Change log for libarchive package in Ubuntu
| 1 → 75 of 115 results | First • Previous • Next • Last |
libarchive (3.7.2-2) unstable; urgency=medium
[ Luca Boccassi ]
* libarchive-dev: depend on -dev packages in an attempt to
fix pkg-config --static --libs
Addresses: 1056317; more work needed on libarchive's own
configure tests
[ Peter Pentchev ]
* Acknowledge Lukas Märdian 64-bit-time_t-related NMU. Thanks!
* Add the year 2024 to my debian/* copyright notice.
* Re-sort the dependencies lists in the debian/control file.
* Switch the pkg-config dependency over to pkgconf.
* Add the robust-error-reporting upstream patch. Closes: #1068047
-- Peter Pentchev <email address hidden> Sat, 30 Mar 2024 20:11:06 +0200
Available diffs
| Superseded in noble-proposed |
libarchive (3.7.2-1.1ubuntu3) noble; urgency=medium * No-change rebuild for CVE-2024-3094 -- Steve Langasek <email address hidden> Sun, 31 Mar 2024 07:43:52 +0000
Available diffs
- diff from 3.7.2-1.1ubuntu2 to 3.7.2-1.1ubuntu3 (335 bytes)
libarchive (3.7.2-1.1ubuntu2) noble; urgency=medium * Rebuild against new time64_t renamed libraries. -- Gianfranco Costamagna <email address hidden> Thu, 21 Mar 2024 00:19:38 +0100
Available diffs
- diff from 3.7.2-1ubuntu2 to 3.7.2-1.1ubuntu2 (6.1 KiB)
- diff from 3.7.2-1.1ubuntu1 to 3.7.2-1.1ubuntu2 (349 bytes)
| Superseded in noble-proposed |
libarchive (3.7.2-1.1ubuntu1) noble; urgency=medium
* Merge with Debian; remaining changes:
- Run dh_auto_test by default
Available diffs
| Deleted in noble-updates (Reason: superseded by release) |
| Superseded in noble-release |
| Deleted in noble-proposed (Reason: Moved to noble) |
libarchive (3.7.2-1ubuntu2) noble; urgency=medium * armhf (-fstack-clash-protection) breakage rebuild -- Mate Kukri <email address hidden> Thu, 23 Nov 2023 15:10:55 +0000
Available diffs
- diff from 3.7.2-1ubuntu1 to 3.7.2-1ubuntu2 (341 bytes)
libarchive (3.7.2-1ubuntu1) noble; urgency=medium
* Merge with Debian unstable. Remaining changes:
- Run dh_auto_test by default
Available diffs
- diff from 3.6.2-1ubuntu1 to 3.7.2-1ubuntu1 (112.4 KiB)
| Superseded in noble-release |
| Published in mantic-release |
| Published in lunar-release |
| Deleted in lunar-proposed (Reason: Moved to lunar) |
libarchive (3.6.2-1ubuntu1) lunar; urgency=medium
* Sync with Debian. Remaining change:
- Run dh_auto_test by default
Available diffs
| Superseded in lunar-release |
| Obsolete in kinetic-release |
| Published in jammy-release |
| Deleted in jammy-proposed (Reason: Moved to jammy) |
libarchive (3.6.0-1ubuntu1) jammy; urgency=medium * Sync with Debian. (LP: #1967127) - Includes upstream fixes for CVE-2021-36976 * debian/rules: fix broken check for nocheck DEB_BUILD_OPTION * SECURITY UPDATE: possible out-of-bounds read - Cherry-pick CVE-2022-26280.patch to fix zipx_lzma_alone_init() - CVE-2022-26280
Available diffs
libarchive (3.4.3-2ubuntu0.2) impish-security; urgency=medium
* SECURITY UPDATE: Out-of-bounds read
- debian/patches/CVE-2022-26280.patch: fix possible out-of-bounds
read in zipx_lzma_alone_init() in libarchive/archive_read_support_format_zip.c.
- CVE-2022-26280
-- Leonidas Da Silva Barbosa <email address hidden> Tue, 05 Apr 2022 11:21:47 -0300
Available diffs
- diff from 3.4.3-2ubuntu0.1 to 3.4.3-2ubuntu0.2 (1008 bytes)
libarchive (3.4.0-2ubuntu1.2) focal-security; urgency=medium
* SECURITY UPDATE: Out-of-bounds read
- debian/patches/CVE-2022-26280.patch: fix possible out-of-bounds
read in zipx_lzma_alone_init() in libarchive/archive_read_support_format_zip.c.
- CVE-2022-26280
-- Leonidas Da Silva Barbosa <email address hidden> Tue, 05 Apr 2022 11:33:37 -0300
Available diffs
- diff from 3.4.0-2ubuntu1.1 to 3.4.0-2ubuntu1.2 (1003 bytes)
libarchive (3.5.2-1ubuntu1) jammy; urgency=medium
* SECURITY UPDATE: use-after-free in copy_string
- debian/patches/CVE-2021-36976-1.patch: fixed out of bounds read in
some files in Makefile.am,
libarchive/archive_read_support_format_rar5.c,
libarchive/test/*.
- debian/patches/CVE-2021-36976-2.patch: fix invalid memory access in
some files in Makefile.am,
libarchive/archive_read_support_format_rar5.c,
libarchive/test/test_read_format_rar5.c, libarchive/test/*.
- CVE-2021-36976
-- Marc Deslauriers <email address hidden> Wed, 16 Feb 2022 08:22:57 -0500
Available diffs
libarchive (3.4.0-2ubuntu1.1) focal-security; urgency=medium
* SECURITY UPDATE: extracting a symlink with ACLs modifies ACLs of target
- debian/patches/CVE-2021-23177.patch: fix handling of symbolic link
ACLs in libarchive/archive_disk_acl_freebsd.c,
libarchive/archive_disk_acl_linux.c,
libarchive/archive_disk_acl_sunos.c.
- CVE-2021-23177
* SECURITY UPDATE: symbolic links incorrectly followed
- debian/patches/CVE-2021-31566-1.patch: do not follow symlinks when
processing the fixup list in Makefile.am,
libarchive/archive_write_disk_posix.c,
libarchive/test/CMakeLists.txt,
libarchive/test/test_write_disk_fixup.c.
- debian/patches/CVE-2021-31566-2.patch: never follow symlinks when
setting file flags on Linux in libarchive/archive_write_disk_posix.c.
- debian/patches/CVE-2021-31566-3.patch: fix following symlinks when
processing the fixup list in libarchive/archive_write_disk_posix.c,
libarchive/test/test_write_disk_fixup.c.
- debian/patches/CVE-2021-31566-4.patch: fix writing fflags broken in
8a1bd5c in libarchive/archive_write_disk_posix.c.
- CVE-2021-31566
* SECURITY UPDATE: use-after-free in copy_string
- debian/patches/CVE-2021-36976-pre1.patch: verify window size for
solid files in Makefile.am,
libarchive/archive_read_support_format_rar5.c,
libarchive/test/test_read_format_rar5*.
- debian/patches/CVE-2021-36976-pre2.patch: verify window size for
multivolume archives in Makefile.am,
libarchive/archive_read_support_format_rar5.c,
libarchive/test/test_read_format_rar5*.
- debian/patches/CVE-2021-36976-1.patch: fixed out of bounds read in
some files in Makefile.am,
libarchive/archive_read_support_format_rar5.c,
libarchive/test/*.
- debian/patches/CVE-2021-36976-2.patch: fix invalid memory access in
some files in Makefile.am,
libarchive/archive_read_support_format_rar5.c,
libarchive/test/test_read_format_rar5.c, libarchive/test/*.
- CVE-2021-36976
-- Marc Deslauriers <email address hidden> Wed, 16 Feb 2022 09:59:13 -0500
Available diffs
libarchive (3.4.3-2ubuntu0.1) impish-security; urgency=medium
* SECURITY UPDATE: extracting a symlink with ACLs modifies ACLs of target
- debian/patches/CVE-2021-23177.patch: fix handling of symbolic link
ACLs in libarchive/archive_disk_acl_freebsd.c,
libarchive/archive_disk_acl_linux.c,
libarchive/archive_disk_acl_sunos.c.
- CVE-2021-23177
* SECURITY UPDATE: symbolic links incorrectly followed
- debian/patches/CVE-2021-31566-1.patch: do not follow symlinks when
processing the fixup list in Makefile.am,
libarchive/archive_write_disk_posix.c,
libarchive/test/CMakeLists.txt,
libarchive/test/test_write_disk_fixup.c.
- debian/patches/CVE-2021-31566-2.patch: never follow symlinks when
setting file flags on Linux in libarchive/archive_write_disk_posix.c.
- debian/patches/CVE-2021-31566-3.patch: fix following symlinks when
processing the fixup list in libarchive/archive_write_disk_posix.c,
libarchive/test/test_write_disk_fixup.c.
- debian/patches/CVE-2021-31566-4.patch: fix writing fflags broken in
8a1bd5c in libarchive/archive_write_disk_posix.c.
- CVE-2021-31566
* SECURITY UPDATE: use-after-free in copy_string
- debian/patches/CVE-2021-36976-1.patch: fixed out of bounds read in
some files in Makefile.am,
libarchive/archive_read_support_format_rar5.c,
libarchive/test/*.
- debian/patches/CVE-2021-36976-2.patch: fix invalid memory access in
some files in Makefile.am,
libarchive/archive_read_support_format_rar5.c,
libarchive/test/test_read_format_rar5.c, libarchive/test/*.
- CVE-2021-36976
-- Marc Deslauriers <email address hidden> Wed, 16 Feb 2022 08:27:55 -0500
Available diffs
libarchive (3.5.2-1) unstable; urgency=medium
* Declare compliance with Debian Policy 4.6.0 with no changes.
* Add the year 2021 to my debian/* copyright notice.
