Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock
Please unblock package libarchive

3.0.4-3 has been uploaded to unstable with the only change being an added security patch from upstream for CVE-2013-0211 as proposed in http://bugs.debian.org/703957 by Moritz Muehlenhoff. Debdiff attached.

unblock libarchive/3.0.4-3

-- System Information:
Debian Release: 7.0
  APT prefers unstable
  APT policy: (300, 'unstable'), (100, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-4-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=sv_SE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
diff -Nru libarchive-3.0.4/debian/changelog libarchive-3.0.4/debian/changelog --- libarchive-3.0.4/debian/changelog 2012-05-24 14:50:50.000000000 +0200 +++ libarchive-3.0.4/debian/changelog 2013-03-27 17:14:58.000000000 +0100 @@ -1,3 +1,9 @@ +libarchive (3.0.4-3) unstable; urgency=low + + * Add patch that fixes CVE-2013-0211. (Closes: #703957) + + -- Andreas Henriksson <andr...@fatal.se> Wed, 27 Mar 2013 16:20:36 +0100 + libarchive (3.0.4-2) unstable; urgency=low * Add debian/patches/gcc-4.7-fixes-from-upstream.patch diff -Nru libarchive-3.0.4/debian/patches/fix-CVE-2013-0211.patch libarchive-3.0.4/debian/patches/fix-CVE-2013-0211.patch --- libarchive-3.0.4/debian/patches/fix-CVE-2013-0211.patch 1970-01-01 01:00:00.000000000 +0100 +++ libarchive-3.0.4/debian/patches/fix-CVE-2013-0211.patch 2013-03-27 17:14:09.000000000 +0100 @@ -0,0 +1,21 @@ +Description: Fix CVE-2013-0211: read buffer overflow on 64-bit systems +Origin: upstream +Bug-Debian: http://bugs.debian.org/703957 +Forwarded: not-needed + +--- libarchive-3.0.4.orig/libarchive/archive_write.c ++++ libarchive-3.0.4/libarchive/archive_write.c +@@ -665,8 +665,13 @@ static ssize_t + _archive_write_data(struct archive *_a, const void *buff, size_t s) + { + struct archive_write *a = (struct archive_write *)_a; ++ const size_t max_write = INT_MAX; ++ + archive_check_magic(&a->archive, ARCHIVE_WRITE_MAGIC, + ARCHIVE_STATE_DATA, "archive_write_data"); ++ /* In particular, this catches attempts to pass negative values. */ ++ if (s > max_write) ++ s = max_write; + archive_clear_error(&a->archive); + return ((a->format_write_data)(a, buff, s)); + } diff -Nru libarchive-3.0.4/debian/patches/series libarchive-3.0.4/debian/patches/series --- libarchive-3.0.4/debian/patches/series 2012-05-24 14:50:50.000000000 +0200 +++ libarchive-3.0.4/debian/patches/series 2013-03-27 15:32:47.000000000 +0100 @@ -1 +1,2 @@ gcc-4.7-fixes-from-upstream.patch +fix-CVE-2013-0211.patch
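Review bot: the new patch file hunk (debian/patches/fix-CVE-2013-0211.patch) uses INT_MAX in the added `const size_t max_write = INT_MAX;` line of archive_write.c but adds no `#include <limits.h>`; please confirm archive_write.c already has it in scope (directly or via its platform header), since the hunk as shown would otherwise not compile. The DEP-3 header says `Origin: upstream` but gives no upstream commit URL or hash; adding one lets the release team compare the backport against the original change, which the Debian bug link alone does not identify. The clamp itself matches the described issue: `s` is `size_t`, so a negative length supplied by a caller arrives as a very large unsigned value, and capping it at INT_MAX keeps the `ssize_t` result of `format_write_data` in range on 64-bit systems. Worth noting for the changelog or patch description that an oversized request is silently shortened to INT_MAX rather than rejected with an error, which is upstream's choice but is a behaviour callers looping on the return value should be aware of.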
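Review bot: the changelog hunk's entry "Add patch that fixes CVE-2013-0211. (Closes: #703957)" only names the CVE; for readers of apt-listchanges and the security tracker it would help to carry the one-line summary already present in the patch header, e.g. "Fix CVE-2013-0211: read buffer overflow on 64-bit systems in archive_write_data()". The series hunk is in order (new patch appended after gcc-4.7-fixes-from-upstream.patch).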