Change log for libarchive package in Ubuntu
libarchive (3.7.4-1.1) unstable; urgency=medium * Non-maintainer upload. * rar4 reader: protect copy_from_lzss_window_to_unp() (CVE-2024-20696) (Closes: #1086155) -- Salvatore Bonaccorso <email address hidden> Fri, 01 Nov 2024 21:30:39 +0100
libarchive (3.6.0-1ubuntu1.3) jammy-security; urgency=medium * SECURITY UPDATE: code execution via negative copy length - debian/patches/CVE-2024-20696.patch: protect copy_from_lzss_window_to_unp() in libarchive/archive_read_support_format_rar.c. - CVE-2024-20696 -- Marc Deslauriers <email address hidden> Tue, 29 Oct 2024 10:03:06 +0100
libarchive (3.4.0-2ubuntu1.4) focal-security; urgency=medium * SECURITY UPDATE: code execution via negative copy length - debian/patches/CVE-2024-20696.patch: protect copy_from_lzss_window_to_unp() in libarchive/archive_read_support_format_rar.c. - CVE-2024-20696 -- Marc Deslauriers <email address hidden> Tue, 29 Oct 2024 10:06:37 +0100
libarchive (3.7.4-1ubuntu1) plucky; urgency=medium * SECURITY UPDATE: code execution via negative copy length - debian/patches/CVE-2024-20696.patch: protect copy_from_lzss_window_to_unp() in libarchive/archive_read_support_format_rar.c. - CVE-2024-20696 -- Marc Deslauriers <email address hidden> Tue, 29 Oct 2024 10:00:09 +0100
libarchive (3.7.2-2ubuntu0.3) noble-security; urgency=medium * SECURITY UPDATE: code execution via negative copy length - debian/patches/CVE-2024-20696.patch: protect copy_from_lzss_window_to_unp() in libarchive/archive_read_support_format_rar.c. - CVE-2024-20696 -- Marc Deslauriers <email address hidden> Tue, 29 Oct 2024 10:02:44 +0100
libarchive (3.7.4-1ubuntu0.1) oracular-security; urgency=medium * SECURITY UPDATE: code execution via negative copy length - debian/patches/CVE-2024-20696.patch: protect copy_from_lzss_window_to_unp() in libarchive/archive_read_support_format_rar.c. - CVE-2024-20696 -- Marc Deslauriers <email address hidden> Tue, 29 Oct 2024 10:00:09 +0100
libarchive (3.6.0-1ubuntu1.2) jammy-security; urgency=medium
  * SECURITY UPDATE: NULL pointer dereference
    - debian/patches/CVE-2022-36227.patch: Add NULL check in archive_write functions
    - CVE-2022-36227
  * SECURITY UPDATE: Out of bounds access
    - debian/patches/CVE-2024-48957.patch: check dst isn't less than or equal to src in execute_filter_audio
    - CVE-2024-48957
  * SECURITY UPDATE: Out of bounds access
    - debian/patches/CVE-2024-48958.patch: check dst isn't less than or equal to src in execute_filter_delta
    - CVE-2024-48958
 -- Bruce Cable <email address hidden> Mon, 14 Oct 2024 12:03:12 +1100
libarchive (3.7.2-2ubuntu0.2) noble-security; urgency=medium * SECURITY UPDATE: Out of bounds access - debian/patches/CVE-2024-48957.patch: check dst isn't less than or equal to src in execute_filter_audio - CVE-2024-48957 * SECURITY UPDATE: Out of bounds access - debian/patches/CVE-2024-48958.patch: check dst isn't less than or equal to src in execute_filter_delta - CVE-2024-48958 -- Bruce Cable <email address hidden> Mon, 14 Oct 2024 12:12:50 +1100
libarchive (3.4.0-2ubuntu1.3) focal-security; urgency=medium * SECURITY UPDATE: NULL pointer dereference - debian/patches/CVE-2022-36227.patch: Add NULL check in archive_write functions - CVE-2022-36227 -- Bruce Cable <email address hidden> Mon, 14 Oct 2024 12:12:43 +1100
Available diffs
- diff from 3.4.0-2ubuntu1.2 to 3.4.0-2ubuntu1.3 (965 bytes)
Superseded in plucky-release |
Published in oracular-release |
Deleted in oracular-proposed (Reason: Moved to oracular) |
libarchive (3.7.4-1) unstable; urgency=medium
  * Drop a t64-related Lintian override.
  * Declare compliance with Policy 4.7.0 with no changes.
  * Use debhelper compat level 14:
    - use X-DH-Compat
    - let debhelper take care of some default dependencies
  * New upstream version:
    - use `git rm` in the `upstream` branch to remove two test files that were forgotten in the upstream tarball generation
    - update the symbols file
    - drop the fix-OOB-in-rar-e8-filter-2135, iso9660-hash, test-zstd-32bit, and robust-error-reporting patches, they were either taken from upstream or integrated there
    - refresh the typos patch
    - refresh the line numbers in the fix-OOB-* patches
  * Use debputy's X-Style: black.
 -- Peter Pentchev <email address hidden> Wed, 07 Aug 2024 14:36:27 +0300
Available diffs
- diff from 3.7.2-2.1 to 3.7.4-1 (260.9 KiB)
libarchive (3.7.2-2.1) unstable; urgency=medium * Non-maintainer upload. * fix: OOB in rar e8 filter (CVE-2024-26256) (Closes: #1072107) * fix: OOB in rar delta filter * fix: OOB in rar audio filter -- Salvatore Bonaccorso <email address hidden> Sat, 01 Jun 2024 15:50:51 +0200
Available diffs
- diff from 3.7.2-2 to 3.7.2-2.1 (1.7 KiB)
libarchive (3.7.2-2ubuntu0.1) noble-security; urgency=medium * SECURITY UPDATE: Remove code execution - debian/patches/CVE-2024-26256.patch: fix OOB in rar e8 filter in libarchive/archive_read_support_format_rar.c. - CVE-2024-26256 -- Leonidas Da Silva Barbosa <email address hidden> Thu, 30 May 2024 11:57:56 -0300
libarchive (3.6.2-1ubuntu1.1) mantic-security; urgency=medium * SECURITY UPDATE: Remove code execution - debian/patches/CVE-2024-26256.patch: fix OOB in rar e8 filter in libarchive/archive_read_support_format_rar.c. - CVE-2024-26256 -- Leonidas Da Silva Barbosa <email address hidden> Thu, 30 May 2024 13:53:54 -0300
libarchive (3.6.0-1ubuntu1.1) jammy-security; urgency=medium * SECURITY UPDATE: Remove code execution - debian/patches/CVE-2024-26256.patch: fix OOB in rar e8 filter in libarchive/archive_read_support_format_rar.c. - CVE-2024-26256 -- Leonidas Da Silva Barbosa <email address hidden> Thu, 30 May 2024 16:05:48 -0300
Superseded in oracular-release |
Published in noble-release |
Deleted in noble-proposed (Reason: Moved to noble) |
libarchive (3.7.2-2) unstable; urgency=medium
  [ Luca Boccassi ]
  * libarchive-dev: depend on -dev packages in an attempt to fix pkg-config --static --libs
    Addresses: 1056317; more work needed on libarchive's own configure tests
  [ Peter Pentchev ]
  * Acknowledge Lukas Märdian 64-bit-time_t-related NMU. Thanks!
  * Add the year 2024 to my debian/* copyright notice.
  * Re-sort the dependencies lists in the debian/control file.
