UbuntuUpdates.org

Package "libarchive13"

Name: libarchive13

Description:

Multi-format archive and compression library (shared library)

Latest version: 3.4.0-2ubuntu1.4
Release: focal (20.04)
Level: security
Repository: main
Head package: libarchive
Homepage: https://www.libarchive.org/

Other versions of "libarchive13" in Focal

Repository   Area   Version
base         main   3.4.0-2ubuntu1
updates      main   3.4.0-2ubuntu1.4

Changelog

Version: 3.4.0-2ubuntu1.4 2024-10-31 12:06:58 UTC

  libarchive (3.4.0-2ubuntu1.4) focal-security; urgency=medium

  * SECURITY UPDATE: code execution via negative copy length
    - debian/patches/CVE-2024-20696.patch: protect
      copy_from_lzss_window_to_unp() in
      libarchive/archive_read_support_format_rar.c.
    - CVE-2024-20696

 -- Marc Deslauriers <email address hidden> Tue, 29 Oct 2024 10:06:37 +0100

CVE-2024-20696 Windows libarchive Remote Code Execution Vulnerability

Version: 3.4.0-2ubuntu1.3 2024-10-16 05:07:10 UTC

  libarchive (3.4.0-2ubuntu1.3) focal-security; urgency=medium

  * SECURITY UPDATE: NULL pointer dereference
    - debian/patches/CVE-2022-36227.patch: Add NULL check in archive_write
      functions
    - CVE-2022-36227

 -- Bruce Cable <email address hidden> Mon, 14 Oct 2024 12:12:43 +1100

CVE-2022-36227 In libarchive before 3.6.2, the software does not check for an error after calling calloc function that can return with a NULL pointer if the functio

Version: 3.4.0-2ubuntu1.2 2022-04-11 18:06:19 UTC

  libarchive (3.4.0-2ubuntu1.2) focal-security; urgency=medium

  * SECURITY UPDATE: Out-of-bounds read
    - debian/patches/CVE-2022-26280.patch: fix possible out-of-bounds
      read in zipx_lzma_alone_init() in libarchive/archive_read_support_format_zip.c.
    - CVE-2022-26280

 -- Leonidas Da Silva Barbosa <email address hidden> Tue, 05 Apr 2022 11:33:37 -0300

CVE-2022-26280 Libarchive v3.6.0 was discovered to contain an out-of-bounds read via the component zipx_lzma_alone_init.

Version: 3.4.0-2ubuntu1.1 2022-02-17 15:06:58 UTC

  libarchive (3.4.0-2ubuntu1.1) focal-security; urgency=medium

  * SECURITY UPDATE: extracting a symlink with ACLs modifies ACLs of target
    - debian/patches/CVE-2021-23177.patch: fix handling of symbolic link
      ACLs in libarchive/archive_disk_acl_freebsd.c,
      libarchive/archive_disk_acl_linux.c,
      libarchive/archive_disk_acl_sunos.c.
    - CVE-2021-23177
  * SECURITY UPDATE: symbolic links incorrectly followed
    - debian/patches/CVE-2021-31566-1.patch: do not follow symlinks when
      processing the fixup list in Makefile.am,
      libarchive/archive_write_disk_posix.c,
      libarchive/test/CMakeLists.txt,
      libarchive/test/test_write_disk_fixup.c.
    - debian/patches/CVE-2021-31566-2.patch: never follow symlinks when
      setting file flags on Linux in libarchive/archive_write_disk_posix.c.
    - debian/patches/CVE-2021-31566-3.patch: fix following symlinks when
      processing the fixup list in libarchive/archive_write_disk_posix.c,
      libarchive/test/test_write_disk_fixup.c.
    - debian/patches/CVE-2021-31566-4.patch: fix writing fflags broken in
      8a1bd5c in libarchive/archive_write_disk_posix.c.
    - CVE-2021-31566
  * SECURITY UPDATE: use-after-free in copy_string
    - debian/patches/CVE-2021-36976-pre1.patch: verify window size for
      solid files in Makefile.am,
      libarchive/archive_read_support_format_rar5.c,
      libarchive/test/test_read_format_rar5*.
    - debian/patches/CVE-2021-36976-pre2.patch: verify window size for
      multivolume archives in Makefile.am,
      libarchive/archive_read_support_format_rar5.c,
      libarchive/test/test_read_format_rar5*.
    - debian/patches/CVE-2021-36976-1.patch: fixed out of bounds read in
      some files in Makefile.am,
      libarchive/archive_read_support_format_rar5.c,
      libarchive/test/*.
    - debian/patches/CVE-2021-36976-2.patch: fix invalid memory access in
      some files in Makefile.am,
      libarchive/archive_read_support_format_rar5.c,
      libarchive/test/test_read_format_rar5.c, libarchive/test/*.
    - CVE-2021-36976

 -- Marc Deslauriers <email address hidden> Wed, 16 Feb 2022 09:59:13 -0500

CVE-2021-23177 extracting a symlink with ACLs modifies ACLs of target
CVE-2021-31566 symbolic links incorrectly followed when changing modes, times, ACL and flags of a file while extracting an archive
CVE-2021-36976 libarchive 3.4.1 through 3.5.1 has a use-after-free in copy_string (called from do_uncompress_block and process_block).