libarchive: CVE-2017-5601

Related Vulnerabilities: CVE-2017-5601  

Debian Bug report logs - #853278


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Tue, 31 Jan 2017 05:54:01 UTC

Severity: grave

Tags: patch, security, upstream

Found in versions libarchive/3.1.2-11, libarchive/3.2.1-5

Fixed in version libarchive/3.2.1-6

Done: Andreas Henriksson <andreas@fatal.se>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Libarchive Maintainers <ah-libarchive@debian.org>: Bug#853278; Package src:libarchive. (Tue, 31 Jan 2017 05:54:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>: New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Libarchive Maintainers <ah-libarchive@debian.org>. (Tue, 31 Jan 2017 05:54:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: libarchive: CVE-2017-5601
Date: Tue, 31 Jan 2017 06:51:53 +0100
Source: libarchive
Version: 3.2.1-5
Severity: grave
Tags: upstream security patch
Justification: user security hole

Hi,

the following vulnerability was published for libarchive.

CVE-2017-5601[0]:
| An error in the lha_read_file_header_1() function
| (archive_read_support_format_lha.c) in libarchive 3.2.2 allows remote
| attackers to trigger an out-of-bounds read memory access and
| subsequently cause a crash via a specially crafted archive.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

Once fixed for sid, can you please ask for an unblock so we have the
fix for the upcoming stable release stretch as well?

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-5601

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Marked as found in versions libarchive/3.1.2-11. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 31 Jan 2017 06:00:03 GMT)


Reply sent to Andreas Henriksson <andreas@fatal.se>: You have taken responsibility. (Tue, 31 Jan 2017 09:54:19 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>: Bug acknowledged by developer. (Tue, 31 Jan 2017 09:54:19 GMT)


Message #12 received at 853278-close@bugs.debian.org:

From: Andreas Henriksson <andreas@fatal.se>
To: 853278-close@bugs.debian.org
Subject: Bug#853278: fixed in libarchive 3.2.1-6
Date: Tue, 31 Jan 2017 09:48:58 +0000
Source: libarchive
Source-Version: 3.2.1-6

We believe that the bug you reported is fixed in the latest version of
libarchive, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 853278@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Andreas Henriksson <andreas@fatal.se> (supplier of updated libarchive package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Tue, 31 Jan 2017 10:25:56 +0100
Source: libarchive
Binary: libarchive-dev libarchive13 libarchive-tools bsdtar bsdcpio
Architecture: source
Version: 3.2.1-6
Distribution: unstable
Urgency: medium
Maintainer: Debian Libarchive Maintainers <ah-libarchive@debian.org>
Changed-By: Andreas Henriksson <andreas@fatal.se>
Description:
 bsdcpio    - transitional dummy package for moving bsdcpio to libarchive-tools
 bsdtar     - transitional dummy package for moving bsdtar to libarchive-tools
 libarchive-dev - Multi-format archive and compression library (development files)
 libarchive-tools - FreeBSD implementations of 'tar' and 'cpio' and other archive tools
 libarchive13 - Multi-format archive and compression library (shared library)
Closes: 853278
Changes:
 libarchive (3.2.1-6) unstable; urgency=medium
 .
   * Add debian/patches/Fail-with-negative-lha-compsize-in-lha_read_file_header_1.patch
     - Cherry-pick upstream commit 98dcbbf0bf4854bf987557
       "Fail with negative lha->compsize in lha_read_file_header_1()"
       Secunia SA74169, CVE-2017-5601 (Closes: #853278)





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 16 Jul 2017 07:51:34 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 15:33:09 2019; Machine Name: buxtehude
