Source: libarchive
Version: 3.1.2-11
Severity: important
Tags: security patch upstream
Hi,

the following vulnerabilities were published for libarchive.

CVE-2016-10349[0]:
| The archive_le32dec function in archive_endian.h in libarchive 3.2.2
| allows remote attackers to cause a denial of service (heap-based buffer
| over-read and application crash) via a crafted file.

CVE-2016-10350[1]:
| The archive_read_format_cab_read_header function in
| archive_read_support_format_cab.c in libarchive 3.2.2 allows remote
| attackers to cause a denial of service (heap-based buffer over-read and
| application crash) via a crafted file.

The issue is found back to 3.1.2 and is verifiable with an ASAN build; the
upstream reports [2] and [3] contain details, and it is fixed with [4]. I
did bisect the upstream repo to try to confirm that:

I'm yet unsure if we want a DSA for those, please check back with
t...@security.debian.org; it definitely would be great to see the fix
for stretch.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2016-10349
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10349
[1] https://security-tracker.debian.org/tracker/CVE-2016-10350
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10350
[2] https://github.com/libarchive/libarchive/issues/834
[3] https://github.com/libarchive/libarchive/issues/835
[4] https://github.com/libarchive/libarchive/commit/88eb9e1d73fef46f04677c25b1697b8e25777ed3

Regards,
Salvatore