
Bug#704080: marked as done (unblock: libarchive/3.0.4-3)



Your message dated Wed, 27 Mar 2013 19:14:33 +0000
with message-id <1364411673.22071.2.camel@jacala.jungle.funky-badger.org>
and subject line Re: Bug#704080: unblock: libarchive/3.0.4-3
has caused the Debian Bug report #704080,
regarding unblock: libarchive/3.0.4-3
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
704080: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=704080
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package libarchive

3.0.4-3 has been uploaded to unstable with the only
change being an added security patch from upstream
for CVE-2013-0211 as proposed in
http://bugs.debian.org/703957 by Moritz Muehlenhoff.

Debdiff attached.

unblock libarchive/3.0.4-3

-- System Information:
Debian Release: 7.0
  APT prefers unstable
  APT policy: (300, 'unstable'), (100, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-4-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=sv_SE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
diff -Nru libarchive-3.0.4/debian/changelog libarchive-3.0.4/debian/changelog
--- libarchive-3.0.4/debian/changelog	2012-05-24 14:50:50.000000000 +0200
+++ libarchive-3.0.4/debian/changelog	2013-03-27 17:14:58.000000000 +0100
@@ -1,3 +1,9 @@
+libarchive (3.0.4-3) unstable; urgency=low
+
+  * Add patch that fixes CVE-2013-0211. (Closes: #703957)
+
+ -- Andreas Henriksson <andreas@fatal.se>  Wed, 27 Mar 2013 16:20:36 +0100
+
 libarchive (3.0.4-2) unstable; urgency=low
 
   * Add debian/patches/gcc-4.7-fixes-from-upstream.patch
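Review bot: The new 3.0.4-3 entry sets urgency=low although its only change is a CVE fix, and its bullet does not name the file it adds. Consider a higher urgency for a security upload, and word the bullet like the 3.0.4-2 entry below it, for example "Add debian/patches/fix-CVE-2013-0211.patch", so the changelog points directly at the patch listed in debian/patches/series.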
diff -Nru libarchive-3.0.4/debian/patches/fix-CVE-2013-0211.patch libarchive-3.0.4/debian/patches/fix-CVE-2013-0211.patch
--- libarchive-3.0.4/debian/patches/fix-CVE-2013-0211.patch	1970-01-01 01:00:00.000000000 +0100
+++ libarchive-3.0.4/debian/patches/fix-CVE-2013-0211.patch	2013-03-27 17:14:09.000000000 +0100
@@ -0,0 +1,21 @@
+Description: Fix CVE-2013-0211: read buffer overflow on 64-bit systems
+Origin: upstream
+Bug-Debian: http://bugs.debian.org/703957
+Forwarded: not-needed
+
+--- libarchive-3.0.4.orig/libarchive/archive_write.c
++++ libarchive-3.0.4/libarchive/archive_write.c
+@@ -665,8 +665,13 @@ static ssize_t
+ _archive_write_data(struct archive *_a, const void *buff, size_t s)
+ {
+ 	struct archive_write *a = (struct archive_write *)_a;
++	const size_t max_write = INT_MAX;
++
+ 	archive_check_magic(&a->archive, ARCHIVE_WRITE_MAGIC,
+ 	    ARCHIVE_STATE_DATA, "archive_write_data");
++	/* In particular, this catches attempts to pass negative values. */
++	if (s > max_write)
++		s = max_write;
+ 	archive_clear_error(&a->archive);
+ 	return ((a->format_write_data)(a, buff, s));
+ }
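Review bot: In _archive_write_data the new clamp "if (s > max_write) s = max_write;" silently shortens the request, so a caller that passes more than INT_MAX bytes gets a short count back rather than an error. That is only safe if callers check the returned ssize_t and retry, which is worth one sentence in the Description. The hunk also uses INT_MAX without adding an include of limits.h, so confirm archive_write.c already pulls it in on every build configuration. On the DEP-3 header: the Description says "read buffer overflow on 64-bit systems" while the in-code comment speaks of negative values, which for a size_t parameter means a negative integer converted to a very large unsigned one; tying the two together would make the fix easier to audit. "Origin: upstream" would also be more useful with the upstream commit reference appended.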
diff -Nru libarchive-3.0.4/debian/patches/series libarchive-3.0.4/debian/patches/series
--- libarchive-3.0.4/debian/patches/series	2012-05-24 14:50:50.000000000 +0200
+++ libarchive-3.0.4/debian/patches/series	2013-03-27 15:32:47.000000000 +0100
@@ -1 +1,2 @@
 gcc-4.7-fixes-from-upstream.patch
+fix-CVE-2013-0211.patch

--- End Message ---
--- Begin Message ---
On Wed, 2013-03-27 at 18:18 +0100, Andreas Henriksson wrote:
> Please unblock package libarchive
> 
> 3.0.4-3 has been uploaded to unstable with the only
> change being an added security patch from upstream
> for CVE-2013-0211 as proposed in
> http://bugs.debian.org/703957 by Moritz Muehlenhoff.

Unblocked; thanks.

Regards,

Adam

--- End Message ---
