Your message dated Fri, 13 Jul 2007 13:32:02 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#432924: fixed in libarchive 2.2.4-1
has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)
Debian bug tracking system administrator
(administrator, Debian Bugs database)
--- Begin Message ---
Package: libarchive1
Version: 2.2.3-1
Tags: security
Severity: grave
FreeBSD has disclosed several security problems in libarchive:
| Several problems have been found in the code used to parse the tar and
| pax interchange formats. These include entering an infinite loop if an
| archive prematurely ends within a pax extension header or if certain
| types of corruption occur in pax extension headers [CVE-2007-3644];
| dereferencing a NULL pointer if an archive prematurely ends within a
| tar header immediately following a pax extension header or if certain
| other types of corruption occur in pax extension headers [CVE-2007-3645];
| and miscomputing the length of a buffer resulting in a buffer overflow
| if yet another type of corruption occurs in a pax extension header
| [CVE-2007-3641].
Please mention the CVE names when fixing these bugs.
--- End Message ---
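Added example, not part of the original report and not libarchive's code: a bounds-checked reader for pax extended-header records ("<length> <keyword>=<value>\n", the POSIX pax record layout) that rejects the truncated and corrupt inputs the advisory describes instead of looping or reading past the buffer. The function names and the sample header are constructed for illustration.

```c
#include <stddef.h>

/* Constructed sample: two well-formed records (12 and 30 bytes long). */
const char PAX_SAMPLE[] = "12 path=a/b\n30 mtime=1184332440.000000000\n";

/* Parse one pax record "<len> <key>=<value>\n" starting at buf[*off].
 * <len> is the decimal size of the whole record, its own digits included.
 * Returns 1 on success, 0 at clean end of data, -1 on truncated or corrupt
 * input. Failure paths leave *off untouched; success advances *off by at
 * least 5 bytes, so a caller's loop always terminates. */
static int pax_next_record(const char *buf, size_t size, size_t *off,
                           const char **key, size_t *klen,
                           const char **val, size_t *vlen)
{
    size_t p = *off, reclen = 0, digits = 0, end, eq;

    if (p > size) return -1;
    if (p == size) return 0;
    /* Length field: the digit count is capped so reclen cannot overflow. */
    while (p < size && buf[p] >= '0' && buf[p] <= '9') {
        if (++digits > 9) return -1;
        reclen = reclen * 10 + (size_t)(buf[p++] - '0');
    }
    if (digits == 0 || p == size || buf[p] != ' ') return -1;
    p++;
    /* Declared length must cover "N k=\n" and fit in the remaining data. */
    if (reclen < digits + 4 || reclen > size - *off) return -1;
    end = *off + reclen - 1;            /* index of the record's newline */
    if (buf[end] != '\n') return -1;
    /* Search for '=' inside this record only, never past its end. */
    eq = p;
    while (eq < end && buf[eq] != '=') eq++;
    if (eq == end || eq == p) return -1; /* no '=' or empty keyword */
    *key = buf + p;      *klen = eq - p;
    *val = buf + eq + 1; *vlen = end - (eq + 1);
    *off += reclen;
    return 1;
}

/* Walk a whole header: returns the record count, or -1 if any record is bad. */
int pax_count_records(const char *buf, size_t size)
{
    const char *k, *v;
    size_t kl, vl, off = 0;
    int rc, n = 0;
    while ((rc = pax_next_record(buf, size, &off, &k, &kl, &v, &vl)) == 1)
        n++;
    return rc < 0 ? -1 : n;
}
```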
--- Begin Message ---
Source: libarchive
Source-Version: 2.2.4-1
We believe that the bug you reported is fixed in the latest version of
libarchive, which is due to be installed in the Debian FTP archive:
bsdtar_2.2.4-1_i386.deb
to pool/main/liba/libarchive/bsdtar_2.2.4-1_i386.deb
libarchive-dev_2.2.4-1_i386.deb
to pool/main/liba/libarchive/libarchive-dev_2.2.4-1_i386.deb
libarchive1_2.2.4-1_i386.deb
to pool/main/liba/libarchive/libarchive1_2.2.4-1_i386.deb
libarchive_2.2.4-1.diff.gz
to pool/main/liba/libarchive/libarchive_2.2.4-1.diff.gz
libarchive_2.2.4-1.dsc
to pool/main/liba/libarchive/libarchive_2.2.4-1.dsc
libarchive_2.2.4.orig.tar.gz
to pool/main/liba/libarchive/libarchive_2.2.4.orig.tar.gz
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
John Goerzen <[EMAIL PROTECTED]> (supplier of updated libarchive package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Fri, 13 Jul 2007 08:14:00 -0500
Source: libarchive
Binary: libarchive-dev libarchive1 bsdtar
Architecture: source i386
Version: 2.2.4-1
Distribution: unstable
Urgency: high
Maintainer: John Goerzen <[EMAIL PROTECTED]>
Changed-By: John Goerzen <[EMAIL PROTECTED]>
Description:
bsdtar - tar(1) from FreeBSD, using libarchive
libarchive-dev - Single library to read/write tar, cpio, pax, zip, iso9660, etc.
libarchive1 - Single library to read/write tar, cpio, pax, zip, iso9660, etc.
Closes: 432924
Changes:
libarchive (2.2.4-1) unstable; urgency=high
.
* New upstream version with security fixes. Closes: #432924.
Fixes: CVE-2007-3641, CVE-2007-3644, CVE-2007-3645
Files:
c127391c6c9379894545ce6648c05e1f 697 libs optional libarchive_2.2.4-1.dsc
1dd9d267af446921cf93deb27d1fbe9e 636879 libs optional libarchive_2.2.4.orig.tar.gz
289fdffab7686eb09c4cf85610eb2929 5048 libs optional libarchive_2.2.4-1.diff.gz
27771af37903d368f850495a5e1d7e5d 129606 libdevel optional libarchive-dev_2.2.4-1_i386.deb
a34339f519b000d3b8f415e09eae2332 90998 libs optional libarchive1_2.2.4-1_i386.deb
b4f5672a6ed2e7ef1758689dd974e686 94418 libs optional bsdtar_2.2.4-1_i386.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
iD8DBQFGl3tt0miF3hOB5ikRAjElAKCYz++33rg8BA6oSlNQF6vDyAJfsACfXvPq
I0hOUlloDUR29Kk0LG0s4bs=
=03bK
-----END PGP SIGNATURE-----
--- End Message ---