Advisories » MGASA-2020-0127

Updated libarchive packages fix security vulnerabilities

Publication date: 06 Mar 2020
Modification date: 06 Mar 2020
Type: security
Affected Mageia releases : 7
CVE: CVE-2019-19221 , CVE-2020-9308

Description

The updated packages fix several issues including security vulnerabilities:

In Libarchive 3.4.0, archive_wstring_append_from_mbs in archive_string.c
has an out-of-bounds read because of an incorrect mbrtowc or mbtowc call.
For example, bsdtar crashes via a crafted archive. (CVE-2019-19221)

archive_read_support_format_rar5.c in libarchive before 3.4.2 attempts to
unpack a RAR5 file with an invalid or corrupted header (such as a header
size of zero), leading to a SIGSEGV or possibly unspecified other impact.
(CVE-2020-9308)
                

References

• https://bugs.mageia.org/show_bug.cgi?id=26290
• https://usn.ubuntu.com/4293-1/
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19221
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9308

SRPMS

7/core

• libarchive-3.4.0-1.1.mga7