bsdtar-3.2.2-2.1 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:10127 Final 1 1 2024-06-17T21:45:33Z current 2024-06-17T21:45:33Z 2024-06-17T21:45:33Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z bsdtar-3.2.2-2.1 on GA media These are all security issues fixed in the bsdtar-3.2.2-2.1 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-10127 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) E-Mail link for openSUSE-SU-2024:10127 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2013-0211/ SUSE CVE CVE-2013-0211 page https://www.suse.com/security/cve/CVE-2015-2304/ SUSE CVE CVE-2015-2304 page https://www.suse.com/security/cve/CVE-2015-8917/ SUSE CVE CVE-2015-8917 page https://www.suse.com/security/cve/CVE-2015-8928/ SUSE CVE CVE-2015-8928 page https://www.suse.com/security/cve/CVE-2015-8933/ SUSE CVE CVE-2015-8933 page https://www.suse.com/security/cve/CVE-2015-8934/ SUSE CVE CVE-2015-8934 page https://www.suse.com/security/cve/CVE-2016-1541/ SUSE CVE CVE-2016-1541 page https://www.suse.com/security/cve/CVE-2016-4300/ SUSE CVE CVE-2016-4300 page https://www.suse.com/security/cve/CVE-2016-4301/ SUSE CVE CVE-2016-4301 page https://www.suse.com/security/cve/CVE-2016-4809/ SUSE CVE CVE-2016-4809 page https://www.suse.com/security/cve/CVE-2016-5418/ SUSE CVE CVE-2016-5418 page https://www.suse.com/security/cve/CVE-2016-5844/ SUSE CVE CVE-2016-5844 page https://www.suse.com/security/cve/CVE-2016-6250/ SUSE CVE CVE-2016-6250 page https://www.suse.com/security/cve/CVE-2016-8687/ SUSE CVE CVE-2016-8687 page https://www.suse.com/security/cve/CVE-2016-8688/ SUSE CVE CVE-2016-8688 page https://www.suse.com/security/cve/CVE-2016-8689/ SUSE CVE CVE-2016-8689 page openSUSE Tumbleweed bsdtar-3.2.2-2.1 libarchive-devel-3.2.2-2.1 libarchive13-3.2.2-2.1 libarchive13-32bit-3.2.2-2.1 bsdtar-3.2.2-2.1 as a component of openSUSE Tumbleweed libarchive-devel-3.2.2-2.1 as a component of openSUSE Tumbleweed libarchive13-3.2.2-2.1 as a component of openSUSE Tumbleweed libarchive13-32bit-3.2.2-2.1 as a component of openSUSE Tumbleweed Integer signedness error in the archive_write_zip_data function in archive_write_set_format_zip.c in libarchive 3.1.2 and earlier, when running on 64-bit machines, allows context-dependent attackers to cause a denial of service (crash) via unspecified vectors, which triggers an improper conversion between unsigned and signed types, leading to a buffer overflow. CVE-2013-0211 openSUSE Tumbleweed:bsdtar-3.2.2-2.1 openSUSE Tumbleweed:libarchive-devel-3.2.2-2.1 openSUSE Tumbleweed:libarchive13-3.2.2-2.1 openSUSE Tumbleweed:libarchive13-32bit-3.2.2-2.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2013-0211.html CVE-2013-0211 https://bugzilla.suse.com/800024 SUSE Bug 800024 https://bugzilla.suse.com/979005 SUSE Bug 979005 Absolute path traversal vulnerability in bsdcpio in libarchive 3.1.2 and earlier allows remote attackers to write to arbitrary files via a full pathname in an archive. CVE-2015-2304 openSUSE Tumbleweed:bsdtar-3.2.2-2.1 openSUSE Tumbleweed:libarchive-devel-3.2.2-2.1 openSUSE Tumbleweed:libarchive13-3.2.2-2.1 openSUSE Tumbleweed:libarchive13-32bit-3.2.2-2.