From: Marc Deslauriers <marc.deslauriers@canonical.com>
Reply-To: Ubuntu Security <security@ubuntu.com>
To: ubuntu-security-announce@lists.ubuntu.com
Message-ID: <5787EA0C.5090800@canonical.com>
Subject: [USN-3033-1] libarchive vulnerabilities
==========================================================================
Ubuntu Security Notice USN-3033-1
July 14, 2016

libarchive vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 16.04 LTS
- Ubuntu 15.10
- Ubuntu 14.04 LTS
- Ubuntu 12.04 LTS
Summary:
libarchive could be made to crash or run programs if it opened a specially crafted file.
Software Description:
- libarchive: Library to read/write archive files
Details:
Hanno Böck discovered that libarchive contained multiple security issues when processing certain malformed archive files. A remote attacker could use this issue to cause libarchive to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2015-8916, CVE-2015-8917, CVE-2015-8919, CVE-2015-8920, CVE-2015-8921, CVE-2015-8922, CVE-2015-8923, CVE-2015-8924, CVE-2015-8925, CVE-2015-8926, CVE-2015-8928, CVE-2015-8930, CVE-2015-8931, CVE-2015-8932, CVE-2015-8933, CVE-2015-8934, CVE-2016-5844)
Marcin "Icewall" Noga discovered that libarchive contained multiple security issues when processing certain malformed archive files. A remote attacker could use this issue to cause libarchive to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2016-4300, CVE-2016-4302)
It was discovered that libarchive incorrectly handled memory allocation with large cpio symlinks. A remote attacker could use this issue to possibly cause libarchive to crash, resulting in a denial of service. (CVE-2016-4809)
Update instructions:
The problem can be corrected by updating your system to the following package versions:
Ubuntu 16.04 LTS:
  libarchive13                    3.1.2-11ubuntu0.16.04.2

Ubuntu 15.10:
  libarchive13                    3.1.2-11ubuntu0.15.10.2

Ubuntu 14.04 LTS:
  libarchive13                    3.1.2-7ubuntu2.3

Ubuntu 12.04 LTS:
  libarchive12                    3.0.3-6ubuntu1.3
In general, a standard system update will make all the necessary changes.
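An added example, not part of the advisory: a Python check that an installed libarchive version is at or above the fixed version listed above for its release. The comparison re-implements Debian's version ordering; the function names and the release keys are assumptions made for this example.

```python
import re

# Fixed versions copied from USN-3033-1: release -> (binary package, fixed version).
FIXED = {
    "16.04": ("libarchive13", "3.1.2-11ubuntu0.16.04.2"),
    "15.10": ("libarchive13", "3.1.2-11ubuntu0.15.10.2"),
    "14.04": ("libarchive13", "3.1.2-7ubuntu2.3"),
    "12.04": ("libarchive12", "3.0.3-6ubuntu1.3"),
}

def _order(ch):
    # Weight of a non-digit character: '~' < end of string (0) < letters < the rest.
    return -1 if ch == "~" else ord(ch) if ch.isalpha() else ord(ch) + 256

def _take(pattern, s):
    prefix = re.match(pattern, s).group()
    return prefix, s[len(prefix):]

def _cmp_part(a, b):
    """Compare two upstream-version or revision strings the way dpkg orders them."""
    while a or b:
        na, a = _take(r"[^0-9]*", a)   # non-digit run, compared by character weight
        nb, b = _take(r"[^0-9]*", b)
        for i in range(max(len(na), len(nb))):
            oa = _order(na[i]) if i < len(na) else 0
            ob = _order(nb[i]) if i < len(nb) else 0
            if oa != ob:
                return -1 if oa < ob else 1
        da, a = _take(r"[0-9]*", a)    # digit run, compared numerically
        db, b = _take(r"[0-9]*", b)
        if int(da or 0) != int(db or 0):
            return -1 if int(da or 0) < int(db or 0) else 1
    return 0

def _split(version):
    """Return (epoch, upstream, revision) for an [epoch:]upstream[-revision] string."""
    epoch, rest = version.split(":", 1) if ":" in version else ("0", version)
    upstream, revision = rest.rsplit("-", 1) if "-" in rest else (rest, "")
    return int(epoch), upstream, revision

def compare(v1, v2):
    (e1, u1, r1), (e2, u2, r2) = _split(v1), _split(v2)
    if e1 != e2:
        return -1 if e1 < e2 else 1
    return _cmp_part(u1, u2) or _cmp_part(r1, r2)

def is_patched(release, installed):
    """True if `installed` is at or above the fixed version for that release."""
    return compare(installed, FIXED[release][1]) >= 0
```

The installed version string can be read with `dpkg-query -W -f='${Version}' libarchive13`; on the host itself, `dpkg --compare-versions` remains the authoritative comparison.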
References:
  http://www.ubuntu.com/usn/usn-3033-1
  CVE-2015-8916, CVE-2015-8917, CVE-2015-8919, CVE-2015-8920, CVE-2015-8921, CVE-2015-8922, CVE-2015-8923, CVE-2015-8924, CVE-2015-8925, CVE-2015-8926, CVE-2015-8928, CVE-2015-8930, CVE-2015-8931, CVE-2015-8932, CVE-2015-8933, CVE-2015-8934, CVE-2016-4300, CVE-2016-4302, CVE-2016-4809, CVE-2016-5844
Package Information:
  https://launchpad.net/ubuntu/+source/libarchive/3.1.2-11ubuntu0.16.04.2
  https://launchpad.net/ubuntu/+source/libarchive/3.1.2-11ubuntu0.15.10.2
  https://launchpad.net/ubuntu/+source/libarchive/3.1.2-7ubuntu2.3
  https://launchpad.net/ubuntu/+source/libarchive/3.0.3-6ubuntu1.3