MGASA-2019-0030 - Updated libarchive packages fix security vulnerabilities

Publication date: 11 Jan 2019
URL: https://advisories.mageia.org/MGASA-2019-0030.html
Type: security
Affected Mageia releases: 6
CVE: CVE-2017-14502,
     CVE-2018-1000877,
     CVE-2018-1000878,
     CVE-2018-1000879,
     CVE-2018-1000880

read_header in archive_read_support_format_rar.c in libarchive 3.3.2
suffers from an off-by-one error for UTF-16 names in RAR archives,
leading to an out-of-bounds read in archive_read_format_rar_read_header
(CVE-2017-14502).

Multiple security issues were found in libarchive: Processing malformed
RAR archives could result in denial of service or the execution of
arbitrary code and malformed WARC, LHarc, ISO, Xar or CAB archives could
result in denial of service (CVE-2018-1000877, CVE-2018-1000878,
CVE-2018-1000879, CVE-2018-1000880).

References:
- https://bugs.mageia.org/show_bug.cgi?id=24075
- http://lists.suse.com/pipermail/sle-security-updates/2018-December/004927.html
- https://www.debian.org/security/2018/dsa-4360
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14502
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000877
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000878
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000879
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000880

SRPMS:
- 6/core/libarchive-3.3.1-1.4.mga6