<feed xmlns='http://www.w3.org/2005/Atom'>
<title>buildroot/package/libarchive/libarchive.hash, branch 2017.11</title>
<subtitle>OpenPOWER buildroot sources</subtitle>
<id>https://git.raptorcs.com/git/buildroot/atom?h=2017.11</id>
<link rel='self' href='https://git.raptorcs.com/git/buildroot/atom?h=2017.11'/>
<link rel='alternate' type='text/html' href='https://git.raptorcs.com/git/buildroot/'/>
<updated>2017-09-09T20:07:04+00:00</updated>
<entry>
<title>libarchive: security bump to version 3.3.2</title>
<updated>2017-09-09T20:07:04+00:00</updated>
<author>
<name>Baruch Siach</name>
<email>baruch@tkos.co.il</email>
</author>
<published>2017-09-09T20:02:53+00:00</published>
<link rel='alternate' type='text/html' href='https://git.raptorcs.com/git/buildroot/commit/?id=f871b21c89e41dfddd60bb25cf55610cd4081eba'/>
<id>urn:sha1:f871b21c89e41dfddd60bb25cf55610cd4081eba</id>
<content type='text'>
CVE-2016-8687: Stack-based buffer overflow in the safe_fprintf function
in tar/util.c in libarchive 3.2.1 allows remote attackers to cause a
denial of service via a crafted non-printable multibyte character in a
filename.

CVE-2016-8688: The mtree bidder in libarchive 3.2.1 does not keep track
of line sizes when extending the read-ahead, which allows remote
attackers to cause a denial of service (crash) via a crafted file, which
triggers an invalid read in the (1) detect_form or (2) bid_entry
function in libarchive/archive_read_support_format_mtree.c.

CVE-2016-8689: The read_Header function in
archive_read_support_format_7zip.c in libarchive 3.2.1 allows remote
attackers to cause a denial of service (out-of-bounds read) via multiple
EmptyStream attributes in a header in a 7zip archive.

CVE-2016-10209: The archive_wstring_append_from_mbs function in
archive_string.c in libarchive 3.2.2 allows remote attackers to cause a
denial of service (NULL pointer dereference and application crash) via a
crafted archive file.

CVE-2016-10349: The archive_le32dec function in archive_endian.h in
libarchive 3.2.2 allows remote attackers to cause a denial of service
(heap-based buffer over-read and application crash) via a crafted file.

CVE-2016-10350: The archive_read_format_cab_read_header function in
archive_read_support_format_cab.c in libarchive 3.2.2 allows remote
attackers to cause a denial of service (heap-based buffer over-read and
application crash) via a crafted file.

CVE-2017-5601: An error in the lha_read_file_header_1() function
(archive_read_support_format_lha.c) in libarchive 3.2.2 allows remote
attackers to trigger an out-of-bounds read memory access and
subsequently cause a crash via a specially crafted archive.

Add upstream patch fixing the following issue:

CVE-2017-14166: libarchive 3.3.2 allows remote attackers to cause a
denial of service (xml_data heap-based buffer over-read and application
crash) via a crafted xar archive, related to the mishandling of empty
strings in the atol8 function in archive_read_support_format_xar.c.

Signed-off-by: Baruch Siach &lt;baruch@tkos.co.il&gt;
Signed-off-by: Thomas Petazzoni &lt;thomas.petazzoni@free-electrons.com&gt;
</content>
</entry>
<entry>
<title>libarchive: security bump to version 3.2.1</title>
<updated>2016-06-23T19:13:15+00:00</updated>
<author>
<name>Gustavo Zacarias</name>
<email>gustavo@zacarias.com.ar</email>
</author>
<published>2016-06-23T00:56:15+00:00</published>
<link rel='alternate' type='text/html' href='https://git.raptorcs.com/git/buildroot/commit/?id=25d5aebead19d555cd73bcfa96b43d597ba40f6f'/>
<id>urn:sha1:25d5aebead19d555cd73bcfa96b43d597ba40f6f</id>
<content type='text'>
Fixes:
CVE-2016-4302 - Libarchive Rar RestartModel Code Execution Vulnerability
CVE-2016-4300 - Libarchive 7zip read_SubStreamsInfo Code Execution
Vulnerability
CVE-2016-4809 - Memory allocate error in corrupted cpio archives

Signed-off-by: Gustavo Zacarias &lt;gustavo@zacarias.com.ar&gt;
Signed-off-by: Peter Korsgaard &lt;peter@korsgaard.com&gt;
</content>
</entry>
<entry>
<title>libarchive: bump to version 3.2.0</title>
<updated>2016-06-20T20:29:48+00:00</updated>
<author>
<name>Frank Hunleth</name>
<email>fhunleth@troodon-software.com</email>
</author>
<published>2016-06-20T19:47:39+00:00</published>
<link rel='alternate' type='text/html' href='https://git.raptorcs.com/git/buildroot/commit/?id=c56bc9dcfab522b5167970ba071d011f055d2011'/>
<id>urn:sha1:c56bc9dcfab522b5167970ba071d011f055d2011</id>
<content type='text'>
The CVE patch is now included in this release.

Signed-off-by: Frank Hunleth &lt;fhunleth@troodon-software.com&gt;
Signed-off-by: Peter Korsgaard &lt;peter@korsgaard.com&gt;
</content>
</entry>
<entry>
<title>libarchive: add hash and enable lzma support</title>
<updated>2015-06-26T19:26:47+00:00</updated>
<author>
<name>Nimai Mahajan</name>
<email>nimaim@gmail.com</email>
</author>
<published>2015-06-26T15:01:58+00:00</published>
<link rel='alternate' type='text/html' href='https://git.raptorcs.com/git/buildroot/commit/?id=eab1756c19c786480ff79a4a9df616c6b635ec8f'/>
<id>urn:sha1:eab1756c19c786480ff79a4a9df616c6b635ec8f</id>
<content type='text'>
Add libarchive hash. Enable lzma support.
Both xz and lzma support are provided by the xz library.

[Thomas: explicitly pass --with-lzma when xz is available.]

Signed-off-by: Nimai Mahajan &lt;nimaim@gmail.com&gt;
Signed-off-by: Thomas Petazzoni &lt;thomas.petazzoni@free-electrons.com&gt;
</content>
</entry>
</feed>
