Source: libarchive
Version: 3.1.2-11
Severity: important
Tags: upstream security
Forwarded: https://github.com/libarchive/libarchive/issues/842
Hi,

the following vulnerability was published for libarchive.

CVE-2016-10209[0]:
| The archive_wstring_append_from_mbs function in archive_string.c in
| libarchive 3.2.2 allows remote attackers to cause a denial of service
| (NULL pointer dereference and application crash) via a crafted archive
| file.

It was reported upstream at [1] and if I'm correct the fix should be [2].
Can you confirm that?

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2016-10209
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10209
[1] https://github.com/libarchive/libarchive/issues/842
[2] https://github.com/libarchive/libarchive/commit/42a3408ac7df1e69bea9ea12b72e14f59f7400c0

Please adjust the affected versions in the BTS as needed.

Regarding an update, I do not think this would warrant a DSA on its own
but would be great once fixed for sid and stretch, if a fix can as well
land in jessie (via a point release as well for the other issues marked
currently no-dsa).

Regards,
Salvatore

-- System Information:
Debian Release: 9.0
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)