  * Switch the pkg-config dependency over to pkgconf.
  * Add the robust-error-reporting upstream patch. Closes: #1068047
 -- Peter Pentchev <email address hidden> Sat, 30 Mar 2024 20:11:06 +0200
Superseded in noble-proposed |
libarchive (3.7.2-1.1ubuntu3) noble; urgency=medium * No-change rebuild for CVE-2024-3094 -- Steve Langasek <email address hidden> Sun, 31 Mar 2024 07:43:52 +0000
Available diffs
- diff from 3.7.2-1.1ubuntu2 to 3.7.2-1.1ubuntu3 (335 bytes)
libarchive (3.7.2-1.1ubuntu2) noble; urgency=medium * Rebuild against new time64_t renamed libraries. -- Gianfranco Costamagna <email address hidden> Thu, 21 Mar 2024 00:19:38 +0100
Available diffs
- diff from 3.7.2-1ubuntu2 to 3.7.2-1.1ubuntu2 (6.1 KiB)
- diff from 3.7.2-1.1ubuntu1 to 3.7.2-1.1ubuntu2 (349 bytes)
Superseded in noble-proposed |
libarchive (3.7.2-1.1ubuntu1) noble; urgency=medium * Merge with Debian; remaining changes: - Run dh_auto_test by default
Deleted in noble-updates (Reason: superseded by release) |
Superseded in noble-release |
Deleted in noble-proposed (Reason: Moved to noble) |
libarchive (3.7.2-1ubuntu2) noble; urgency=medium * armhf (-fstack-clash-protection) breakage rebuild -- Mate Kukri <email address hidden> Thu, 23 Nov 2023 15:10:55 +0000
Available diffs
- diff from 3.7.2-1ubuntu1 to 3.7.2-1ubuntu2 (341 bytes)
libarchive (3.7.2-1ubuntu1) noble; urgency=medium * Merge with Debian unstable. Remaining changes: - Run dh_auto_test by default
Available diffs
- diff from 3.6.2-1ubuntu1 to 3.7.2-1ubuntu1 (112.4 KiB)
Superseded in noble-release |
Published in mantic-release |
Published in lunar-release |
Deleted in lunar-proposed (Reason: Moved to lunar) |
libarchive (3.6.2-1ubuntu1) lunar; urgency=medium * Sync with Debian. Remaining change: - Run dh_auto_test by default
Superseded in lunar-release |
Obsolete in kinetic-release |
Published in jammy-release |
Deleted in jammy-proposed (Reason: Moved to jammy) |
libarchive (3.6.0-1ubuntu1) jammy; urgency=medium
  * Sync with Debian. (LP: #1967127)
    - Includes upstream fixes for CVE-2021-36976
  * debian/rules: fix broken check for nocheck DEB_BUILD_OPTION
  * SECURITY UPDATE: possible out-of-bounds read
    - Cherry-pick CVE-2022-26280.patch to fix zipx_lzma_alone_init()
    - CVE-2022-26280
libarchive (3.4.3-2ubuntu0.2) impish-security; urgency=medium * SECURITY UPDATE: Out-of-bounds read - debian/patches/CVE-2022-26280.patch: fix possible out-of-bounds read in zipx_lzma_alone_init() in libarchive/archive_read_support_format_zip.c. - CVE-2022-26280 -- Leonidas Da Silva Barbosa <email address hidden> Tue, 05 Apr 2022 11:21:47 -0300
Available diffs
- diff from 3.4.3-2ubuntu0.1 to 3.4.3-2ubuntu0.2 (1008 bytes)
libarchive (3.4.0-2ubuntu1.2) focal-security; urgency=medium * SECURITY UPDATE: Out-of-bounds read - debian/patches/CVE-2022-26280.patch: fix possible out-of-bounds read in zipx_lzma_alone_init() in libarchive/archive_read_support_format_zip.c. - CVE-2022-26280 -- Leonidas Da Silva Barbosa <email address hidden> Tue, 05 Apr 2022 11:33:37 -0300
Available diffs
- diff from 3.4.0-2ubuntu1.1 to 3.4.0-2ubuntu1.2 (1003 bytes)
libarchive (3.5.2-1ubuntu1) jammy; urgency=medium * SECURITY UPDATE: use-after-free in copy_string - debian/patches/CVE-2021-36976-1.patch: fixed out of bounds read in some files in Makefile.am, libarchive/archive_read_support_format_rar5.c, libarchive/test/*. - debian/patches/CVE-2021-36976-2.patch: fix invalid memory access in some files in Makefile.am, libarchive/archive_read_support_format_rar5.c, libarchive/test/test_read_format_rar5.c, libarchive/test/*. - CVE-2021-36976 -- Marc Deslauriers <email address hidden> Wed, 16 Feb 2022 08:22:57 -0500
libarchive (3.4.0-2ubuntu1.1) focal-security; urgency=medium
  * SECURITY UPDATE: extracting a symlink with ACLs modifies ACLs of target
    - debian/patches/CVE-2021-23177.patch: fix handling of symbolic link ACLs in libarchive/archive_disk_acl_freebsd.c, libarchive/archive_disk_acl_linux.c, libarchive/archive_disk_acl_sunos.c.
    - CVE-2021-23177
  * SECURITY UPDATE: symbolic links incorrectly followed
    - debian/patches/CVE-2021-31566-1.patch: do not follow symlinks when processing the fixup list in Makefile.am, libarchive/archive_write_disk_posix.c, libarchive/test/CMakeLists.txt, libarchive/test/test_write_disk_fixup.c.
    - debian/patches/CVE-2021-31566-2.patch: never follow symlinks when setting file flags on Linux in libarchive/archive_write_disk_posix.c.
    - debian/patches/CVE-2021-31566-3.patch: fix following symlinks when processing the fixup list in libarchive/archive_write_disk_posix.c, libarchive/test/test_write_disk_fixup.c.
    - debian/patches/CVE-2021-31566-4.patch: fix writing fflags broken in 8a1bd5c in libarchive/archive_write_disk_posix.c.
    - CVE-2021-31566
  * SECURITY UPDATE: use-after-free in copy_string
    - debian/patches/CVE-2021-36976-pre1.patch: verify window size for solid files in Makefile.am, libarchive/archive_read_support_format_rar5.c, libarchive/test/test_read_format_rar5*.
    - debian/patches/CVE-2021-36976-pre2.patch: verify window size for multivolume archives in Makefile.am, libarchive/archive_read_support_format_rar5.c, libarchive/test/test_read_format_rar5*.
    - debian/patches/CVE-2021-36976-1.patch: fixed out of bounds read in some files in Makefile.am, libarchive/archive_read_support_format_rar5.c, libarchive/test/*.
    - debian/patches/CVE-2021-36976-2.patch: fix invalid memory access in some files in Makefile.am, libarchive/archive_read_support_format_rar5.c, libarchive/test/test_read_format_rar5.c, libarchive/test/*.
    - CVE-2021-36976
 -- Marc Deslauriers <email address hidden> Wed, 16 Feb 2022 09:59:13 -0500
libarchive (3.4.3-2ubuntu0.1) impish-security; urgency=medium
  * SECURITY UPDATE: extracting a symlink with ACLs modifies ACLs of target
    - debian/patches/CVE-2021-23177.patch: fix handling of symbolic link ACLs in libarchive/archive_disk_acl_freebsd.c, libarchive/archive_disk_acl_linux.c, libarchive/archive_disk_acl_sunos.c.
