Updated libarchive packages fix security vulnerabilities
Publication date: 11 Jan 2019Modification date: 11 Jan 2019
Type: security
Affected Mageia releases : 6
CVE: CVE-2017-14502 , CVE-2018-1000877 , CVE-2018-1000878 , CVE-2018-1000879 , CVE-2018-1000880
Description
read_header in archive_read_support_format_rar.c in libarchive 3.3.2
suffers from an off-by-one error for UTF-16 names in RAR archives,
leading to an out-of-bounds read in archive_read_format_rar_read_header
(CVE-2017-14502).
Multiple security issues were found in libarchive: Processing malformed
RAR archives could result in denial of service or the execution of
arbitrary code and malformed WARC, LHarc, ISO, Xar or CAB archives could
result in denial of service (CVE-2018-1000877, CVE-2018-1000878,
CVE-2018-1000879, CVE-2018-1000880).
References
- https://bugs.mageia.org/show_bug.cgi?id=24075
- http://lists.suse.com/pipermail/sle-security-updates/2018-December/004927.html
- https://www.debian.org/security/2018/dsa-4360
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14502
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000877
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000878
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000879
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000880
SRPMS
6/core
- libarchive-3.3.1-1.4.mga6