* Drop the Breaks/Replaces relations for pre-oldstable versions of
bsdtar and bsdcpio.
* Fix some shellcheck complaints about the minitar autopkgtest.
* Use a comma, not a semicolon, in the Origin DEP-3 header.
* Annotate the sharutils build dependency with <!nocheck>.
Closes: #981654
* Drop the obsolete libattr1-dev build dependency. At the moment it is
still pulled in by libacl1-dev, but there is no reason for us not to
do the right thing, so that everything goes right when libacl1-dev
corrects its build dependency. Closes: #953931
* New upstream version:
- fix handling of symlink ACLs; Closes: 1001986
- never follow symlinks when setting file flags; Closes: 1001990
- update the upstream copyright information
- drop some patches that were taken from the upstream source:
- upstream-cpio-hardlink-type
- upstream-cpio-rdev
- upstream-unneeded-strlen
- upstream-hardlink-to-self
- upstream-set-format-error
- upstream-rar-read-format
- upstream-memory-stdlib
- upstream-max-comp-level
- upstream-isint-w
- update the library symbols file
* Add the lzip-large-dict patch to support larger lzip dictionaries.
Closes: #1001901
* Add the upstream-fixup-symlinks, upstream-fixup-file-flags, and
upstream-fix-32bit-size-cast patches, importing three upstream
post-3.5.2 commits.
-- Peter Pentchev <email address hidden> Wed, 22 Dec 2021 19:51:54 +0200
Available diffs
- diff from 3.4.3-2build1 (in Ubuntu) to 3.5.2-1 (313.0 KiB)
| Superseded in jammy-release |
| Deleted in jammy-proposed (Reason: Moved to jammy) |
| Deleted in impish-proposed (Reason: Moved ot jammy) |
libarchive (3.4.3-2build1) impish; urgency=medium * No-change rebuild to build packages with zstd compression. -- Matthias Klose <email address hidden> Thu, 07 Oct 2021 12:14:04 +0200
Available diffs
- diff from 3.4.3-2 (in Debian) to 3.4.3-2build1 (336 bytes)
libarchive (3.2.2-3.1ubuntu0.7) bionic-security; urgency=medium
* Add metadata support to fix issues with gnome-autoar security update
(LP: #1929304)
- debian/patches/metadata_support.patch: support reading metadata from
compressed files.
-- Marc Deslauriers <email address hidden> Fri, 04 Jun 2021 10:37:49 -0400
Available diffs
| Superseded in jammy-release |
| Obsolete in impish-release |
| Obsolete in hirsute-release |
| Obsolete in groovy-release |
| Deleted in groovy-proposed (Reason: moved to Release) |
libarchive (3.4.3-2) unstable; urgency=medium
* Add some more upstream patches:
- upstream-isint-w
- upstream-unneeded-strlen
- upstream-hardlink-to-self
- upstream-set-format-error (with a typo corrected)
- upstream-rar-read-format
- upstream-memory-stdlib
- upstream-max-comp-level
* Drop the unused liblzo2 build dependency. According to upstream,
distributing libarchive binaries linked against liblzo2 violates
the liblzo2 GPL license, so libarchive does not even use it unless
explicitly requested, which we do not do anyway.
* Fix two problems related to cross-building libarchive.
Closes: #966637
- drop the gcc B-D that I added as a reminder that dropping --as-needed
was because it is handled automatically
- annotate the test dependencies with <!nocheck>; since we never run
the upstream test suite automatically, but only if the non-standard
"check" build option is specified, this has no effect on normal builds,
but it will fix cross-builds
-- Peter Pentchev <email address hidden> Sat, 01 Aug 2020 21:46:12 +0300
Available diffs
libarchive (3.4.3-1build1) groovy; urgency=medium * No change rebuild against new libnettle8 and libhogweed6 ABI. -- Dimitri John Ledkov <email address hidden> Mon, 29 Jun 2020 22:27:25 +0100
Available diffs
- diff from 3.4.2-1 (in Debian) to 3.4.3-1build1 (39.7 KiB)
- diff from 3.4.3-1 (in Debian) to 3.4.3-1build1 (522 bytes)
libarchive (3.4.3-1) unstable; urgency=medium
* New upstream release:
- update the upstream signing key
- update the typos patch, correct some more mistakes
- drop all the upstream-* patches
- add an upstream copyright notice for a new file
* Add the upstream-cpio-rdev and upstream-cpio-hardlink-type patches.
-- Peter Pentchev <email address hidden> Wed, 03 Jun 2020 16:40:28 +0300
Available diffs
- diff from 3.4.2-1 to 3.4.3-1 (39.4 KiB)
libarchive (3.4.2-1) unstable; urgency=medium
* Minor correction to the debian/watch file to catch up with
the upstream site links.
* New upstream release:
- drop some patches that were taken from upstream:
- upstream-rar-use-after-free
- upstream-rar-uaf-test-eof
- upstream-rar-window-mask
- upstream-rar-window-test
- upstream-rar-filter-beyond
- upstream-archive-read-sparse
- upstream-archive-clean
- upstream-doc-7zip-zip
- upstream-open-without-openat
- upstream-lz4-uint32
- CVE-2020-9308 patch
- drop most of the typos patch - integrated upstream
- update the upstream copyright years
* Add some more corrections to the typos patch.
* Drop the Name and Contact upstream metadata fields.
* Drop the phony "build" target.
* Do not pass "--as-needed" to the linker: recent versions of the Debian
GCC package do that by default. Just in case, add a build dependency on
a recent version so that it is not forgotten e.g. in a backport.
* Add some upstream patches since 3.4.2.
* Update to debhelper compat level 13:
- `dh_missing --fail-missing` is the default now
- use execute_before/execute_after targets
* Drop the local-options file.
-- Peter Pentchev <email address hidden> Sat, 09 May 2020 22:04:02 +0300
Available diffs
- diff from 3.4.0-2ubuntu1 (in Ubuntu) to 3.4.2-1 (398.7 KiB)
| Superseded in groovy-release |
| Published in focal-release |
| Deleted in focal-proposed (Reason: moved to Release) |
libarchive (3.4.0-2ubuntu1) focal; urgency=low
* Merge from Debian unstable. Remaining changes:
- debian/patches/CVE-2019-19221.patch: Bugfix and optimize
archive_wstring_append_from_mbs() in libarchive/archive_string.c.
- CVE-2019-19221
Available diffs
libarchive (3.4.0-1ubuntu2) focal; urgency=medium * Make autopkgtests cross-test-friendly. -- Steve Langasek <email address hidden> Wed, 04 Mar 2020 21:47:59 -0800
Available diffs
- diff from 3.4.0-1build1 to 3.4.0-1ubuntu2 (4.1 KiB)
- diff from 3.4.0-1ubuntu1 to 3.4.0-1ubuntu2 (914 bytes)
| Superseded in focal-proposed |
libarchive (3.4.0-1ubuntu1) focal; urgency=medium
* SECURITY UPDATE: Out-of-read and Denial of service
- debian/patches/CVE-2019-19221.patch: Bugfix and optimize
archive_wstring_append_from_mbs() in libarchive/archive_string.c.
- CVE-2019-19221
* SECURITY UPDATE: SIGSEGV denial of service
- debian/patches/CVE-2020-9308.patch: reject files that
declare invalid header flags fix in
libarchive/archive_read_support_format_rar5.c,
libarchive/test/test_read_format_rar5.c,
libarchive/test/test_read_format_rar5_block_size_is_too_small.rar.uu.
- CVE-2020-9308
-- <email address hidden> (Leonidas S. Barbosa) Wed, 04 Mar 2020 12:32:51 -0300
Available diffs
libarchive (3.1.2-11ubuntu0.16.04.8) xenial-security; urgency=medium
* SECURITY UPDATE: Out-of-read and Denial of service
- debian/patches/CVE-2019-19221.patch: Bugfix and optimize
archive_wstring_append_from_mbs() in libarchive/archive_string.c.
- CVE-2019-19221
-- <email address hidden> (Leonidas S. Barbosa) Thu, 20 Feb 2020 14:45:19 -0300
Available diffs
libarchive (3.2.2-3.1ubuntu0.6) bionic-security; urgency=medium
* SECURITY UPDATE: Out-of-read and Denial of service
- debian/patches/CVE-2019-19221.patch: Bugfix and optimize
archive_wstring_append_from_mbs() in libarchive/archive_string.c.
- CVE-2019-19221
-- <email address hidden> (Leonidas S. Barbosa) Thu, 20 Feb 2020 14:46:13 -0300
Available diffs
libarchive (3.4.0-1ubuntu0.1) eoan-security; urgency=medium
* SECURITY UPDATE: Out-of-read and Denial of service
- debian/patches/CVE-2019-19221.patch: Bugfix and optimize
archive_wstring_append_from_mbs() in libarchive/archive_string.c.
- CVE-2019-19221
* SECURITY UPDATE: SIGSEGV denial of service
- debian/patches/CVE-2020-9308.patch: reject files that
declare invalid header flags fix in
libarchive/archive_read_support_format_rar5.c,
libarchive/test/test_read_format_rar5.c,
libarchive/test/test_read_format_rar5_block_size_is_too_small.rar.uu.
- CVE-2020-9308
-- <email address hidden> (Leonidas S. Barbosa) Thu, 20 Feb 2020 14:58:57 -0300
Available diffs
libarchive (3.4.0-1build1) focal; urgency=medium * No-change rebuild against libnettle7 -- Steve Langasek <email address hidden> Thu, 31 Oct 2019 22:12:00 +0000
Available diffs
- diff from 3.4.0-1 (in Debian) to 3.4.0-1build1 (516 bytes)
libarchive (3.3.3-4ubuntu0.1) disco-security; urgency=medium
* SECURITY UPDATE: Use-after-free
- debian/patches/CVE-2019-18408.patch: RAR reader: fix use after free
in libarchive/archive_read_support_format_rar.c.