    - CVE-2021-23177
  * SECURITY UPDATE: symbolic links incorrectly followed
    - debian/patches/CVE-2021-31566-1.patch: do not follow symlinks when processing the fixup list in Makefile.am, libarchive/archive_write_disk_posix.c, libarchive/test/CMakeLists.txt, libarchive/test/test_write_disk_fixup.c.
    - debian/patches/CVE-2021-31566-2.patch: never follow symlinks when setting file flags on Linux in libarchive/archive_write_disk_posix.c.
    - debian/patches/CVE-2021-31566-3.patch: fix following symlinks when processing the fixup list in libarchive/archive_write_disk_posix.c, libarchive/test/test_write_disk_fixup.c.
    - debian/patches/CVE-2021-31566-4.patch: fix writing fflags broken in 8a1bd5c in libarchive/archive_write_disk_posix.c.
    - CVE-2021-31566
  * SECURITY UPDATE: use-after-free in copy_string
    - debian/patches/CVE-2021-36976-1.patch: fixed out of bounds read in some files in Makefile.am, libarchive/archive_read_support_format_rar5.c, libarchive/test/*.
    - debian/patches/CVE-2021-36976-2.patch: fix invalid memory access in some files in Makefile.am, libarchive/archive_read_support_format_rar5.c, libarchive/test/test_read_format_rar5.c, libarchive/test/*.
    - CVE-2021-36976
 -- Marc Deslauriers <email address hidden> Wed, 16 Feb 2022 08:27:55 -0500
libarchive (3.5.2-1) unstable; urgency=medium
  * Declare compliance with Debian Policy 4.6.0 with no changes.
  * Add the year 2021 to my debian/* copyright notice.
  * Drop the Breaks/Replaces relations for pre-oldstable versions of bsdtar and bsdcpio.
  * Fix some shellcheck complaints about the minitar autopkgtest.
  * Use a comma, not a semicolon, in the Origin DEP-3 header.
  * Annotate the sharutils build dependency with <!nocheck>. Closes: #981654
  * Drop the obsolete libattr1-dev build dependency. At the moment it is still pulled in by libacl1-dev, but there is no reason for us not to do the right thing, so that everything goes right when libacl1-dev corrects its build dependency. Closes: #953931
  * New upstream version:
    - fix handling of symlink ACLs; Closes: 1001986
    - never follow symlinks when setting file flags; Closes: 1001990
    - update the upstream copyright information
    - drop some patches that were taken from the upstream source:
      - upstream-cpio-hardlink-type
      - upstream-cpio-rdev
      - upstream-unneeded-strlen
      - upstream-hardlink-to-self
      - upstream-set-format-error
      - upstream-rar-read-format
      - upstream-memory-stdlib
      - upstream-max-comp-level
      - upstream-isint-w
    - update the library symbols file
  * Add the lzip-large-dict patch to support larger lzip dictionaries. Closes: #1001901
  * Add the upstream-fixup-symlinks, upstream-fixup-file-flags, and upstream-fix-32bit-size-cast patches, importing three upstream post-3.5.2 commits.
 -- Peter Pentchev <email address hidden> Wed, 22 Dec 2021 19:51:54 +0200
Available diffs
- diff from 3.4.3-2build1 (in Ubuntu) to 3.5.2-1 (313.0 KiB)
Superseded in jammy-release |
Deleted in jammy-proposed (Reason: Moved to jammy) |
Deleted in impish-proposed (Reason: Moved to jammy) |
libarchive (3.4.3-2build1) impish; urgency=medium * No-change rebuild to build packages with zstd compression. -- Matthias Klose <email address hidden> Thu, 07 Oct 2021 12:14:04 +0200
Available diffs
- diff from 3.4.3-2 (in Debian) to 3.4.3-2build1 (336 bytes)
libarchive (3.2.2-3.1ubuntu0.7) bionic-security; urgency=medium * Add metadata support to fix issues with gnome-autoar security update (LP: #1929304) - debian/patches/metadata_support.patch: support reading metadata from compressed files. -- Marc Deslauriers <email address hidden> Fri, 04 Jun 2021 10:37:49 -0400
Superseded in jammy-release |
Obsolete in impish-release |
Obsolete in hirsute-release |
Obsolete in groovy-release |
Deleted in groovy-proposed (Reason: moved to Release) |
libarchive (3.4.3-2) unstable; urgency=medium
  * Add some more upstream patches:
    - upstream-isint-w
    - upstream-unneeded-strlen
    - upstream-hardlink-to-self
    - upstream-set-format-error (with a typo corrected)
    - upstream-rar-read-format
    - upstream-memory-stdlib
    - upstream-max-comp-level
  * Drop the unused liblzo2 build dependency. According to upstream, distributing libarchive binaries linked against liblzo2 violates the liblzo2 GPL license, so libarchive does not even use it unless explicitly requested, which we do not do anyway.
  * Fix two problems related to cross-building libarchive. Closes: #966637
    - drop the gcc B-D that I added as a reminder that dropping --as-needed was because it is handled automatically
    - annotate the test dependencies with <!nocheck>; since we never run the upstream test suite automatically, but only if the non-standard "check" build option is specified, this has no effect on normal builds, but it will fix cross-builds
 -- Peter Pentchev <email address hidden> Sat, 01 Aug 2020 21:46:12 +0300
libarchive (3.4.3-1build1) groovy; urgency=medium * No change rebuild against new libnettle8 and libhogweed6 ABI. -- Dimitri John Ledkov <email address hidden> Mon, 29 Jun 2020 22:27:25 +0100
Available diffs
- diff from 3.4.2-1 (in Debian) to 3.4.3-1build1 (39.7 KiB)
- diff from 3.4.3-1 (in Debian) to 3.4.3-1build1 (522 bytes)
libarchive (3.4.3-1) unstable; urgency=medium * New upstream release: - update the upstream signing key - update the typos patch, correct some more mistakes - drop all the upstream-* patches - add an upstream copyright notice for a new file * Add the upstream-cpio-rdev and upstream-cpio-hardlink-type patches. -- Peter Pentchev <email address hidden> Wed, 03 Jun 2020 16:40:28 +0300
Available diffs
- diff from 3.4.2-1 to 3.4.3-1 (39.4 KiB)
libarchive (3.4.2-1) unstable; urgency=medium
  * Minor correction to the debian/watch file to catch up with the upstream site links.
  * New upstream release:
    - drop some patches that were taken from upstream:
      - upstream-rar-use-after-free
      - upstream-rar-uaf-test-eof
      - upstream-rar-window-mask
      - upstream-rar-window-test
      - upstream-rar-filter-beyond
      - upstream-archive-read-sparse
      - upstream-archive-clean
      - upstream-doc-7zip-zip
      - upstream-open-without-openat
      - upstream-lz4-uint32
      - CVE-2020-9308 patch
    - drop most of the typos patch - integrated upstream
    - update the upstream copyright years
  * Add some more corrections to the typos patch.
  * Drop the Name and Contact upstream metadata fields.
  * Drop the phony "build" target.
  * Do not pass "--as-needed" to the linker: recent versions of the Debian GCC package do that by default. Just in case, add a build dependency on a recent version so that it is not forgotten e.g. in a backport.
  * Add some upstream patches since 3.4.2.
  * Update to debhelper compat level 13:
    - `dh_missing --fail-missing` is the default now
    - use execute_before/execute_after targets
  * Drop the local-options file.
