UbuntuUpdates.org

Package "libarchive"

Name: libarchive

Description:

This package is just an umbrella for a group of other packages; it has no description of its own.
Description samples from packages in group:

  • Implementation of the 'cpio' program from FreeBSD
  • Implementation of the 'tar' program from FreeBSD

Latest version: 3.1.2-11ubuntu0.16.04.7
Release: xenial (16.04)
Level: updates
Repository: universe

Links

Save this URL for the latest version of "libarchive": https://www.ubuntuupdates.org/libarchive



Other versions of "libarchive" in Xenial

Repository  Area      Version
base        main      3.1.2-11build1
base        universe  3.1.2-11build1
security    main      3.1.2-11ubuntu0.16.04.7
security    universe  3.1.2-11ubuntu0.16.04.7
updates     main      3.1.2-11ubuntu0.16.04.7
backports   main      3.2.1-2~ubuntu16.04.1
backports   universe  3.2.1-2~ubuntu16.04.1
PPA: Xbmc             3.2.2-3.1ubuntu1


Changelog

Version: 3.1.2-11ubuntu0.16.04.7 2019-10-29 19:06:23 UTC

  libarchive (3.1.2-11ubuntu0.16.04.7) xenial-security; urgency=medium

  * SECURITY UPDATE: Use-after-free
    - debian/patches/CVE-2019-18408.patch: RAR reader: fix use after free
      in libarchive/archive_read_support_format_rar.c.
    - CVE-2019-18408

 -- <email address hidden> (Leonidas S. Barbosa) Mon, 28 Oct 2019 10:57:06 -0300

CVE-2019-18408 archive_read_format_rar_read_data in archive_read_support_format_rar.c in libarchive before 3.4.0 has a use-after-free in a certain ARCHIVE_FAILED si

Version: 3.1.2-11ubuntu0.16.04.6 2019-02-07 13:07:30 UTC

  libarchive (3.1.2-11ubuntu0.16.04.6) xenial-security; urgency=medium

  * SECURITY UPDATE: Denial of service
    - debian/patches/CVE-2019-1000019.patch: fix in
      libarchive/archive_read_support_format_7zip.c.
    - CVE-2019-1000019
  * SECURITY UPDATE: Denial of service
    - debian/patches/CVE-2019-1000020.patch: fix in
      libarchive/archive_read_support_format_iso9660.c.
    - CVE-2019-1000020

 -- <email address hidden> (Leonidas S. Barbosa) Wed, 06 Feb 2019 08:53:41 -0300

CVE-2019-1000019 libarchive version commit bf9aec176c6748f0ee7a678c5f9f9555b9a757c1 onwards (release v3.0.2 onwards) contains a CWE-125: Out-of-bounds Read vulnerabil
CVE-2019-1000020 libarchive version commit 5a98dcf8a86364b3c2c469c85b93647dfb139961 onwards (version v2.8.0 onwards) contains a CWE-835: Loop with Unreachable Exit Co

Version: 3.1.2-11ubuntu0.16.04.5 2019-01-15 16:06:35 UTC

  libarchive (3.1.2-11ubuntu0.16.04.5) xenial-security; urgency=medium

  * SECURITY UPDATE: Out-of-bounds read
    - debian/patches/CVE-2017-14502.patch: fix in
      libarchive/archive_read_support_format_rar.c.
    - CVE-2017-14502
  * SECURITY UPDATE: Denial of service
    - debian/patches/CVE-2018-1000877.patch: fix in
      libarchive/archive_read_support_format_rar.c.
    - CVE-2018-1000877
  * SECURITY UPDATE: Denial of service
    - debian/patches/CVE-2018-1000878.patch: fix in
      libarchive/archive_read_support_format_rar.c.
    - CVE-2018-1000878

 -- <email address hidden> (Leonidas S. Barbosa) Mon, 14 Jan 2019 09:30:58 -0300

CVE-2017-14502 read_header in archive_read_support_format_rar.c in libarchive 3.3.2 suffers from an off-by-one error for UTF-16 names in RAR archives, leading to an
CVE-2018-1000877 libarchive version commit 416694915449219d505531b1096384f3237dd6cc onwards (release v3.1.0 onwards) contains a CWE-415: Double Free vulnerability in
CVE-2018-1000878 libarchive version commit 416694915449219d505531b1096384f3237dd6cc onwards (release v3.1.0 onwards) contains a CWE-416: Use After Free vulnerability

Version: 3.1.2-11ubuntu0.16.04.4 2018-08-13 16:06:42 UTC

  libarchive (3.1.2-11ubuntu0.16.04.4) xenial-security; urgency=medium

  * SECURITY UPDATE: Denial of service
    - debian/patches/CVE-2016-10209.patch: fix in
      libarchive/archive_string.c.
    - CVE-2016-10209
  * SECURITY UPDATE: Denial of service
    - debian/patches/CVE-2016-10349-and-CVE-2016-10350.patch: fix in
      libarchive/archive_read_support_format_cab.c.
    - CVE-2016-10349
    - CVE-2016-10350
  * SECURITY UPDATE: Denial of service
    - debian/patches/CVE-2017-14166.patch: fix in
      libarchive/archive_read_support_format_xar.c.
    - CVE-2017-14166
  * SECURITY UPDATE: Out-of-bounds read
    - debian/patches/CVE-2017-14501.patch: fix in
      libarchive/archive_read_support_format_iso9660.c.
    - CVE-2017-14501
  * SECURITY UPDATE: Out-of-bounds read
    - debian/patches/CVE-2017-14503.patch: fix in
      libarchive/archive_read_support_format_lha.c.
    - CVE-2017-14503