- CVE-2019-18408
-- <email address hidden> (Leonidas S. Barbosa) Mon, 28 Oct 2019 10:34:56 -0300
Available diffs
libarchive (3.2.2-3.1ubuntu0.5) bionic-security; urgency=medium
* SECURITY UPDATE: Use-after-free
- debian/patches/CVE-2019-18408.patch: RAR reader: fix use after free
in libarchive/archive_read_support_format_rar.c.
- CVE-2019-18408
-- <email address hidden> (Leonidas S. Barbosa) Mon, 28 Oct 2019 10:50:50 -0300
Available diffs
libarchive (3.1.2-11ubuntu0.16.04.7) xenial-security; urgency=medium
* SECURITY UPDATE: Use-after-free
- debian/patches/CVE-2019-18408.patch: RAR reader: fix use after free
in libarchive/archive_read_support_format_rar.c.
- CVE-2019-18408
-- <email address hidden> (Leonidas S. Barbosa) Mon, 28 Oct 2019 10:57:06 -0300
Available diffs
| Superseded in focal-release |
| Obsolete in eoan-release |
| Deleted in eoan-proposed (Reason: moved to Release) |
libarchive (3.4.0-1) unstable; urgency=medium
* Declare compliance with Debian Policy 4.4.0 with no changes.
* Mark the adequate test as superficial and give it a name.
* Update the watch file a bit:
- use the version 4 format placeholders
- drop the "pasv" option, no FTP upstream sites
- add the upstream signing key
* Run all available Salsa CI jobs.
* Drop the bsdtar and bsdcpio transitional packages.
Closes: #940745, #940753
* New upstream version:
- drop all the patches obtained from the upstream Git repository
(CVE-2018-1000877, CVE-2018-1000878, CVE-2018-1000879,
CVE-2018-1000880, CVE-2019-1000019, CVE-2019-1000020, and
zip-nullptr)
- update the library symbols file
* Add some bugfix patches obtained from upstream.
* Add the typos patch to correct some typographical and grammatical
errors.
* Update the upstream copyright information.
-- Peter Pentchev <email address hidden> Sat, 21 Sep 2019 01:44:44 +0300
Available diffs
- diff from 3.3.3-4 to 3.4.0-1 (576.4 KiB)
libarchive (3.2.2-3.1ubuntu0.4) bionic; urgency=medium
* debian/patches/git_zip_directories.patch:
- backport a fix for an issue where files are created instead of
directories (lp: #1830629)
-- Sebastien Bacher <email address hidden> Fri, 28 Jun 2019 21:20:28 +0200
Available diffs
| Superseded in eoan-release |
| Obsolete in disco-release |
| Deleted in disco-proposed (Reason: moved to release) |
libarchive (3.3.3-4) unstable; urgency=medium
* Add three upstream patches:
- CVE-2019-1000019: fix a crash when parsing some 7zip archives
- CVE-2019-1000020: require the RockRidge extension for iso9660
- zip-nullptr: fix a null pointer deference in ZIP files handling
-- Peter Pentchev <email address hidden> Wed, 06 Feb 2019 11:01:25 +0200
Available diffs
- diff from 3.3.3-3 to 3.3.3-4 (1.5 KiB)
libarchive (3.2.2-5ubuntu0.2) cosmic-security; urgency=medium
* SECURITY UPDATE: Denial of service
- debian/patches/CVE-2019-1000019.patch: fix in
libarchive/archive_read_support_format_7zip.c.
- CVE-2019-1000019
* SECURITY UPDATE: Denial of service
- debian/patches/CVE-2019-1000020.patch: fix in
libarchive/archive_read_support_format_iso9660.c.
- CVE-2019-1000020
-- <email address hidden> (Leonidas S. Barbosa) Wed, 06 Feb 2019 08:55:41 -0300
Available diffs
libarchive (3.2.2-3.1ubuntu0.3) bionic-security; urgency=medium
* SECURITY UPDATE: Denial of service
- debian/patches/CVE-2019-1000019.patch: fix in
libarchive/archive_read_support_format_7zip.c.
- CVE-2019-1000019
* SECURITY UPDATE: Denial of service
- debian/patches/CVE-2019-1000020.patch: fix in
libarchive/archive_read_support_format_iso9660.c.
- CVE-2019-1000020
-- <email address hidden> (Leonidas S. Barbosa) Wed, 06 Feb 2019 08:54:50 -0300
Available diffs
libarchive (3.1.2-11ubuntu0.16.04.6) xenial-security; urgency=medium
* SECURITY UPDATE: Denial of service
- debian/patches/CVE-2019-1000019.patch: fix in
libarchive/archive_read_support_format_7zip.c.
- CVE-2019-1000019
* SECURITY UPDATE: Denial of service
- debian/patches/CVE-2019-1000020.patch: fix in
libarchive/archive_read_support_format_iso9660.c.
- CVE-2019-1000020
-- <email address hidden> (Leonidas S. Barbosa) Wed, 06 Feb 2019 08:53:41 -0300
Available diffs
libarchive (3.1.2-7ubuntu2.8) trusty-security; urgency=medium
* SECURITY UPDATE: Denial of service
- debian/patches/CVE-2019-1000019.patch: fix in
libarchive/archive_read_support_format_7zip.c.
- CVE-2019-1000019
* SECURITY UPDATE: Denial of service
- debian/patches/CVE-2019-1000020.patch: fix in
libarchive/archive_read_support_format_iso9660.c.
- CVE-2019-1000020
-- <email address hidden> (Leonidas S. Barbosa) Wed, 06 Feb 2019 08:48:45 -0300
Available diffs
libarchive (3.1.2-7ubuntu2.7) trusty-security; urgency=medium
* SECURITY UPDATE: Out-of-bounds read
- debian/patches/CVE-2017-14502.patch: fix in
libarchive/archive_read_support_format_rar.c.
- CVE-2017-14502
* SECURITY UPDATE: Denial of service
- debian/patches/CVE-2018-1000877.patch: fix in
libarchive/archive_read_support_format_rar.c.
- CVE-2018-1000877
* SECURITY UPDATE: Denial of service
- debian/patches/CVE-2018-1000878.patch: fix in
libarchive/archive_read_support_format_rar.c.
- CVE-2018-1000878
-- <email address hidden> (Leonidas S. Barbosa) Mon, 14 Jan 2019 09:08:38 -0300
Available diffs
libarchive (3.2.2-3.1ubuntu0.2) bionic-security; urgency=medium
* SECURITY UPDATE: Out-of-bounds read
- debian/patches/CVE-2017-14502.patch: fix in
libarchive/archive_read_support_format_rar.c.
- CVE-2017-14502
* SECURITY UPDATE: Denial of service
- debian/patches/CVE-2018-1000877.patch: fix in
libarchive/archive_read_support_format_rar.c.
- CVE-2018-1000877
* SECURITY UPDATE: Denial of service
- debian/patches/CVE-2018-1000878.patch: fix in
libarchive/archive_read_support_format_rar.c.
- CVE-2018-1000878
* SECURITY UPDATE: Denial of service
- debian/patches/CVE-2018-1000880.patch: fix in
libarchive/archive_read_support_format_warc.c.
- CVE-2018-1000880
-- <email address hidden> (Leonidas S. Barbosa) Mon, 14 Jan 2019 09:53:14 -0300
Available diffs
libarchive (3.1.2-11ubuntu0.16.04.5) xenial-security; urgency=medium
* SECURITY UPDATE: Out-of-bounds read
- debian/patches/CVE-2017-14502.patch: fix in
libarchive/archive_read_support_format_rar.c.
- CVE-2017-14502
* SECURITY UPDATE: Denial of service
- debian/patches/CVE-2018-1000877.patch: fix in
libarchive/archive_read_support_format_rar.c.
- CVE-2018-1000877
* SECURITY UPDATE: Denial of service
- debian/patches/CVE-2018-1000878.patch: fix in
libarchive/archive_read_support_format_rar.c.
- CVE-2018-1000878
-- <email address hidden> (Leonidas S. Barbosa) Mon, 14 Jan 2019 09:30:58 -0300
libarchive (3.2.2-5ubuntu0.1) cosmic-security; urgency=medium
* SECURITY UPDATE: Denial of service
- debian/patches/CVE-2018-1000877.patch: fix in
libarchive/archive_read_support_format_rar.c.
- CVE-2018-1000877
* SECURITY UPDATE: Denial of service
- debian/patches/CVE-2018-1000878.patch: fix in
libarchive/archive_read_support_format_rar.c.
- CVE-2018-1000878
* SECURITY UPDATE: Denial of service
- debian/patches/CVE-2018-1000880.patch: fix in
libarchive/archive_read_support_format_warc.c.
- CVE-2018-1000880
-- <email address hidden> (Leonidas S. Barbosa) Mon, 14 Jan 2019 10:26:10 -0300
Available diffs
libarchive (3.3.3-3) unstable; urgency=medium [ Andreas Henriksson ] * Build-depend on libext2fs-dev instead of e2fslibs-dev (Closes: #890210) * CI: Use the salsa-ci-team pipeline [ Peter Pentchev ] * Declare compliance with Debian Policy 4.3.0 with no changes. * Bump the debhelper compatibility level to 12 with no changes. * Add my copyright notice for debian/*. * Extend Andreas Henriksson's copyright notice all the way to 2019. -- Peter Pentchev <email address hidden> Sat, 05 Jan 2019 19:07:02 +0200
Available diffs
- diff from 3.3.3-2 to 3.3.3-3 (1.1 KiB)
libarchive (3.3.3-2) unstable; urgency=medium
* Add Daniel Axtens's security and reliability patches:
- CVE-2018-1000877.patch: Closes: #916964
- CVE-2018-1000878.patch: Closes: #916963
- CVE-2018-1000879.patch: Closes: #916962
- CVE-2018-1000880.patch: Closes: #916960
- all merged upstream in https://github.com/libarchive/libarchive/pull/1105
Thanks to Salvatore Bonaccorso for filing the Debian bugs!
