lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Fri, 19 Apr 2013 20:43:29 +0300
From: Julius Kivimäki <julius.kivimaki@...il.com>
To: l3thal <l3thal@...shthestack.org>
Cc: noreply@...driva.com,
 "full-disclosure@...ts.grok.org.uk" <full-disclosure@...ts.grok.org.uk>
Subject: Re: [ MDVSA-2013:147 ] libarchive

I really wonder if they even read the lists they spam


2013/4/19 l3thal <l3thal@...shthestack.org>

> looks like you are still at it heh...
>
>
> On Fri, Apr 19, 2013 at 11:12 AM, <security@...driva.com> wrote:
>
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>>  _______________________________________________________________________
>>
>>  Mandriva Linux Security Advisory                         MDVSA-2013:147
>>  http://www.mandriva.com/en/support/security/
>>  _______________________________________________________________________
>>
>>  Package : libarchive
>>  Date    : April 19, 2013
>>  Affected: Business Server 1.0, Enterprise Server 5.0
>>  _______________________________________________________________________
>>
>>  Problem Description:
>>
>>  A vulnerability has been found and corrected in libarchive:
>>
>>  Fabian Yamaguchi reported a read buffer overflow flaw in
>>  libarchive on 64-bit systems where sizeof(size_t) is equal
>>  to 8. In the archive_write_zip_data() function in libarchive/
>>  archive_write_set_format_zip.c, the &quot;s&quot; parameter is of type
>> size_t
>>  (64 bit, unsigned) and is cast to a 64 bit signed integer. If
>> &quot;s&quot; is
>>  larger than MAX_INT, it will not be set to
>> &quot;zip-&gt;remaining_data_bytes&quot;
>>  even though it is larger than &quot;zip-&gt;remaining_data_bytes&quot;,
>> which
>>  leads to a buffer overflow when calling deflate(). This can lead to a
>>  segfault in an application that uses libarchive to create ZIP archives
>>  (CVE-2013-0211).
>>
>>  The updated packages have been patched to correct this issue.
>>  _______________________________________________________________________
>>
>>  References:
>>
>>  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0211
>>  https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0119
>>  _______________________________________________________________________
>>
>>  Updated Packages:
>>
>>  Mandriva Enterprise Server 5:
>>  db7909eb958a090af3abeec3e4427f20
>>  mes5/i586/bsdtar-2.5.5-1.2mdvmes5.2.i586.rpm
>>  8ce2a7ce2501bb7bd6a53e3dffd8fd31
>>  mes5/i586/libarchive2-2.5.5-1.2mdvmes5.2.i586.rpm
>>  ba4c4e8717271abf9f2228886617409c
>>  mes5/i586/libarchive-devel-2.5.5-1.2mdvmes5.2.i586.rpm
>>  52d76a6e66d3e63c981b947dc8d58f50
>>  mes5/SRPMS/libarchive-2.5.5-1.2mdvmes5.2.src.rpm
>>
>>  Mandriva Enterprise Server 5/X86_64:
>>  f922a9da676ae2d2de2f717bd5841c73
>>  mes5/x86_64/bsdtar-2.5.5-1.2mdvmes5.2.x86_64.rpm
>>  4218a2812e89dc233b1e1eeb6f407e44
>>  mes5/x86_64/lib64archive2-2.5.5-1.2mdvmes5.2.x86_64.rpm
>>  a928fa095d7cf3f3ef5c4338b1fba506
>>  mes5/x86_64/lib64archive-devel-2.5.5-1.2mdvmes5.2.x86_64.rpm
>>  52d76a6e66d3e63c981b947dc8d58f50
>>  mes5/SRPMS/libarchive-2.5.5-1.2mdvmes5.2.src.rpm
>>
>>  Mandriva Business Server 1/X86_64:
>>  05b377385a447c33cd6e85efeeaa4fd0
>>  mbs1/x86_64/bsdcpio-3.0.3-2.1.mbs1.x86_64.rpm
>>  3ff28cd1ce2047a8dfed99a978d238a2
>>  mbs1/x86_64/bsdtar-3.0.3-2.1.mbs1.x86_64.rpm
>>  4adb27059351ae756462e9e25c87e11e
>>  mbs1/x86_64/lib64archive12-3.0.3-2.1.mbs1.x86_64.rpm
>>  52850e175df3b0b48a307d87c7b5f3ea
>>  mbs1/x86_64/lib64archive-devel-3.0.3-2.1.mbs1.x86_64.rpm
>>  890acf6fa9dafa2303be49bc1d42bdf1
>>  mbs1/SRPMS/libarchive-3.0.3-2.1.mbs1.src.rpm
>>  _______________________________________________________________________
>>
>>  To upgrade automatically use MandrivaUpdate or urpmi.  The verification
>>  of md5 checksums and GPG signatures is performed automatically for you.
>>
>>  All packages are signed by Mandriva for security.  You can obtain the
>>  GPG public key of the Mandriva Security Team by executing:
>>
>>   gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
>>
>>  You can view other update advisories for Mandriva Linux at:
>>
>>   http://www.mandriva.com/en/support/security/advisories/
>>
>>  If you want to report vulnerabilities, please contact
>>
>>   security_(at)_mandriva.com
>>  _______________________________________________________________________
>>
>>  Type Bits/KeyID     Date       User ID
>>  pub  1024D/22458A98 2000-07-10 Mandriva Security Team
>>   <security*mandriva.com>
>> -----BEGIN PGP SIGNATURE-----
>> Version: GnuPG v1.4.12 (GNU/Linux)
>>
>> iD8DBQFRcTdymqjQ0CJFipgRAs/4AKC3K7COuqRwVL6Ecq8yZ8chXthyWQCg04Q5
>> PRlg9lwbUt4q80+7fmRJ8Kk=
>> =jL85
>> -----END PGP SIGNATURE-----
>>
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/
>>
>>
>
>
> --
> l3thal - SmashTheStack <http://smashthestack.org>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>

Content of type "text/html" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists