ELA-603-1 libarchive security update

out-of-bounds read and incorrect symlink handling

2022-04-30
Package: libarchive
Version: 3.1.2-11+deb8u9
Related CVEs: CVE-2019-19221 CVE-2021-23177 CVE-2021-31566


Three issues have been found in libarchive, a multi-format archive and compression library.

CVE-2021-31566: symbolic links incorrectly followed when changing modes, times, ACL and flags of a file while extracting an archive

CVE-2021-23177: extracting a symlink with ACLs modifies ACLs of target

CVE-2019-19221: out-of-bounds read because of an incorrect mbrtowc or mbtowc call
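The class of bug behind CVE-2021-31566, shown as an added example (this is not libarchive's code or its actual patch): a path-based chmod() follows a symlink, while opening with O_NOFOLLOW and calling fchmod() on the descriptor does not. The helper names, file names and the /tmp scratch directory are constructed for illustration.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Unsafe pattern: chmod() resolves a final symlink, so the mode lands on the target. */
static int set_mode_following(const char *path, mode_t mode) {
    return chmod(path, mode);
}

/* Hardened pattern: refuse a final symlink, confirm a regular file, then act on the fd.
 * (Needs read permission on the file; a simplification for this example.) */
static int set_mode_nofollow(const char *path, mode_t mode) {
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_NONBLOCK | O_CLOEXEC);
    if (fd < 0) return -1;                 /* ELOOP when path is a symlink */
    struct stat st;
    int rc = -1;
    if (fstat(fd, &st) == 0 && S_ISREG(st.st_mode))
        rc = fchmod(fd, mode);
    close(fd);
    return rc;
}

/* Constructed scenario: "victim" stands in for a file the extractor should never touch,
 * "entry" for an extracted path that is a symlink to it. Returns victim's final mode. */
static int victim_mode_after(int hardened) {
    char dir[] = "/tmp/symlink-demo-XXXXXX", victim[64], entry[64];
    struct stat st;
    if (!mkdtemp(dir)) return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(entry, sizeof entry, "%s/entry", dir);
    int fd = open(victim, O_CREAT | O_EXCL | O_WRONLY, 0600);
    if (fd < 0) return -1;
    fchmod(fd, 0600);                      /* fixed starting mode regardless of umask */
    close(fd);
    if (symlink(victim, entry) != 0) return -1;
    if (hardened) set_mode_nofollow(entry, 0644);
    else set_mode_following(entry, 0644);
    int mode = stat(victim, &st) == 0 ? (int)(st.st_mode & 0777) : -1;
    unlink(entry); unlink(victim); rmdir(dir);
    return mode;
}

int main(void) {
    printf("following: %o\n", (unsigned)victim_mode_after(0));
    printf("nofollow:  %o\n", (unsigned)victim_mode_after(1));
    return 0;
}
```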



For Debian 8 jessie, these problems have been fixed in version 3.1.2-11+deb8u9.

We recommend that you upgrade your libarchive packages.

Further information about Extended LTS security advisories can be found in the dedicated section of our website.