Libarchive vulnerability CVE-2019-18408

6502coder
Posts: 677
Joined: Mon 23 Mar 2009, 18:07
Location: Western United States


#1 Post by 6502coder »

A compression library included by default in Debian, Ubuntu, Gentoo, Arch Linux, FreeBSD, and NetBSD distros, contains a vulnerability that can allow hackers to execute code on user machines.

The vulnerability impacts Libarchive, a library for reading and creating compressed files. It is a powerful all-in-one toolkit for working with archive files that also bundles other Linux/BSD utilities like tar, cpio, and cat, making it ideal for a wide variety of operations, and the reason it's so widely adopted across operating systems.

Last week, details about a major bug impacting the library have been made public after several Linux and FreeBSD distros rolled out updates containing patches for the Libarchive version they had been shipping out to users.

The bug, tracked under the CVE-2019-18408 identifier, allows an attacker to execute code on a user's system via a malformed archive file.
https://www.zdnet.com/article/libarchiv ... sd-netbsd/

perdido
Posts: 1528
Joined: Mon 09 Dec 2013, 16:29
Location: ¿Altair IV , Just north of Eeyore Junction.?

#2 Post by perdido »

Looking at the packages in bionicpup32 19.03 woof-installed-packages I see libarchive13_3.2.2 (version 3.2.2) that would need updating to the June update ̶t̶h̶a̶t̶ ̶b̶r̶o̶u̶g̶h̶t̶ ̶t̶h̶e̶ ̶f̶i̶x̶e̶d̶ ̶v̶e̶r̶s̶i̶o̶n̶ ̶t̶o̶ ̶3̶.̶4̶0̶

Latest fixed sources
https://github.com/libarchive/libarchive/tree/v3.4.0

Let the fun begin,
-------------------
Edit: This package updated 10-28-19
Here is a link to the page where you can get the updated 32-bit ubuntu-bionic deb - about halfway down the page listed under "Download"
https://ubuntu.pkgs.org/18.04/ubuntu-up ... 6.deb.html

Thanks to 666philb for explaining in the post following this one that we do not have to jump to version 3.4.0

Last edited by perdido on Sat 16 Nov 2019, 04:15, edited 1 time in total.

666philb
Posts: 3615
Joined: Sun 07 Feb 2010, 12:27
Location: wales ... by the sea

#3 Post by 666philb »

For xenialpup & bionicpup, first update the PPM, then type libarchive into the find box; scroll down and it will show libarchive already installed. Click on this and re-install to get the latest patched version.

Note that in Ubuntu pups the version number stays the same, but it has been patched:

    2019-10-28 - Leonidas S. Barbosa <leo.barbosa@canonical.com>
    libarchive (3.1.2-11ubuntu0.16.04.7) xenial-security; urgency=medium
      * SECURITY UPDATE: Use-after-free
        - debian/patches/CVE-2019-18408.patch: RAR reader: fix use after free
          in libarchive/archive_read_support_format_rar.c.
        - CVE-2019-18408

You can right-click on /usr/lib/libarchive.so.13.2.2, choose Properties, and the modify time should be 28 Oct 2019.
Bionicpup64 built with bionic beaver packages http://murga-linux.com/puppy/viewtopic.php?t=114311
Xenialpup64, built with xenial xerus packages http://murga-linux.com/puppy/viewtopic.php?t=107331
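The point made in the post above (the Ubuntu version string does not change when a security patch lands, so you have to look at the changelog or the file's modify time) is easy to get wrong by eye. Below is an added shell example, not code from the thread or from the libarchive project, that decides patched/unpatched by searching the package changelog for the CVE id as a whole token. The function names (`changelog_has_cve`, `patch_status`, `installed_status`), the sample changelog text (constructed from the entry quoted above) and the assumption that the live system has `dpkg-query` and a readable `/usr/share/doc/<pkg>/changelog.Debian.gz` are all mine; a Puppy build that strips /usr/share/doc should fall back to the .so mtime check from the post.

```shell
# Added example (not from the thread or the libarchive project): tell whether a
# Debian/Ubuntu libarchive package carries the CVE-2019-18408 fix by reading the
# package changelog. The version number is no help here, because Ubuntu security
# updates keep it unchanged.

# Constructed sample, modelled on the changelog entry quoted in the thread.
SAMPLE_CHANGELOG='2019-10-28 - Leonidas S. Barbosa <leo.barbosa@canonical.com>
libarchive (3.1.2-11ubuntu0.16.04.7) xenial-security; urgency=medium
  * SECURITY UPDATE: Use-after-free
    - debian/patches/CVE-2019-18408.patch: RAR reader: fix use after free
      in libarchive/archive_read_support_format_rar.c.
    - CVE-2019-18408'

# changelog_has_cve CVE-ID   (changelog text on stdin)
# Exit 0 if the id appears as a whole token, 1 if not, 2 if the id is malformed.
# The id is interpolated into an ERE, so only the CVE-YYYY-NNNN... shape is accepted.
changelog_has_cve() {
    cve=$1
    case $cve in
        CVE-[0-9][0-9][0-9][0-9]-[0-9][0-9][0-9][0-9]*) ;;
        *) echo "malformed CVE id: $cve" >&2; return 2 ;;
    esac
    # Bound the match so CVE-2019-1840 does not match CVE-2019-18408 and vice versa.
    grep -Eq -- "(^|[^A-Za-z0-9_-])$cve([^A-Za-z0-9_-]|\$)"
}

# patch_status CVE-ID CHANGELOG-TEXT  -> prints patched | unpatched | unknown
patch_status() {
    rc=0
    printf '%s\n' "$2" | changelog_has_cve "$1" || rc=$?
    case $rc in
        0) echo patched ;;
        1) echo unpatched ;;
        *) echo unknown ;;
    esac
}

# Live check on a Debian/Ubuntu-derived system. Assumes (my assumption, not the
# thread's) that dpkg-query exists and that the package ships
# /usr/share/doc/<pkg>/changelog.Debian.gz. Not invoked below, so the sample run
# stays self-contained and offline.
installed_status() {
    pkg=${1:-libarchive13}
    cve=${2:-CVE-2019-18408}
    log="/usr/share/doc/$pkg/changelog.Debian.gz"
    ver=$(dpkg-query -W -f='${Version}' "$pkg" 2>/dev/null) \
        || { echo "$pkg: not installed"; return 2; }
    [ -r "$log" ] \
        || { echo "$pkg $ver: no changelog at $log, check the .so mtime instead"; return 2; }
    echo "$pkg $ver: $(patch_status "$cve" "$(zcat "$log")")"
}

# Sample run against the constructed changelog text.
patch_status CVE-2019-18408 "$SAMPLE_CHANGELOG"   # prints "patched"
patch_status CVE-2019-1840  "$SAMPLE_CHANGELOG"   # prints "unpatched"
```

On a real xenial or bionic machine, `installed_status libarchive13` reports the package version and whether the CVE id is present in its changelog; the same function works for any other package/CVE pair, which is the usual way to audit a whole box after a security advisory rather than comparing version strings.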
