Advisories ยป MGASA-2020-0127

Updated libarchive packages fix security vulnerabilities

Publication date: 06 Mar 2020
Type: security
Affected Mageia releases : 7
CVE: CVE-2019-19221 , CVE-2020-9308


The updated packages fix several issues including security vulnerabilities:

In Libarchive 3.4.0, archive_wstring_append_from_mbs in archive_string.c
has an out-of-bounds read because of an incorrect mbrtowc or mbtowc call.
For example, bsdtar crashes via a crafted archive. (CVE-2019-19221)

archive_read_support_format_rar5.c in libarchive before 3.4.2 attempts to
unpack a RAR5 file with an invalid or corrupted header (such as a header
size of zero), leading to a SIGSEGV or possibly unspecified other impact.