This bug was fixed in the package libarchive - 3.2.0-2 Sponsored for Logan Rosen (logan)
--------------- libarchive (3.2.0-2) unstable; urgency=medium * Add CVE identifiers to previous changelog entry. * Upload to unstable. -- Andreas Henriksson <[email protected]> Wed, 01 Jun 2016 07:34:12 +0200 libarchive (3.2.0-1) experimental; urgency=medium * CVE-2016-1541: heap-based buffer overflow due to improper input validation (Closes: #823893) * New upstream test release (3.1.901a). * Add liblz4-dev build-dependency to enable lz4 support. * Enable new bsdcat utility in separate package * Drop all patches, now included in release. * Add pkg-config build-dependency * Have dh-autoreconf use upstream build/autogen.sh * New upstream release (3.2.0). -- Andreas Henriksson <[email protected]> Fri, 06 May 2016 10:08:56 +0200 ** Changed in: libarchive (Ubuntu) Status: New => Fix Released ** CVE added: http://www.cve.mitre.org/cgi- bin/cvename.cgi?name=2016-1541 -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to libarchive in Ubuntu. https://bugs.launchpad.net/bugs/1590235 Title: Sync libarchive 3.2.0-2 (main) from Debian unstable (main) Status in libarchive package in Ubuntu: Fix Released Bug description: Please sync libarchive 3.2.0-2 (main) from Debian unstable (main) Explanation of the Ubuntu delta and why it can be dropped: * SECURITY UPDATE: code execution via incorrect compressed size - debian/patches/CVE-2016-1541.patch: check sizes in libarchive/archive_read_support_format_zip.c. - CVE-2016-1541 * SECURITY UPDATE: denial of service via malformed cpio archive - debian/patches/issue502.patch: fix implicit cast in libarchive/archive_read_support_format_cpio.c, reject attempts to move the file pointer by a negative amount in libarchive/archive_read.c. - CVE number pending. I verified in the code that both of the above security fixes are present in the new upstream release in unstable. Changelog entries since current yakkety version 3.1.2-11ubuntu1: libarchive (3.2.0-2) unstable; urgency=medium * Add CVE identifiers to previous changelog entry. * Upload to unstable. -- Andreas Henriksson <[email protected]> Wed, 01 Jun 2016 07:34:12 +0200 libarchive (3.2.0-1) experimental; urgency=medium * CVE-2016-1541: heap-based buffer overflow due to improper input validation (Closes: #823893) * New upstream test release (3.1.901a). * Add liblz4-dev build-dependency to enable lz4 support. * Enable new bsdcat utility in separate package * Drop all patches, now included in release. * Add pkg-config build-dependency * Have dh-autoreconf use upstream build/autogen.sh * New upstream release (3.2.0). -- Andreas Henriksson <[email protected]> Fri, 06 May 2016 10:08:56 +0200 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/libarchive/+bug/1590235/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : [email protected] Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
