[<prev] [next>] [day] [month] [year] [list]
Message-Id: <E1UTCym-0000wL-PT@titan.mandriva.com>
Date: Fri, 19 Apr 2013 17:12:00 +0200
From: security@...driva.com
To: bugtraq@...urityfocus.com
Subject: [ MDVSA-2013:147 ] libarchive
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
_______________________________________________________________________
Mandriva Linux Security Advisory MDVSA-2013:147
http://www.mandriva.com/en/support/security/
_______________________________________________________________________
Package : libarchive
Date : April 19, 2013
Affected: Business Server 1.0, Enterprise Server 5.0
_______________________________________________________________________
Problem Description:
A vulnerability has been found and corrected in libarchive:
Fabian Yamaguchi reported a read buffer overflow flaw in
libarchive on 64-bit systems where sizeof(size_t) is equal
to 8. In the archive_write_zip_data() function in libarchive/
archive_write_set_format_zip.c, the "s" parameter is of type size_t
(64 bit, unsigned) and is cast to a 64 bit signed integer. If "s" is
larger than MAX_INT, it will not be set to "zip->remaining_data_bytes"
even though it is larger than "zip->remaining_data_bytes", which
leads to a buffer overflow when calling deflate(). This can lead to a
segfault in an application that uses libarchive to create ZIP archives
(CVE-2013-0211).
The updated packages have been patched to correct this issue.
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0211
https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0119
_______________________________________________________________________
Updated Packages:
Mandriva Enterprise Server 5:
db7909eb958a090af3abeec3e4427f20 mes5/i586/bsdtar-2.5.5-1.2mdvmes5.2.i586.rpm
8ce2a7ce2501bb7bd6a53e3dffd8fd31 mes5/i586/libarchive2-2.5.5-1.2mdvmes5.2.i586.rpm
ba4c4e8717271abf9f2228886617409c mes5/i586/libarchive-devel-2.5.5-1.2mdvmes5.2.i586.rpm
52d76a6e66d3e63c981b947dc8d58f50 mes5/SRPMS/libarchive-2.5.5-1.2mdvmes5.2.src.rpm
Mandriva Enterprise Server 5/X86_64:
f922a9da676ae2d2de2f717bd5841c73 mes5/x86_64/bsdtar-2.5.5-1.2mdvmes5.2.x86_64.rpm
4218a2812e89dc233b1e1eeb6f407e44 mes5/x86_64/lib64archive2-2.5.5-1.2mdvmes5.2.x86_64.rpm
a928fa095d7cf3f3ef5c4338b1fba506 mes5/x86_64/lib64archive-devel-2.5.5-1.2mdvmes5.2.x86_64.rpm
52d76a6e66d3e63c981b947dc8d58f50 mes5/SRPMS/libarchive-2.5.5-1.2mdvmes5.2.src.rpm
Mandriva Business Server 1/X86_64:
05b377385a447c33cd6e85efeeaa4fd0 mbs1/x86_64/bsdcpio-3.0.3-2.1.mbs1.x86_64.rpm
3ff28cd1ce2047a8dfed99a978d238a2 mbs1/x86_64/bsdtar-3.0.3-2.1.mbs1.x86_64.rpm
4adb27059351ae756462e9e25c87e11e mbs1/x86_64/lib64archive12-3.0.3-2.1.mbs1.x86_64.rpm
52850e175df3b0b48a307d87c7b5f3ea mbs1/x86_64/lib64archive-devel-3.0.3-2.1.mbs1.x86_64.rpm
890acf6fa9dafa2303be49bc1d42bdf1 mbs1/SRPMS/libarchive-3.0.3-2.1.mbs1.src.rpm
_______________________________________________________________________
To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.
All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:
gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
You can view other update advisories for Mandriva Linux at:
http://www.mandriva.com/en/support/security/advisories/
If you want to report vulnerabilities, please contact
security_(at)_mandriva.com
_______________________________________________________________________
Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
iD8DBQFRcTdymqjQ0CJFipgRAs/4AKC3K7COuqRwVL6Ecq8yZ8chXthyWQCg04Q5
PRlg9lwbUt4q80+7fmRJ8Kk=
=jL85
-----END PGP SIGNATURE-----
Powered by blists - more mailing lists