Ubuntu Security Notice 2981-1 - It was discovered that libarchive incorrectly handled certain entry-size values in ZIP archives. A remote attacker could use this issue to cause libarchive to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only applied to Ubuntu 14.04 LTS, Ubuntu 15.10 and Ubuntu 16.04 LTS. It was discovered that libarchive incorrectly handled memory when processing certain tar files. A remote attacker could use this issue to cause libarchive to crash, resulting in a denial of service. Various other issues were also addressed.
cd28623f8a397ad606f6739d1d53e4c06507e985acd72d2147bc28e72c960e56
==========================================================================
Ubuntu Security Notice USN-2981-1
May 17, 2016
libarchive vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 16.04 LTS
- Ubuntu 15.10
- Ubuntu 14.04 LTS
- Ubuntu 12.04 LTS

Summary:

libarchive could be made to crash or run programs if it opened a specially
crafted file.

Software Description:
- libarchive: Library to read/write archive files

Details:

It was discovered that libarchive incorrectly handled certain entry-size
values in ZIP archives. A remote attacker could use this issue to cause
libarchive to crash, resulting in a denial of service, or possibly execute
arbitrary code. This issue only applied to Ubuntu 14.04 LTS, Ubuntu 15.10
and Ubuntu 16.04 LTS. (CVE-2016-1541)

It was discovered that libarchive incorrectly handled memory when
processing certain tar files. A remote attacker could use this issue to
cause libarchive to crash, resulting in a denial of service. (CVE number
pending)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 16.04 LTS:
  libarchive13                    3.1.2-11ubuntu0.16.04.1

Ubuntu 15.10:
  libarchive13                    3.1.2-11ubuntu0.15.10.1

Ubuntu 14.04 LTS:
  libarchive13                    3.1.2-7ubuntu2.2

Ubuntu 12.04 LTS:
  libarchive12                    3.0.3-6ubuntu1.2

In general, a standard system update will make all the necessary changes.

References:
  http://www.ubuntu.com/usn/usn-2981-1
  CVE-2016-1541

Package Information:
  https://launchpad.net/ubuntu/+source/libarchive/3.1.2-11ubuntu0.16.04.1
  https://launchpad.net/ubuntu/+source/libarchive/3.1.2-11ubuntu0.15.10.1
  https://launchpad.net/ubuntu/+source/libarchive/3.1.2-7ubuntu2.2
  https://launchpad.net/ubuntu/+source/libarchive/3.0.3-6ubuntu1.2