 -- Peter Pentchev <email address hidden> Sat, 09 May 2020 22:04:02 +0300
Available diffs
- diff from 3.4.0-2ubuntu1 (in Ubuntu) to 3.4.2-1 (398.7 KiB)
Superseded in groovy-release |
Published in focal-release |
Deleted in focal-proposed (Reason: moved to Release) |
libarchive (3.4.0-2ubuntu1) focal; urgency=low * Merge from Debian unstable. Remaining changes: - debian/patches/CVE-2019-19221.patch: Bugfix and optimize archive_wstring_append_from_mbs() in libarchive/archive_string.c. - CVE-2019-19221
libarchive (3.4.0-1ubuntu2) focal; urgency=medium * Make autopkgtests cross-test-friendly. -- Steve Langasek <email address hidden> Wed, 04 Mar 2020 21:47:59 -0800
Available diffs
- diff from 3.4.0-1build1 to 3.4.0-1ubuntu2 (4.1 KiB)
- diff from 3.4.0-1ubuntu1 to 3.4.0-1ubuntu2 (914 bytes)
Superseded in focal-proposed |
libarchive (3.4.0-1ubuntu1) focal; urgency=medium * SECURITY UPDATE: Out-of-read and Denial of service - debian/patches/CVE-2019-19221.patch: Bugfix and optimize archive_wstring_append_from_mbs() in libarchive/archive_string.c. - CVE-2019-19221 * SECURITY UPDATE: SIGSEGV denial of service - debian/patches/CVE-2020-9308.patch: reject files that declare invalid header flags fix in libarchive/archive_read_support_format_rar5.c, libarchive/test/test_read_format_rar5.c, libarchive/test/test_read_format_rar5_block_size_is_too_small.rar.uu. - CVE-2020-9308 -- <email address hidden> (Leonidas S. Barbosa) Wed, 04 Mar 2020 12:32:51 -0300
libarchive (3.1.2-11ubuntu0.16.04.8) xenial-security; urgency=medium * SECURITY UPDATE: Out-of-read and Denial of service - debian/patches/CVE-2019-19221.patch: Bugfix and optimize archive_wstring_append_from_mbs() in libarchive/archive_string.c. - CVE-2019-19221 -- <email address hidden> (Leonidas S. Barbosa) Thu, 20 Feb 2020 14:45:19 -0300
libarchive (3.2.2-3.1ubuntu0.6) bionic-security; urgency=medium * SECURITY UPDATE: Out-of-read and Denial of service - debian/patches/CVE-2019-19221.patch: Bugfix and optimize archive_wstring_append_from_mbs() in libarchive/archive_string.c. - CVE-2019-19221 -- <email address hidden> (Leonidas S. Barbosa) Thu, 20 Feb 2020 14:46:13 -0300
libarchive (3.4.0-1ubuntu0.1) eoan-security; urgency=medium * SECURITY UPDATE: Out-of-read and Denial of service - debian/patches/CVE-2019-19221.patch: Bugfix and optimize archive_wstring_append_from_mbs() in libarchive/archive_string.c. - CVE-2019-19221 * SECURITY UPDATE: SIGSEGV denial of service - debian/patches/CVE-2020-9308.patch: reject files that declare invalid header flags fix in libarchive/archive_read_support_format_rar5.c, libarchive/test/test_read_format_rar5.c, libarchive/test/test_read_format_rar5_block_size_is_too_small.rar.uu. - CVE-2020-9308 -- <email address hidden> (Leonidas S. Barbosa) Thu, 20 Feb 2020 14:58:57 -0300
libarchive (3.4.0-1build1) focal; urgency=medium * No-change rebuild against libnettle7 -- Steve Langasek <email address hidden> Thu, 31 Oct 2019 22:12:00 +0000
Available diffs
- diff from 3.4.0-1 (in Debian) to 3.4.0-1build1 (516 bytes)
libarchive (3.3.3-4ubuntu0.1) disco-security; urgency=medium * SECURITY UPDATE: Use-after-free - debian/patches/CVE-2019-18408.patch: RAR reader: fix use after free in libarchive/archive_read_support_format_rar.c. - CVE-2019-18408 -- <email address hidden> (Leonidas S. Barbosa) Mon, 28 Oct 2019 10:34:56 -0300
libarchive (3.2.2-3.1ubuntu0.5) bionic-security; urgency=medium * SECURITY UPDATE: Use-after-free - debian/patches/CVE-2019-18408.patch: RAR reader: fix use after free in libarchive/archive_read_support_format_rar.c. - CVE-2019-18408 -- <email address hidden> (Leonidas S. Barbosa) Mon, 28 Oct 2019 10:50:50 -0300
libarchive (3.1.2-11ubuntu0.16.04.7) xenial-security; urgency=medium * SECURITY UPDATE: Use-after-free - debian/patches/CVE-2019-18408.patch: RAR reader: fix use after free in libarchive/archive_read_support_format_rar.c. - CVE-2019-18408 -- <email address hidden> (Leonidas S. Barbosa) Mon, 28 Oct 2019 10:57:06 -0300
Superseded in focal-release |
Obsolete in eoan-release |
Deleted in eoan-proposed (Reason: moved to Release) |
libarchive (3.4.0-1) unstable; urgency=medium
  * Declare compliance with Debian Policy 4.4.0 with no changes.
  * Mark the adequate test as superficial and give it a name.
  * Update the watch file a bit:
    - use the version 4 format placeholders
    - drop the "pasv" option, no FTP upstream sites
    - add the upstream signing key
  * Run all available Salsa CI jobs.
  * Drop the bsdtar and bsdcpio transitional packages. Closes: #940745, #940753
  * New upstream version:
    - drop all the patches obtained from the upstream Git repository (CVE-2018-1000877, CVE-2018-1000878, CVE-2018-1000879, CVE-2018-1000880, CVE-2019-1000019, CVE-2019-1000020, and zip-nullptr)
    - update the library symbols file
  * Add some bugfix patches obtained from upstream.
  * Add the typos patch to correct some typographical and grammatical errors.
  * Update the upstream copyright information.
