This is an OpenPGP/MIME signed message (RFC 4880 and 3156) --===============1701931420660936870== Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="m6lucU8eDCtV7tUIdgpTv7WSPDQt5iSVS"
This is an OpenPGP/MIME signed message (RFC 4880 and 3156) --m6lucU8eDCtV7tUIdgpTv7WSPDQt5iSVS Content-Type: multipart/mixed; boundary="f20KJPEr3AitBauIBqxFpPeoHBDGgMExV" From: Marc Deslauriers <marc.deslauriers@canonical.com> Reply-To: Ubuntu Security <security@ubuntu.com> To: ubuntu-security-announce@lists.ubuntu.com Message-ID: <19d34818-a7ba-c6e9-d78b-7d7ad526999e@canonical.com> Subject: [USN-3225-1] libarchive vulnerabilities
--f20KJPEr3AitBauIBqxFpPeoHBDGgMExV Content-Type: text/plain; charset=utf- Content-Transfer-Encoding: quoted-printable
========================================================================== Ubuntu Security Notice USN-3225-1 March 09, 2017
libarchive vulnerabilities ==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 16.10 - Ubuntu 16.04 LTS - Ubuntu 14.04 LTS - Ubuntu 12.04 LTS
Summary:
libarchive could be made to crash, overwrite files, or run programs as your login if it opened a specially crafted file.
Software Description: - libarchive: Library to read/write archive files
Details:
It was discovered that libarchive incorrectly handled hardlink entries when extracting archives. A remote attacker could possibly use this issue to overwrite arbitrary files. (CVE-2016-5418)
Christian Wressnegger, Alwin Maier, and Fabian Yamaguchi discovered that libarchive incorrectly handled filename lengths when writing ISO9660 archives. A remote attacker could use this issue to cause libarchive to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only applied to Ubuntu 12.04 LTS, Ubuntu 14.04 LTS and Ubuntu 16.04 LTS. (CVE-2016-6250)
Alexander Cherepanov discovered that libarchive incorrectly handled recursive decompressions. A remote attacker could possibly use this issue to cause libarchive to hang, resulting in a denial of service. This issue only applied to Ubuntu 12.04 LTS, Ubuntu 14.04 LTS and Ubuntu 16.04 LTS. (CVE-2016-7166)
It was discovered that libarchive incorrectly handled non-printable multibyte characters in filenames. A remote attacker could possibly use this issue to cause libarchive to crash, resulting in a denial of service. (CVE-2016-8687)
It was discovered that libarchive incorrectly handled line sizes when extracting certain archives. A remote attacker could possibly use this issue to cause libarchive to crash, resulting in a denial of service. (CVE-2016-8688)
It was discovered that libarchive incorrectly handled multiple EmptyStream attributes when extracting certain 7zip archives. A remote attacker could possibly use this issue to cause libarchive to crash, resulting in a denial of service. (CVE-2016-8689)
Jakub Jirasek discovered that libarchive incorrectly handled memory when extracting certain archives. A remote attacker could possibly use this issue to cause libarchive to crash, resulting in a denial of service. (CVE-2017-5601)
Update instructions:
The problem can be corrected by updating your system to the following package versions:
Ubuntu 16.10: libarchive13 3.2.1-2ubuntu0.1
Ubuntu 16.04 LTS: libarchive13 3.1.2-11ubuntu0.16.04.3
Ubuntu 14.04 LTS: libarchive13 3.1.2-7ubuntu2.4
Ubuntu 12.04 LTS: libarchive12 3.0.3-6ubuntu1.4
In general, a standard system update will make all the necessary changes.
References: http://www.ubuntu.com/usn/usn-3225-1 CVE-2016-5418, CVE-2016-6250, CVE-2016-7166, CVE-2016-8687, CVE-2016-8688, CVE-2016-8689, CVE-2017-5601
Package Information: https://launchpad.net/ubuntu/+source/libarchive/3.2.1-2ubuntu0.1 https://launchpad.net/ubuntu/+source/libarchive/3.1.2-11ubuntu0.16.04.3 https://launchpad.net/ubuntu/+source/libarchive/3.1.2-7ubuntu2.4 https://launchpad.net/ubuntu/+source/libarchive/3.0.3-6ubuntu1.4
--f20KJPEr3AitBauIBqxFpPeoHBDGgMExV--
--m6lucU8eDCtV7tUIdgpTv7WSPDQt5iSVS Content-Type: application/pgp-signature; name="signature.asc" Content-Description: OpenPGP digital signature Content-Disposition: attachment; filename="signature.asc"
-----BEGIN PGP SIGNATURE----- Version: GnuPG v2
iQIcBAEBCgAGBQJYwaSJAAoJEGVp2FWnRL6TH0MP/RAmYbhlRQpKGm7E6QFlTukb X+bpgdlqcITSVc37hoNu/3kX2Ews9WuaY0Kl3z2XfisNTBFOIy23FJybwJ0JjKxV BzO0NLvOyxXAWsJiwkvPR9dJ8NX5zGkgtUUjkatXu4KXgnjxCOYL0GkC6tgNDTGU YpUPRtDSJ30uSoK1QIac0Owm2WLhPzTscguMBVxyR2dZkJ0KcWSzLye/IGkPlw8u IWRM5sDpmxd8BMSvklzawArCvpgerTQHfWJzvkK7KkIVXQdXMsc4IH8xSb5koV4N 8uSw/moQvgNo5yTw1vi6pUtw2I2L9Dmufm/aDy8j9nlzGSjHcBz35brBQjTA++IQ AXbYtzTQii2ugbx9BbsBnlkYnRJcwGCBwENDzYlJxCm/I0S6MShZ3VNYlqegBv1T hL4HS1cDIWL3LnRMo7s9GFIfgF/eYTztbERO/qRkstN1EH3a4DIuhQYQ1LGgWDvy aceXiAE4eFcuGRxNlt6Pk37G7mUN2BCi7D3xkt4PxeT8aXOFbZybtzVwXNFAdldn Zuyf+tydwVu4zyA2vSMQsxDPIJtF95mHiTB7jrH3vDez4edI3gOm6/LuvgSdFBjx PMzHz1dFXlySS4GBnVlv2sFXv9scfXrjsp6yIGBtRBZ3u86vYye3m59ZVKRFJfAr 759oAYrnZUNsewScOBq+ =td3m -----END PGP SIGNATURE-----
--m6lucU8eDCtV7tUIdgpTv7WSPDQt5iSVS--
--===============1701931420660936870== Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Disposition: inline
-- ubuntu-security-announce mailing list ubuntu-security-announce@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce
--===============1701931420660936870==--
|