Bug#704080: unblock: libarchive/3.0.4-3
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package libarchive

3.0.4-3 has been uploaded to unstable with the only
change being an added security patch from upstream
for CVE-2013-0211 as proposed in
http://bugs.debian.org/703957 by Moritz Muehlenhoff.

Debdiff attached.

unblock libarchive/3.0.4-3

-- System Information:
Debian Release: 7.0
  APT prefers unstable
  APT policy: (300, 'unstable'), (100, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-4-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=sv_SE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

diff -Nru libarchive-3.0.4/debian/changelog libarchive-3.0.4/debian/changelog
--- libarchive-3.0.4/debian/changelog	2012-05-24 14:50:50.000000000 +0200
+++ libarchive-3.0.4/debian/changelog	2013-03-27 17:14:58.000000000 +0100
@@ -1,3 +1,9 @@
+libarchive (3.0.4-3) unstable; urgency=low
+
+  * Add patch that fixes CVE-2013-0211. (Closes: #703957)
+
+ -- Andreas Henriksson <andreas@fatal.se>  Wed, 27 Mar 2013 16:20:36 +0100
+
 libarchive (3.0.4-2) unstable; urgency=low
 
   * Add debian/patches/gcc-4.7-fixes-from-upstream.patch
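Review bot: The new changelog entry (`* Add patch that fixes CVE-2013-0211.`) names neither the patch file nor its origin, although the unblock request rests on this being an unmodified upstream fix; suggest wording it in the style of the 3.0.4-2 entry directly below it, e.g. `* Add debian/patches/fix-CVE-2013-0211.patch from upstream to fix CVE-2013-0211 (read buffer overflow on 64-bit systems). (Closes: #703957)`, so the entry matches the patch's DEP-3 header.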
diff -Nru libarchive-3.0.4/debian/patches/fix-CVE-2013-0211.patch libarchive-3.0.4/debian/patches/fix-CVE-2013-0211.patch
--- libarchive-3.0.4/debian/patches/fix-CVE-2013-0211.patch	1970-01-01 01:00:00.000000000 +0100
+++ libarchive-3.0.4/debian/patches/fix-CVE-2013-0211.patch	2013-03-27 17:14:09.000000000 +0100
@@ -0,0 +1,21 @@
+Description: Fix CVE-2013-0211: read buffer overflow on 64-bit systems
+Origin: upstream
+Bug-Debian: http://bugs.debian.org/703957
+Forwarded: not-needed
+
+--- libarchive-3.0.4.orig/libarchive/archive_write.c
++++ libarchive-3.0.4/libarchive/archive_write.c
+@@ -665,8 +665,13 @@ static ssize_t
+ _archive_write_data(struct archive *_a, const void *buff, size_t s)
+ {
+ 	struct archive_write *a = (struct archive_write *)_a;
++	const size_t max_write = INT_MAX;
++
+ 	archive_check_magic(&a->archive, ARCHIVE_WRITE_MAGIC,
+ 	    ARCHIVE_STATE_DATA, "archive_write_data");
++	/* In particular, this catches attempts to pass negative values. */
++	if (s > max_write)
++		s = max_write;
+ 	archive_clear_error(&a->archive);
+ 	return ((a->format_write_data)(a, buff, s));
+ }
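Review bot: The new line `const size_t max_write = INT_MAX;` relies on `INT_MAX` being visible in archive_write.c, but the hunk adds no `#include <limits.h>`; please confirm the file already gets it (directly or through archive_platform.h) on every release architecture, or add the include to the patch, since a missing definition would fail the build rather than silently misbehave. The clamp itself is sound: `s` is `size_t`, so a negative value passed by a caller shows up as a huge unsigned count and is now reduced to `INT_MAX` before reaching `format_write_data`, which is what the upstream comment describes. Two DEP-3 nits: `Origin: upstream` would be more useful with the upstream commit URL, and `Forwarded: not-needed` is correct given the upstream origin.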
diff -Nru libarchive-3.0.4/debian/patches/series libarchive-3.0.4/debian/patches/series
--- libarchive-3.0.4/debian/patches/series	2012-05-24 14:50:50.000000000 +0200
+++ libarchive-3.0.4/debian/patches/series	2013-03-27 15:32:47.000000000 +0100
@@ -1 +1,2 @@
 gcc-4.7-fixes-from-upstream.patch
+fix-CVE-2013-0211.patch