 -- Peter Pentchev <email address hidden> Sat, 21 Sep 2019 01:44:44 +0300
Available diffs
- diff from 3.3.3-4 to 3.4.0-1 (576.4 KiB)
libarchive (3.2.2-3.1ubuntu0.4) bionic; urgency=medium * debian/patches/git_zip_directories.patch: - backport a fix for an issue where files are created instead of directories (lp: #1830629) -- Sebastien Bacher <email address hidden> Fri, 28 Jun 2019 21:20:28 +0200
Superseded in eoan-release |
Obsolete in disco-release |
Deleted in disco-proposed (Reason: moved to release) |
libarchive (3.3.3-4) unstable; urgency=medium
  * Add three upstream patches:
    - CVE-2019-1000019: fix a crash when parsing some 7zip archives
    - CVE-2019-1000020: require the RockRidge extension for iso9660
    - zip-nullptr: fix a null pointer dereference in ZIP files handling
 -- Peter Pentchev <email address hidden> Wed, 06 Feb 2019 11:01:25 +0200
Available diffs
- diff from 3.3.3-3 to 3.3.3-4 (1.5 KiB)
libarchive (3.2.2-5ubuntu0.2) cosmic-security; urgency=medium * SECURITY UPDATE: Denial of service - debian/patches/CVE-2019-1000019.patch: fix in libarchive/archive_read_support_format_7zip.c. - CVE-2019-1000019 * SECURITY UPDATE: Denial of service - debian/patches/CVE-2019-1000020.patch: fix in libarchive/archive_read_support_format_iso9660.c. - CVE-2019-1000020 -- <email address hidden> (Leonidas S. Barbosa) Wed, 06 Feb 2019 08:55:41 -0300
libarchive (3.2.2-3.1ubuntu0.3) bionic-security; urgency=medium * SECURITY UPDATE: Denial of service - debian/patches/CVE-2019-1000019.patch: fix in libarchive/archive_read_support_format_7zip.c. - CVE-2019-1000019 * SECURITY UPDATE: Denial of service - debian/patches/CVE-2019-1000020.patch: fix in libarchive/archive_read_support_format_iso9660.c. - CVE-2019-1000020 -- <email address hidden> (Leonidas S. Barbosa) Wed, 06 Feb 2019 08:54:50 -0300
libarchive (3.1.2-11ubuntu0.16.04.6) xenial-security; urgency=medium * SECURITY UPDATE: Denial of service - debian/patches/CVE-2019-1000019.patch: fix in libarchive/archive_read_support_format_7zip.c. - CVE-2019-1000019 * SECURITY UPDATE: Denial of service - debian/patches/CVE-2019-1000020.patch: fix in libarchive/archive_read_support_format_iso9660.c. - CVE-2019-1000020 -- <email address hidden> (Leonidas S. Barbosa) Wed, 06 Feb 2019 08:53:41 -0300
libarchive (3.1.2-7ubuntu2.8) trusty-security; urgency=medium * SECURITY UPDATE: Denial of service - debian/patches/CVE-2019-1000019.patch: fix in libarchive/archive_read_support_format_7zip.c. - CVE-2019-1000019 * SECURITY UPDATE: Denial of service - debian/patches/CVE-2019-1000020.patch: fix in libarchive/archive_read_support_format_iso9660.c. - CVE-2019-1000020 -- <email address hidden> (Leonidas S. Barbosa) Wed, 06 Feb 2019 08:48:45 -0300
libarchive (3.1.2-7ubuntu2.7) trusty-security; urgency=medium
  * SECURITY UPDATE: Out-of-bounds read
    - debian/patches/CVE-2017-14502.patch: fix in libarchive/archive_read_support_format_rar.c.
    - CVE-2017-14502
  * SECURITY UPDATE: Denial of service
    - debian/patches/CVE-2018-1000877.patch: fix in libarchive/archive_read_support_format_rar.c.
    - CVE-2018-1000877
  * SECURITY UPDATE: Denial of service
    - debian/patches/CVE-2018-1000878.patch: fix in libarchive/archive_read_support_format_rar.c.
    - CVE-2018-1000878
 -- <email address hidden> (Leonidas S. Barbosa) Mon, 14 Jan 2019 09:08:38 -0300
libarchive (3.2.2-3.1ubuntu0.2) bionic-security; urgency=medium
  * SECURITY UPDATE: Out-of-bounds read
    - debian/patches/CVE-2017-14502.patch: fix in libarchive/archive_read_support_format_rar.c.
    - CVE-2017-14502
  * SECURITY UPDATE: Denial of service
    - debian/patches/CVE-2018-1000877.patch: fix in libarchive/archive_read_support_format_rar.c.
    - CVE-2018-1000877
  * SECURITY UPDATE: Denial of service
    - debian/patches/CVE-2018-1000878.patch: fix in libarchive/archive_read_support_format_rar.c.
    - CVE-2018-1000878
  * SECURITY UPDATE: Denial of service
    - debian/patches/CVE-2018-1000880.patch: fix in libarchive/archive_read_support_format_warc.c.
    - CVE-2018-1000880
 -- <email address hidden> (Leonidas S. Barbosa) Mon, 14 Jan 2019 09:53:14 -0300
libarchive (3.1.2-11ubuntu0.16.04.5) xenial-security; urgency=medium
  * SECURITY UPDATE: Out-of-bounds read
    - debian/patches/CVE-2017-14502.patch: fix in libarchive/archive_read_support_format_rar.c.
    - CVE-2017-14502
  * SECURITY UPDATE: Denial of service
    - debian/patches/CVE-2018-1000877.patch: fix in libarchive/archive_read_support_format_rar.c.
    - CVE-2018-1000877
  * SECURITY UPDATE: Denial of service
    - debian/patches/CVE-2018-1000878.patch: fix in libarchive/archive_read_support_format_rar.c.
    - CVE-2018-1000878
 -- <email address hidden> (Leonidas S. Barbosa) Mon, 14 Jan 2019 09:30:58 -0300
libarchive (3.2.2-5ubuntu0.1) cosmic-security; urgency=medium
  * SECURITY UPDATE: Denial of service
    - debian/patches/CVE-2018-1000877.patch: fix in libarchive/archive_read_support_format_rar.c.
    - CVE-2018-1000877
  * SECURITY UPDATE: Denial of service
    - debian/patches/CVE-2018-1000878.patch: fix in libarchive/archive_read_support_format_rar.c.
    - CVE-2018-1000878
  * SECURITY UPDATE: Denial of service
    - debian/patches/CVE-2018-1000880.patch: fix in libarchive/archive_read_support_format_warc.c.
    - CVE-2018-1000880
 -- <email address hidden> (Leonidas S. Barbosa) Mon, 14 Jan 2019 10:26:10 -0300
libarchive (3.3.3-3) unstable; urgency=medium [ Andreas Henriksson ] * Build-depend on libext2fs-dev instead of e2fslibs-dev (Closes: #890210) * CI: Use the salsa-ci-team pipeline [ Peter Pentchev ] * Declare compliance with Debian Policy 4.3.0 with no changes. * Bump the debhelper compatibility level to 12 with no changes. * Add my copyright notice for debian/*. * Extend Andreas Henriksson's copyright notice all the way to 2019. -- Peter Pentchev <email address hidden> Sat, 05 Jan 2019 19:07:02 +0200
Available diffs
- diff from 3.3.3-2 to 3.3.3-3 (1.1 KiB)
libarchive (3.3.3-2) unstable; urgency=medium
  * Add Daniel Axtens's security and reliability patches:
    - CVE-2018-1000877.patch: Closes: #916964
    - CVE-2018-1000878.patch: Closes: #916963
    - CVE-2018-1000879.patch: Closes: #916962
    - CVE-2018-1000880.patch: Closes: #916960
    - all merged upstream in https://github.com/libarchive/libarchive/pull/1105
    Thanks to Salvatore Bonaccorso for filing the Debian bugs!
 -- Peter Pentchev <email address hidden> Fri, 21 Dec 2018 18:01:29 +0200
Available diffs
- diff from 3.3.3-1 to 3.3.3-2 (3.3 KiB)
libarchive (3.3.3-1) unstable; urgency=medium
  [ Peter Pentchev ]
  * Declare compliance with Debian Policy 4.2.1 with no changes.
  * Drop the Lintian overrides related to B-D: debhelper-compat - Lintian 2.5.98 no longer emits these warnings and errors.
  * Build with zstd compression support.
  * Pass --fail-missing to dh_missing, not to dh_install any more.
  [ Andreas Henriksson ]
  * New upstream release.
