Security update for libarchive

Announcement ID: SUSE-SU-2016:2911-1
Rating: moderate
CVSS scores:
  • CVE-2016-5418 ( NVD ): 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
  • CVE-2016-5844 ( NVD ): 6.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
  • CVE-2016-6250 ( NVD ): 8.6 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H
  • CVE-2016-8687 ( SUSE ): 3.3 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
  • CVE-2016-8687 ( NVD ): 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  • CVE-2016-8688 ( NVD ): 5.5 CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
  • CVE-2016-8689 ( NVD ): 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Affected Products:
  • SUSE Linux Enterprise Desktop 12 SP1
  • SUSE Linux Enterprise Desktop 12 SP2
  • SUSE Linux Enterprise High Performance Computing 12 SP2
  • SUSE Linux Enterprise Server 12 SP1
  • SUSE Linux Enterprise Server 12 SP2
  • SUSE Linux Enterprise Server for SAP Applications 12 SP1
  • SUSE Linux Enterprise Server for SAP Applications 12 SP2
  • SUSE Linux Enterprise Server for the Raspberry Pi 12-SP2
  • SUSE Linux Enterprise Software Development Kit 12 12-SP2
  • SUSE Linux Enterprise Software Development Kit 12 SP1

An update that solves seven vulnerabilities can now be installed.

Description:

This update for libarchive fixes several issues.

These security issues were fixed:

  • CVE-2016-8687: Buffer overflow when printing a filename (bsc#1005070).
  • CVE-2016-8689: Heap overflow when reading corrupted 7Zip files (bsc#1005072).
  • CVE-2016-8688: Use after free because of incorrect calculation in next_line (bsc#1005076).
  • CVE-2016-5844: Integer overflow in the ISO parser in libarchive allowed remote attackers to cause a denial of service (application crash) via a crafted ISO file (bsc#986566).
  • CVE-2016-6250: Integer overflow in the ISO9660 writer in libarchive allowed remote attackers to cause a denial of service (application crash) or execute arbitrary code via vectors related to verifying filename lengths when writing an ISO9660 archive, which trigger a buffer overflow (bsc#989980).
  • CVE-2016-5418: The sandboxing code in libarchive mishandled hardlink archive entries of non-zero data size, which might have allowed remote attackers to write to arbitrary files via a crafted archive file (bsc#998677).

Patch Instructions:

To install this SUSE update, use the SUSE-recommended installation methods such as YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

  • SUSE Linux Enterprise Desktop 12 SP1
    zypper in -t patch SUSE-SLE-DESKTOP-12-SP1-2016-1698=1
  • SUSE Linux Enterprise Desktop 12 SP2
    zypper in -t patch SUSE-SLE-DESKTOP-12-SP2-2016-1698=1
  • SUSE Linux Enterprise Server for the Raspberry Pi 12-SP2
    zypper in -t patch SUSE-SLE-RPI-12-SP2-2016-1698=1
  • SUSE Linux Enterprise Software Development Kit 12 SP1
    zypper in -t patch SUSE-SLE-SDK-12-SP1-2016-1698=1
  • SUSE Linux Enterprise Software Development Kit 12 12-SP2
    zypper in -t patch SUSE-SLE-SDK-12-SP2-2016-1698=1
  • SUSE Linux Enterprise Server for SAP Applications 12 SP1
    zypper in -t patch SUSE-SLE-SERVER-12-SP1-2016-1698=1
  • SUSE Linux Enterprise Server 12 SP1
    zypper in -t patch SUSE-SLE-SERVER-12-SP1-2016-1698=1
  • SUSE Linux Enterprise High Performance Computing 12 SP2
    zypper in -t patch SUSE-SLE-SERVER-12-SP2-2016-1698=1
  • SUSE Linux Enterprise Server 12 SP2
    zypper in -t patch SUSE-SLE-SERVER-12-SP2-2016-1698=1
  • SUSE Linux Enterprise Server for SAP Applications 12 SP2
    zypper in -t patch SUSE-SLE-SERVER-12-SP2-2016-1698=1

Package List:

  • SUSE Linux Enterprise Desktop 12 SP1 (x86_64)
    • libarchive13-3.1.2-25.1
    • libarchive13-debuginfo-3.1.2-25.1
    • libarchive-debugsource-3.1.2-25.1
  • SUSE Linux Enterprise Desktop 12 SP2 (x86_64)
    • libarchive13-3.1.2-25.1
    • libarchive13-debuginfo-3.1.2-25.1
    • libarchive-debugsource-3.1.2-25.1
  • SUSE Linux Enterprise Server for the Raspberry Pi 12-SP2 (aarch64)
    • libarchive13-3.1.2-25.1
    • libarchive13-debuginfo-3.1.2-25.1
    • libarchive-debugsource-3.1.2-25.1
  • SUSE Linux Enterprise Software Development Kit 12 SP1 (ppc64le s390x x86_64)
    • libarchive-devel-3.1.2-25.1
    • libarchive-debugsource-3.1.2-25.1
  • SUSE Linux Enterprise Software Development Kit 12 12-SP2 (aarch64 ppc64le s390x x86_64)
    • libarchive-devel-3.1.2-25.1
    • libarchive-debugsource-3.1.2-25.1
  • SUSE Linux Enterprise Server for SAP Applications 12 SP1 (ppc64le x86_64)
    • libarchive13-3.1.2-25.1
    • libarchive13-debuginfo-3.1.2-25.1
    • libarchive-debugsource-3.1.2-25.1
  • SUSE Linux Enterprise Server 12 SP1 (ppc64le s390x x86_64)
    • libarchive13-3.1.2-25.1
    • libarchive13-debuginfo-3.1.2-25.1
    • libarchive-debugsource-3.1.2-25.1
  • SUSE Linux Enterprise High Performance Computing 12 SP2 (aarch64 x86_64)
    • libarchive13-3.1.2-25.1
    • libarchive13-debuginfo-3.1.2-25.1
    • libarchive-debugsource-3.1.2-25.1
  • SUSE Linux Enterprise Server 12 SP2 (aarch64 ppc64le s390x x86_64)
    • libarchive13-3.1.2-25.1
    • libarchive13-debuginfo-3.1.2-25.1
    • libarchive-debugsource-3.1.2-25.1
  • SUSE Linux Enterprise Server for SAP Applications 12 SP2 (ppc64le x86_64)
    • libarchive13-3.1.2-25.1
    • libarchive13-debuginfo-3.1.2-25.1
    • libarchive-debugsource-3.1.2-25.1
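To confirm the patch actually landed on a host, compare the installed libarchive packages against the fixed build 3.1.2-25.1 from the package list above. The following script is an added example, not part of the SUSE advisory; the `is_fixed` and `check_packages` helper names and the sample `rpm -q` output are constructed here, and `sort -V` ordering is assumed to be sufficient for these simple version strings (`rpmdev-vercmp` remains the authoritative comparison).

```shell
#!/bin/sh
# Added example (not from the advisory): report libarchive packages that are
# still below the fixed build listed in SUSE-SU-2016:2911-1.
FIXED="3.1.2-25.1"

# is_fixed VERSION-RELEASE
# Returns 0 when the installed version-release is >= FIXED, using GNU
# sort -V ordering (adequate for these strings; rpmdev-vercmp is authoritative).
is_fixed() {
    installed="$1"
    highest=$(printf '%s\n%s\n' "$installed" "$FIXED" | sort -V | tail -n 1)
    [ "$highest" = "$installed" ]
}

# check_packages reads "name version-release" lines on stdin and prints one
# verdict line per package: FIXED, or VULNERABLE with the required build.
check_packages() {
    while read -r name vr; do
        [ -z "$name" ] && continue
        if is_fixed "$vr"; then
            echo "$name $vr FIXED"
        else
            echo "$name $vr VULNERABLE (needs >= $FIXED)"
        fi
    done
}

# Constructed sample input in the format produced by
#   rpm -q --qf '%{NAME} %{VERSION}-%{RELEASE}\n' libarchive13 libarchive-devel
# (one package still on an older release, one already at the fixed build).
SAMPLE='libarchive13 3.1.2-22.2
libarchive-devel 3.1.2-25.1'

if command -v rpm >/dev/null 2>&1; then
    # Real query on a SUSE host; "not installed" lines are dropped.
    rpm -q --qf '%{NAME} %{VERSION}-%{RELEASE}\n' libarchive13 libarchive-devel 2>/dev/null \
        | grep -v 'not installed' | check_packages
else
    printf '%s\n' "$SAMPLE" | check_packages
fi
```

Run it on each affected product after `zypper patch`; any VULNERABLE line means the update was not applied to that package.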
