libarchive: CVE-2016-1541

Related Vulnerabilities: CVE-2016-1541  

Debian Bug report logs - #823893
libarchive: CVE-2016-1541


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Tue, 10 May 2016 04:39:02 UTC

Severity: grave

Tags: fixed-upstream, patch, security, upstream

Found in version libarchive/3.1.2-11

Fixed in versions libarchive/3.2.0-1, libarchive/3.1.2-11.1, libarchive/3.1.2-11+deb8u1

Done: Salvatore Bonaccorso <carnil@debian.org>

Bug is archived. No further changes may be made.




Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Libarchive Maintainers <ah-libarchive@debian.org>:
Bug#823893; Package src:libarchive. (Tue, 10 May 2016 04:39:05 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Libarchive Maintainers <ah-libarchive@debian.org>. (Tue, 10 May 2016 04:39:05 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: libarchive: CVE-2016-1541
Date: Tue, 10 May 2016 06:34:05 +0200
Source: libarchive
Version: 3.1.2-11
Severity: grave
Tags: security upstream fixed-upstream
Justification: user security hole
Control: fixed -1 3.2.0-1

Hi,

the following vulnerability was published for libarchive.

CVE-2016-1541[0]:
| Heap-based buffer overflow in the zip_read_mac_metadata function in
| archive_read_support_format_zip.c in libarchive before 3.2.0 allows
| remote attackers to execute arbitrary code via crafted entry-size
| values in a ZIP archive.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2016-1541
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1541
[1] https://www.kb.cert.org/vuls/id/862384

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
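The CVE text above names the bug class (a heap buffer sized or filled from entry-size fields that the archive itself supplies) without showing the shape of the fix. The following is an added illustration, not libarchive's code and not its real ZIP or Mac-metadata layout: it uses a constructed toy entry format (a 4-byte little-endian declared length followed by payload) and a constructed upper bound `MAX_ENTRY_LEN`, and shows the checks a reader must perform on a declared size before any allocation or copy is derived from it.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Constructed toy entry layout (an assumption for this example, NOT the
 * real ZIP / libarchive structure):
 *   bytes 0..3  : little-endian declared payload length
 *   bytes 4..   : payload
 */
#define HDR_LEN 4
#define MAX_ENTRY_LEN (1u << 20)   /* assumed sane upper bound for the toy format */

static uint32_t le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Validate a declared entry length against what is actually present.
 * Returns 0 if the entry is consistent, -1 otherwise.  In the vulnerable
 * shape of this bug class, the declared value feeds malloc()/memcpy()
 * directly; every check below has to run BEFORE that happens. */
int check_entry_size(const uint8_t *buf, size_t buflen, size_t *payload_len) {
    if (buf == NULL || buflen < HDR_LEN)
        return -1;                       /* header itself is truncated */
    uint32_t declared = le32(buf);
    if (declared > MAX_ENTRY_LEN)
        return -1;                       /* absurd size: refuse before allocating */
    if (declared > buflen - HDR_LEN)     /* no underflow: buflen >= HDR_LEN here */
        return -1;                       /* header claims more bytes than follow */
    *payload_len = declared;
    return 0;
}

/* Read an entry into a freshly allocated buffer, or return NULL on any
 * inconsistency.  Allocation size and copy size derive from the same
 * validated value, so they cannot disagree. */
uint8_t *read_entry(const uint8_t *buf, size_t buflen, size_t *outlen) {
    size_t n;
    if (check_entry_size(buf, buflen, &n) != 0)
        return NULL;
    uint8_t *out = malloc(n ? n : 1);
    if (out == NULL)
        return NULL;
    memcpy(out, buf + HDR_LEN, n);
    *outlen = n;
    return out;
}

/* Constructed sample entries. */
static const uint8_t good_entry[]  = { 0x05, 0x00, 0x00, 0x00, 'h', 'e', 'l', 'l', 'o' };
static const uint8_t lying_entry[] = { 0xff, 0xff, 0x00, 0x00, 'h', 'i' }; /* claims 65535, carries 2 */
static const uint8_t huge_entry[]  = { 0xff, 0xff, 0xff, 0xff, 'x' };      /* claims ~4 GiB */

/* 1 if the entry parses cleanly, 0 if it is rejected. */
int entry_ok(const uint8_t *buf, size_t buflen) {
    size_t n = 0;
    uint8_t *p = read_entry(buf, buflen, &n);
    if (p == NULL)
        return 0;
    free(p);
    return 1;
}

int main(void) {
    printf("good:  %d\n", entry_ok(good_entry, sizeof good_entry));   /* 1 */
    printf("lying: %d\n", entry_ok(lying_entry, sizeof lying_entry)); /* 0 */
    printf("huge:  %d\n", entry_ok(huge_entry, sizeof huge_entry));   /* 0 */
    return 0;
}
```

The point of the structure is that the only number ever handed to `malloc()` or `memcpy()` is one that has already been compared against the bytes actually available and against a fixed ceiling; a reader that trusts the header for one of those two operations but not the other is exactly the pattern the CVE describes.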



Marked as fixed in versions libarchive/3.2.0-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Tue, 10 May 2016 04:39:05 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Libarchive Maintainers <ah-libarchive@debian.org>:
Bug#823893; Package src:libarchive. (Tue, 10 May 2016 06:15:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Libarchive Maintainers <ah-libarchive@debian.org>. (Tue, 10 May 2016 06:15:04 GMT)


Message #12 received at 823893@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 823893@bugs.debian.org
Subject: Re: Bug#823893: libarchive: CVE-2016-1541
Date: Tue, 10 May 2016 08:12:48 +0200
Hi,

On Tue, May 10, 2016 at 06:34:05AM +0200, Salvatore Bonaccorso wrote:
> Source: libarchive
> Version: 3.1.2-11
> Severity: grave
> Tags: security upstream fixed-upstream
> Justification: user security hole
> Control: fixed -1 3.2.0-1
> 
> Hi,
> 
> the following vulnerability was published for libarchive.
> 
> CVE-2016-1541[0]:
> | Heap-based buffer overflow in the zip_read_mac_metadata function in
> | archive_read_support_format_zip.c in libarchive before 3.2.0 allows
> | remote attackers to execute arbitrary code via crafted entry-size
> | values in a ZIP archive.
> 
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> 
> For further information see:
> 
> [0] https://security-tracker.debian.org/tracker/CVE-2016-1541
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1541
> [1] https://www.kb.cert.org/vuls/id/862384
> 
> Please adjust the affected versions in the BTS as needed.

Attached is the debdiff I prepared for jessie-security, but the same
patch would apply for unstable as well unless planning to move to
3.2.0-1 anyway.

Regards,
Salvatore
[libarchive_3.1.2-11+deb8u1.debdiff (text/plain, attachment)]

Added tag(s) patch. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 10 May 2016 06:54:10 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Libarchive Maintainers <ah-libarchive@debian.org>:
Bug#823893; Package src:libarchive. (Tue, 10 May 2016 07:21:14 GMT)


Acknowledgement sent to Andreas Henriksson <andreas@fatal.se>:
Extra info received and forwarded to list. Copy sent to Debian Libarchive Maintainers <ah-libarchive@debian.org>. (Tue, 10 May 2016 07:21:14 GMT)


Message #19 received at 823893@bugs.debian.org:

From: Andreas Henriksson <andreas@fatal.se>
To: Salvatore Bonaccorso <carnil@debian.org>, 823893@bugs.debian.org
Subject: Re: Bug#823893: libarchive: CVE-2016-1541
Date: Tue, 10 May 2016 09:18:26 +0200
Hello Salvatore Bonaccorso.

On Tue, May 10, 2016 at 08:12:48AM +0200, Salvatore Bonaccorso wrote:
> Hi,
> 
> On Tue, May 10, 2016 at 06:34:05AM +0200, Salvatore Bonaccorso wrote:
> > Source: libarchive
> > Version: 3.1.2-11
> > Severity: grave
> > Tags: security upstream fixed-upstream
> > Justification: user security hole
> > Control: fixed -1 3.2.0-1
[...]
> > If you fix the vulnerability please also make sure to include the
> > CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

I'll make sure to include this in the 3.2.0-1 entry in debian/changelog
in future uploads.

[...]
> Attached is the debdiff I prepared for jessie-security, but the same
> patch would apply for unstable as well unless planning to move to
> 3.2.0-1 anyway.
[...]

Thanks! Please feel free to NMU at once as I'd prefer not having to touch
stable updates.

I'm torn on uploading 3.2.0 to unstable now because of regressing on
kfreebsd where we now have test failures because of FTBFS. Feel free to
NMU to unstable as well if you think it's urgent to get it fixed and
don't want to wait for giving kfreebsd porters time to look at the
regression.

Regards,
Andreas Henriksson



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Libarchive Maintainers <ah-libarchive@debian.org>:
Bug#823893; Package src:libarchive. (Tue, 10 May 2016 08:42:06 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Libarchive Maintainers <ah-libarchive@debian.org>. (Tue, 10 May 2016 08:42:06 GMT)


Message #24 received at 823893@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Andreas Henriksson <andreas@fatal.se>, 823893@bugs.debian.org
Subject: Re: Bug#823893: libarchive: CVE-2016-1541
Date: Tue, 10 May 2016 10:38:27 +0200
Hi Andreas,

On Tue, May 10, 2016 at 09:18:26AM +0200, Andreas Henriksson wrote:
> Hello Salvatore Bonaccorso.
> 
> On Tue, May 10, 2016 at 08:12:48AM +0200, Salvatore Bonaccorso wrote:
> > Hi,
> > 
> > On Tue, May 10, 2016 at 06:34:05AM +0200, Salvatore Bonaccorso wrote:
> > > Source: libarchive
> > > Version: 3.1.2-11
> > > Severity: grave
> > > Tags: security upstream fixed-upstream
> > > Justification: user security hole
> > > Control: fixed -1 3.2.0-1
> [...]
> > > If you fix the vulnerability please also make sure to include the
> > > CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> 
> I'll make sure to include this in the 3.2.0-1 entry in debian/changelog
> in future uploads.
> 
> [...]
> > Attached is the debdiff I prepared for jessie-security, but the same
> > patch would apply for unstable as well unless planning to move to
> > 3.2.0-1 anyway.
> [...]
> 
> Thanks! Please feel free to NMU at once as I'd prefer not having to touch
> stable updates.

Thanks for your quick response, very appreciated. I will upload the
package later today to security-master for the DSA.

> I'm torn on uploading 3.2.0 to unstable now because of regressing on
> kfreebsd where we now have test failures because of FTBFS. Feel free to
> NMU to unstable as well if you think it's urgent to get it fixed and
> don't want to wait for giving kfreebsd porters time to look at the
> regression.

Makes sense then to wait for moving 3.2.0 to experimental. Thanks for
the ack on NMU'ing. I might then as well fix unstable with the
upstream patch.

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Libarchive Maintainers <ah-libarchive@debian.org>:
Bug#823893; Package src:libarchive. (Tue, 10 May 2016 08:48:04 GMT)


Acknowledgement sent to Andreas Henriksson <andreas@fatal.se>:
Extra info received and forwarded to list. Copy sent to Debian Libarchive Maintainers <ah-libarchive@debian.org>. (Tue, 10 May 2016 08:48:04 GMT)


Message #29 received at 823893@bugs.debian.org:

From: Andreas Henriksson <andreas@fatal.se>
To: Salvatore Bonaccorso <carnil@debian.org>
Cc: 823893@bugs.debian.org
Subject: Re: Bug#823893: libarchive: CVE-2016-1541
Date: Tue, 10 May 2016 10:45:33 +0200
Hello Salvatore,

On Tue, May 10, 2016 at 10:38:27AM +0200, Salvatore Bonaccorso wrote:
> Hi Andreas,
[...]
> Makes sense then to wait for moving 3.2.0 to experimental. Thanks for
> the ack on NMU'ing. I might then as well fix unstable with the
> upstream patch.

FYI I just sent a mail to inquire about help from kfreebsd porters and
get their view on if we should delay the upload of 3.2.0 to unstable.
The only blocker is kfreebsd as I see it, otherwise I'm ready to put it
in unstable.

https://lists.debian.org/debian-bsd/2016/05/msg00032.html

Hoping for feedback on the above to help me determine when we can get
3.2.0 uploaded to unstable. Hopefully they say it's not a big problem
for them to get out of date so I can proceed to upload....

Regards,
Andreas Henriksson



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Libarchive Maintainers <ah-libarchive@debian.org>:
Bug#823893; Package src:libarchive. (Thu, 12 May 2016 09:03:04 GMT)


Acknowledgement sent to <adam.jones@tutanota.com>:
Extra info received and forwarded to list. Copy sent to Debian Libarchive Maintainers <ah-libarchive@debian.org>. (Thu, 12 May 2016 09:03:04 GMT)


Message #34 received at 823893@bugs.debian.org:

From: <adam.jones@tutanota.com>
To: Andreas Henriksson <andreas@fatal.se>, <823893@bugs.debian.org>
Subject: Re: Bug#823893: libarchive: CVE-2016-1541
Date: Thu, 12 May 2016 09:50:32 +0100 (BST)
Hello Andreas,

Has there been any news on this?

Thank you,
Adam


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Libarchive Maintainers <ah-libarchive@debian.org>:
Bug#823893; Package src:libarchive. (Mon, 16 May 2016 09:15:11 GMT)


Acknowledgement sent to Simon McVittie <smcv@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Libarchive Maintainers <ah-libarchive@debian.org>. (Mon, 16 May 2016 09:15:11 GMT)


Message #39 received at 823893@bugs.debian.org:

From: Simon McVittie <smcv@debian.org>
To: Andreas Henriksson <andreas@fatal.se>, 823893@bugs.debian.org
Cc: Salvatore Bonaccorso <carnil@debian.org>, adam.jones@tutanota.com, 823984@bugs.debian.org
Subject: Re: Bug#823893: libarchive: CVE-2016-1541
Date: Mon, 16 May 2016 10:12:19 +0100
Control: tags 823893 + pending
Control: tags 823984 + pending

On Tue, 10 May 2016 at 09:18:26 +0200, Andreas Henriksson wrote:
> I'm torn on uploading 3.2.0 to unstable now because of regressing on
> kfreebsd where we now have test failures because of FTBFS. Feel free to
> NMU to unstable as well if you think it's urgent to get it fixed and
> don't want to wait for giving kfreebsd porters time to look at the
> regression.

I think it would have been better to upload *something* with the security
fix immediately, if not 3.2.0 then a patched 3.1.2; either way, if it
had been high or medium urgency and had no new RC bugs, then testing
would not be vulnerable by now.

libarchive/stable is uninstallable in unstable due to the libnettle
transition, so to keep this moving, I've prepared an NMU which I have
uploaded to DELAYED/5. Diff attached, or available here:
ssh://alioth.debian.org/srv/home/users/smcv/public_git/libarchive.git

If you would like it accelerated or cancelled, please let me know; or
if you decide to go ahead with 3.2.0 or a 3.1.2-12 maintainer upload
in unstable so that my NMU is superseded and rejected, that's also fine
of course.

I'll open a separate bug for the test failure. Since you are the
libarchive maintainer, you get to decide whether you consider failures on
the non-release kFreeBSD architectures to be RC. Because the kFreeBSD
architectures aren't release architectures, I believe out-of-date
binaries on those architectures don't slow down testing migration,
so fixing the security vulnerability on Linux doesn't need to block on
fixing the tests on kFreeBSD.

    S
[0001-Make-libarchive-unstable-catch-up-with-libarchive-st.patch (text/x-diff, attachment)]

Added tag(s) pending. Request was from Simon McVittie <smcv@debian.org> to 823893-submit@bugs.debian.org. (Mon, 16 May 2016 09:15:11 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Libarchive Maintainers <ah-libarchive@debian.org>:
Bug#823893; Package src:libarchive. (Mon, 16 May 2016 09:27:10 GMT)


Acknowledgement sent to Andreas Henriksson <andreas@fatal.se>:
Extra info received and forwarded to list. Copy sent to Debian Libarchive Maintainers <ah-libarchive@debian.org>. (Mon, 16 May 2016 09:27:10 GMT)


Message #46 received at 823893@bugs.debian.org:

From: Andreas Henriksson <andreas@fatal.se>
To: Simon McVittie <smcv@debian.org>
Cc: 823893@bugs.debian.org, Salvatore Bonaccorso <carnil@debian.org>, adam.jones@tutanota.com, 823984@bugs.debian.org
Subject: Re: Bug#823893: libarchive: CVE-2016-1541
Date: Mon, 16 May 2016 11:25:31 +0200
Hello Simon McVittie.

On Mon, May 16, 2016 at 10:12:19AM +0100, Simon McVittie wrote:
[...]
> uploaded to DELAYED/5. Diff attached, or available here:
> ssh://alioth.debian.org/srv/home/users/smcv/public_git/libarchive.git
> 
> If you would like it accelerated or cancelled, please let me know; or

Please feel free to go ahead with NMU without delay (as already mentioned
to Salvatore)!

> if you decide to go ahead with 3.2.0 or a 3.1.2-12 maintainer upload
> in unstable so that my NMU is superseded and rejected, that's also fine
> of course.

I'll focus on 3.2.0 myself which means I'll likely just ignore your NMU
if you base it on 3.1.2 when I feel 3.2.0 is ready to go to unstable
(unless you have strong opinions on having your NMU changelog entry
merged).

> 
> I'll open a separate bug for the test failure. Since you are the
> libarchive maintainer, you get to decide whether you consider failures on
> the non-release kFreeBSD architectures to be RC. Because the kFreeBSD
> architectures aren't release architectures, I believe out-of-date
> binaries on those architectures don't slow down testing migration,
> so fixing the security vulnerability on Linux doesn't need to block on
> fixing the tests on kFreeBSD.

Thanks. I don't consider kfreebsd a "real" blocker as this bug should
not be RC, but given that AFAIK libarchive has a pretty exploding
reverse dependency chain many important parts of the archive could
quickly become unbuildable I thought it would be nice to give the
kfreebsd porters a chance to reply to
https://lists.debian.org/debian-bsd/2016/05/msg00032.html
before proceeding. Not that I have super high hopes of getting a reply
and I'll certainly not wait forever... just giving them a chance (so
in another week or a bit more maybe I'll just upload).

Regards,
Andreas Henriksson

PS. Help maintaining libarchive welcome!



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Libarchive Maintainers <ah-libarchive@debian.org>:
Bug#823893; Package src:libarchive. (Mon, 16 May 2016 09:45:08 GMT)


Acknowledgement sent to Simon McVittie <smcv@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Libarchive Maintainers <ah-libarchive@debian.org>. (Mon, 16 May 2016 09:45:08 GMT)


Message #51 received at 823893@bugs.debian.org:

From: Simon McVittie <smcv@debian.org>
To: Andreas Henriksson <andreas@fatal.se>, 823893@bugs.debian.org
Cc: Salvatore Bonaccorso <carnil@debian.org>, adam.jones@tutanota.com, 823984@bugs.debian.org
Subject: Re: Bug#823893: libarchive: CVE-2016-1541
Date: Mon, 16 May 2016 10:34:01 +0100
On Mon, 16 May 2016 at 11:25:31 +0200, Andreas Henriksson wrote:
> Please feel free to go ahead with NMU without delay (as already mentioned
> to Salvatore)!

Thanks, rescheduled to 0-day.

> I'll focus on 3.2.0 myself which means I'll likely just ignore your NMU
> if you base it on 3.1.2 when I feel 3.2.0 is ready to go to unstable
> (unless you have strong opinions on having your NMU changelog entry
> merged).

Not merging 3.1.2-11.1 is fine, as long as the BTS version-tracking is happy
(#823893 is already marked as fixed in 3.2.0, I'll mark #823984 as fixed
there too).

    S



Reply sent to Simon McVittie <smcv@debian.org>:
You have taken responsibility. (Mon, 16 May 2016 09:57:05 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Mon, 16 May 2016 09:57:05 GMT)


Message #56 received at 823893-close@bugs.debian.org:

From: Simon McVittie <smcv@debian.org>
To: 823893-close@bugs.debian.org
Subject: Bug#823893: fixed in libarchive 3.1.2-11.1
Date: Mon, 16 May 2016 09:53:04 +0000
Source: libarchive
Source-Version: 3.1.2-11.1

We believe that the bug you reported is fixed in the latest version of
libarchive, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 823893@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Simon McVittie <smcv@debian.org> (supplier of updated libarchive package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Mon, 16 May 2016 09:46:05 +0100
Source: libarchive
Binary: libarchive-dev libarchive13 bsdtar bsdcpio
Architecture: amd64 source
Version: 3.1.2-11.1
Distribution: unstable
Urgency: high
Maintainer: Debian Libarchive Maintainers <ah-libarchive@debian.org>
Changed-By: Simon McVittie <smcv@debian.org>
Closes: 823893 823984
Description: 
 bsdcpio    - Implementation of the 'cpio' program from FreeBSD
 bsdtar     - Implementation of the 'tar' program from FreeBSD
 libarchive13 - Multi-format archive and compression library (shared library)
 libarchive-dev - Multi-format archive and compression library (development files)
Changes:
 libarchive (3.1.2-11.1) unstable; urgency=high
 .
   * Non-maintainer upload.
     - Make libarchive/unstable catch up with libarchive/stable
       (Closes: #823984)
 .
   [ Salvatore Bonaccorso ]
   * CVE-2016-1541: heap-based buffer overflow due to improper input
     validation (Closes: #823893)
Checksums-Sha1: 
 ec25d752ead61a1b367f4f24c43d0b6a59284422 2275 libarchive_3.1.2-11.1.dsc
 30a83cc6aff08394efa7215db7d6da6681ecb6d6 15356 libarchive_3.1.2-11.1.debian.tar.xz
 9644f65bbcf4eb06c9c91eee9f60dd93e8402865 26322 bsdcpio-dbgsym_3.1.2-11.1_amd64.deb
 03e75b7c56b5275d98d2fe745c4fcf0ba3bf442e 39392 bsdcpio_3.1.2-11.1_amd64.deb
 b9e2f714fdecc0c6d7582ad92956ddc3c3a843d9 46360 bsdtar-dbgsym_3.1.2-11.1_amd64.deb
 b0fb316aa887b8817606c7ec36032046d0918979 53808 bsdtar_3.1.2-11.1_amd64.deb
 ed74ec6eed114c9676b6f8460a64661c84443ed0 429448 libarchive-dev_3.1.2-11.1_amd64.deb
 7398d14faecca1e45109b24fd7763dd44489c6c8 702668 libarchive13-dbgsym_3.1.2-11.1_amd64.deb
 7c320688e4231d2feb3fbaed2043bb134a4ae7bf 265848 libarchive13_3.1.2-11.1_amd64.deb
Checksums-Sha256: 
 7f5453b9e7c8de99bf67e38e67ea63e8ab03518e6b955d625c3d28fcc0d3b327 2275 libarchive_3.1.2-11.1.dsc
 459cc3b691b5c043b3d8009588d8f9446de12214f994c2b2c3208120a9a563bb 15356 libarchive_3.1.2-11.1.debian.tar.xz
 6acbe648b855903af0f0696dccfe6f446fd3655aba2466d314a284fa5d391ae4 26322 bsdcpio-dbgsym_3.1.2-11.1_amd64.deb
 cab17d0d430b60b2a92a44a53ff67c61a509730974207ec1dcf4bedbb1e12bec 39392 bsdcpio_3.1.2-11.1_amd64.deb
 10abfbd8ba6a3a2b7dc0d521fdda61a34530bf96443fc7dc0ee716783839e13e 46360 bsdtar-dbgsym_3.1.2-11.1_amd64.deb
 7448cea1f7fa178c5ece8caf8fd2fb4706fbcd6f97ed7a7f7a589a6857c3ddda 53808 bsdtar_3.1.2-11.1_amd64.deb
 60db8b2f6cb54e6c389c8991a016de4d3f4c0ab99a1100b1915ca932ce923b86 429448 libarchive-dev_3.1.2-11.1_amd64.deb
 c2a111a538bccf60fb950973ce9bb390a1ec9444c02da5aa5238e63ed78b271e 702668 libarchive13-dbgsym_3.1.2-11.1_amd64.deb
 9974330809fd1ebd3727a710d9d2047cc8b338810e06babae4cc667ce526aba1 265848 libarchive13_3.1.2-11.1_amd64.deb
Files: 
 08b546cc60e0a478c741bbe38ae68c40 2275 libs optional libarchive_3.1.2-11.1.dsc
 ee19a11a9ed8013467eebb0ae841f40e 15356 libs optional libarchive_3.1.2-11.1.debian.tar.xz
 b05a0bb778f67cf7af50f100d6865f13 26322 debug extra bsdcpio-dbgsym_3.1.2-11.1_amd64.deb
 3af8b7133aa3cad0ba6eef0445b37713 39392 utils optional bsdcpio_3.1.2-11.1_amd64.deb
 84b4dd622e8cf93bc93c1881e8ed24d4 46360 debug extra bsdtar-dbgsym_3.1.2-11.1_amd64.deb
 c77bdada19a12ae90d4cbbe08fe543df 53808 utils optional bsdtar_3.1.2-11.1_amd64.deb
 f50ca967ebb900ab86747bf6ab7b78cb 429448 libdevel optional libarchive-dev_3.1.2-11.1_amd64.deb
 f9d65dc118958b691be6b6307e7e34e5 702668 debug extra libarchive13-dbgsym_3.1.2-11.1_amd64.deb
 5e8a36d87a90ad9e06b402c52877f0ca 265848 libs optional libarchive13_3.1.2-11.1_amd64.deb





Reply sent to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility. (Wed, 18 May 2016 21:51:19 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Wed, 18 May 2016 21:51:19 GMT)


Message #61 received at 823893-close@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 823893-close@bugs.debian.org
Subject: Bug#823893: fixed in libarchive 3.1.2-11+deb8u1
Date: Wed, 18 May 2016 21:49:42 +0000
Source: libarchive
Source-Version: 3.1.2-11+deb8u1

We believe that the bug you reported is fixed in the latest version of
libarchive, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 823893@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated libarchive package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Tue, 10 May 2016 07:00:10 +0200
Source: libarchive
Binary: libarchive-dev libarchive13 bsdtar bsdcpio
Architecture: source
Version: 3.1.2-11+deb8u1
Distribution: jessie-security
Urgency: high
Maintainer: Debian Libarchive Maintainers <ah-libarchive@debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 823893
Description: 
 bsdcpio    - Implementation of the 'cpio' program from FreeBSD
 bsdtar     - Implementation of the 'tar' program from FreeBSD
 libarchive-dev - Multi-format archive and compression library (development files)
 libarchive13 - Multi-format archive and compression library (shared library)
Changes:
 libarchive (3.1.2-11+deb8u1) jessie-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * CVE-2016-1541: heap-based buffer overflow due to improper input
     validation (Closes: #823893)
Checksums-Sha1: 
 56561a3f3227fa6f2e067c3559de0a6f212f62fb 2313 libarchive_3.1.2-11+deb8u1.dsc
 6a991777ecb0f890be931cec4aec856d1a195489 4527540 libarchive_3.1.2.orig.tar.gz
 f3bb9955faead9fa982e393b4e234afc551ed3ea 15364 libarchive_3.1.2-11+deb8u1.debian.tar.xz
Checksums-Sha256: 
 a61675199a98d083baf893ec781074db10739fca6cf6d7e731560858daf5e104 2313 libarchive_3.1.2-11+deb8u1.dsc
 eb87eacd8fe49e8d90c8fdc189813023ccc319c5e752b01fb6ad0cc7b2c53d5e 4527540 libarchive_3.1.2.orig.tar.gz
 ae686924466df35cd920fc039cab38b04f05ea1c3d9d9b4b9d5ed8a4fc5d9908 15364 libarchive_3.1.2-11+deb8u1.debian.tar.xz
Files: 
 f7d91690d81bd1bfb3dbe233a0a8f47f 2313 libs optional libarchive_3.1.2-11+deb8u1.dsc
 efad5a503f66329bb9d2f4308b5de98a 4527540 libs optional libarchive_3.1.2.orig.tar.gz
 bbfcc04ec4fca51c50a8aeff847f5f03 15364 libs optional libarchive_3.1.2-11+deb8u1.debian.tar.xz





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 16 Jun 2016 07:38:26 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 18:19:13 2019; Machine Name: buxtehude