  * Drop debian/patches/ now part of upstream release:
    - Avoid-a-read-off-by-one-error-for-UTF16-names-in-RAR.patch
    - Do-something-sensible-for-empty-strings-to-make-fuzz.patch
    - Fail-with-negative-lha-compsize-in-lha_read_file_header_1.patch
    - Reject-LHA-archive-entries-with-negative-size.patch
    - Reread-the-CAB-header-skipping-the-self-extracting-b.patch
    - archive_strncat_l-allocate-and-do-not-convert-if-len.patch
    - iso9660-validate-directory-record-length.patch
  * Update libarchive13.symbols
 -- Peter Pentchev <email address hidden> Sat, 15 Dec 2018 02:01:01 +0200
Available diffs
- diff from 3.2.2-5 to 3.3.3-1 (631.9 KiB)
Superseded in disco-release |
Obsolete in cosmic-release |
Deleted in cosmic-proposed (Reason: moved to release) |
libarchive (3.2.2-5) unstable; urgency=medium
  * Acknowledge NMUs; many thanks to Salvatore Bonaccorso!
  * Use my Debian e-mail address.
  * Declare compliance with Debian Policy 4.2.0:
    - add Rules-Requires-Root: no to the source control stanza
    - install the upstream release notes (NEWS)
  * Drop the duplicate Priority fields for the binary packages.
  * Switch to the HTTPS scheme in various upstream and Debian packaging URLs.
  * Drop some trailing whitespace from old changelog entries.
  * Bump the debhelper compatibility level to 11 with no changes and use the B-D: debhelper-compat (= 11) mechanism.
  * Add a trivial autopkgtest running adequate on the binary packages.
 -- Peter Pentchev <email address hidden> Sat, 25 Aug 2018 18:28:10 +0300
Available diffs
- diff from 3.2.2-4.2 to 3.2.2-5 (2.3 KiB)
libarchive (3.2.2-4.2) unstable; urgency=medium
  * Non-maintainer upload.
  * iso9660: validate directory record length (CVE-2017-14501)
    (Closes: #875966)
 -- Salvatore Bonaccorso <email address hidden> Sun, 05 Aug 2018 08:18:10 +0200
Available diffs
- diff from 3.2.2-4.1 to 3.2.2-4.2 (1.6 KiB)
libarchive (3.2.2-3.1ubuntu0.1) bionic-security; urgency=medium
  * SECURITY UPDATE: Out-of-bounds read
    - debian/patches/CVE-2017-14501.patch: fix in
      libarchive/archive_read_support_format_iso9660.c.
    - CVE-2017-14501
  * SECURITY UPDATE: Out-of-bounds read
    - debian/patches/CVE-2017-14503.patch: fix in
      libarchive/archive_read_support_format_lha.c.
    - CVE-2017-14503
 -- <email address hidden> (Leonidas S. Barbosa) Tue, 07 Aug 2018 15:23:21 -0300
libarchive (3.1.2-11ubuntu0.16.04.4) xenial-security; urgency=medium
  * SECURITY UPDATE: Denial of service
    - debian/patches/CVE-2016-10209.patch: fix in
      libarchive/archive_string.c.
    - CVE-2016-10209
  * SECURITY UPDATE: Denial of service
    - debian/patches/CVE-2016-10349-and-CVE-2016-10350.patch: fix in
      libarchive/archive_read_support_format_cab.c.
    - CVE-2016-10349
    - CVE-2016-10350
  * SECURITY UPDATE: Denial of service
    - debian/patches/CVE-2017-14166.patch: fix in
      libarchive/archive_read_support_format_xar.c.
    - CVE-2017-14166
  * SECURITY UPDATE: Out-of-bounds read
    - debian/patches/CVE-2017-14501.patch: fix in
      libarchive/archive_read_support_format_iso9660.c.
    - CVE-2017-14501
  * SECURITY UPDATE: Out-of-bounds read
    - debian/patches/CVE-2017-14503.patch: fix in
      libarchive/archive_read_support_format_lha.c.
    - CVE-2017-14503
 -- <email address hidden> (Leonidas S. Barbosa) Wed, 08 Aug 2018 15:28:16 -0300
libarchive (3.1.2-7ubuntu2.6) trusty-security; urgency=medium
  * SECURITY UPDATE: Denial of service
    - debian/patches/CVE-2016-10209.patch: fix in
      libarchive/archive_string.c.
    - CVE-2016-10209
  * SECURITY UPDATE: Denial of service
    - debian/patches/CVE-2016-10349-and-CVE-2016-10350.patch: fix in
      libarchive/archive_read_support_format_cab.c.
    - CVE-2016-10349
    - CVE-2016-10350
  * SECURITY UPDATE: Denial of service
    - debian/patches/CVE-2017-14166.patch: fix in
      libarchive/archive_read_support_format_xar.c.
    - CVE-2017-14166
  * SECURITY UPDATE: Out-of-bounds read
    - debian/patches/CVE-2017-14501.patch: fix in
      libarchive/archive_read_support_format_iso9660.c.
    - CVE-2017-14501
  * SECURITY UPDATE: Out-of-bounds read
    - debian/patches/CVE-2017-14503.patch: fix in
      libarchive/archive_read_support_format_lha.c.
    - CVE-2017-14503
 -- <email address hidden> (Leonidas S. Barbosa) Wed, 08 Aug 2018 13:42:39 -0300
libarchive (3.2.2-4.1) unstable; urgency=medium
  * Non-maintainer upload.
  * Reject LHA archive entries with negative size (CVE-2017-14503)
    (Closes: #875960)
  * Avoid a read off-by-one error for UTF16 names in RAR archives
    (CVE-2017-14502) (Closes: #875974)
 -- Salvatore Bonaccorso <email address hidden> Wed, 25 Jul 2018 21:29:42 +0200
Available diffs
- diff from 3.2.2-4 to 3.2.2-4.1 (1.5 KiB)
libarchive (3.2.2-4) unstable; urgency=medium
  * Team upload.
  * debian/control: Update Vcs-* fields for move to salsa.debian.org
  * debian/control: Replace Priority: extra with optional
 -- Andreas Henriksson <email address hidden> Thu, 31 May 2018 00:01:28 +0200
Available diffs
- diff from 3.2.2-3.1 to 3.2.2-4 (755 bytes)
Superseded in cosmic-release |
Published in bionic-release |
Obsolete in artful-release |
Deleted in artful-proposed (Reason: moved to release) |
libarchive (3.2.2-3.1) unstable; urgency=high
  * Non-maintainer upload.
  * Reupload 3.2.2-2.1 on top of 3.2.2-3
  * archive_strncat_l(): allocate and do not convert if length == 0
    (CVE-2016-10209) (Closes: #859456)
  * Reread the CAB header skipping the self-extracting binary code
    (CVE-2016-10349, CVE-2016-10350) (Closes: #861609)
  * Do something sensible for empty strings to make fuzzers happy
    (CVE-2017-14166)
    Fixes heap-based buffer over-read in the atol8 function.
    (Closes: #874539)
 -- Salvatore Bonaccorso <email address hidden> Thu, 14 Sep 2017 16:02:10 +0200
Available diffs
- diff from 3.2.2-2 to 3.2.2-3.1 (2.6 KiB)
Superseded in artful-release |
Obsolete in zesty-release |
Deleted in zesty-proposed (Reason: moved to release) |
libarchive (3.2.2-2) unstable; urgency=medium
  * Disable tests (Closes: #859455)
 -- Andreas Henriksson <email address hidden> Mon, 03 Apr 2017 22:20:05 +0200
Available diffs
- diff from 3.2.1-6 to 3.2.2-2 (61.8 KiB)
libarchive (3.0.3-6ubuntu1.4) precise-security; urgency=medium
  * SECURITY UPDATE: arbitrary file write via hardlink entries
    - debian/patches/CVE-2016-5418-1.patch: enforce sandbox with very long
      pathnames in libarchive/archive_write_disk_posix.c.
