Explore top 10 tips to secure your open-source projects now. Read More

×
Alerts This Week
Warning Icon 1 488
Alerts This Week
Warning Icon 1 488

Ubuntu 16.04 LTS USN-3225-1 Critical: libarchive Denial of Service

ubuntu
Calendar Grey March 9, 2017
Dist Ubuntu Esm H88
Explore insights regarding Ubuntu 3225-1 security alert that tackles libarchive vulnerabilities and essential patches for safeguarding.
libarchive could be made to crash, overwrite files, or run programs as your login if it opened a specially crafted file.

Summary

libarchive could be made to crash, overwrite files, or run programs as your

login if it opened a specially crafted file.

Software Description:

- libarchive: Library to read/write archive files

Details:

It was discovered that libarchive incorrectly handled hardlink entries when

extracting archives. A remote attacker could possibly use this issue to

overwrite arbitrary files. (CVE-2016-5418)

Christian Wressnegger, Alwin Maier, and Fabian Yamaguchi discovered that

libarchive incorrectly handled filename lengths when writing ISO9660

archives. A remote attacker could use this issue to cause libarchive to

crash, resulting in a denial of service, or possibly execute arbitrary

code. This issue only applied to Ubuntu 12.04 LTS, Ubuntu 14.04 LTS and

Ubuntu 16.04 LTS. (CVE-2016-6250)

Alexander Cherepanov discovered that libarchive incorrectly handled

recursive decompressions. A remote attacker could possibly use this issue

to cause libarchive to hang, resulting in a...

Read the Full Advisory

Update Instructions

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 16.10:
  libarchive13                    3.2.1-2ubuntu0.1

Ubuntu 16.04 LTS:
  libarchive13                    3.1.2-11ubuntu0.16.04.3

Ubuntu 14.04 LTS:
  libarchive13                    3.1.2-7ubuntu2.4

Ubuntu 12.04 LTS:
  libarchive12                    3.0.3-6ubuntu1.4

In general, a standard system update will make all the necessary changes.

References

https://ubuntu.com/security/notices/USN-3225-1

CVE-2016-5418, CVE-2016-6250, CVE-2016-7166, CVE-2016-8687,

CVE-2016-8688, CVE-2016-8689, CVE-2017-5601

Severity
critical
Lowest
Low
Medium
High
Critical

March 09, 2017

Package Information

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.