Gentoo Archives: gentoo-announce

From: Thomas Deutschmann <whissi@g.o>
To: gentoo-announce@l.g.o
Subject: [gentoo-announce] [ GLSA 201701-03 ] libarchive: Multiple vulnerabilities
Date: Sun, 01 Jan 2017 14:35:09
Message-Id: 9973c1a2-bd38-0f1f-fee9-ed35e6e03c4d@gentoo.org
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201701-03
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: libarchive: Multiple vulnerabilities
Date: January 01, 2017
Bugs: #548110, #552646, #582526, #586086, #586182, #596568, #598950
ID: 201701-03

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been found in libarchive, the worst of
which allows for the remote execution of arbitrary code.

Background
==========

libarchive is a library for manipulating different streaming archive
formats, including certain tar variants, several cpio formats, and both
BSD and GNU ar variants.

Affected packages
=================

-------------------------------------------------------------------
 Package              /     Vulnerable     /            Unaffected
-------------------------------------------------------------------
1  app-arch/libarchive         < 3.2.2                  >= 3.2.2

Description
===========

Multiple vulnerabilities have been discovered in libarchive. Please
review the CVE identifiers referenced below for details.

Impact
======

A remote attacker could entice a user to open a specially crafted
archive file, possibly resulting in the execution of arbitrary code with
the privileges of the process or a Denial of Service condition.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All libarchive users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=app-arch/libarchive-3.2.2"

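As an added example that is not part of the GLSA or of Gentoo's own tooling, the following POSIX shell script decides whether an installed app-arch/libarchive version falls inside the vulnerable range "< 3.2.2" stated in the Affected packages table. It reads installed versions from the package database (assumed to live at /var/db/pkg) and compares them component by component. The version-comparison helper is an assumption written for illustration: it handles dotted numeric versions, a trailing -rN revision and _alpha/_beta/_pre/_rc pre-release suffixes, not the complete Gentoo version grammar; `emerge -pv` or `equery list` remain the authoritative check on a real system.

```shell
#!/bin/sh
# Added example (not part of GLSA 201701-03): is the installed
# app-arch/libarchive inside the vulnerable range "< 3.2.2"?

FIXED_VERSION="3.2.2"   # unaffected threshold taken from the advisory

# Keep only the dotted numeric part of a Gentoo version: drop a
# revision suffix (-r1) and any _rc1/_p2 style suffix.
numeric_version() {
    printf '%s\n' "$1" | sed -e 's/-r[0-9]*$//' -e 's/_.*$//'
}

# Compare two versions component by component. Prints -1, 0 or 1
# (like strcmp). Missing components count as 0, so 3.2 < 3.2.2.
version_cmp() {
    _a=$(numeric_version "$1")
    _b=$(numeric_version "$2")
    while [ -n "$_a" ] || [ -n "$_b" ]; do
        _ap=${_a%%.*}; _bp=${_b%%.*}
        [ "$_a" = "$_ap" ] && _a="" || _a=${_a#*.}
        [ "$_b" = "$_bp" ] && _b="" || _b=${_b#*.}
        # strip anything after the digits (e.g. "2a" -> "2"), default to 0
        _ap=${_ap%%[!0-9]*}; _bp=${_bp%%[!0-9]*}
        _ap=${_ap:-0}; _bp=${_bp:-0}
        if [ "$_ap" -lt "$_bp" ]; then printf '%s\n' -1; return; fi
        if [ "$_ap" -gt "$_bp" ]; then printf '%s\n' 1; return; fi
    done
    printf '%s\n' 0
}

# Succeeds (exit 0) when the given version is vulnerable per the GLSA.
# A pre-release of the fixed version (3.2.2_rc1) sorts before 3.2.2 in
# Gentoo, so it is treated as vulnerable too.
is_vulnerable() {
    _c=$(version_cmp "$1" "$FIXED_VERSION")
    [ "$_c" -lt 0 ] && return 0
    case "$1" in
        *_alpha*|*_beta*|*_pre*|*_rc*) [ "$_c" -eq 0 ] && return 0 ;;
    esac
    return 1
}

# Print every installed libarchive version found in the VDB (assumed
# default /var/db/pkg); prints nothing when the package is absent.
installed_libarchive_version() {
    _vdb=${1:-/var/db/pkg}
    for _d in "$_vdb"/app-arch/libarchive-*; do
        [ -d "$_d" ] || continue
        printf '%s\n' "${_d##*/libarchive-}"
    done
}

# Stand-alone usage: report on the live system (silent where no VDB exists).
for _v in $(installed_libarchive_version); do
    if is_vulnerable "$_v"; then
        echo "app-arch/libarchive-$_v is vulnerable; upgrade to >=$FIXED_VERSION"
    else
        echo "app-arch/libarchive-$_v is unaffected"
    fi
done
```

The comparison deliberately ignores anything after the numeric components, so a version such as 3.2.2-r1 is treated as 3.2.2 and reported unaffected, which matches the advisory's ">= 3.2.2" boundary.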
References
==========

[ 1 ] CVE-2015-2304
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2304
[ 2 ] CVE-2015-8915
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-8915
[ 3 ] CVE-2015-8916
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-8916
[ 4 ] CVE-2015-8917
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-8917
[ 5 ] CVE-2015-8918
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-8918
[ 6 ] CVE-2015-8919
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-8919
[ 7 ] CVE-2015-8920
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-8920
[ 8 ] CVE-2015-8921
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-8921
[ 9 ] CVE-2015-8922
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-8922
[ 10 ] CVE-2015-8923
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-8923
[ 11 ] CVE-2015-8924
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-8924
[ 12 ] CVE-2015-8925
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-8925
[ 13 ] CVE-2015-8926
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-8926
[ 14 ] CVE-2015-8927
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-8927
[ 15 ] CVE-2015-8928
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-8928
[ 16 ] CVE-2015-8929
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-8929
[ 17 ] CVE-2015-8930
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-8930
[ 18 ] CVE-2015-8931
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-8931
[ 19 ] CVE-2015-8932
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-8932
[ 20 ] CVE-2015-8933
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-8933
[ 21 ] CVE-2015-8934
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-8934
[ 22 ] CVE-2016-1541
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1541
[ 23 ] CVE-2016-4300
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4300
[ 24 ] CVE-2016-4301
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4301
[ 25 ] CVE-2016-4302
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4302
[ 26 ] CVE-2016-4809
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4809
[ 27 ] CVE-2016-5418
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5418
[ 28 ] CVE-2016-5844
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5844
[ 29 ] CVE-2016-6250
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-6250
[ 30 ] CVE-2016-7166
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7166
[ 31 ] CVE-2016-8687
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-8687
[ 32 ] CVE-2016-8688
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-8688
[ 33 ] CVE-2016-8689
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-8689

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

https://security.gentoo.org/glsa/201701-03

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@g.o or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2017 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5

Attachments

  signature.asc  (application/pgp-signature)