libarchive: CVE-2013-0211

Related Vulnerabilities: CVE-2013-0211  

Debian Bug report logs - #703957
libarchive: CVE-2013-0211

Reported by: Moritz Muehlenhoff <jmm@inutil.org>

Date: Tue, 26 Mar 2013 08:39:01 UTC

Severity: grave

Tags: patch, security

Fixed in version libarchive/3.0.4-3

Done: Andreas Henriksson <andreas@fatal.se>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Libarchive Maintainers <ah-libarchive@debian.org>:
Bug#703957; Package libarchive. (Tue, 26 Mar 2013 08:39:05 GMT)


Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Libarchive Maintainers <ah-libarchive@debian.org>. (Tue, 26 Mar 2013 08:39:05 GMT)


Message #5 received at submit@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: libarchive: CVE-2013-0211
Date: Tue, 26 Mar 2013 09:01:44 +0100
Package: libarchive
Severity: grave
Tags: security

Please see here for details and a link to the upstream commit:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-0211

Cheers,
        Moritz



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Libarchive Maintainers <ah-libarchive@debian.org>:
Bug#703957; Package libarchive. (Tue, 26 Mar 2013 10:03:06 GMT)


Acknowledgement sent to Prach Pongpanich <prachpub@gmail.com>:
Extra info received and forwarded to list. Copy sent to Debian Libarchive Maintainers <ah-libarchive@debian.org>. (Tue, 26 Mar 2013 10:03:06 GMT)


Message #10 received at 703957@bugs.debian.org:

From: Prach Pongpanich <prachpub@gmail.com>
To: 703957@bugs.debian.org
Cc: control@bugs.debian.org
Date: Tue, 26 Mar 2013 17:02:49 +0700
tags 703957 + patch
thanks

Dear maintainer,

 I have prepared a patch (DEP-3 format) from upstream, which solves
this bug (libarchive-3.0.4).

Regards,

-- 
 Prach Pongpanich
[fix-CVE-2013-0211.patch (application/octet-stream, attachment)]

Added tag(s) patch. Request was from Prach Pongpanich <prachpub@gmail.com> to control@bugs.debian.org. (Tue, 26 Mar 2013 10:03:09 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Libarchive Maintainers <ah-libarchive@debian.org>:
Bug#703957; Package libarchive. (Wed, 27 Mar 2013 16:30:11 GMT)


Acknowledgement sent to Andreas Henriksson <andreas@fatal.se>:
Extra info received and forwarded to list. Copy sent to Debian Libarchive Maintainers <ah-libarchive@debian.org>. (Wed, 27 Mar 2013 16:30:11 GMT)


Message #17 received at 703957@bugs.debian.org:

From: Andreas Henriksson <andreas@fatal.se>
To: Prach Pongpanich <prachpub@gmail.com>, 703957@bugs.debian.org
Subject: Re: Bug#703957:
Date: Wed, 27 Mar 2013 17:30:56 +0100
Hello!

On Tue, Mar 26, 2013 at 05:02:49PM +0700, Prach Pongpanich wrote:
> tags 703957 + patch
> thanks
> 
> Dear maintainer,
> 
>  I have prepared a patch (DEP-3 format) from upstream, which solves
> this bug (libarchive-3.0.4).

Thanks for preparing a prettified patch.....

It deviates from https://github.com/libarchive/libarchive/commit/22531545514043e04633e1c015c7540b9de9dbe4 and doesn't build though....

Where did you get the patch from or why did you modify it?

Should I be worried?


-- 
Andreas Henriksson



Reply sent to Andreas Henriksson <andreas@fatal.se>:
You have taken responsibility. (Wed, 27 Mar 2013 16:51:10 GMT)


Notification sent to Moritz Muehlenhoff <jmm@inutil.org>:
Bug acknowledged by developer. (Wed, 27 Mar 2013 16:51:10 GMT)


Message #22 received at 703957-close@bugs.debian.org:

From: Andreas Henriksson <andreas@fatal.se>
To: 703957-close@bugs.debian.org
Subject: Bug#703957: fixed in libarchive 3.0.4-3
Date: Wed, 27 Mar 2013 16:47:35 +0000
Source: libarchive
Source-Version: 3.0.4-3

We believe that the bug you reported is fixed in the latest version of
libarchive, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 703957@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Andreas Henriksson <andreas@fatal.se> (supplier of updated libarchive package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Wed, 27 Mar 2013 16:20:36 +0100
Source: libarchive
Binary: libarchive-dev libarchive12 bsdtar bsdcpio
Architecture: source amd64
Version: 3.0.4-3
Distribution: unstable
Urgency: low
Maintainer: Debian Libarchive Maintainers <ah-libarchive@debian.org>
Changed-By: Andreas Henriksson <andreas@fatal.se>
Description: 
 bsdcpio    - Implementation of the 'cpio' program from FreeBSD
 bsdtar     - Implementation of the 'tar' program from FreeBSD
 libarchive-dev - Multi-format archive and compression library (development files)
 libarchive12 - Multi-format archive and compression library (shared library)
Closes: 703957
Changes: 
 libarchive (3.0.4-3) unstable; urgency=low
 .
   * Add patch that fixes CVE-2013-0211. (Closes: #703957)




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Libarchive Maintainers <ah-libarchive@debian.org>:
Bug#703957; Package libarchive. (Wed, 27 Mar 2013 17:03:04 GMT)


Acknowledgement sent to Prach Pongpanich <prachpub@gmail.com>:
Extra info received and forwarded to list. Copy sent to Debian Libarchive Maintainers <ah-libarchive@debian.org>. (Wed, 27 Mar 2013 17:03:04 GMT)


Message #27 received at 703957@bugs.debian.org:

From: Prach Pongpanich <prachpub@gmail.com>
To: Andreas Henriksson <andreas@fatal.se>
Cc: 703957@bugs.debian.org
Subject: Re: Bug#703957:
Date: Wed, 27 Mar 2013 23:59:57 +0700
Hi Andreas,

On Wed, Mar 27, 2013 at 11:30 PM, Andreas Henriksson <andreas@fatal.se> wrote:
> It deviates from https://github.com/libarchive/libarchive/commit/22531545514043e04633e1c015c7540b9de9dbe4 and doesn't build though....
>
> Where did you get the patch from or why did you modify it?

 I got it from https://github.com/libarchive/libarchive/commit/22531545514043e04633e1c015c7540b9de9dbe4

 I fail to build from source: libarchive_3.0.4-2

 dget http://http.debian.net/debian/pool/main/liba/libarchive/libarchive_3.0.4-2.dsc
 pbuilder build  libarchive_3.0.4-2.dsc
-------------------
configure: exit 77
dh_auto_configure: ./configure --build=x86_64-linux-gnu --prefix=/usr
--includedir=${prefix}/include --mandir=${prefix}/share/man
--infodir=${prefix}/share/info --sysconfdir=/etc --localstatedir=/var
--libdir=${prefix}/lib/x86_64-linux-gnu
--libexecdir=${prefix}/lib/x86_64-linux-gnu --disable-maintainer-mode
--disable-dependency-tracking --without-openssl --with-nettle
--enable-bsdtar=shared --enable-bsdcpio=shared returned exit code 77
make[1]: *** [override_dh_auto_configure] Error 255
make[1]: Leaving directory `/tmp/buildd/libarchive-3.0.4'
make: *** [build] Error 2
dpkg-buildpackage: error: debian/rules build gave error exit status 2


Regards,

-- 
 Prach Pongpanich



Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 25 Apr 2013 07:28:18 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 18:39:41 2019; Machine Name: beach
