Tags: upstream confirmed
Moritz Muehlenhoff wrote...
> Hi,
> please see:
Thanks for the heads-up, we'll try to get this fixed as soon as
possible. For the moment, I'm somewhat confused about the affected
distributions as listed in the security tracker. Could you please check?
> CVE-2017-15873
> The get_next_block function in archival/libarchive/decompress_bunzip2.c
> in BusyBox 1.27.2 has an Integer Overflow that may lead to a write
> access violation.
The reproducer works for all distributions here, back to and including
wheezy.
> CVE-2017-15874
> archival/libarchive/decompress_unlzma.c in BusyBox 1.27.2 has an Integer
> Underflow that leads to a read access violation.
This one works for sid and buster only. Otherwise, it just returns
"lzma: unexpected EOF".
Also, I noticed upstream did not provide a fix yet. I'll try to help,
details in the upstream bug tracker soon-ish.
Christoph
Attachment:
signature.asc
Description: Digital signature