libarchive-3.4.0

[Douglas R. Reno]

New minor version

​https://github.com/libarchive/libarchive/releases - look here, I was tipped off by Arch

Libarchive 3.4.0 is a feature and security release.

Feature higlights:

    Support for file and directory symlinks on Windows
    Read support for RAR 5.0 archives
    Read support for ZIPX archives with xz, lzma, ppmd8 and bzip2 compression
    Support for non-recursive list and extract
    New tar option: --exclude-vcs
    Improved file attribute support on Linux and file flags support on FreeBSD
    64-bit ar format support

Important bugfixes:

    fix reading Android APK archives (#1055 )
    fix problems related to unreadable directories (#1167)
    patches from OpenBSD to libarchive_fe/passphrase.c
    support extracting ACLs with in-entry comments (#1096)
    support extracting extattrs as non-root on non-user-writable files (#1023)
    a two-digit number of OSS-Fuzz issues was resolved in this release
    various resource leak, use-after-free and crash fixes

Thanks to all contributors and bug reporters for making libarchive such a great piece of software.
Special thanks to @antekone for implementing RAR 5.0 reader and ZIPX decompression support.

​https://github.com/libarchive/libarchive/issues/1216 - explanation as to why we can't find it

CVE-2018-1000877

A double-free issue has been found in libarchive >= 3.1.0 and <=3.3.3, in the parse_codes() function in archive_read_support_format_rar.c. An attacker can use a specially crafted RAR file to cause a call to realloc with a size of 0, effectively freeing the memory which will be freed again at a later time.

CVE-2018-1000878

A use-after-free issue has been found in libarchive >= 3.1.0 and <=3.3.3, in the archive_read_format_rar_read_header() function in archive_read_support_format_rar.c. An attacker can use a specially crafted RAR file to cause the vulnerable function to free the buffer and allocate a new one, causing the ppmd7 decoder to continue reading from and writing to the freed buffer.

CVE-2018-1000879

A NULL-pointer dereference issue has been found in libarchive >= 3.3.0 and <=3.3.3, in the archive_acl_from_text_l() function in archive_acl.c. An attacker can use a specially crafted archive file to cause a crash via a malformed ACL.

CVE-2018-1000880

A resource consumption issue has been found in libarchive >= 3.2.0 and <=3.3.3, in the _warc_read() function in archive_read_support_format_warm.c. An attacker can use a specially crafted WARC file to cause quasi-infinite run time and disk usage from a tiny file.

CVE-2019-1000019

libarchive version >=v3.0.2 contains a CWE-125: Out-of-bounds Read vulnerability in 7zip decompression, archive_read_support_format_7zip.c, header_bytes() that can result in a crash (denial of service). This attack appears to be exploitable via the victim opening a specially crafted 7zip file.

CVE-2019-1000020

libarchive version >=v2.8.0 contains a CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability in ISO9660 parser, archive_read_support_format_iso9660.c, read_CE()/parse_rockridge() that can result in DoS by infinite loop. This attack appears to be exploitable via the victim opening a specially crafted ISO9660 file.

[Xi Ruoyao]

Fixed at r21746.

[Bruce Dubbs]

Milestone renamed