Your message dated Mon, 03 Oct 2016 22:03:37 +0000
with message-id <e1brbkj-0007cs...@franck.debian.org>
and subject line Bug#837714: fixed in libarchive 3.1.2-11+deb8u3
has caused the Debian Bug report #837714,
regarding libarchive: CVE-2016-5418: Archive Entry with type 1 (hardlink), but has a non-zero data size file overwrite
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
837714: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=837714
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: libarchive
Version: 3.2.1-2
Severity: grave
Tags: security upstream patch
Hi,
the following vulnerability was published for libarchive.
CVE-2016-5418[0]:
|Archive Entry with type 1 (hardlink), but has a non-zero data size
|file overwrite
This corresponds to [1] and [2], which is upstream as [3].
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2016-5418
[1] https://git.centos.org/blob/rpms!libarchive.git/9952851f8b327a8c93d26a5873c190c1fb09ae6c/SOURCES!libarchive-3.1.2-CVE-2016-5418.patch;jsessionid=1dexz8h9qdewibih5aonbu3
[2] https://git.centos.org/blob/rpms!libarchive.git/9952851f8b327a8c93d26a5873c190c1fb09ae6c/SOURCES!libarchive-3.1.2-CVE-2016-5418-variation.patch;jsessionid=1dexz8h9qdewibih5aonbu3
[3] https://github.com/libarchive/libarchive/commit/dfd6b54ce33960e420fb206d8872fb759b577ad9
Please adjust the affected versions in the BTS as needed. The jessie
version has not been checked yet, but is probably similarly affected.
Regards,
Salvatore
--- End Message ---
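The report above describes the trigger condition for CVE-2016-5418 as a tar entry whose typeflag is 1 (hardlink) but whose size field is non-zero. A defender who has to feed untrusted archives to an extractor can screen for that condition before extraction. The script below is an added example written for this page; it is not libarchive code or part of the Debian fix. It parses raw 512-byte ustar headers itself (so it does not depend on how any particular library treats link entries), verifies each header checksum, and reports every hardlink entry that declares a payload. The sample archive it scans is constructed inline from made-up file names.

```python
"""
Pre-extraction screen for the CVE-2016-5418 trigger condition:
a ustar entry with typeflag '1' (hardlink) whose size field is non-zero.
Added example for this page; stdlib only, raw header parsing.
"""

BLOCK = 512
LNKTYPE = b"1"  # ustar typeflag for a hardlink entry
REGTYPE = b"0"  # ustar typeflag for a regular file


def _octal(value: int, width: int) -> bytes:
    """Encode an integer as a NUL-terminated, zero-padded octal field."""
    return ("%0*o" % (width - 1, value)).encode("ascii") + b"\0"


def _parse_octal(field: bytes) -> int:
    """Decode a NUL/space-terminated octal field; an empty field reads as 0."""
    digits = field.split(b"\0", 1)[0].strip()
    return int(digits, 8) if digits else 0


def make_entry(name: bytes, typeflag: bytes, data: bytes = b"",
               linkname: bytes = b"") -> bytes:
    """Build one ustar header block plus 512-byte-padded data.

    Used only to construct the sample archive (test fixture); it deliberately
    lets a link entry carry data, which is the condition we want to detect.
    """
    hdr = bytearray(BLOCK)
    hdr[0:len(name)] = name
    hdr[100:108] = _octal(0o644, 8)        # mode
    hdr[108:116] = _octal(0, 8)            # uid
    hdr[116:124] = _octal(0, 8)            # gid
    hdr[124:136] = _octal(len(data), 12)   # size: the field the check keys on
    hdr[136:148] = _octal(0, 12)           # mtime
    hdr[148:156] = b" " * 8                # checksum is computed over spaces
    hdr[156:157] = typeflag
    hdr[157:157 + len(linkname)] = linkname
    hdr[257:263] = b"ustar\0"
    hdr[263:265] = b"00"
    hdr[148:156] = ("%06o" % sum(hdr)).encode("ascii") + b"\0 "
    return bytes(hdr) + data + b"\0" * (-len(data) % BLOCK)


def build_sample_archive() -> bytes:
    """Constructed archive: regular file, clean hardlink, hardlink with data,
    then one more regular file to show the scanner stays in sync."""
    entries = [
        make_entry(b"data/hello.txt", REGTYPE, b"hello\n"),
        make_entry(b"data/hello-link.txt", LNKTYPE, b"",
                   linkname=b"data/hello.txt"),
        make_entry(b"data/hello-bad.txt", LNKTYPE, b"not a link payload\n",
                   linkname=b"data/hello.txt"),
        make_entry(b"data/after.txt", REGTYPE, b"still parsed correctly\n"),
    ]
    return b"".join(entries) + b"\0" * (2 * BLOCK)  # end-of-archive marker


def parse_entries(blob: bytes) -> list:
    """Walk the archive header by header and return one dict per entry.
    Raises ValueError on a header whose checksum does not verify."""
    entries = []
    off = 0
    while off + BLOCK <= len(blob):
        hdr = blob[off:off + BLOCK]
        if hdr == b"\0" * BLOCK:  # end-of-archive marker
            break
        stored = _parse_octal(hdr[148:156])
        computed = sum(hdr[:148]) + 8 * 0x20 + sum(hdr[156:])
        if stored != computed:
            raise ValueError("bad header checksum at offset %d" % off)
        size = _parse_octal(hdr[124:136])
        entries.append({
            "name": hdr[0:100].split(b"\0", 1)[0].decode("utf-8", "replace"),
            "typeflag": hdr[156:157],
            "linkname": hdr[157:257].split(b"\0", 1)[0].decode("utf-8", "replace"),
            "size": size,
        })
        # Always honour the size field when advancing, even for link entries:
        # a reader that skips it for links desynchronises and misparses the
        # rest of the archive.
        off += BLOCK + (size + BLOCK - 1) // BLOCK * BLOCK
    return entries


def find_hardlinks_with_data(blob: bytes) -> list:
    """Return (name, linkname, size) for every hardlink entry with size != 0."""
    return [(e["name"], e["linkname"], e["size"])
            for e in parse_entries(blob)
            if e["typeflag"] == LNKTYPE and e["size"] != 0]


if __name__ == "__main__":
    for name, target, size in find_hardlinks_with_data(build_sample_archive()):
        print("hardlink %r -> %r carries %d bytes of data" % (name, target, size))
```

A hit from this check is a reason to refuse the archive, or to extract it only with a libarchive that includes the fix cited above, rather than trusting an older extractor to handle the entry safely. The scanner advances past the payload using the header's size field on purpose: the same size field is what an extractor must account for, and a parser that assumes link entries never have data will read the payload bytes as the next header.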
--- Begin Message ---
Source: libarchive
Source-Version: 3.1.2-11+deb8u3
We believe that the bug you reported is fixed in the latest version of
libarchive, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 837...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Salvatore Bonaccorso <car...@debian.org> (supplier of updated libarchive package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sat, 24 Sep 2016 13:25:26 +0200
Source: libarchive
Binary: libarchive-dev libarchive13 bsdtar bsdcpio
Architecture: source
Version: 3.1.2-11+deb8u3
Distribution: jessie-security
Urgency: high
Maintainer: Debian Libarchive Maintainers <ah-libarch...@debian.org>
Changed-By: Salvatore Bonaccorso <car...@debian.org>
Closes: 837714
Description:
bsdcpio - Implementation of the 'cpio' program from FreeBSD
bsdtar - Implementation of the 'tar' program from FreeBSD
libarchive-dev - Multi-format archive and compression library (development files)
libarchive13 - Multi-format archive and compression library (shared library)
Changes:
libarchive (3.1.2-11+deb8u3) jessie-security; urgency=high
.
* Non-maintainer upload by the Security Team.
* CVE-2016-7166: Denial of service using a crafted gzip file
* CVE-2016-6250: Integer overflow in the ISO9660 writer
* CVE-2016-5418: Archive Entry with type 1 (hardlink), but has a non-zero
data size file overwrite (Closes: #837714)
Checksums-Sha1:
effe9337181e17f0dbedd313ec796cb59dd66cba 2453 libarchive_3.1.2-11+deb8u3.dsc
518986a94568b2111a1e087a0ca0cd5ebaa9b268 36064 libarchive_3.1.2-11+deb8u3.debian.tar.xz
Checksums-Sha256:
5838e99469280cb3e90653d327c5b3b315fba810414591cb45206488017fb598 2453 libarchive_3.1.2-11+deb8u3.dsc
ab2c0220d1253675b07a23c6fe8a4eeea9d59168b165bdf59f6a93c78d25fbe0 36064 libarchive_3.1.2-11+deb8u3.debian.tar.xz
Files:
3345cb4ec3faea86a57c70d9fffd703e 2453 libs optional libarchive_3.1.2-11+deb8u3.dsc
10b2951cb6feb392bb6d3831797982e2 36064 libs optional libarchive_3.1.2-11+deb8u3.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
=DopT
-----END PGP SIGNATURE-----
--- End Message ---