    - debian/patches/CVE-2016-5418-2.patch: fix path handling in
      libarchive/archive_write_disk_posix.c.
    - debian/patches/CVE-2016-5418-3.patch: add test cases to Makefile.am,
      libarchive/test/CMakeLists.txt, libarchive/test/main.c,
      libarchive/test/test.h, libarchive/test/test_write_disk_secure744.c,
      libarchive/test/test_write_disk_secure745.c,
      libarchive/test/test_write_disk_secure746.c.
    - debian/patches/CVE-2016-5418-4.patch: fix testcases in
      libarchive/test/test_write_disk_secure745.c,
      libarchive/test/test_write_disk_secure746.c.
    - debian/patches/CVE-2016-5418-5.patch: correct PATH_MAX usage in
      libarchive/archive_write_disk_posix.c.
    - CVE-2016-5418
  * SECURITY UPDATE: denial of service and possible code execution when
    writing an ISO9660 archive
    - debian/patches/CVE-2016-6250.patch: check for overflow in
      libarchive/archive_write_set_format_iso9660.c.
    - CVE-2016-6250
  * SECURITY UPDATE: denial of service via recursive decompression
    - debian/patches/CVE-2016-7166.patch: limit number of filters in
      libarchive/archive_read.c, added test to Makefile.am,
      libarchive/test/CMakeLists.txt,
      libarchive/test/test_read_too_many_filters.c,
      libarchive/test/test_read_too_many_filters.gz.uu.
    - CVE-2016-7166
  * SECURITY UPDATE: denial of service via non-printable multibyte
    character in a filename
    - debian/patches/CVE-2016-8687.patch: expand buffer size in tar/util.c.
    - CVE-2016-8687
  * SECURITY UPDATE: denial of service via multiple long lines
    - debian/patches/CVE-2016-8688.patch: fix bounds in
      libarchive/archive_read_support_format_mtree.c, added test to
      Makefile.am, libarchive/test/CMakeLists.txt,
      libarchive/test/test_read_format_mtree_crash747.c,
      libarchive/test/test_read_format_mtree_crash747.mtree.bz2.uu.
    - CVE-2016-8688
  * SECURITY UPDATE: denial of service via multiple EmptyStream attributes
    - debian/patches/CVE-2016-8689.patch: reject files with multiple
      markers in libarchive/archive_read_support_format_7zip.c.
    - CVE-2016-8689
  * SECURITY UPDATE: denial of service via invalid compressed file size
    - debian/patches/CVE-2017-5601.patch: add check to
      libarchive/archive_read_support_format_lha.c.
    - CVE-2017-5601
 -- Marc Deslauriers <email address hidden> Thu, 09 Mar 2017 11:34:04 -0500
libarchive (3.1.2-7ubuntu2.4) trusty-security; urgency=medium
  * SECURITY UPDATE: arbitrary file write via hardlink entries
    - debian/patches/CVE-2016-5418-1.patch: enforce sandbox with very long
      pathnames in libarchive/archive_write_disk_posix.c.
    - debian/patches/CVE-2016-5418-2.patch: fix path handling in
      libarchive/archive_write_disk_posix.c.
    - debian/patches/CVE-2016-5418-3.patch: add test cases to Makefile.am,
      libarchive/test/CMakeLists.txt, libarchive/test/main.c,
      libarchive/test/test.h, libarchive/test/test_write_disk_secure744.c,
      libarchive/test/test_write_disk_secure745.c,
      libarchive/test/test_write_disk_secure746.c.
    - debian/patches/CVE-2016-5418-4.patch: fix testcases in
      libarchive/test/test_write_disk_secure745.c,
      libarchive/test/test_write_disk_secure746.c.
    - debian/patches/CVE-2016-5418-5.patch: correct PATH_MAX usage in
      libarchive/archive_write_disk_posix.c.
    - CVE-2016-5418
  * SECURITY UPDATE: denial of service and possible code execution when
    writing an ISO9660 archive
    - debian/patches/CVE-2016-6250.patch: check for overflow in
      libarchive/archive_write_set_format_iso9660.c.
    - CVE-2016-6250
  * SECURITY UPDATE: denial of service via recursive decompression
    - debian/patches/CVE-2016-7166.patch: limit number of filters in
      libarchive/archive_read.c, added test to Makefile.am,
      libarchive/test/CMakeLists.txt,
      libarchive/test/test_read_too_many_filters.c,
      libarchive/test/test_read_too_many_filters.gz.uu.
    - CVE-2016-7166
  * SECURITY UPDATE: denial of service via non-printable multibyte
    character in a filename
    - debian/patches/CVE-2016-8687.patch: expand buffer size in tar/util.c.
    - CVE-2016-8687
  * SECURITY UPDATE: denial of service via multiple long lines
    - debian/patches/CVE-2016-8688.patch: fix bounds in
      libarchive/archive_read_support_format_mtree.c, added test to
      Makefile.am, libarchive/test/CMakeLists.txt,
      libarchive/test/test_read_format_mtree_crash747.c,
      libarchive/test/test_read_format_mtree_crash747.mtree.bz2.uu.
    - CVE-2016-8688
  * SECURITY UPDATE: denial of service via multiple EmptyStream attributes
    - debian/patches/CVE-2016-8689.patch: reject files with multiple
      markers in libarchive/archive_read_support_format_7zip.c.
    - CVE-2016-8689
  * SECURITY UPDATE: denial of service via invalid compressed file size
    - debian/patches/CVE-2017-5601.patch: add check to
      libarchive/archive_read_support_format_lha.c.
    - CVE-2017-5601
 -- Marc Deslauriers <email address hidden> Thu, 09 Mar 2017 11:23:19 -0500
libarchive (3.1.2-11ubuntu0.16.04.3) xenial-security; urgency=medium
  * SECURITY UPDATE: arbitrary file write via hardlink entries
    - debian/patches/CVE-2016-5418-1.patch: enforce sandbox with very long
      pathnames in libarchive/archive_write_disk_posix.c.
    - debian/patches/CVE-2016-5418-2.patch: fix path handling in
      libarchive/archive_write_disk_posix.c.
    - debian/patches/CVE-2016-5418-3.patch: add test cases to Makefile.am,
      libarchive/test/CMakeLists.txt, libarchive/test/main.c,
      libarchive/test/test.h, libarchive/test/test_write_disk_secure744.c,
      libarchive/test/test_write_disk_secure745.c,
      libarchive/test/test_write_disk_secure746.c.
    - debian/patches/CVE-2016-5418-4.patch: fix testcases in
      libarchive/test/test_write_disk_secure745.c,
      libarchive/test/test_write_disk_secure746.c.
    - debian/patches/CVE-2016-5418-5.patch: correct PATH_MAX usage in
      libarchive/archive_write_disk_posix.c.
    - CVE-2016-5418
  * SECURITY UPDATE: denial of service and possible code execution when
    writing an ISO9660 archive
    - debian/patches/CVE-2016-6250.patch: check for overflow in
      libarchive/archive_write_set_format_iso9660.c.
    - CVE-2016-6250
  * SECURITY UPDATE: denial of service via recursive decompression
    - debian/patches/CVE-2016-7166.patch: limit number of filters in
      libarchive/archive_read.c, added test to Makefile.am,
      libarchive/test/CMakeLists.txt,
      libarchive/test/test_read_too_many_filters.c,
      libarchive/test/test_read_too_many_filters.gz.uu.
    - CVE-2016-7166
  * SECURITY UPDATE: denial of service via non-printable multibyte
    character in a filename
    - debian/patches/CVE-2016-8687.patch: expand buffer size in tar/util.c.
    - CVE-2016-8687
  * SECURITY UPDATE: denial of service via multiple long lines
    - debian/patches/CVE-2016-8688.patch: fix bounds in
      libarchive/archive_read_support_format_mtree.c, added test to
      Makefile.am, libarchive/test/CMakeLists.txt,
      libarchive/test/test_read_format_mtree_crash747.c,
      libarchive/test/test_read_format_mtree_crash747.mtree.bz2.uu.
    - CVE-2016-8688
  * SECURITY UPDATE: denial of service via multiple EmptyStream attributes
    - debian/patches/CVE-2016-8689.patch: reject files with multiple
      markers in libarchive/archive_read_support_format_7zip.c.
    - CVE-2016-8689
  * SECURITY UPDATE: denial of service via invalid compressed file size
    - debian/patches/CVE-2017-5601.patch: add check to
      libarchive/archive_read_support_format_lha.c.
    - CVE-2017-5601
 -- Marc Deslauriers <email address hidden> Thu, 09 Mar 2017 11:01:45 -0500
libarchive (3.2.1-2ubuntu0.1) yakkety-security; urgency=medium
  * SECURITY UPDATE: arbitrary file write via hardlink entries
    - debian/patches/CVE-2016-5418-1.patch: enforce sandbox with very long
      pathnames in libarchive/archive_write_disk_posix.c.
    - debian/patches/CVE-2016-5418-2.patch: fix path handling in
      libarchive/archive_write_disk_posix.c.
    - debian/patches/CVE-2016-5418-3.patch: add test cases to Makefile.am,
      libarchive/test/CMakeLists.txt, libarchive/test/main.c,
      libarchive/test/test.h, libarchive/test/test_write_disk_secure744.c,
      libarchive/test/test_write_disk_secure745.c,
      libarchive/test/test_write_disk_secure746.c.
    - debian/patches/CVE-2016-5418-4.patch: fix testcases in
      libarchive/test/test_write_disk_secure745.c,
      libarchive/test/test_write_disk_secure746.c.
    - debian/patches/CVE-2016-5418-5.patch: correct PATH_MAX usage in
      libarchive/archive_write_disk_posix.c.
    - CVE-2016-5418
  * SECURITY UPDATE: denial of service via non-printable multibyte
    character in a filename
    - debian/patches/CVE-2016-8687.patch: expand buffer size in tar/util.c.
    - CVE-2016-8687
  * SECURITY UPDATE: denial of service via multiple long lines
    - debian/patches/CVE-2016-8688.patch: fix bounds in
      libarchive/archive_read_support_format_mtree.c, added test to
      Makefile.am, libarchive/test/CMakeLists.txt,
      libarchive/test/test_read_format_mtree_crash747.c,
      libarchive/test/test_read_format_mtree_crash747.mtree.bz2.uu.
    - CVE-2016-8688
  * SECURITY UPDATE: denial of service via multiple EmptyStream attributes
    - debian/patches/CVE-2016-8689.patch: reject files with multiple
      markers in libarchive/archive_read_support_format_7zip.c.
    - CVE-2016-8689
  * SECURITY UPDATE: denial of service via invalid compressed file size
    - debian/patches/CVE-2017-5601.patch: add check to
      libarchive/archive_read_support_format_lha.c.
    - CVE-2017-5601
 -- Marc Deslauriers <email address hidden> Thu, 09 Mar 2017 10:35:20 -0500
libarchive (3.2.1-6) unstable; urgency=medium
  * Add debian/patches/Fail-with-negative-lha-compsize-in-lha_read_file_header_1.patch
    - Cherry-pick upstream commit 98dcbbf0bf4854bf987557
      "Fail with negative lha->compsize in lha_read_file_header_1()"
      Secunia SA74169, CVE-2017-5601 (Closes: #853278)
 -- Andreas Henriksson <email address hidden> Tue, 31 Jan 2017 10:25:56 +0100
Available diffs
- diff from 3.2.1-5 to 3.2.1-6 (1011 bytes)
libarchive (3.2.1-5) unstable; urgency=medium
  * Cherry-pick upstream commits 7f17c791, eec077f5, e37b620f
    - Fixes for upstream issues 747, 761, 767 also known as
      CVE-2016-8689, CVE-2016-8688, CVE-2016-8687
      (Closes: #840934, #840935, #840936)
 -- Andreas Henriksson <email address hidden> Sun, 16 Oct 2016 15:41:59 +0200
Available diffs
- diff from 3.2.1-2 to 3.2.1-5 (17.8 KiB)
Published in xenial-backports |
libarchive (3.2.1-2~ubuntu16.04.1) xenial-backports; urgency=medium
  * No-change backport to xenial (LP: #1607385)
 -- Iain Lane <email address hidden> Thu, 28 Jul 2016 14:28:03 +0100
Superseded in zesty-release |
Obsolete in yakkety-release |
Deleted in yakkety-proposed (Reason: moved to release) |
libarchive (3.2.1-2) unstable; urgency=medium
  * The "welcome Peter to the team" upload
  [ Peter Pentchev ]
  * Declare compliancy with Debian Policy 3.9.8 with no changes.
  * Remove the "XS-Testsuite: autopkgtest" header from the control file:
    it has not been "XS-" for some time, and it is added by default by
    dpkg-1.17.11 when debian/tests/control is present.
  * Use the HTTPS scheme for the Alioth VCS URLs.
  * Switch to Alioth's cgit in the Vcs-Browser source control field.
  * Convert the copyright file to the machine-readable format.
  * Fill in the upstream metadata file.
  * Enable full build hardening.
  * Pass --as-needed to the linker to avoid overlinking.
  * Bump the debhelper build dependency to version 9 to reflect
    the debhelper compatibility level and drop the now-unused Lintian
    override.
  * Fold the bsdtar and bsdcpio packages into the new libarchive-tools
    binary package and install bsdcat into it, too. Make bsdtar and
    bsdcpio transitional dummy packages.
  * Drop the Breaks and Replaces relations to libarchive1, it's not even
    in oldstable any more.
  * Drop the misc:Pre-Depends that were needed for the multi-arch
    transition; dpkg-dev adds them automatically now.
  * Fix a typo in README.Debian.
  * Add an upstream patch to replace the use of SIGRTMAX with something
    that calculates the exact value of the highest signal actually used;
    hopefully this fixes the FTBFS on the GNU Hurd.
  * Drop the outdated and unused SONAME mismatch Lintian override.
  * Re-enable the use of minitar for extraction, too, in the CI test;
    keep the untar test for completeness.
  * Add the Typos patch to fix a couple of typographical errors.
  * Add the Candidate patch to fix a typographical error in a structure
    member field and, consequently, update all references to it.
  * Add the CPPCheck patch to fix some issues reported by cppcheck.
  [ Andreas Henriksson ]
  * Add Peter Pentchev to Uploaders
 -- Andreas Henriksson <email address hidden> Mon, 25 Jul 2016 17:54:13 +0200
Available diffs
- diff from 3.2.1-1 to 3.2.1-2 (10.5 KiB)