-- Peter Pentchev <email address hidden> Fri, 21 Dec 2018 18:01:29 +0200
Available diffs
- diff from 3.3.3-1 to 3.3.3-2 (3.3 KiB)
libarchive (3.3.3-1) unstable; urgency=medium
[ Peter Pentchev ]
* Declare compliance with Debian Policy 4.2.1 with no changes.
* Drop the Lintian overrides related to B-D: debhelper-compat -
Lintian 2.5.98 no longer emits these warnings and errors.
* Build with zstd compression support.
* Pass --fail-missing to dh_missing, not to dh_install any more.
[ Andreas Henriksson ]
* New upstream release.
* Drop debian/patches/ now part of upstream release:
- Avoid-a-read-off-by-one-error-for-UTF16-names-in-RAR.patch
- Do-something-sensible-for-empty-strings-to-make-fuzz.patch
- Fail-with-negative-lha-compsize-in-lha_read_file_header_1.patch
- Reject-LHA-archive-entries-with-negative-size.patch
- Reread-the-CAB-header-skipping-the-self-extracting-b.patch
- archive_strncat_l-allocate-and-do-not-convert-if-len.patch
- iso9660-validate-directory-record-length.patch
* Update libarchive13.symbols
-- Peter Pentchev <email address hidden> Sat, 15 Dec 2018 02:01:01 +0200
Available diffs
- diff from 3.2.2-5 to 3.3.3-1 (631.9 KiB)
| Superseded in disco-release |
| Obsolete in cosmic-release |
| Deleted in cosmic-proposed (Reason: moved to release) |
libarchive (3.2.2-5) unstable; urgency=medium
* Acknowledge NMUs; many thanks to Salvatore Bonaccorso!
* Use my Debian e-mail address.
* Declare compliance with Debian Policy 4.2.0:
- add Rules-Requires-Root: no to the source control stanza
- install the upstream release notes (NEWS)
* Drop the duplicate Priority fields for the binary packages.
* Switch to the HTTPS scheme in various upstream and Debian
packaging URLs.
* Drop some trailing whitespace from old changelog entries.
* Bump the debhelper compatibility level to 11 with no changes and
use the B-D: debhelper-compat (= 11) mechanism.
* Add a trivial autopkgtest running adequate on the binary packages.
-- Peter Pentchev <email address hidden> Sat, 25 Aug 2018 18:28:10 +0300
Available diffs
- diff from 3.2.2-4.2 to 3.2.2-5 (2.3 KiB)
libarchive (3.2.2-4.2) unstable; urgency=medium
* Non-maintainer upload.
* iso9660: validate directory record length (CVE-2017-14501)
(Closes: #875966)
-- Salvatore Bonaccorso <email address hidden> Sun, 05 Aug 2018 08:18:10 +0200
Available diffs
- diff from 3.2.2-4.1 to 3.2.2-4.2 (1.6 KiB)
libarchive (3.2.2-3.1ubuntu0.1) bionic-security; urgency=medium
* SECURITY UPDATE: Out-of-bounds read
- debian/patches/CVE-2017-14501.patch: fix in
libarchive/archive_read_support_format_iso9660.c.
- CVE-2017-14501
* SECURITY UPDATE: Out-of-bounds read
- debian/patches/CVE-2017-14503.patch: fix in
libarchive/archive_read_support_format_lha.c.
- CVE-2017-14503
-- <email address hidden> (Leonidas S. Barbosa) Tue, 07 Aug 2018 15:23:21 -0300
Available diffs
libarchive (3.1.2-11ubuntu0.16.04.4) xenial-security; urgency=medium
* SECURITY UPDATE: Denial of service
- debian/patches/CVE-2016-10209.patch: fix in
libarchive/archive_string.c.
- CVE-2016-10209
* SECURITY UPDATE: Denial of service
- debian/patches/CVE-2016-10349-and-CVE-2016-10350.patch: fix in
libarchive/archive_read_support_format_cab.c.
- CVE-2016-10349
- CVE-2016-10350
* SECURITY UPDATE: Denial of service
- debian/patches/CVE-2017-14166.patch: fix in
libarchive/archive_read_support_format_xar.c.
- CVE-2017-14166
* SECURITY UPDATE: Out-of-bounds read
- debian/patches/CVE-2017-14501.patch: fix in
libarchive/archive_read_support_format_iso9660.c.
- CVE-2017-14501
* SECURITY UPDATE: Out-of-bounds read
- debian/patches/CVE-2017-14503.patch: fix in
libarchive/archive_read_support_format_lha.c.
- CVE-2017-14503
-- <email address hidden> (Leonidas S. Barbosa) Wed, 08 Aug 2018 15:28:16 -0300
Available diffs
libarchive (3.1.2-7ubuntu2.6) trusty-security; urgency=medium
* SECURITY UPDATE: Denial of service
- debian/patches/CVE-2016-10209.patch: fix in
libarchive/archive_string.c.
- CVE-2016-10209
* SECURITY UPDATE: Denial of service
- debian/patches/CVE-2016-10349-and-CVE-2016-10350.patch: fix in
libarchive/archive_read_support_format_cab.c.
- CVE-2016-10349
- CVE-2016-10350
* SECURITY UPDATE: Denial of service
- debian/patches/CVE-2017-14166.patch: fix in
libarchive/archive_read_support_format_xar.c.
- CVE-2017-14166
* SECURITY UPDATE: Out-of-bounds read
- debian/patches/CVE-2017-14501.patch: fix in
libarchive/archive_read_support_format_iso9660.c.
- CVE-2017-14501
* SECURITY UPDATE: Out-of-bounds read
- debian/patches/CVE-2017-14503.patch: fix in
libarchive/archive_read_support_format_lha.c.
- CVE-2017-14503
-- <email address hidden> (Leonidas S. Barbosa) Wed, 08 Aug 2018 13:42:39 -0300
Available diffs
libarchive (3.2.2-4.1) unstable; urgency=medium
* Non-maintainer upload.
* Reject LHA archive entries with negative size (CVE-2017-14503)
(Closes: #875960)
* Avoid a read off-by-one error for UTF16 names in RAR archives
(CVE-2017-14502)
(Closes: #875974)
-- Salvatore Bonaccorso <email address hidden> Wed, 25 Jul 2018 21:29:42 +0200
Available diffs
- diff from 3.2.2-4 to 3.2.2-4.1 (1.5 KiB)
libarchive (3.2.2-4) unstable; urgency=medium * Team upload. * debian/control: Update Vcs-* fields for move to salsa.debian.org * debian/control: Replace Priority: extra with optional -- Andreas Henriksson <email address hidden> Thu, 31 May 2018 00:01:28 +0200
Available diffs
- diff from 3.2.2-3.1 to 3.2.2-4 (755 bytes)
| Superseded in cosmic-release |
| Published in bionic-release |
| Obsolete in artful-release |
| Deleted in artful-proposed (Reason: moved to release) |
libarchive (3.2.2-3.1) unstable; urgency=high
* Non-maintainer upload.
* Reupload 3.2.2-2.1 on top of 3.2.2-3
* archive_strncat_l(): allocate and do not convert if length == 0
(CVE-2016-10209) (Closes: #859456)
* Reread the CAB header skipping the self-extracting binary code
(CVE-2016-10349, CVE-2016-10350) (Closes: #861609)
* Do something sensible for empty strings to make fuzzers happy
(CVE-2017-14166)
Fixes heap-based buffer over-read in the atol8 function. (Closes: #874539)
-- Salvatore Bonaccorso <email address hidden> Thu, 14 Sep 2017 16:02:10 +0200
Available diffs
- diff from 3.2.2-2 to 3.2.2-3.1 (2.6 KiB)
| Superseded in artful-release |
| Obsolete in zesty-release |
| Deleted in zesty-proposed (Reason: moved to release) |
libarchive (3.2.2-2) unstable; urgency=medium * Disable tests (Closes: #859455) -- Andreas Henriksson <email address hidden> Mon, 03 Apr 2017 22:20:05 +0200
Available diffs
- diff from 3.2.1-6 to 3.2.2-2 (61.8 KiB)
libarchive (3.0.3-6ubuntu1.4) precise-security; urgency=medium
* SECURITY UPDATE: arbitrary file write via hardlink entries
- debian/patches/CVE-2016-5418-1.patch: enforce sandbox with very long
pathnames in libarchive/archive_write_disk_posix.c.
- debian/patches/CVE-2016-5418-2.patch: fix path handling in
libarchive/archive_write_disk_posix.c.
- debian/patches/CVE-2016-5418-3.patch: add test cases to Makefile.am,
libarchive/test/CMakeLists.txt, libarchive/test/main.c,
libarchive/test/test.h, libarchive/test/test_write_disk_secure744.c,
libarchive/test/test_write_disk_secure745.c,
libarchive/test/test_write_disk_secure746.c.
- debian/patches/CVE-2016-5418-4.patch: fix testcases in
libarchive/test/test_write_disk_secure745.c,
libarchive/test/test_write_disk_secure746.c.
- debian/patches/CVE-2016-5418-5.patch: correct PATH_MAX usage in
libarchive/archive_write_disk_posix.c.
- CVE-2016-5418
* SECURITY UPDATE: denial of service and possible code execution when
writing an ISO9660 archive
- debian/patches/CVE-2016-6250.patch: check for overflow in
libarchive/archive_write_set_format_iso9660.c.
- CVE-2016-6250
* SECURITY UPDATE: denial of service via recursive decompression
- debian/patches/CVE-2016-7166.patch: limit number of filters in
libarchive/archive_read.c, added test to Makefile.am,
libarchive/test/CMakeLists.txt,
libarchive/test/test_read_too_many_filters.c,
libarchive/test/test_read_too_many_filters.gz.uu.
