Your message dated Mon, 16 May 2016 09:53:04 +0000
with message-id <e1b2fcy-0006fd...@franck.debian.org>
and subject line Bug#823893: fixed in libarchive 3.1.2-11.1
has caused the Debian Bug report #823893,
regarding libarchive: CVE-2016-1541
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
823893: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=823893
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: libarchive
Version: 3.1.2-11
Severity: grave
Tags: security upstream fixed-upstream
Justification: user security hole
Control: fixed -1 3.2.0-1

Hi,

the following vulnerability was published for libarchive.

CVE-2016-1541[0]:
| Heap-based buffer overflow in the zip_read_mac_metadata function in
| archive_read_support_format_zip.c in libarchive before 3.2.0 allows
| remote attackers to execute arbitrary code via crafted entry-size
| values in a ZIP archive.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2016-1541
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1541
[1] https://www.kb.cert.org/vuls/id/862384

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: libarchive
Source-Version: 3.1.2-11.1

We believe that the bug you reported is fixed in the latest version of
libarchive, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 823...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Simon McVittie <s...@debian.org> (supplier of updated libarchive package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Mon, 16 May 2016 09:46:05 +0100
Source: libarchive
Binary: libarchive-dev libarchive13 bsdtar bsdcpio
Architecture: amd64 source
Version: 3.1.2-11.1
Distribution: unstable
Urgency: high
Maintainer: Debian Libarchive Maintainers <ah-libarch...@debian.org>
Changed-By: Simon McVittie <s...@debian.org>
Closes: 823893 823984
Description: 
 bsdcpio    - Implementation of the 'cpio' program from FreeBSD
 bsdtar     - Implementation of the 'tar' program from FreeBSD
 libarchive13 - Multi-format archive and compression library (shared library)
 libarchive-dev - Multi-format archive and compression library (development files)
Changes:
 libarchive (3.1.2-11.1) unstable; urgency=high
 .
   * Non-maintainer upload.
     - Make libarchive/unstable catch up with libarchive/stable
       (Closes: #823984)
 .
   [ Salvatore Bonaccorso ]
   * CVE-2016-1541: heap-based buffer overflow due to improper input
     validation (Closes: #823893)

--- End Message ---