 -- <email address hidden> (Leonidas S. Barbosa) Wed, 08 Aug 2018 15:28:16 -0300

CVE-2016-10209 The archive_wstring_append_from_mbs function in archive_string.c in libarchive 3.2.2 allows remote attackers to cause a denial of service (NULL point
CVE-2016-10349 The archive_le32dec function in archive_endian.h in libarchive 3.2.2 allows remote attackers to cause a denial of service (heap-based buffer over-rea
CVE-2016-10350 The archive_read_format_cab_read_header function in archive_read_support_format_cab.c in libarchive 3.2.2 allows remote attackers to cause a denial o
CVE-2017-14166 libarchive 3.3.2 allows remote attackers to cause a denial of service (xml_data heap-based buffer over-read and application crash) via a crafted xar
CVE-2017-14501 An out-of-bounds read flaw exists in parse_file_info in archive_read_support_format_iso9660.c in libarchive 3.3.2 when extracting a specially crafted
CVE-2017-14503 libarchive 3.3.2 suffers from an out-of-bounds read within lha_read_data_none() in archive_read_support_format_lha.c when extracting a specially craf

Version: 3.1.2-11ubuntu0.16.04.3 2017-03-09 20:07:02 UTC

  libarchive (3.1.2-11ubuntu0.16.04.3) xenial-security; urgency=medium

  * SECURITY UPDATE: arbitrary file write via hardlink entries
    - debian/patches/CVE-2016-5418-1.patch: enforce sandbox with very long
      pathnames in libarchive/archive_write_disk_posix.c.
    - debian/patches/CVE-2016-5418-2.patch: fix path handling in
      libarchive/archive_write_disk_posix.c.
    - debian/patches/CVE-2016-5418-3.patch: add test cases to Makefile.am,
      libarchive/test/CMakeLists.txt, libarchive/test/main.c,
      libarchive/test/test.h, libarchive/test/test_write_disk_secure744.c,
      libarchive/test/test_write_disk_secure745.c,
      libarchive/test/test_write_disk_secure746.c.
    - debian/patches/CVE-2016-5418-4.patch: fix testcases in
      libarchive/test/test_write_disk_secure745.c,
      libarchive/test/test_write_disk_secure746.c.
    - debian/patches/CVE-2016-5418-5.patch: correct PATH_MAX usage in
      libarchive/archive_write_disk_posix.c.
    - CVE-2016-5418
  * SECURITY UPDATE: denial of service and possible code execution when
    writing an ISO9660 archive
    - debian/patches/CVE-2016-6250.patch: check for overflow in
      libarchive/archive_write_set_format_iso9660.c.
    - CVE-2016-6250
  * SECURITY UPDATE: denial of service via recursive decompression
    - debian/patches/CVE-2016-7166.patch: limit number of filters in
      libarchive/archive_read.c, added test to Makefile.am,
      libarchive/test/CMakeLists.txt,
      libarchive/test/test_read_too_many_filters.c,
      libarchive/test/test_read_too_many_filters.gz.uu.
    - CVE-2016-7166
  * SECURITY UPDATE: denial of service via non-printable multibyte
    character in a filename
    - debian/patches/CVE-2016-8687.patch: expand buffer size in tar/util.c.
    - CVE-2016-8687
  * SECURITY UPDATE: denial of service via multiple long lines
    - debian/patches/CVE-2016-8688.patch: fix bounds in
      libarchive/archive_read_support_format_mtree.c, added test to
      Makefile.am, libarchive/test/CMakeLists.txt,
      libarchive/test/test_read_format_mtree_crash747.c,
      libarchive/test/test_read_format_mtree_crash747.mtree.bz2.uu.
    - CVE-2016-8688
  * SECURITY UPDATE: denial of service via multiple EmptyStream attributes
    - debian/patches/CVE-2016-8689.patch: reject files with multiple
      markers in libarchive/archive_read_support_format_7zip.c.
    - CVE-2016-8689
  * SECURITY UPDATE: denial of service via invalid compressed file size
    - debian/patches/CVE-2017-5601.patch: add check to
      libarchive/archive_read_support_format_lha.c.
    - CVE-2017-5601

 -- Marc Deslauriers <email address hidden> Thu, 09 Mar 2017 11:01:45 -0500

CVE-2016-5418 The sandboxing code in libarchive 3.2.0 and earlier mishandles hardlink archive entries of non-zero data size, which might allow remote attackers to
CVE-2016-6250 Integer overflow in the ISO9660 writer in libarchive before 3.2.1 allows remote attackers to cause a denial of service (application crash) or execute
CVE-2016-7166 libarchive before 3.2.0 does not limit the number of recursive decompressions, which allows remote attackers to cause a denial of service (memory con
CVE-2016-8687 Stack-based buffer overflow in the safe_fprintf function in tar/util.c in libarchive 3.2.1 allows remote attackers to cause a denial of service via a
CVE-2016-8688 The mtree bidder in libarchive 3.2.1 does not keep track of line sizes when extending the read-ahead, which allows remote attackers to cause a denial
CVE-2016-8689 The read_Header function in archive_read_support_format_7zip.c in libarchive 3.2.1 allows remote attackers to cause a denial of service (out-of-bound
CVE-2017-5601 An error in the lha_read_file_header_1() function (archive_read_support_format_lha.c) in libarchive 3.2.2 allows remote attackers to trigger an out-o