- CVE-2016-7166
* SECURITY UPDATE: denial of service via non-printable multibyte
character in a filename
- debian/patches/CVE-2016-8687.patch: expand buffer size in tar/util.c.
- CVE-2016-8687
* SECURITY UPDATE: denial of service via multiple long lines
- debian/patches/CVE-2016-8688.patch: fix bounds in
libarchive/archive_read_support_format_mtree.c, added test to
Makefile.am, libarchive/test/CMakeLists.txt,
libarchive/test/test_read_format_mtree_crash747.c,
libarchive/test/test_read_format_mtree_crash747.mtree.bz2.uu.
- CVE-2016-8688
* SECURITY UPDATE: denial of service via multiple EmptyStream attributes
- debian/patches/CVE-2016-8689.patch: reject files with multiple
markers in libarchive/archive_read_support_format_7zip.c.
- CVE-2016-8689
* SECURITY UPDATE: denial of service via invalid compressed file size
- debian/patches/CVE-2017-5601.patch: add check to
libarchive/archive_read_support_format_lha.c.
- CVE-2017-5601
-- Marc Deslauriers <email address hidden> Thu, 09 Mar 2017 11:34:04 -0500
Available diffs
libarchive (3.1.2-7ubuntu2.4) trusty-security; urgency=medium
* SECURITY UPDATE: arbitrary file write via hardlink entries
- debian/patches/CVE-2016-5418-1.patch: enforce sandbox with very long
pathnames in libarchive/archive_write_disk_posix.c.
- debian/patches/CVE-2016-5418-2.patch: fix path handling in
libarchive/archive_write_disk_posix.c.
- debian/patches/CVE-2016-5418-3.patch: add test cases to Makefile.am,
libarchive/test/CMakeLists.txt, libarchive/test/main.c,
libarchive/test/test.h, libarchive/test/test_write_disk_secure744.c,
libarchive/test/test_write_disk_secure745.c,
libarchive/test/test_write_disk_secure746.c.
- debian/patches/CVE-2016-5418-4.patch: fix testcases in
libarchive/test/test_write_disk_secure745.c,
libarchive/test/test_write_disk_secure746.c.
- debian/patches/CVE-2016-5418-5.patch: correct PATH_MAX usage in
libarchive/archive_write_disk_posix.c.
- CVE-2016-5418
* SECURITY UPDATE: denial of service and possible code execution when
writing an ISO9660 archive
- debian/patches/CVE-2016-6250.patch: check for overflow in
libarchive/archive_write_set_format_iso9660.c.
- CVE-2016-6250
* SECURITY UPDATE: denial of service via recursive decompression
- debian/patches/CVE-2016-7166.patch: limit number of filters in
libarchive/archive_read.c, added test to Makefile.am,
libarchive/test/CMakeLists.txt,
libarchive/test/test_read_too_many_filters.c,
libarchive/test/test_read_too_many_filters.gz.uu.
- CVE-2016-7166
* SECURITY UPDATE: denial of service via non-printable multibyte
character in a filename
- debian/patches/CVE-2016-8687.patch: expand buffer size in tar/util.c.
- CVE-2016-8687
* SECURITY UPDATE: denial of service via multiple long lines
- debian/patches/CVE-2016-8688.patch: fix bounds in
libarchive/archive_read_support_format_mtree.c, added test to
Makefile.am, libarchive/test/CMakeLists.txt,
libarchive/test/test_read_format_mtree_crash747.c,
libarchive/test/test_read_format_mtree_crash747.mtree.bz2.uu.
- CVE-2016-8688
* SECURITY UPDATE: denial of service via multiple EmptyStream attributes
- debian/patches/CVE-2016-8689.patch: reject files with multiple
markers in libarchive/archive_read_support_format_7zip.c.
- CVE-2016-8689
* SECURITY UPDATE: denial of service via invalid compressed file size
- debian/patches/CVE-2017-5601.patch: add check to
libarchive/archive_read_support_format_lha.c.
- CVE-2017-5601
-- Marc Deslauriers <email address hidden> Thu, 09 Mar 2017 11:23:19 -0500
Available diffs
libarchive (3.1.2-11ubuntu0.16.04.3) xenial-security; urgency=medium
* SECURITY UPDATE: arbitrary file write via hardlink entries
- debian/patches/CVE-2016-5418-1.patch: enforce sandbox with very long
pathnames in libarchive/archive_write_disk_posix.c.
- debian/patches/CVE-2016-5418-2.patch: fix path handling in
libarchive/archive_write_disk_posix.c.
- debian/patches/CVE-2016-5418-3.patch: add test cases to Makefile.am,
libarchive/test/CMakeLists.txt, libarchive/test/main.c,
libarchive/test/test.h, libarchive/test/test_write_disk_secure744.c,
libarchive/test/test_write_disk_secure745.c,
libarchive/test/test_write_disk_secure746.c.
- debian/patches/CVE-2016-5418-4.patch: fix testcases in
libarchive/test/test_write_disk_secure745.c,
libarchive/test/test_write_disk_secure746.c.
- debian/patches/CVE-2016-5418-5.patch: correct PATH_MAX usage in
libarchive/archive_write_disk_posix.c.
- CVE-2016-5418
* SECURITY UPDATE: denial of service and possible code execution when
writing an ISO9660 archive
- debian/patches/CVE-2016-6250.patch: check for overflow in
libarchive/archive_write_set_format_iso9660.c.
- CVE-2016-6250
* SECURITY UPDATE: denial of service via recursive decompression
- debian/patches/CVE-2016-7166.patch: limit number of filters in
libarchive/archive_read.c, added test to Makefile.am,
libarchive/test/CMakeLists.txt,
libarchive/test/test_read_too_many_filters.c,
libarchive/test/test_read_too_many_filters.gz.uu.
- CVE-2016-7166
* SECURITY UPDATE: denial of service via non-printable multibyte
character in a filename
- debian/patches/CVE-2016-8687.patch: expand buffer size in tar/util.c.
- CVE-2016-8687
* SECURITY UPDATE: denial of service via multiple long lines
- debian/patches/CVE-2016-8688.patch: fix bounds in
libarchive/archive_read_support_format_mtree.c, added test to
Makefile.am, libarchive/test/CMakeLists.txt,
libarchive/test/test_read_format_mtree_crash747.c,
libarchive/test/test_read_format_mtree_crash747.mtree.bz2.uu.
- CVE-2016-8688
* SECURITY UPDATE: denial of service via multiple EmptyStream attributes
- debian/patches/CVE-2016-8689.patch: reject files with multiple
markers in libarchive/archive_read_support_format_7zip.c.
- CVE-2016-8689
* SECURITY UPDATE: denial of service via invalid compressed file size
- debian/patches/CVE-2017-5601.patch: add check to
libarchive/archive_read_support_format_lha.c.
- CVE-2017-5601
-- Marc Deslauriers <email address hidden> Thu, 09 Mar 2017 11:01:45 -0500
Available diffs
libarchive (3.2.1-2ubuntu0.1) yakkety-security; urgency=medium
* SECURITY UPDATE: arbitrary file write via hardlink entries
- debian/patches/CVE-2016-5418-1.patch: enforce sandbox with very long
pathnames in libarchive/archive_write_disk_posix.c.
- debian/patches/CVE-2016-5418-2.patch: fix path handling in
libarchive/archive_write_disk_posix.c.
- debian/patches/CVE-2016-5418-3.patch: add test cases to Makefile.am,
libarchive/test/CMakeLists.txt, libarchive/test/main.c,
libarchive/test/test.h, libarchive/test/test_write_disk_secure744.c,
libarchive/test/test_write_disk_secure745.c,
libarchive/test/test_write_disk_secure746.c.
- debian/patches/CVE-2016-5418-4.patch: fix testcases in
libarchive/test/test_write_disk_secure745.c,
libarchive/test/test_write_disk_secure746.c.
- debian/patches/CVE-2016-5418-5.patch: correct PATH_MAX usage in
libarchive/archive_write_disk_posix.c.
- CVE-2016-5418
* SECURITY UPDATE: denial of service via non-printable multibyte
character in a filename
- debian/patches/CVE-2016-8687.patch: expand buffer size in tar/util.c.
- CVE-2016-8687
* SECURITY UPDATE: denial of service via multiple long lines
- debian/patches/CVE-2016-8688.patch: fix bounds in
libarchive/archive_read_support_format_mtree.c, added test to
Makefile.am, libarchive/test/CMakeLists.txt,
libarchive/test/test_read_format_mtree_crash747.c,
libarchive/test/test_read_format_mtree_crash747.mtree.bz2.uu.
- CVE-2016-8688
* SECURITY UPDATE: denial of service via multiple EmptyStream attributes
- debian/patches/CVE-2016-8689.patch: reject files with multiple
markers in libarchive/archive_read_support_format_7zip.c.
- CVE-2016-8689
* SECURITY UPDATE: denial of service via invalid compressed file size
- debian/patches/CVE-2017-5601.patch: add check to
libarchive/archive_read_support_format_lha.c.
