[3.4] libarchive: Multiple issues (CVE-2015-8934, CVE-2016-4300, CVE-2016-4302, CVE-2016-4809, CVE-2016-5844, CVE-2016-6250)
CVE-2015-8934: out of bounds heap read in RAR parser
Fixed In Version:
libarchive 3.2.1
References:
https://github.com/libarchive/libarchive/issues/521
Patch:
https://github.com/libarchive/libarchive/commit/603454ec03040c29bd051fcc749e3c1433c11a8e
CVE-2016-4300: Heap buffer overflow vulnerability in the 7zip read_SubStreamsInfo
Fixed In Version:
libarchive 3.2.1
References:
http://www.talosintelligence.com/reports/TALOS-2016-0152/
Patch:
https://github.com/libarchive/libarchive/commit/e79ef306afe332faf22e9b442a2c6b59cb175573
CVE-2016-4302: Heap buffer overflow in the Rar decompression functionality
Fixed In Version:
libarchive 3.2.1
References:
https://github.com/libarchive/libarchive/issues/719
Patch:
https://github.com/libarchive/libarchive/commit/05caadc7eedbef471ac9610809ba683f0c698700
CVE-2016-4809: Memory allocate error with symbolic links in cpio archives
Fixed In Version:
libarchive 3.2.1
References:
https://github.com/libarchive/libarchive/issues/705
Patch:
https://github.com/libarchive/libarchive/commit/fd7e0c02e272913a0a8b6d492c7260dfca0b1408
CVE-2016-5844: undefined behaviour (integer overflow) in iso parser
Fixed In Version:
libarchive 3.2.1
References:
http://seclists.org/oss-sec/2016/q2/591
https://github.com/libarchive/libarchive/issues/717
Patch:
https://github.com/libarchive/libarchive/commit/3ad08e01b4d253c66ae56414886089684155af22
CVE-2016-6250: Buffer overflow when writing large iso9660 containers
Fixed In Version:
libarchive 3.2.1
References:
https://github.com/libarchive/libarchive/issues/711
Patch:
https://github.com/libarchive/libarchive/commit/3014e19820ea53c15c90f9d447ca3e668a0b76c6
(from redmine: issue id 5971, created on 2016-07-26, closed on 2016-08-09)
- Relations:
  - parent #5970 (closed)
- Changesets:
  - Revision 1245e3e7 on 2016-08-05T14:45:26Z:
    main/libarchive: security upgrade to 3.2.1. Fixes #5971
    CVE-2015-8934: out of bounds heap read in RAR parser
    CVE-2016-4300: Heap buffer overflow vulnerability in the 7zip read_SubStreamsInfo
    CVE-2016-4302: Heap buffer overflow in the Rar decompression functionality
    CVE-2016-4809: Memory allocate error with symbolic links in cpio archives
    CVE-2016-5844: undefined behaviour (integer overflow) in iso parser
    CVE-2016-6250: Buffer overflow when writing large iso9660 containers