Univention Bugzilla – Bug 50440
libarchive: Multiple issues (4.4)
Last modified: 2019-11-06 14:41:06 CET
New Debian libarchive 3.2.2-2+deb9u2 fixes:
This update addresses the following issues:
* archive_read_format_rar_read_data in archive_read_support_format_rar.c in libarchive before 3.4.0 has a use-after-free in a certain ARCHIVE_FAILED situation, related to Ppmd7_DecodeSymbol. (CVE-2019-18408)
* Out of bounds read in archive_read_support_format_7zip.c resulting in a denial of service (CVE-2019-1000019)
* Infinite recursion in archive_read_support_format_iso9660.c resulting in denial of service (CVE-2019-1000020)
--- mirror/ftp/4.4/unmaintained/4.4-0/source/libarchive_3.2.2-2+deb9u1.dsc +++ apt/ucs_4.4-0-errata4.4-2/source/libarchive_3.2.2-2+deb9u2.dsc @@ -1,3 +1,16 @@ +3.2.2-2+deb9u2 [Sun, 27 Oct 2019 10:03:02 +0200] Thorsten Alteholz <debian@alteholz.de>: + + * Non-maintainer upload by the LTS team. + * CVE-2019-18408 + Fix use after free in case parts of the archive are corrupt but + the archive contains several headers. + * Fix CVE-2019-1000019 + Out-of-bounds Read vulnerability in 7zip decompression, that can + result in a crash (denial of service, CWE-125) + * Fix CVE-2019-1000020 + vulnerability in ISO9660 parser that can result in DoS by infinite + loop (CWE-835) + 3.2.2-2+deb9u1 [Fri, 21 Dec 2018 21:11:50 +0100] Markus Koschany <apo@debian.org>: * Non-maintainer upload. <http://10.200.17.11/4.4-2/#5965341833369857384>
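Review bot: the changelog entry for CVE-2019-18408 is the only one of the three without the "Fix" prefix ("* CVE-2019-18408" versus "* Fix CVE-2019-1000019" and "* Fix CVE-2019-1000020"); aligning it with the other two would make the entries read consistently. The wording for CVE-2019-1000020 also differs between this changelog ("DoS by infinite loop (CWE-835)") and the bug description above ("Infinite recursion ... resulting in denial of service"); one phrasing should be used in the errata text so the advisory does not describe the same issue two ways.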
OK: yaml
OK: announce_errata
OK: patch
OK: piuparts
[4.4-2] b3f4b66685 Bug #50440: libarchive 3.2.2-2+deb9u2
 doc/errata/staging/libarchive.yaml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
[4.4-2] f09dae33ab Bug #50440: libarchive 3.2.2-2+deb9u2
 doc/errata/staging/libarchive.yaml | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)
<http://errata.software-univention.de/ucs/4.4/329.html>