- CVE-2017-5601
-- Marc Deslauriers <email address hidden> Thu, 09 Mar 2017 10:35:20 -0500
Available diffs
libarchive (3.2.1-6) unstable; urgency=medium
* Add debian/patches/Fail-with-negative-lha-compsize-in-lha_read_file_header_1.patch
- Cherry-pick upstream commit 98dcbbf0bf4854bf987557
"Fail with negative lha->compsize in lha_read_file_header_1()"
Secunia SA74169, CVE-2017-5601 (Closes: #853278)
-- Andreas Henriksson <email address hidden> Tue, 31 Jan 2017 10:25:56 +0100
Available diffs
- diff from 3.2.1-5 to 3.2.1-6 (1011 bytes)
libarchive (3.2.1-5) unstable; urgency=medium
* Cherry-pick upstream commits 7f17c791, eec077f5, e37b620f
- Fixes for upstream issues 747, 761, 767 also known as
CVE-2016-8689, CVE-2016-8688, CVE-2016-8687
(Closes: #840934, #840935, #840936)
-- Andreas Henriksson <email address hidden> Sun, 16 Oct 2016 15:41:59 +0200
Available diffs
- diff from 3.2.1-2 to 3.2.1-5 (17.8 KiB)
| Published in xenial-backports |
libarchive (3.2.1-2~ubuntu16.04.1) xenial-backports; urgency=medium * No-change backport to xenial (LP: #1607385) -- Iain Lane <email address hidden> Thu, 28 Jul 2016 14:28:03 +0100
Available diffs
| Superseded in zesty-release |
| Obsolete in yakkety-release |
| Deleted in yakkety-proposed (Reason: moved to release) |
libarchive (3.2.1-2) unstable; urgency=medium
* The "welcome Peter to the team" upload
[ Peter Pentchev ]
* Declare compliancy with Debian Policy 3.9.8 with no changes.
* Remove the "XS-Testsuite: autopkgtest" header from the control file:
it has not been "XS-" for some time, and it is added by default by
dpkg-1.17.11 when debian/tests/control is present.
* Use the HTTPS scheme for the Alioth VCS URLs.
* Switch to Alioth's cgit in the Vcs-Browser source control field.
* Convert the copyright file to the machine-readable format.
* Fill in the upstream metadata file.
* Enable full build hardening.
* Pass --as-needed to the linker to avoid overlinking.
* Bump the debhelper build dependency to version 9 to reflect
the debhelper compatibility level and drop the now-unused Lintian
override.
* Fold the bsdtar and bsdcpio packages into the new libarchive-tools
binary package and install bsdcat into it, too. Make bsdtar and
bsdcpio transitional dummy packages.
* Drop the Breaks and Replaces relations to libarchive1, it's not
even in oldstable any more.
* Drop the misc:Pre-Depends that were needed for the multi-arch
transition; dpkg-dev adds them automatically now.
* Fix a typo in README.Debian.
* Add an upstream patch to replace the use of SIGRTMAX with something
that calculates the exact value of the highest signal actually used;
hopefully this fixes the FTBFS on the GNU Hurd.
* Drop the outdated and unused SONAME mismatch Lintian override.
* Re-enable the use of minitar for extraction, too, in the CI test;
keep the untar test for completeness.
* Add the Typos patch to fix a couple of typographical errors.
* Add the Candidate patch to fix a typographical error in a structure
member field and, consequently, update all references to it.
* Add the CPPCheck patch to fix some issues reported by cppcheck.
[ Andreas Henriksson ]
* Add Peter Pentchev to Uploaders
-- Andreas Henriksson <email address hidden> Mon, 25 Jul 2016 17:54:13 +0200
Available diffs
- diff from 3.2.1-1 to 3.2.1-2 (10.5 KiB)
libarchive (3.0.3-6ubuntu1.3) precise-security; urgency=medium
* SECURITY UPDATE: denial of service via malformed rar or cab files
- debian/patches/CVE-2015-8916.patch: ignore entries with empty
filenames in tar/read.c.
- CVE-2015-8916
- CVE-2015-8917
* SECURITY UPDATE: denial of service via malformed lzh file
- debian/patches/CVE-2015-8919.patch: recognize empty dir name in
libarchive/archive_read_support_format_lha.c.
- CVE-2015-8919
* SECURITY UPDATE: buffer underflow parsing ar header
- debian/patches/CVE-2015-8920.patch: check for empty filenames in
libarchive/archive_read_support_format_ar.c.
- CVE-2015-8920
* SECURITY UPDATE: read past end of string parsing
- debian/patches/CVE-2015-8921.patch: properly calculate string length
in libarchive/archive_entry.c.
- CVE-2015-8921
* SECURITY UPDATE: segfault on malformed 7z archive
- debian/patches/CVE-2015-8922.patch: reject some malformed files in
libarchive/archive_read_support_format_7zip.c, added tests to
Makefile.am, libarchive/test/test_read_format_7zip_malformed.7z.uu,
libarchive/test/test_read_format_7zip_malformed.c,
libarchive/test/test_read_format_7zip_malformed2.7z.uu,
libarchive/test/CMakeLists.txt.
- CVE-2015-8922
* SECURITY UPDATE: segfault on malformed Zip archive
- debian/patches/CVE-2015-8923.patch: properly handle sizes in
libarchive/archive_read_support_format_zip.c, added tests to
Makefile.am, libarchive/test/CMakeLists.txt,
libarchive/test/test_read_format_zip_malformed.c,
libarchive/test/test_read_format_zip_malformed1.zip.uu.
- CVE-2015-8923
* SECURITY UPDATE: buffer overflow when processing tar files
- debian/patches/CVE-2015-8924.patch: properly handle empty filenames
in libarchive/archive_read_support_format_tar.c.
- CVE-2015-8924
* SECURITY UPDATE: improper newline parsing
- debian/patches/CVE-2015-8925.patch: fix escaped newline parsing in
libarchive/archive_read_support_format_mtree.c, added tests to
libarchive/test/test_read_format_mtree.c,
libarchive/test/test_read_format_mtree.mtree.uu.
- CVE-2015-8925
* SECURITY UPDATE: segfault on invalid rar archive
- debian/patches/CVE-2015-8926.patch: properly handle return code in
libarchive/archive_read_support_format_rar.c.
- CVE-2015-8926
* SECURITY UPDATE: segfault via dir loop in malformed ISO
- debian/patches/CVE-2015-8930.patch: limit recursion in
libarchive/archive_read_support_format_iso9660.c.
- CVE-2015-8930
* SECURITY UPDATE: integer overflow parsing time values
- debian/patches/CVE-2015-8931.patch: fix time handling in
libarchive/archive_read_support_format_mtree.c.
- CVE-2015-8931
* SECURITY UPDATE: crash via invalid compressed data
- debian/patches/CVE-2015-8932.patch: add more checks to
libarchive/archive_read_support_filter_compress.c, added tests to
Makefile.am, libarchive/test/CMakeLists.txt,
libarchive/test/test_read_filter_compress.c.
- CVE-2015-8932
* SECURITY UPDATE: integer overflow via negative-sized sparse blocks
- debian/patches/CVE-2015-8933.patch: add check to
libarchive/archive_read_support_format_tar.c.
- CVE-2015-8933
* SECURITY UPDATE: heap overflow parsing malformed tar archives
- debian/patches/CVE-2015-8934.patch: properly check reading from lzss
decompression buffer in libarchive/archive_read_support_format_rar.c,
added tests to Makefile.am, libarchive/test/CMakeLists.txt,
libarchive/test/test_read_format_rar_invalid1.c,
libarchive/test/test_read_format_rar_invalid1.rar.uu.
- CVE-2015-8934
* SECURITY UPDATE: overflow reading 7-Zip with large number of substreams
- debian/patches/CVE-2016-4300.patch: add another limit to
libarchive/archive_read_support_format_7zip.c.
- CVE-2016-4300
* SECURITY UPDATE: crash via rar files with zero dictionary size
- debian/patches/CVE-2016-4302.patch: handle zero-sized disctionary in
libarchive/archive_ppmd7.c,
libarchive/archive_read_support_format_rar.c.
- CVE-2016-4302
* SECURITY UPDATE: memory allocation issues with large cpio symlinks
- debian/patches/CVE-2016-4809.patch: reject large symlinks in
libarchive/archive_read_support_format_cpio.c.
- CVE-2016-4809
* SECURITY UPDATE: integer overflow when computing volume descriptor
- debian/patches/CVE-2016-5844.patch: fix multiplications in
libarchive/archive_read_support_format_iso9660.c.
- CVE-2016-5844
* debian/control: add dh-autoreconf to Build-Depends.
* debian/rules: add autoreconf.
-- Marc Deslauriers <email address hidden> Wed, 13 Jul 2016 11:52:16 -0400
Available diffs
libarchive (3.1.2-11ubuntu0.16.04.2) xenial-security; urgency=medium
* SECURITY UPDATE: denial of service via malformed rar or cab files
- debian/patches/CVE-2015-8916.patch: ignore entries with empty
filenames in tar/read.c.
- CVE-2015-8916
- CVE-2015-8917
* SECURITY UPDATE: denial of service via malformed lzh file
- debian/patches/CVE-2015-8919.patch: recognize empty dir name in
libarchive/archive_read_support_format_lha.c.
- CVE-2015-8919
* SECURITY UPDATE: buffer underflow parsing ar header
- debian/patches/CVE-2015-8920.patch: check for empty filenames in
libarchive/archive_read_support_format_ar.c.
- CVE-2015-8920
* SECURITY UPDATE: read past end of string parsing
- debian/patches/CVE-2015-8921.patch: properly calculate string length
in libarchive/archive_entry.c.
- CVE-2015-8921
* SECURITY UPDATE: segfault on malformed 7z archive
- debian/patches/CVE-2015-8922.patch: reject some malformed files in
libarchive/archive_read_support_format_7zip.c, added tests to
Makefile.am, libarchive/test/test_read_format_7zip_malformed.7z.uu,
libarchive/test/test_read_format_7zip_malformed.c,
libarchive/test/test_read_format_7zip_malformed2.7z.uu,
libarchive/test/CMakeLists.txt.
- CVE-2015-8922
* SECURITY UPDATE: segfault on malformed Zip archive
- debian/patches/CVE-2015-8923.patch: properly handle sizes in
libarchive/archive_read_support_format_zip.c, added tests to
Makefile.am, libarchive/test/CMakeLists.txt,
libarchive/test/test_read_format_zip_malformed.c,
libarchive/test/test_read_format_zip_malformed1.zip.uu.
