Advisories » MGASA-2019-0074

Updated libarchive packages fix security vulnerability

Publication date: 13 Feb 2019
Modification date: 13 Feb 2019
Type: security
Affected Mageia releases : 6
CVE: CVE-2019-1000019 , CVE-2019-1000020

Description

libarchive contains an out-of-bounds read vulnerability in 7zip
decompression, archive_read_support_format_7zip.c, header_bytes() that can
result in a crash (denial of service). This attack appears to be
exploitable via the victim opening a specially crafted 7zip file
(CVE-2019-1000019).

libarchive contains an infinite loop vulnerability in the ISO9660 parser,
archive_read_support_format_iso9660.c, read_CE()/parse_rockridge() that
can result in DoS by infinite loop. This attack appears to be exploitable
via the victim opening a specially crafted ISO9660 file (CVE-2019-1000020).
                

References

• https://bugs.mageia.org/show_bug.cgi?id=24337
• https://usn.ubuntu.com/3884-1/
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1000019
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1000020

SRPMS

6/core

• libarchive-3.3.1-1.5.mga6