libarchive: fix for CVE-2011-1777 and CVE-2011-1778

Related Vulnerabilities: CVE-2011-1777   CVE-2011-1778  

Debian Bug report logs - #651844


Reported by: Marc Deslauriers <marc.deslauriers@ubuntu.com>

Date: Mon, 12 Dec 2011 15:09:02 UTC

Severity: normal

Tags: patch

Found in version 2.8.5-3

Fixed in version libarchive/2.8.5-5

Done: Andres Mejia <amejia@debian.org>

Bug is archived. No further changes may be made.




Report forwarded to debian-bugs-dist@lists.debian.org, Debian Libarchive Maintainers <ah-libarchive@debian.org>: Bug#651844; Package libarchive. (Mon, 12 Dec 2011 15:09:05 GMT)


Acknowledgement sent to Marc Deslauriers <marc.deslauriers@ubuntu.com>: New Bug report received and forwarded. Copy sent to Debian Libarchive Maintainers <ah-libarchive@debian.org>. (Mon, 12 Dec 2011 15:09:05 GMT)


Message #5 received at submit@bugs.debian.org:

From: Marc Deslauriers <marc.deslauriers@ubuntu.com>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: libarchive: fix for CVE-2011-1777 and CVE-2011-1778
Date: Mon, 12 Dec 2011 10:07:35 -0500
Package: libarchive
Version: 2.8.5-3
Severity: normal
Tags: patch
User: ubuntu-devel@lists.ubuntu.com
Usertags: origin-ubuntu precise ubuntu-patch



In Ubuntu, the attached patch was applied to achieve the following:

  * SECURITY UPDATE: arbitrary code execution via iso9660 overflows
    - debian/patches/CVE-2011-1777.patch: correctly fail on out of memory
      conditions in libarchive/archive_read_support_format_iso9660.c.
    - CVE-2011-1777
  * SECURITY UPDATE: arbitrary code execution via tar overflows
    - debian/patches/CVE-2011-1778.patch: correctly fail on out of memory
      conditions in libarchive/archive_read_support_format_tar.c
    - CVE-2011-1778


Thanks for considering the patch.


-- System Information:
Debian Release: wheezy/sid
  APT prefers oneiric-updates
  APT policy: (500, 'oneiric-updates'), (500, 'oneiric-security'), (500, 'oneiric-proposed'), (500, 'oneiric')
Architecture: amd64 (x86_64)

Kernel: Linux 3.0.0-14-generic (SMP w/4 CPU cores)
Locale: LANG=en_CA.UTF-8, LC_CTYPE=en_CA.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
[tmp8ioEsB (text/x-diff, attachment)]
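The changelog entries above describe both patches as making the iso9660 and tar readers "correctly fail on out of memory conditions". The following is an added illustration of why that matters in a header parser; it is example code written for this page, not libarchive's source and not the attached patch. A buffer-growing helper that swallows an allocation failure leaves its caller believing the buffer is large enough, so the next copy of an attacker-sized field runs past the old, smaller allocation. The hardened form propagates the failure as ARCHIVE_FATAL so parsing stops before any write. The `growbuf` type, the `demo_realloc` fault-injection hook, `copy_bytes` (which records rather than performs the out-of-bounds write, so the demo is safe to run) and the `run_demo` driver are all constructed for this example; only the ARCHIVE_OK/ARCHIVE_FATAL values match libarchive's archive.h.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Status values as libarchive defines them (archive.h). */
#define ARCHIVE_OK      0
#define ARCHIVE_FATAL (-30)

/* Hypothetical growable string standing in for the buffers a header
 * parser fills with file names and path components. cap is always >= 1. */
struct growbuf { char *s; size_t len; size_t cap; };

/* Fault injection for the demo: force the allocator to fail, as a crafted
 * archive requesting an absurd field length can do for real. */
static int fail_alloc = 0;
/* Set when copy_bytes() would have written past the allocation; stands in
 * for the heap corruption (or ASan report) unchecked code produces. */
static int overflow_seen = 0;

static void *demo_realloc(void *p, size_t n)
{
    return fail_alloc ? NULL : realloc(p, n);
}

/* Copies n bytes plus a NUL. Instead of corrupting the heap when the
 * buffer is too small, it records the violation and clamps the length so
 * the demo stays memory-safe; real parser code has no such guard. */
static void copy_bytes(struct growbuf *b, const char *src, size_t n)
{
    if (n + 1 > b->cap) {
        overflow_seen = 1;
        n = b->cap - 1;
    }
    memcpy(b->s, src, n);
    b->s[n] = '\0';
    b->len = n;
}

/* BEFORE: the allocation failure is swallowed. cap is left unchanged and
 * the caller cannot tell that nothing was grown. */
static void ensure_unchecked(struct growbuf *b, size_t need)
{
    if (need <= b->cap)
        return;
    char *p = demo_realloc(b->s, need);
    if (p == NULL)
        return;
    b->s = p;
    b->cap = need;
}

static int read_name_unchecked(struct growbuf *b, const char *field, size_t n)
{
    ensure_unchecked(b, n + 1);
    copy_bytes(b, field, n);          /* trusts that ensure() succeeded */
    return ARCHIVE_OK;
}

/* AFTER: allocation failure is a fatal error that reaches the caller. */
static int ensure_checked(struct growbuf *b, size_t need)
{
    if (need <= b->cap)
        return ARCHIVE_OK;
    char *p = demo_realloc(b->s, need);
    if (p == NULL)
        return ARCHIVE_FATAL;
    b->s = p;
    b->cap = need;
    return ARCHIVE_OK;
}

static int read_name_checked(struct growbuf *b, const char *field, size_t n)
{
    if (ensure_checked(b, n + 1) != ARCHIVE_OK)
        return ARCHIVE_FATAL;         /* stop parsing; no write happens */
    copy_bytes(b, field, n);
    return ARCHIVE_OK;
}

/* Driver: an 8-byte buffer receives a constructed 63-byte name while the
 * allocator is forced to fail. Returns the parser status and reports via
 * *overflowed whether copy_bytes() saw an out-of-bounds write. */
static int run_demo(int checked, int *overflowed)
{
    char name[64];
    struct growbuf b = { malloc(8), 0, 8 };
    int rc;

    memset(name, 'A', sizeof name - 1);
    name[sizeof name - 1] = '\0';
    if (b.s == NULL)
        return ARCHIVE_FATAL;
    overflow_seen = 0;
    fail_alloc = 1;
    rc = checked ? read_name_checked(&b, name, sizeof name - 1)
                 : read_name_unchecked(&b, name, sizeof name - 1);
    fail_alloc = 0;
    *overflowed = overflow_seen;
    free(b.s);
    return rc;
}

/* Convenience accessors for the two outcomes of one run. */
static int demo_rc(int checked)         { int ov; return run_demo(checked, &ov); }
static int demo_overflowed(int checked) { int ov; run_demo(checked, &ov); return ov; }

int main(void)
{
    printf("unchecked: rc=%d overflow=%d\n", demo_rc(0), demo_overflowed(0));
    printf("checked:   rc=%d overflow=%d\n", demo_rc(1), demo_overflowed(1));
    return 0;
}
```

Run as-is: the unchecked path reports ARCHIVE_OK while the overflow flag is set, which is exactly the silent success the advisory text describes; the checked path returns ARCHIVE_FATAL and never copies. The review check this encodes applies to every malloc, calloc and realloc in a parser of attacker-controlled input: the return value must be tested, and the failure must propagate to the caller rather than being absorbed in a helper.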

Reply sent to Andres Mejia <amejia@debian.org>: You have taken responsibility. (Wed, 14 Dec 2011 17:36:04 GMT)


Notification sent to Marc Deslauriers <marc.deslauriers@ubuntu.com>: Bug acknowledged by developer. (Wed, 14 Dec 2011 17:36:04 GMT)


Message #10 received at 651844-close@bugs.debian.org:

From: Andres Mejia <amejia@debian.org>
To: 651844-close@bugs.debian.org
Subject: Bug#651844: fixed in libarchive 2.8.5-5
Date: Wed, 14 Dec 2011 17:32:48 +0000
Source: libarchive
Source-Version: 2.8.5-5

We believe that the bug you reported is fixed in the latest version of
libarchive, which is due to be installed in the Debian FTP archive:

bsdcpio_2.8.5-5_amd64.deb
  to main/liba/libarchive/bsdcpio_2.8.5-5_amd64.deb
bsdtar_2.8.5-5_amd64.deb
  to main/liba/libarchive/bsdtar_2.8.5-5_amd64.deb
libarchive-dev_2.8.5-5_amd64.deb
  to main/liba/libarchive/libarchive-dev_2.8.5-5_amd64.deb
libarchive1_2.8.5-5_amd64.deb
  to main/liba/libarchive/libarchive1_2.8.5-5_amd64.deb
libarchive_2.8.5-5.debian.tar.gz
  to main/liba/libarchive/libarchive_2.8.5-5.debian.tar.gz
libarchive_2.8.5-5.dsc
  to main/liba/libarchive/libarchive_2.8.5-5.dsc



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 651844@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Andres Mejia <amejia@debian.org> (supplier of updated libarchive package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)



Format: 1.8
Date: Wed, 14 Dec 2011 12:18:31 -0500
Source: libarchive
Binary: libarchive-dev libarchive1 bsdtar bsdcpio
Architecture: source amd64
Version: 2.8.5-5
Distribution: unstable
Urgency: medium
Maintainer: Debian Libarchive Maintainers <ah-libarchive@debian.org>
Changed-By: Andres Mejia <amejia@debian.org>
Description: 
 bsdcpio    - Implementation of the 'cpio' program from FreeBSD
 bsdtar     - Implementation of the 'tar' program from FreeBSD
 libarchive-dev - Multi-format archive and compression library (development files)
 libarchive1 - Multi-format archive and compression library (shared library)
Closes: 651844 651995
Changes: 
 libarchive (2.8.5-5) unstable; urgency=medium
 .
   * Backport fixes for CVE-2011-1777 and CVE-2011-1778.
     (Closes: #651844)
   * Fix build failure for GNU/Hurd. (Closes: #651995)
   * Regenerate autoreconf patch.
Checksums-Sha1: 
 cf92a102e67d7cf1a2dd8e2ac41b3de20ec46bfd 2223 libarchive_2.8.5-5.dsc
 5045f02a88fbfb5dd223b4f5fd3927f0bca1cfad 168722 libarchive_2.8.5-5.debian.tar.gz
 75a5204a3c1b6baac779d2ead7cc52269dd5694a 234786 libarchive-dev_2.8.5-5_amd64.deb
 474357e7a24ff106a2b51d41974c010e2fcad483 121958 libarchive1_2.8.5-5_amd64.deb
 9f26ac77a170aca6b7a5c27efc2e36ebb41daedc 152868 bsdtar_2.8.5-5_amd64.deb
 21bbd1f800f26aca0ca4636d85206f5e606715cb 130520 bsdcpio_2.8.5-5_amd64.deb
Checksums-Sha256: 
 567fc79e219712cf20fd05db2cbce70067592ac6a78a54ec48ba7558e46f5e0e 2223 libarchive_2.8.5-5.dsc
 187b956945f0256406cd90b68d3139c5307c6fd87eeff67fbbee911f59864aea 168722 libarchive_2.8.5-5.debian.tar.gz
 d1870b227313414a80f1c87de418d781a014bfe8a9cf5cdfb3640968c3c11b7d 234786 libarchive-dev_2.8.5-5_amd64.deb
 55dd15d6e2d5f8287f480e6ebc500f297b561ed16f66aa605a858d768b1faf2d 121958 libarchive1_2.8.5-5_amd64.deb
 9df93dbb93ab1b62b8d77fd4b1ec2e8ad3c449e25e3b553c58f8fb40fe7f9445 152868 bsdtar_2.8.5-5_amd64.deb
 1f5aa7568529d0dcff13b32fa9f2bd492a83254a9fb41d75509fd61b4c3e53ee 130520 bsdcpio_2.8.5-5_amd64.deb
Files: 
 3345e7fb68ad082d1125103122541fc7 2223 libs optional libarchive_2.8.5-5.dsc
 18e82cd58314c77cbebab8a29aa1dfa6 168722 libs optional libarchive_2.8.5-5.debian.tar.gz
 452e17c29c60516e349ece67edbb64c3 234786 libdevel optional libarchive-dev_2.8.5-5_amd64.deb
 50d891f5dc5b613a46d6483860e54728 121958 libs optional libarchive1_2.8.5-5_amd64.deb
 502974bfb3e6e15eb054ef4138ed9be9 152868 utils optional bsdtar_2.8.5-5_amd64.deb
 cb27b545f4cc913fa24d24a8d7da0e98 130520 utils optional bsdcpio_2.8.5-5_amd64.deb






Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 17 Jan 2012 07:37:37 GMT)




