[Secure-testing-team] Bug#861609: libarchive: CVE-2016-10349 CVE-2016-10350

Salvatore Bonaccorso carnil at debian.org
Mon May 1 13:16:09 UTC 2017


Source: libarchive
Version: 3.1.2-11
Severity: important
Tags: security patch upstream

Hi,

the following vulnerabilities were published for libarchive.

CVE-2016-10349[0]:
| The archive_le32dec function in archive_endian.h in libarchive 3.2.2
| allows remote attackers to cause a denial of service (heap-based buffer
| over-read and application crash) via a crafted file.

CVE-2016-10350[1]:
| The archive_read_format_cab_read_header function in
| archive_read_support_format_cab.c in libarchive 3.2.2 allows remote
| attackers to cause a denial of service (heap-based buffer over-read and
| application crash) via a crafted file.

The issue is present back to 3.1.2 and is verifiable with an ASAN build;
the upstream reports [2] and [3] contain details, and it is fixed with [4].
I did bisect the upstream repo to try to confirm that:

I'm not yet sure if we want a DSA for those; please check back with
team at security.debian.org. It definitely would be great to see the fix
for stretch.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2016-10349
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10349
[1] https://security-tracker.debian.org/tracker/CVE-2016-10350
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10350
[2] https://github.com/libarchive/libarchive/issues/834
[3] https://github.com/libarchive/libarchive/issues/835
[4] https://github.com/libarchive/libarchive/commit/88eb9e1d73fef46f04677c25b1697b8e25777ed3

Regards,
Salvatore