: Peter Pentchev <[email protected]>
Closes: 951759 953140
Changes:
libarchive (3.4.0-2) unstable; urgency=medium
.
* Declare compliance with Debian Policy 4.5.0 with no changes.
* Add the year 2020 to my debian/* copyright notice.
* Add the CVE-2020-9308 patch - invalid RAR5 headers. (Closes: #951759)
* Make the autopkgtests cross-test-friendly. (Closes: #953140)
Checksums-Sha1:
40bef80cfd35071ad6b77e5c4b3e72d10862fe0c 2502 libarchive_3.4.0-2.dsc
1052c10d342a09e73c5d2c7c7cf9f75627ce61ee 39152 libarchive_3.4.0-2.debian.tar.xz
d696a3078e5848d4bd43b89facee74f30a580fba 7371
libarchive_3.4.0-2_amd64.buildinfo
Checksums-Sha256:
3a996abb332e4ccdfd6b6561644fc8e0bf2aa416a3505cc93590204448591774 2502
libarchive_3.4.0-2.dsc
05018aeb9729d8bd4ece1ebfea0d7eb647e11d00c097abdc759dcb78ad7c538e 39152
libarchive_3.4.0-2.debian.tar.xz
0e21bbfb09156d560ccda610ac2ffde3249c46726b9c41cc92b9fefbed8c47e1 7371
libarchive_3.4.0-2_amd64.buildinfo
Files:
77a2a2c716348b4465e8b85d41cdcf87 2502 libs optional libarchive_3.4.0-2.dsc
eb9b0499bf6647a9e787127badccdc78 39152 libs optional
libarchive_3.4.0-2.debian.tar.xz
3875da438954961ef0902a04a87d17d8 7371 libs optional
libarchive_3.4.0-2_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEELuenpRf8EkzxFcNUZR7vsCUn3xMFAl5jsTkACgkQZR7vsCUn
3xMzPBAAkXvwwrxk2wl39B9bPcpLKGElXe4pIGiWkxdSkitEFiCenkNVOJB6akCD
lf64HnQLggpDPstUmyGccBOgJXLmS7mlmCuHD67UkT+u5/QAffw8Q7ctHyE8sm8L
j2chyC0i70kEeahcjgWAqtEAjtHDiKXfb36t7C29ySFrx0TbFSvZc7ZDA1LKseHm
xIvjzfcWEqrX3CjH/f2GPKdjCDSO9aQJGPtIPUN5R6SSZmJicuAVm81undJJb+tO
rHZ8YRjCoRF8wr4688wZg/Psl7LNgiBtXtnGSCPeTb1AV3uudy4GxuAph07v09YC
vku0bMXfpB3d4Y306mmwE84CDjVQgtChTDzK406thAf8Cfw+YcKZolKwxTA7uHy/
xofY9kxIp42W6ePro0c6qKnuVm/ZHYY5mUcs85j/q2TSj3ujUupV+VFEr2+s9S+K
upYcb3SJ9xuzlheuVNG2vQnCGSgmMuaexotlERVR89dnTFHvIDr4til2dTRnyQ0U
yEcw8jrtP1+UhFisI8pTIQKWvHDEhSw4lcNUnX3yzCBRlCYUbpNxTqHyWBBIrNLr
U4BXT2Dq60DX8QpLW19bapHGYfqJ5bMWH+dg155zahy4ySuNYvnfDyoLkzdNmkKP
m3aicq6CKXofmY9f7R6EvhLAU0x0vtTcI9bdRA9pOTNGXvlfnAg=
=fCmv
-----END PGP SIGNATURE-----
--- End Message ---