Security update for libarchive SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2018:3690-1 Final 1 1 2018-11-09T20:00:56Z current 2018-11-09T20:00:56Z 2018-11-09T20:00:56Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for libarchive This update for libarchive fixes the following issues: - CVE-2017-14501: An out-of-bounds read flaw existed in parse_file_info in archive_read_support_format_iso9660.c when extracting a specially crafted iso9660 iso file, related to archive_read_format_iso9660_read_header. (bsc#1059139) - CVE-2017-14502: read_header in archive_read_support_format_rar.c suffered from an off-by-one error for UTF-16 names in RAR archives, leading to an out-of-bounds read in archive_read_format_rar_read_header. (bsc#1059134) - CVE-2017-14503: libarchive suffered from an out-of-bounds read within lha_read_data_none() in archive_read_support_format_lha.c when extracting a specially crafted lha archive, related to lha_crc16. (bsc#1059100) This update was imported from the SUSE:SLE-15:Update update project. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) http://lists.opensuse.org/opensuse-security-announce/2018-11/msg00003.html E-Mail link for openSUSE-SU-2018:3690-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings openSUSE Leap 15.0 bsdtar-3.3.2-lp150.2.3.1 libarchive-3.3.2-lp150.2.3.1 libarchive-devel-3.3.2-lp150.2.3.1 libarchive13-3.3.2-lp150.2.3.1 libarchive13-32bit-3.3.2-lp150.2.3.1 bsdtar-3.3.2-lp150.2.3.1 as a component of openSUSE Leap 15.0 libarchive-3.3.2-lp150.2.3.1 as a component of openSUSE Leap 15.0 libarchive-devel-3.3.2-lp150.2.3.1 as a component of openSUSE Leap 15.0 libarchive13-3.3.2-lp150.2.3.1 as a component of openSUSE Leap 15.0 libarchive13-32bit-3.3.2-lp150.2.3.1 as a component of openSUSE Leap 15.0 An out-of-bounds read flaw exists in parse_file_info in archive_read_support_format_iso9660.c in libarchive 3.3.2 when extracting a specially crafted iso9660 iso file, related to archive_read_format_iso9660_read_header. CVE-2017-14501 openSUSE Leap 15.0:bsdtar-3.3.2-lp150.2.3.1 openSUSE Leap 15.0:libarchive-3.3.2-lp150.2.3.1 openSUSE Leap 15.0:libarchive-devel-3.3.2-lp150.2.3.1 openSUSE Leap 15.0:libarchive13-3.3.2-lp150.2.3.1 openSUSE Leap 15.0:libarchive13-32bit-3.3.2-lp150.2.3.1 moderate 2.1 AV:L/AC:L/Au:N/C:N/I:N/A:P Please Install the update. http://lists.opensuse.org/opensuse-security-announce/2018-11/msg00003.html https://www.suse.com/security/cve/CVE-2017-14501.html CVE-2017-14501 https://bugzilla.suse.com/1059139 SUSE Bug 1059139 read_header in archive_read_support_format_rar.c in libarchive 3.3.2 suffers from an off-by-one error for UTF-16 names in RAR archives, leading to an out-of-bounds read in archive_read_format_rar_read_header. CVE-2017-14502 openSUSE Leap 15.0:bsdtar-3.3.2-lp150.2.3.1 openSUSE Leap 15.0:libarchive-3.3.2-lp150.2.3.1 openSUSE Leap 15.0:libarchive-devel-3.3.2-lp150.2.3.1 openSUSE Leap 15.0:libarchive13-3.3.2-lp150.2.3.1 openSUSE Leap 15.0:libarchive13-32bit-3.3.2-lp150.2.3.1 moderate 2.1 AV:L/AC:L/Au:N/C:N/I:N/A:P Please Install the update. http://lists.opensuse.org/opensuse-security-announce/2018-11/msg00003.html https://www.suse.com/security/cve/CVE-2017-14502.html CVE-2017-14502 https://bugzilla.suse.com/1059134 SUSE Bug 1059134 libarchive 3.3.2 suffers from an out-of-bounds read within lha_read_data_none() in archive_read_support_format_lha.c when extracting a specially crafted lha archive, related to lha_crc16. CVE-2017-14503 openSUSE Leap 15.0:bsdtar-3.3.2-lp150.2.3.1 openSUSE Leap 15.0:libarchive-3.3.2-lp150.2.3.1 openSUSE Leap 15.0:libarchive-devel-3.3.2-lp150.2.3.1 openSUSE Leap 15.0:libarchive13-3.3.2-lp150.2.3.1 openSUSE Leap 15.0:libarchive13-32bit-3.3.2-lp150.2.3.1 moderate 4.9 AV:L/AC:L/Au:N/C:N/I:N/A:C Please Install the update. http://lists.opensuse.org/opensuse-security-announce/2018-11/msg00003.html https://www.suse.com/security/cve/CVE-2017-14503.html CVE-2017-14503 https://bugzilla.suse.com/1059100 SUSE Bug 1059100