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2015-2304.html CVE-2015-2304 https://bugzilla.suse.com/920870 SUSE Bug 920870 bsdtar in libarchive before 3.2.0 allows remote attackers to cause a denial of service (NULL pointer dereference and crash) via an invalid character in the name of a cab file. CVE-2015-8917 openSUSE Tumbleweed:bsdtar-3.2.2-2.1 openSUSE Tumbleweed:libarchive-devel-3.2.2-2.1 openSUSE Tumbleweed:libarchive13-3.2.2-2.1 openSUSE Tumbleweed:libarchive13-32bit-3.2.2-2.1 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2015-8917.html CVE-2015-8917 https://bugzilla.suse.com/985691 SUSE Bug 985691 The process_add_entry function in archive_read_support_format_mtree.c in libarchive before 3.2.0 allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted mtree file. CVE-2015-8928 openSUSE Tumbleweed:bsdtar-3.2.2-2.1 openSUSE Tumbleweed:libarchive-devel-3.2.2-2.1 openSUSE Tumbleweed:libarchive13-3.2.2-2.1 openSUSE Tumbleweed:libarchive13-32bit-3.2.2-2.1 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2015-8928.html CVE-2015-8928 https://bugzilla.suse.com/985679 SUSE Bug 985679 Integer overflow in the archive_read_format_tar_skip function in archive_read_support_format_tar.c in libarchive before 3.2.0 allows remote attackers to cause a denial of service (crash) via a crafted tar file. CVE-2015-8933 openSUSE Tumbleweed:bsdtar-3.2.2-2.1 openSUSE Tumbleweed:libarchive-devel-3.2.2-2.1 openSUSE Tumbleweed:libarchive13-3.2.2-2.1 openSUSE Tumbleweed:libarchive13-32bit-3.2.2-2.1 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2015-8933.html CVE-2015-8933 https://bugzilla.suse.com/985688 SUSE Bug 985688 The copy_from_lzss_window function in archive_read_support_format_rar.c in libarchive 3.2.0 and earlier allows remote attackers to cause a denial of service (out-of-bounds heap read) via a crafted rar file. CVE-2015-8934 openSUSE Tumbleweed:bsdtar-3.2.2-2.1 openSUSE Tumbleweed:libarchive-devel-3.2.2-2.1 openSUSE Tumbleweed:libarchive13-3.2.2-2.1 openSUSE Tumbleweed:libarchive13-32bit-3.2.2-2.1 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2015-8934.html CVE-2015-8934 https://bugzilla.suse.com/985673 SUSE Bug 985673 Heap-based buffer overflow in the zip_read_mac_metadata function in archive_read_support_format_zip.c in libarchive before 3.2.0 allows remote attackers to execute arbitrary code via crafted entry-size values in a ZIP archive. CVE-2016-1541 openSUSE Tumbleweed:bsdtar-3.2.2-2.1 openSUSE Tumbleweed:libarchive-devel-3.2.2-2.1 openSUSE Tumbleweed:libarchive13-3.2.2-2.1 openSUSE Tumbleweed:libarchive13-32bit-3.2.2-2.1 moderate 5.1 AV:N/AC:H/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-1541.html CVE-2016-1541 https://bugzilla.suse.com/979005 SUSE Bug 979005 Integer overflow in the read_SubStreamsInfo function in archive_read_support_format_7zip.c in libarchive before 3.2.1 allows remote attackers to execute arbitrary code via a 7zip file with a large number of substreams, which triggers a heap-based buffer overflow. CVE-2016-4300 openSUSE Tumbleweed:bsdtar-3.2.2-2.1 openSUSE Tumbleweed:libarchive-devel-3.2.2-2.1 openSUSE Tumbleweed:libarchive13-3.2.2-2.1 openSUSE Tumbleweed:libarchive13-32bit-3.2.2-2.1 moderate 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-4300.html CVE-2016-4300 https://bugzilla.suse.com/985832 SUSE Bug 985832 Stack-based buffer overflow in the parse_device function in archive_read_support_format_mtree.c in libarchive before 3.2.1 allows remote attackers to execute arbitrary code via a crafted mtree file. CVE-2016-4301 openSUSE Tumbleweed:bsdtar-3.2.2-2.1 openSUSE Tumbleweed:libarchive-devel-3.2.2-2.1 openSUSE Tumbleweed:libarchive13-3.2.2-2.1 openSUSE Tumbleweed:libarchive13-32bit-3.2.2-2.1 moderate 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-4301.html CVE-2016-4301 https://bugzilla.suse.com/985826 SUSE Bug 985826 The archive_read_format_cpio_read_header function in archive_read_support_format_cpio.c in libarchive before 3.2.1 allows remote attackers to cause a denial of service (application crash) via a CPIO archive with a large symlink. CVE-2016-4809 openSUSE Tumbleweed:bsdtar-3.2.2-2.1 openSUSE Tumbleweed:libarchive-devel-3.2.2-2.1 openSUSE Tumbleweed:libarchive13-3.2.2-2.1 openSUSE Tumbleweed:libarchive13-32bit-3.2.2-2.1 moderate 1.9 AV:L/AC:M/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-4809.html CVE-2016-4809 https://bugzilla.suse.com/984990 SUSE Bug 984990 The sandboxing code in libarchive 3.2.0 and earlier mishandles hardlink archive entries of non-zero data size, which might allow remote attackers to write to arbitrary files via a crafted archive file. CVE-2016-5418 openSUSE Tumbleweed:bsdtar-3.2.2-2.1 openSUSE Tumbleweed:libarchive-devel-3.2.2-2.1 openSUSE Tumbleweed:libarchive13-3.2.2-2.1 openSUSE Tumbleweed:libarchive13-32bit-3.2.2-2.1 moderate 2.6 AV:N/AC:H/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-5418.html CVE-2016-5418 https://bugzilla.suse.com/998677 SUSE Bug 998677 Integer overflow in the ISO parser in libarchive before 3.2.1 allows remote attackers to cause a denial of service (application crash) via a crafted ISO file. CVE-2016-5844 openSUSE Tumbleweed:bsdtar-3.2.2-2.1 openSUSE Tumbleweed:libarchive-devel-3.2.2-2.1 openSUSE Tumbleweed:libarchive13-3.2.2-2.1 openSUSE Tumbleweed:libarchive13-32bit-3.2.2-2.1 moderate 5.8 AV:N/AC:M/Au:N/C:N/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-5844.html CVE-2016-5844 https://bugzilla.suse.com/986566 SUSE Bug 986566 Integer overflow in the ISO9660 writer in libarchive before 3.2.1 allows remote attackers to cause a denial of service (application crash) or execute arbitrary code via vectors related to verifying filename lengths when writing an ISO9660 archive, which trigger a buffer overflow. CVE-2016-6250 openSUSE Tumbleweed:bsdtar-3.2.2-2.1 openSUSE Tumbleweed:libarchive-devel-3.2.2-2.1 openSUSE Tumbleweed:libarchive13-3.2.2-2.1 openSUSE Tumbleweed:libarchive13-32bit-3.2.2-2.1 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-6250.html CVE-2016-6250 https://bugzilla.suse.com/989980 SUSE Bug 989980 Stack-based buffer overflow in the safe_fprintf function in tar/util.c in libarchive 3.2.1 allows remote attackers to cause a denial of service via a crafted non-printable multibyte character in a filename. CVE-2016-8687 openSUSE Tumbleweed:bsdtar-3.2.2-2.1 openSUSE Tumbleweed:libarchive-devel-3.2.2-2.1 openSUSE Tumbleweed:libarchive13-3.2.2-2.1 openSUSE Tumbleweed:libarchive13-32bit-3.2.2-2.1 moderate 5.1 AV:N/AC:H/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-8687.html CVE-2016-8687 https://bugzilla.suse.com/1005070 SUSE Bug 1005070 The mtree bidder in libarchive 3.2.1 does not keep track of line sizes when extending the read-ahead, which allows remote attackers to cause a denial of service (crash) via a crafted file, which triggers an invalid read in the (1) detect_form or (2) bid_entry function in libarchive/archive_read_support_format_mtree.c. CVE-2016-8688 openSUSE Tumbleweed:bsdtar-3.2.2-2.1 openSUSE Tumbleweed:libarchive-devel-3.2.2-2.1 openSUSE Tumbleweed:libarchive13-3.2.2-2.1 openSUSE Tumbleweed:libarchive13-32bit-3.2.2-2.1 moderate 5.1 AV:N/AC:H/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-8688.html CVE-2016-8688 https://bugzilla.suse.com/1005076 SUSE Bug 1005076 The read_Header function in archive_read_support_format_7zip.c in libarchive 3.2.1 allows remote attackers to cause a denial of service (out-of-bounds read) via multiple EmptyStream attributes in a header in a 7zip archive. CVE-2016-8689 openSUSE Tumbleweed:bsdtar-3.2.2-2.1 openSUSE Tumbleweed:libarchive-devel-3.2.2-2.1 openSUSE Tumbleweed:libarchive13-3.2.2-2.1 openSUSE Tumbleweed:libarchive13-32bit-3.2.2-2.1 moderate 7.1 AV:N/AC:M/Au:N/C:N/I:N/A:C To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-8689.html CVE-2016-8689 https://bugzilla.suse.com/1005072 SUSE Bug 1005072