- CVE-2015-8923
* SECURITY UPDATE: buffer overflow when processing tar files
- debian/patches/CVE-2015-8924.patch: properly handle empty filenames
in libarchive/archive_read_support_format_tar.c.
- CVE-2015-8924
* SECURITY UPDATE: improper newline parsing
- debian/patches/CVE-2015-8925.patch: fix escaped newline parsing in
libarchive/archive_read_support_format_mtree.c, added tests to
libarchive/test/test_read_format_mtree.c,
libarchive/test/test_read_format_mtree.mtree.uu.
- CVE-2015-8925
* SECURITY UPDATE: segfault on invalid rar archive
- debian/patches/CVE-2015-8926.patch: properly handle return code in
libarchive/archive_read_support_format_rar.c.
- CVE-2015-8926
* SECURITY UPDATE: out-of-bounds read in mtree
- debian/patches/CVE-2015-8928.patch: properly handle filename parsing
in libarchive/archive_read_support_format_mtree.c.
- CVE-2015-8928
* SECURITY UPDATE: segfault via dir loop in malformed ISO
- debian/patches/CVE-2015-8930.patch: limit recursion in
libarchive/archive_read_support_format_iso9660.c.
- CVE-2015-8930
* SECURITY UPDATE: integer overflow parsing time values
- debian/patches/CVE-2015-8931.patch: fix time handling in
libarchive/archive_read_support_format_mtree.c.
- CVE-2015-8931
* SECURITY UPDATE: crash via invalid compressed data
- debian/patches/CVE-2015-8932.patch: add more checks to
libarchive/archive_read_support_filter_compress.c, added tests to
Makefile.am, libarchive/test/CMakeLists.txt,
libarchive/test/test_read_filter_compress.c.
- CVE-2015-8932
* SECURITY UPDATE: integer overflow via negative-sized sparse blocks
- debian/patches/CVE-2015-8933.patch: add check to
libarchive/archive_read_support_format_tar.c.
- CVE-2015-8933
* SECURITY UPDATE: heap overflow parsing malformed tar archives
- debian/patches/CVE-2015-8934.patch: properly check reading from lzss
decompression buffer in libarchive/archive_read_support_format_rar.c,
added tests to Makefile.am, libarchive/test/CMakeLists.txt,
libarchive/test/test_read_format_rar_invalid1.c,
libarchive/test/test_read_format_rar_invalid1.rar.uu.
- CVE-2015-8934
* SECURITY UPDATE: overflow reading 7-Zip with large number of substreams
- debian/patches/CVE-2016-4300.patch: add another limit to
libarchive/archive_read_support_format_7zip.c.
- CVE-2016-4300
* SECURITY UPDATE: crash via rar files with zero dictionary size
- debian/patches/CVE-2016-4302.patch: handle zero-sized disctionary in
libarchive/archive_ppmd7.c,
libarchive/archive_read_support_format_rar.c.
- CVE-2016-4302
* SECURITY UPDATE: memory allocation issues with large cpio symlinks
- debian/patches/CVE-2016-4809.patch: reject large symlinks in
libarchive/archive_read_support_format_cpio.c.
- CVE-2016-4809
* SECURITY UPDATE: integer overflow when computing volume descriptor
- debian/patches/CVE-2016-5844.patch: fix multiplications in
libarchive/archive_read_support_format_iso9660.c.
- CVE-2016-5844
-- Marc Deslauriers <email address hidden> Wed, 13 Jul 2016 09:20:10 -0400
Available diffs
libarchive (3.1.2-11ubuntu0.15.10.2) wily-security; urgency=medium
* SECURITY UPDATE: denial of service via malformed rar or cab files
- debian/patches/CVE-2015-8916.patch: ignore entries with empty
filenames in tar/read.c.
- CVE-2015-8916
- CVE-2015-8917
* SECURITY UPDATE: denial of service via malformed lzh file
- debian/patches/CVE-2015-8919.patch: recognize empty dir name in
libarchive/archive_read_support_format_lha.c.
- CVE-2015-8919
* SECURITY UPDATE: buffer underflow parsing ar header
- debian/patches/CVE-2015-8920.patch: check for empty filenames in
libarchive/archive_read_support_format_ar.c.
- CVE-2015-8920
* SECURITY UPDATE: read past end of string parsing
- debian/patches/CVE-2015-8921.patch: properly calculate string length
in libarchive/archive_entry.c.
- CVE-2015-8921
* SECURITY UPDATE: segfault on malformed 7z archive
- debian/patches/CVE-2015-8922.patch: reject some malformed files in
libarchive/archive_read_support_format_7zip.c, added tests to
Makefile.am, libarchive/test/test_read_format_7zip_malformed.7z.uu,
libarchive/test/test_read_format_7zip_malformed.c,
libarchive/test/test_read_format_7zip_malformed2.7z.uu,
libarchive/test/CMakeLists.txt.
- CVE-2015-8922
* SECURITY UPDATE: segfault on malformed Zip archive
- debian/patches/CVE-2015-8923.patch: properly handle sizes in
libarchive/archive_read_support_format_zip.c, added tests to
Makefile.am, libarchive/test/CMakeLists.txt,
libarchive/test/test_read_format_zip_malformed.c,
libarchive/test/test_read_format_zip_malformed1.zip.uu.
- CVE-2015-8923
* SECURITY UPDATE: buffer overflow when processing tar files
- debian/patches/CVE-2015-8924.patch: properly handle empty filenames
in libarchive/archive_read_support_format_tar.c.
- CVE-2015-8924
* SECURITY UPDATE: improper newline parsing
- debian/patches/CVE-2015-8925.patch: fix escaped newline parsing in
libarchive/archive_read_support_format_mtree.c, added tests to
libarchive/test/test_read_format_mtree.c,
libarchive/test/test_read_format_mtree.mtree.uu.
- CVE-2015-8925
* SECURITY UPDATE: segfault on invalid rar archive
- debian/patches/CVE-2015-8926.patch: properly handle return code in
libarchive/archive_read_support_format_rar.c.
- CVE-2015-8926
* SECURITY UPDATE: out-of-bounds read in mtree
- debian/patches/CVE-2015-8928.patch: properly handle filename parsing
in libarchive/archive_read_support_format_mtree.c.
- CVE-2015-8928
* SECURITY UPDATE: segfault via dir loop in malformed ISO
- debian/patches/CVE-2015-8930.patch: limit recursion in
libarchive/archive_read_support_format_iso9660.c.
- CVE-2015-8930
* SECURITY UPDATE: integer overflow parsing time values
- debian/patches/CVE-2015-8931.patch: fix time handling in
libarchive/archive_read_support_format_mtree.c.
- CVE-2015-8931
* SECURITY UPDATE: crash via invalid compressed data
- debian/patches/CVE-2015-8932.patch: add more checks to
libarchive/archive_read_support_filter_compress.c, added tests to
Makefile.am, libarchive/test/CMakeLists.txt,
libarchive/test/test_read_filter_compress.c.
- CVE-2015-8932
* SECURITY UPDATE: integer overflow via negative-sized sparse blocks
- debian/patches/CVE-2015-8933.patch: add check to
libarchive/archive_read_support_format_tar.c.
- CVE-2015-8933
* SECURITY UPDATE: heap overflow parsing malformed tar archives
- debian/patches/CVE-2015-8934.patch: properly check reading from lzss
decompression buffer in libarchive/archive_read_support_format_rar.c,
added tests to Makefile.am, libarchive/test/CMakeLists.txt,
libarchive/test/test_read_format_rar_invalid1.c,
libarchive/test/test_read_format_rar_invalid1.rar.uu.
- CVE-2015-8934
* SECURITY UPDATE: overflow reading 7-Zip with large number of substreams
- debian/patches/CVE-2016-4300.patch: add another limit to
libarchive/archive_read_support_format_7zip.c.
- CVE-2016-4300
* SECURITY UPDATE: crash via rar files with zero dictionary size
- debian/patches/CVE-2016-4302.patch: handle zero-sized disctionary in
libarchive/archive_ppmd7.c,
libarchive/archive_read_support_format_rar.c.
- CVE-2016-4302
* SECURITY UPDATE: memory allocation issues with large cpio symlinks
- debian/patches/CVE-2016-4809.patch: reject large symlinks in
libarchive/archive_read_support_format_cpio.c.
- CVE-2016-4809
* SECURITY UPDATE: integer overflow when computing volume descriptor
- debian/patches/CVE-2016-5844.patch: fix multiplications in
libarchive/archive_read_support_format_iso9660.c.
- CVE-2016-5844
-- Marc Deslauriers <email address hidden> Wed, 13 Jul 2016 11:17:13 -0400
Available diffs
libarchive (3.1.2-7ubuntu2.3) trusty-security; urgency=medium
* SECURITY UPDATE: denial of service via malformed rar or cab files
- debian/patches/CVE-2015-8916.patch: ignore entries with empty
filenames in tar/read.c.
- CVE-2015-8916
- CVE-2015-8917
* SECURITY UPDATE: denial of service via malformed lzh file
- debian/patches/CVE-2015-8919.patch: recognize empty dir name in
libarchive/archive_read_support_format_lha.c.
- CVE-2015-8919
* SECURITY UPDATE: buffer underflow parsing ar header
- debian/patches/CVE-2015-8920.patch: check for empty filenames in
libarchive/archive_read_support_format_ar.c.
- CVE-2015-8920
* SECURITY UPDATE: read past end of string parsing
- debian/patches/CVE-2015-8921.patch: properly calculate string length
in libarchive/archive_entry.c.
- CVE-2015-8921
* SECURITY UPDATE: segfault on malformed 7z archive
- debian/patches/CVE-2015-8922.patch: reject some malformed files in
libarchive/archive_read_support_format_7zip.c, added tests to
Makefile.am, libarchive/test/test_read_format_7zip_malformed.7z.uu,
libarchive/test/test_read_format_7zip_malformed.c,
libarchive/test/test_read_format_7zip_malformed2.7z.uu,
libarchive/test/CMakeLists.txt.
