Security update for bsdtar

SUSE Security Update: Security update for bsdtar
Announcement ID: SUSE-SU-2019:14233-1
Rating: moderate
References: #1005070 #1059139 #985601 #985706
Cross-References: CVE-2015-8915 CVE-2015-8925 CVE-2016-8687 CVE-2017-14503
Affected Products:
  • SUSE Linux Enterprise Debuginfo 11-SP4

An update that fixes four vulnerabilities is now available.

Description:

This update for bsdtar fixes the following issues:

  • CVE-2015-8915: Fixed an invalid read which could have allowed remote attackers to cause a denial of service (bsc#985601).
  • CVE-2015-8925: Fixed an invalid read which could have allowed remote attackers to cause a denial of service (bsc#985706).
  • CVE-2017-14503: Fixed an out-of-bounds read within lha_read_data_none() in archive_read_support_format_lha.c (bsc#1059139).
  • CVE-2016-8687: Fixed a buffer overflow when printing a filename (bsc#1005070).

Patch Instructions:

To install this SUSE Security Update, use the SUSE-recommended installation methods such as YaST online_update or "zypper patch".
Alternatively, you can run the command listed for your product:

  • SUSE Linux Enterprise Debuginfo 11-SP4:
    zypper in -t patch dbgsp4-bsdtar-14233=1

Package List:

  • SUSE Linux Enterprise Debuginfo 11-SP4 (i586 ppc64 s390x x86_64):
    • bsdtar-debuginfo-2.5.5-10.8.1
    • bsdtar-debugsource-2.5.5-10.8.1
