Public bug reported:

Please sync libarchive 3.2.0-2 (main) from Debian unstable (main)

Explanation of the Ubuntu delta and why it can be dropped:
  * SECURITY UPDATE: code execution via incorrect compressed size
    - debian/patches/CVE-2016-1541.patch: check sizes in
      libarchive/archive_read_support_format_zip.c.
    - CVE-2016-1541
  * SECURITY UPDATE: denial of service via malformed cpio archive
    - debian/patches/issue502.patch: fix implicit cast in
      libarchive/archive_read_support_format_cpio.c, reject attempts to
      move the file pointer by a negative amount in
      libarchive/archive_read.c.
    - CVE number pending.

I verified in the code that both of the above security fixes are present in the new upstream release in unstable.

Changelog entries since current yakkety version 3.1.2-11ubuntu1:

libarchive (3.2.0-2) unstable; urgency=medium

  * Add CVE identifiers to previous changelog entry.
  * Upload to unstable.

 -- Andreas Henriksson <andr...@fatal.se>  Wed, 01 Jun 2016 07:34:12 +0200

libarchive (3.2.0-1) experimental; urgency=medium

  * CVE-2016-1541: heap-based buffer overflow due to improper input
    validation (Closes: #823893)
  * New upstream test release (3.1.901a).
  * Add liblz4-dev build-dependency to enable lz4 support.
  * Enable new bsdcat utility in separate package
  * Drop all patches, now included in release.
  * Add pkg-config build-dependency
  * Have dh-autoreconf use upstream build/autogen.sh
  * New upstream release (3.2.0).

 -- Andreas Henriksson <andr...@fatal.se>  Fri, 06 May 2016 10:08:56 +0200

** Affects: libarchive (Ubuntu)
     Importance: Wishlist
         Status: New

** Changed in: libarchive (Ubuntu)
   Importance: Undecided => Wishlist

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to libarchive in Ubuntu.
https://bugs.launchpad.net/bugs/1590235

Title:
  Sync libarchive 3.2.0-2 (main) from Debian unstable (main)

Status in libarchive package in Ubuntu:
  New