- CVE-2015-8922
* SECURITY UPDATE: segfault on malformed Zip archive
- debian/patches/CVE-2015-8923.patch: properly handle sizes in
libarchive/archive_read_support_format_zip.c, added tests to
Makefile.am, libarchive/test/CMakeLists.txt,
libarchive/test/test_read_format_zip_malformed.c,
libarchive/test/test_read_format_zip_malformed1.zip.uu.
- CVE-2015-8923
* SECURITY UPDATE: buffer overflow when processing tar files
- debian/patches/CVE-2015-8924.patch: properly handle empty filenames
in libarchive/archive_read_support_format_tar.c.
- CVE-2015-8924
* SECURITY UPDATE: improper newline parsing
- debian/patches/CVE-2015-8925.patch: fix escaped newline parsing in
libarchive/archive_read_support_format_mtree.c, added tests to
libarchive/test/test_read_format_mtree.c,
libarchive/test/test_read_format_mtree.mtree.uu.
- CVE-2015-8925
* SECURITY UPDATE: segfault on invalid rar archive
- debian/patches/CVE-2015-8926.patch: properly handle return code in
libarchive/archive_read_support_format_rar.c.
- CVE-2015-8926
* SECURITY UPDATE: out-of-bounds read in mtree
- debian/patches/CVE-2015-8928.patch: properly handle filename parsing
in libarchive/archive_read_support_format_mtree.c.
- CVE-2015-8928
* SECURITY UPDATE: segfault via dir loop in malformed ISO
- debian/patches/CVE-2015-8930.patch: limit recursion in
libarchive/archive_read_support_format_iso9660.c.
- CVE-2015-8930
* SECURITY UPDATE: integer overflow parsing time values
- debian/patches/CVE-2015-8931.patch: fix time handling in
libarchive/archive_read_support_format_mtree.c.
- CVE-2015-8931
* SECURITY UPDATE: crash via invalid compressed data
- debian/patches/CVE-2015-8932.patch: add more checks to
libarchive/archive_read_support_filter_compress.c, added tests to
Makefile.am, libarchive/test/CMakeLists.txt,
libarchive/test/test_read_filter_compress.c.
- CVE-2015-8932
* SECURITY UPDATE: integer overflow via negative-sized sparse blocks
- debian/patches/CVE-2015-8933.patch: add check to
libarchive/archive_read_support_format_tar.c.
- CVE-2015-8933
* SECURITY UPDATE: heap overflow parsing malformed tar archives
- debian/patches/CVE-2015-8934.patch: properly check reading from lzss
decompression buffer in libarchive/archive_read_support_format_rar.c,
added tests to Makefile.am, libarchive/test/CMakeLists.txt,
libarchive/test/test_read_format_rar_invalid1.c,
libarchive/test/test_read_format_rar_invalid1.rar.uu.
- CVE-2015-8934
* SECURITY UPDATE: overflow reading 7-Zip with large number of substreams
- debian/patches/CVE-2016-4300.patch: add another limit to
libarchive/archive_read_support_format_7zip.c.
- CVE-2016-4300
* SECURITY UPDATE: crash via rar files with zero dictionary size
- debian/patches/CVE-2016-4302.patch: handle zero-sized disctionary in
libarchive/archive_ppmd7.c,
libarchive/archive_read_support_format_rar.c.
- CVE-2016-4302
* SECURITY UPDATE: memory allocation issues with large cpio symlinks
- debian/patches/CVE-2016-4809.patch: reject large symlinks in
libarchive/archive_read_support_format_cpio.c.
- CVE-2016-4809
* SECURITY UPDATE: integer overflow when computing volume descriptor
- debian/patches/CVE-2016-5844.patch: fix multiplications in
libarchive/archive_read_support_format_iso9660.c.
- CVE-2016-5844
-- Marc Deslauriers <email address hidden> Wed, 13 Jul 2016 11:23:39 -0400
Available diffs
libarchive (3.2.1-1) unstable; urgency=medium * New upstream release. * Add patch cherry-picked from upstream fixing build with xz-utils < 5.2 -- Andreas Henriksson <email address hidden> Sun, 26 Jun 2016 21:28:27 +0200
Available diffs
- diff from 3.1.2-11ubuntu1 (in Ubuntu) to 3.2.1-1 (1.5 MiB)
- diff from 3.2.0-2 to 3.2.1-1 (28.8 KiB)
libarchive (3.2.0-2) unstable; urgency=medium * Add CVE identifiers to previous changelog entry. * Upload to unstable. -- Andreas Henriksson <email address hidden> Wed, 01 Jun 2016 07:34:12 +0200
Available diffs
libarchive (3.1.2-11ubuntu0.15.10.1) wily-security; urgency=medium
* SECURITY UPDATE: code execution via incorrect compressed size
- debian/patches/CVE-2016-1541.patch: check sizes in
libarchive/archive_read_support_format_zip.c.
- CVE-2016-1541
* SECURITY UPDATE: denial of service via malformed cpio archive
- debian/patches/issue502.patch: fix implicit cast in
libarchive/archive_read_support_format_cpio.c, reject attempts to
move the file pointer by a negative amount in
libarchive/archive_read.c.
- CVE number pending.
-- Marc Deslauriers <email address hidden> Fri, 13 May 2016 09:24:48 -0400
Available diffs
libarchive (3.0.3-6ubuntu1.2) precise-security; urgency=medium
* SECURITY UPDATE: denial of service via malformed cpio archive
- debian/patches/issue502.patch: fix implicit cast in
libarchive/archive_read_support_format_cpio.c, reject attempts to
move the file pointer by a negative amount in
libarchive/archive_read.c.
- CVE number pending.
-- Marc Deslauriers <email address hidden> Fri, 13 May 2016 10:15:48 -0400
Available diffs
libarchive (3.1.2-7ubuntu2.2) trusty-security; urgency=medium
* SECURITY UPDATE: code execution via incorrect compressed size
- debian/patches/CVE-2016-1541.patch: check sizes in
libarchive/archive_read_support_format_zip.c.
- CVE-2016-1541
* SECURITY UPDATE: denial of service via malformed cpio archive
- debian/patches/issue502.patch: fix implicit cast in
libarchive/archive_read_support_format_cpio.c, reject attempts to
move the file pointer by a negative amount in
libarchive/archive_read.c.
- CVE number pending.
-- Marc Deslauriers <email address hidden> Fri, 13 May 2016 10:08:06 -0400
Available diffs
libarchive (3.1.2-11ubuntu0.16.04.1) xenial-security; urgency=medium
* SECURITY UPDATE: code execution via incorrect compressed size
- debian/patches/CVE-2016-1541.patch: check sizes in
libarchive/archive_read_support_format_zip.c.
- CVE-2016-1541
* SECURITY UPDATE: denial of service via malformed cpio archive
- debian/patches/issue502.patch: fix implicit cast in
libarchive/archive_read_support_format_cpio.c, reject attempts to
move the file pointer by a negative amount in
libarchive/archive_read.c.
- CVE number pending.
-- Marc Deslauriers <email address hidden> Fri, 13 May 2016 09:24:48 -0400
Available diffs
libarchive (3.1.2-11ubuntu1) yakkety; urgency=medium
* SECURITY UPDATE: code execution via incorrect compressed size
- debian/patches/CVE-2016-1541.patch: check sizes in
libarchive/archive_read_support_format_zip.c.
- CVE-2016-1541
* SECURITY UPDATE: denial of service via malformed cpio archive
- debian/patches/issue502.patch: fix implicit cast in
libarchive/archive_read_support_format_cpio.c, reject attempts to
move the file pointer by a negative amount in
libarchive/archive_read.c.
- CVE number pending.
-- Marc Deslauriers <email address hidden> Fri, 13 May 2016 09:24:48 -0400
Available diffs
| Superseded in yakkety-release |
| Published in xenial-release |
| Obsolete in wily-release |
| Deleted in wily-proposed (Reason: moved to release) |
libarchive (3.1.2-11build1) wily; urgency=medium * Rebuild for the libnettle6 transition. -- Adam Conrad <email address hidden> Sun, 14 Jun 2015 01:30:37 -0600
Available diffs
- diff from 3.1.2-11 (in Debian) to 3.1.2-11build1 (362 bytes)
libarchive (3.1.2-9ubuntu0.1) utopic-security; urgency=medium
* SECURITY UPDATE: absolute path traversal vulnerability in bsdcpio
- debian/patches/CVE-2015-2304.patch: don't allow absolute paths by
default in cpio/cpio.c, libarchive/archive.h,
libarchive/archive_write_disk_posix.c, added test to
libarchive/test/test_write_disk_secure.c, updated documentation in
cpio/bsdcpio.1, libarchive/archive_write_disk.3.
- CVE-2015-2304
-- Marc Deslauriers <email address hidden> Tue, 24 Mar 2015 12:39:18 -0400
Available diffs
libarchive (3.0.3-6ubuntu1.1) precise-security; urgency=medium
* SECURITY UPDATE: denial of service via integer signedness error
- debian/patches/CVE-2013-0211.patch: limit write requests in
libarchive/archive_write.c.
- CVE-2013-0211
* SECURITY UPDATE: absolute path traversal vulnerability in bsdcpio
- debian/patches/CVE-2015-2304.patch: don't allow absolute paths by
default in cpio/cpio.c, libarchive/archive.h,
libarchive/archive_write_disk_posix.c, added test to
libarchive/test/test_write_disk_secure.c, updated documentation in
cpio/bsdcpio.1, libarchive/archive_write_disk.3.
- CVE-2015-2304
-- Marc Deslauriers <email address hidden> Tue, 24 Mar 2015 12:46:05 -0400
Available diffs
| 1 → 75 of 115 results | First • Previous • Next • Last |
