[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

[SECURITY] [DLA 3202-1] libarchive security update



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian LTS Advisory DLA-3202-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                      Sylvain Beucler
November 22, 2022                             https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package        : libarchive
Version        : 3.3.3-4+deb10u2
CVE ID         : CVE-2019-19221 CVE-2021-23177 CVE-2021-31566
Debian Bug     : 945287 1001986 1001990

Three issues have been found in libarchive, a multi-format archive and
compression library.

CVE-2019-19221

    out-of-bounds read because of an incorrect mbrtowc or mbtowc call

CVE-2021-23177

    extracting a symlink with ACLs modifies ACLs of target

CVE-2021-31566

    symbolic links incorrectly followed when changing modes, times,
    ACL and flags of a file while extracting an archive


For Debian 10 buster, these problems have been fixed in version
3.3.3-4+deb10u2.

We recommend that you upgrade your libarchive packages.

For the detailed security status of libarchive please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/libarchive

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEE1vEOfV7HXWKqBieIDTl9HeUlXjAFAmN9Bu4ACgkQDTl9HeUl
XjDUjQ/+NGbGgjThmyII2G23jsXane7reVJJHfL4kmL1KCduNgJBDvr+Wk6VN3Wv
Sy6YVANQvvec/6+CVGpFwEldQGjgv1ocnspV8mG7/2tccEXtZjSZ40jbTLxa7oP7
j+43AHdUkv+wzYW+RdeMY/lQZn1FzM7lKpKAl1AZTxPhg/5rWpGNnp691W913b5U
byoWUKE9LSB76YrhgjlTFm9S4Hbc7nTLx91YSUw28kLDb5sJ0mPXoNla9ySn3+oh
Q3COKmyP0x9ty+e98jq9SPUSrMHxOp6dY5A5Q0/3tdvMHNDEyXlqW2CZZY/zFlCC
ulfJi+2E5jCfb0uNTQkDDFRoCuLnRTO/akujkSRiVvRkOni0U5LGckkrwW5hfi0u
5Ms1CO91iKx4Gpanv3uRCrKmzvp2FGnnKW/apUEIufPZgqutI+tSBS05Gq/nF4MS
rRpmjngi8vq2XsVuR4ToP0fFV1QL8/9xSx+iTGQCwvN9bq3rmH0CH4hVjfWe8BRU
lEEQcuooxDZjVTLHwES6Xj9zSv8R0W2XgtcpJSIwpep8HLJxO+nMBRa2fNvpnWei
GqhF/EsmfWkqM87VzwbkS3/SgxGAF4Yto/zxGeJR9K+KRegcKS0acDYV7yHE5wAv
Lr/mRNY6gnpVfuRBpY/0jv84gqVArvkPtO0AZl1tt1QRWeOa1y4=
=kmTA
-----END PGP SIGNATURE-----


Reply to: