Operating System:

[Ubuntu]

Published:

14 August 2018


===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.2319
                        libarchive vulnerabilities
                              14 August 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           libarchive
Publisher:         Ubuntu
Operating System:  Ubuntu
Impact/Access:     Denial of Service        -- Remote/Unauthenticated
                   Access Confidential Data -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2017-14503 CVE-2017-14501 CVE-2017-14166
                   CVE-2016-10350 CVE-2016-10349 CVE-2016-10209

Reference:         ASB-2017.0219
                   ESB-2017.1972

Original Bulletin: 
   http://www.ubuntu.com/usn/usn-3736-1

--------------------------BEGIN INCLUDED TEXT--------------------

==========================================================================
Ubuntu Security Notice USN-3736-1
August 13, 2018

libarchive vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS

Summary:

Several security issues were fixed in libarchive.

Software Description:
- libarchive: Library to read/write archive files

Details:

It was discovered that libarchive incorrectly handled certain archive
files. A remote attacker could possibly use this issue to cause a
denial of service. This issue only affected Ubuntu 14.04 LTS and Ubuntu
16.04 LTS. (CVE-2016-10209, CVE-2016-10349, CVE-2016-10350)

Agostino Sarubbo discovered that libarchive incorrectly handled certain
XAR files. A remote attacker could possibly use this issue to cause a
denial of service. This issue only affected Ubuntu 14.04 LTS and Ubuntu
16.04 LTS. (CVE-2017-14166)

It was discovered that libarchive incorrectly handled certain files.
A remote attacker could possibly use this issue to get access to
sensitive information. (CVE-2017-14501, CVE-2017-14503)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 18.04 LTS:
 libarchive13    3.2.2-3.1ubuntu0.1

Ubuntu 16.04 LTS:
 libarchive13    3.1.2-11ubuntu0.16.04.4

Ubuntu 14.04 LTS:
 libarchive13    3.1.2-7ubuntu2.6

In general, a standard system update will make all the necessary
changes.

References:
 https://usn.ubuntu.com/usn/usn-3736-1
 CVE-2016-10209, CVE-2016-10349, CVE-2016-10350, CVE-2017-14166,
 CVE-2017-14501, CVE-2017-14503

Package Information:
 https://launchpad.net/ubuntu/+source/libarchive/3.2.2-3.1ubuntu0.1
 https://launchpad.net/ubuntu/+source/libarchive/3.1.2-11ubuntu0.16.04.4
 https://launchpad.net/ubuntu/+source/libarchive/3.1.2-7ubuntu2.6

--------------------------END INCLUDED TEXT--------------------

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================