libarchive: crash or infinite loop via malformed cpio archive

Related Vulnerabilities: CVE-2015-8915  

Debian Bug report logs - #784213
Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Mon, 4 May 2015 05:30:06 UTC

Severity: important

Tags: fixed-upstream, patch, security, upstream

Found in version libarchive/3.1.2-11

Fixed in version libarchive/3.2.0-1

Done: Andreas Henriksson <andreas@fatal.se>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Libarchive Maintainers <ah-libarchive@debian.org>:
Bug#784213; Package src:libarchive. (Mon, 04 May 2015 05:30:12 GMT).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Libarchive Maintainers <ah-libarchive@debian.org>. (Mon, 04 May 2015 05:30:12 GMT).


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: libarchive: crash or infinite loop via malformed cpio archive
Date: Mon, 04 May 2015 07:23:12 +0200
Source: libarchive
Version: 3.1.2-11
Severity: important
Tags: security upstream patch fixed-upstream

Hi,

See [0] for details. Upstream bug [1] references as well the fixing
commit [2].

 [0] http://seclists.org/fulldisclosure/2015/Apr/102
 [1] https://github.com/libarchive/libarchive/issues/502
 [2] https://github.com/libarchive/libarchive/commit/e6c9668f3202215ddb71617b41c19b6f05acf008

Regards,
Salvatore



Marked as fixed in versions libarchive/3.2.0-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 10 May 2016 18:15:09 GMT).


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Libarchive Maintainers <ah-libarchive@debian.org>:
Bug#784213; Package src:libarchive. (Tue, 28 Jun 2016 06:48:03 GMT).


Acknowledgement sent to Petter Reinholdtsen <pere@hungry.com>:
Extra info received and forwarded to list. Copy sent to Debian Libarchive Maintainers <ah-libarchive@debian.org>. (Tue, 28 Jun 2016 06:48:03 GMT).


Message #12 received at 784213@bugs.debian.org:

From: Petter Reinholdtsen <pere@hungry.com>
To: Salvatore Bonaccorso <carnil@debian.org>, 784213@bugs.debian.org
Subject: Re: libarchive: crash or infinite loop via malformed cpio archive
Date: Tue, 28 Jun 2016 08:40:02 +0200

According to <URL: https://bugzilla.redhat.com/show_bug.cgi?id=1216891 >
this is the same issue as
<URL: https://github.com/libarchive/libarchive/issues/503 > which was
assigned CVE-2015-8915.

-- 
Happy hacking
Petter Reinholdtsen



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Libarchive Maintainers <ah-libarchive@debian.org>:
Bug#784213; Package src:libarchive. (Tue, 28 Jun 2016 08:15:04 GMT).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Libarchive Maintainers <ah-libarchive@debian.org>. (Tue, 28 Jun 2016 08:15:04 GMT).


Message #17 received at 784213@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Petter Reinholdtsen <pere@hungry.com>
Cc: 784213@bugs.debian.org
Subject: Re: libarchive: crash or infinite loop via malformed cpio archive
Date: Tue, 28 Jun 2016 10:13:05 +0200

Hi Petter,

On Tue, Jun 28, 2016 at 08:40:02AM +0200, Petter Reinholdtsen wrote:
> According to <URL: https://bugzilla.redhat.com/show_bug.cgi?id=1216891 >
> this is the same issue as
> <URL: https://github.com/libarchive/libarchive/issues/503 > which was
> assigned CVE-2015-8915.

Thanks for your investigation! I have updated the tracker and removed
thus the entry with the temporary item only.

Regards,
Salvatore



Reply sent to Andreas Henriksson <andreas@fatal.se>:
You have taken responsibility. (Sat, 05 Jan 2019 09:27:05 GMT).


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sat, 05 Jan 2019 09:27:05 GMT).


Message #22 received at 784213-done@bugs.debian.org:

From: Andreas Henriksson <andreas@fatal.se>
To: 784213-done@bugs.debian.org
Subject: fixed in stable or newer
Date: Sat, 5 Jan 2019 10:23:26 +0100

Hello,

I'm closing this bug report since the problem is already fixed
in stable/testing/unstable (and it seems unlikely someone is interested
in addressing it for oldstable or they would have done so by now).

Regards,
Andreas Henriksson



Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 05 Feb 2019 07:26:13 GMT).



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 13:59:58 2019; Machine Name: buxtehude
