Security update for libarchive SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2015:0568-1 Final 1 1 2015-03-15T20:34:22Z current 2015-03-15T20:34:22Z 2015-03-15T20:34:22Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for libarchive libarchive was updated to fix a directory traversal in the bsdcpio tool, which allowed attackers supplying crafted archives to overwrite files. (CVE-2015-2304) Also, a integer overflow was fixed that could also overflow buffers. (CVE-2013-0211) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/opensuse-updates/2015-03/msg00065.html E-Mail link for openSUSE-SU-2015:0568-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings bsdtar-3.1.2-3.5.1 libarchive-3.1.2-3.5.1 libarchive-devel-3.1.2-3.5.1 libarchive13-3.1.2-3.5.1 libarchive13-32bit-3.1.2-3.5.1 Integer signedness error in the archive_write_zip_data function in archive_write_set_format_zip.c in libarchive 3.1.2 and earlier, when running on 64-bit machines, allows context-dependent attackers to cause a denial of service (crash) via unspecified vectors, which triggers an improper conversion between unsigned and signed types, leading to a buffer overflow. CVE-2013-0211 low Please Install the update. https://lists.opensuse.org/opensuse-updates/2015-03/msg00065.html https://www.suse.com/security/cve/CVE-2013-0211.html CVE-2013-0211 https://bugzilla.suse.com/800024 SUSE Bug 800024 https://bugzilla.suse.com/979005 SUSE Bug 979005 Absolute path traversal vulnerability in bsdcpio in libarchive 3.1.2 and earlier allows remote attackers to write to arbitrary files via a full pathname in an archive. CVE-2015-2304 moderate Please Install the update. https://lists.opensuse.org/opensuse-updates/2015-03/msg00065.html https://www.suse.com/security/cve/CVE-2015-2304.html CVE-2015-2304 https://bugzilla.suse.com/920870 SUSE Bug 920870