On Mon, May 01, 2017 at 03:16:09PM +0200, Salvatore Bonaccorso wrote:
> Source: libarchive
> Version: 3.1.2-11
> Severity: important
> Tags: security patch upstream
> 
> Hi,
> 
> the following vulnerabilities were published for libarchive.
> 
> CVE-2016-10349[0]:
> | The archive_le32dec function in archive_endian.h in libarchive 3.2.2
> | allows remote attackers to cause a denial of service (heap-based buffer
> | over-read and application crash) via a crafted file.
> 
> CVE-2016-10350[1]:
> | The archive_read_format_cab_read_header function in
> | archive_read_support_format_cab.c in libarchive 3.2.2 allows remote
> | attackers to cause a denial of service (heap-based buffer over-read and
> | application crash) via a crafted file.
> 
> The issue is found back to 3.1.2, and verifiable with an ASAN build,
> the upstream reports [2] and [3] contain details, and fixed with [4].
> I did bisect the upstream repo to try to confirm that:
> 
> I'm yet unsure if we want a DSA for those, please check back with
> [email protected], it definitively would be great to see the fix
> for stretch.
> 
> If you fix the vulnerabilities please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
> 
> For further information see:
> 
> [0] https://security-tracker.debian.org/tracker/CVE-2016-10349
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10349
> [1] https://security-tracker.debian.org/tracker/CVE-2016-10350
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10350
> [2] https://github.com/libarchive/libarchive/issues/834
> [3] https://github.com/libarchive/libarchive/issues/835
> [4] https://github.com/libarchive/libarchive/commit/88eb9e1d73fef46f04677c25b1697b8e25777ed3

Can we get this into stretch, please?

Cheers,
        Moritz