Debian Bug report logs - #1001986
libarchive: CVE-2021-23177


Package: src:libarchive; Maintainer for src:libarchive is Peter Pentchev <roam@debian.org>;

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Sun, 19 Dec 2021 19:51:04 UTC

Severity: important

Tags: security, upstream

Found in version libarchive/3.4.3-2

Fixed in version libarchive/3.5.2-1

Done: Peter Pentchev <roam@debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://github.com/libarchive/libarchive/issues/1565



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Peter Pentchev <roam@debian.org>:
Bug#1001986; Package src:libarchive. (Sun, 19 Dec 2021 19:51:06 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Peter Pentchev <roam@debian.org>. (Sun, 19 Dec 2021 19:51:06 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: libarchive: CVE-2021-23177
Date: Sun, 19 Dec 2021 20:47:25 +0100
Source: libarchive
Version: 3.4.3-2
Severity: important
Tags: security upstream
Forwarded: https://github.com/libarchive/libarchive/issues/1565
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>

Hi,

The following vulnerability was published for libarchive.

CVE-2021-23177[0]:
| extracting a symlink with ACLs modifies ACLs of target

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-23177
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23177
[1] https://github.com/libarchive/libarchive/issues/1565
[2] https://github.com/libarchive/libarchive/commit/fba4f123cc456d2b2538f811bb831483bf336bad

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Message sent on to Salvatore Bonaccorso <carnil@debian.org>:
Bug#1001986. (Tue, 21 Dec 2021 08:36:02 GMT)


Message #8 received at 1001986-submitter@bugs.debian.org:

From: Peter Pentchev <noreply@salsa.debian.org>
To: 1001986-submitter@bugs.debian.org
Subject: Bug#1001986 marked as pending in libarchive
Date: Tue, 21 Dec 2021 08:33:15 +0000
Control: tag -1 pending

Hello,

Bug #1001986 in libarchive reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/debian/libarchive/-/commit/05aff70bec1419eae424ed485a7251f48b543616

------------------------------------------------------------------------
Add four upstream fixes for various problems.

Closes: #1001986, #1001990
------------------------------------------------------------------------

(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/1001986



Added tag(s) pending. Request was from Peter Pentchev <noreply@salsa.debian.org> to 1001986-submitter@bugs.debian.org. (Tue, 21 Dec 2021 08:36:03 GMT)


Reply sent to Peter Pentchev <roam@debian.org>:
You have taken responsibility. (Wed, 22 Dec 2021 18:36:05 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Wed, 22 Dec 2021 18:36:05 GMT)


Message #15 received at 1001986-close@bugs.debian.org:

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 1001986-close@bugs.debian.org
Subject: Bug#1001986: fixed in libarchive 3.5.2-1
Date: Wed, 22 Dec 2021 18:33:56 +0000
Source: libarchive
Source-Version: 3.5.2-1
Done: Peter Pentchev <roam@debian.org>

We believe that the bug you reported is fixed in the latest version of
libarchive, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1001986@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Peter Pentchev <roam@debian.org> (supplier of updated libarchive package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Wed, 22 Dec 2021 19:51:54 +0200
Source: libarchive
Architecture: source
Version: 3.5.2-1
Distribution: unstable
Urgency: medium
Maintainer: Peter Pentchev <roam@debian.org>
Changed-By: Peter Pentchev <roam@debian.org>
Closes: 953931 981654 1001901 1001986 1001990
Changes:
 libarchive (3.5.2-1) unstable; urgency=medium
 .
   * Declare compliance with Debian Policy 4.6.0 with no changes.
   * Add the year 2021 to my debian/* copyright notice.
   * Drop the Breaks/Replaces relations for pre-oldstable versions of
     bsdtar and bsdcpio.
   * Fix some shellcheck complaints about the minitar autopkgtest.
   * Use a comma, not a semicolon, in the Origin DEP-3 header.
   * Annotate the sharutils build dependency with <!nocheck>.
     Closes: #981654
   * Drop the obsolete libattr1-dev build dependency. At the moment it is
     still pulled in by libacl1-dev, but there is no reason for us not to
     do the right thing, so that everything goes right when libacl1-dev
     corrects its build dependency. Closes: #953931
   * New upstream version:
     - fix handling of symlink ACLs; Closes: 1001986
     - never follow symlinks when setting file flags; Closes: 1001990
     - update the upstream copyright information
     - drop some patches that were taken from the upstream source:
       - upstream-cpio-hardlink-type
       - upstream-cpio-rdev
       - upstream-unneeded-strlen
       - upstream-hardlink-to-self
       - upstream-set-format-error
       - upstream-rar-read-format
       - upstream-memory-stdlib
       - upstream-max-comp-level
       - upstream-isint-w
     - update the library symbols file
   * Add the lzip-large-dict patch to support larger lzip dictionaries.
     Closes: #1001901
   * Add the upstream-fixup-symlinks, upstream-fixup-file-flags, and
     upstream-fix-32bit-size-cast patches, importing three upstream
     post-3.5.2 commits.




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 22 Jan 2022 07:30:28 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Apr 26 03:02:25 2024; Machine Name: bembo
