Copied from ubuntu yakkety in Private PPA for Ubuntu Security Team by Ubuntu Archive Robot
Changelog
libarchive (3.2.1-2ubuntu0.1) yakkety-security; urgency=medium

  * SECURITY UPDATE: arbitrary file write via hardlink entries
    - debian/patches/CVE-2016-5418-1.patch: enforce sandbox with very long
      pathnames in libarchive/archive_write_disk_posix.c.
    - debian/patches/CVE-2016-5418-2.patch: fix path handling in
      libarchive/archive_write_disk_posix.c.
    - debian/patches/CVE-2016-5418-3.patch: add test cases to Makefile.am,
      libarchive/test/CMakeLists.txt, libarchive/test/main.c,
      libarchive/test/test.h, libarchive/test/test_write_disk_secure744.c,
      libarchive/test/test_write_disk_secure745.c,
      libarchive/test/test_write_disk_secure746.c.
    - debian/patches/CVE-2016-5418-4.patch: fix testcases in
      libarchive/test/test_write_disk_secure745.c,
      libarchive/test/test_write_disk_secure746.c.
    - debian/patches/CVE-2016-5418-5.patch: correct PATH_MAX usage in
      libarchive/archive_write_disk_posix.c.
    - CVE-2016-5418
  * SECURITY UPDATE: denial of service via non-printable multibyte
    character in a filename
    - debian/patches/CVE-2016-8687.patch: expand buffer size in tar/util.c.
    - CVE-2016-8687
  * SECURITY UPDATE: denial of service via multiple long lines
    - debian/patches/CVE-2016-8688.patch: fix bounds in
      libarchive/archive_read_support_format_mtree.c, added test to
      Makefile.am, libarchive/test/CMakeLists.txt,
      libarchive/test/test_read_format_mtree_crash747.c,
      libarchive/test/test_read_format_mtree_crash747.mtree.bz2.uu.
    - CVE-2016-8688
  * SECURITY UPDATE: denial of service via multiple EmptyStream attributes
    - debian/patches/CVE-2016-8689.patch: reject files with multiple
      markers in libarchive/archive_read_support_format_7zip.c.
    - CVE-2016-8689
  * SECURITY UPDATE: denial of service via invalid compressed file size
    - debian/patches/CVE-2017-5601.patch: add check to
      libarchive/archive_read_support_format_lha.c.
    - CVE-2017-5601

 -- Marc Deslauriers <email address hidden>  Thu, 09 Mar 2017 10:35:20 -0500