Your message dated Wed, 18 May 2016 21:49:42 +0000
with message-id <e1b39la-0000tt...@franck.debian.org>
and subject line Bug#823893: fixed in libarchive 3.1.2-11+deb8u1
has caused the Debian Bug report #823893,
regarding libarchive: CVE-2016-1541
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
823893: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=823893
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: libarchive
Version: 3.1.2-11
Severity: grave
Tags: security upstream fixed-upstream
Justification: user security hole
Control: fixed -1 3.2.0-1
Hi,
the following vulnerability was published for libarchive.
CVE-2016-1541[0]:
| Heap-based buffer overflow in the zip_read_mac_metadata function in
| archive_read_support_format_zip.c in libarchive before 3.2.0 allows
| remote attackers to execute arbitrary code via crafted entry-size
| values in a ZIP archive.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2016-1541
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1541
[1] https://www.kb.cert.org/vuls/id/862384
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: libarchive
Source-Version: 3.1.2-11+deb8u1
We believe that the bug you reported is fixed in the latest version of
libarchive, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 823...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Salvatore Bonaccorso <car...@debian.org> (supplier of updated libarchive
package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
Format: 1.8
Date: Tue, 10 May 2016 07:00:10 +0200
Source: libarchive
Binary: libarchive-dev libarchive13 bsdtar bsdcpio
Architecture: source
Version: 3.1.2-11+deb8u1
Distribution: jessie-security
Urgency: high
Maintainer: Debian Libarchive Maintainers <ah-libarch...@debian.org>
Changed-By: Salvatore Bonaccorso <car...@debian.org>
Closes: 823893
Description:
bsdcpio - Implementation of the 'cpio' program from FreeBSD
bsdtar - Implementation of the 'tar' program from FreeBSD
libarchive-dev - Multi-format archive and compression library (development files)
libarchive13 - Multi-format archive and compression library (shared library)
Changes:
libarchive (3.1.2-11+deb8u1) jessie-security; urgency=high
.
* Non-maintainer upload by the Security Team.
* CVE-2016-1541: heap-based buffer overflow due to improper input
validation (Closes: #823893)
--- End Message ---