DLA-3202-1

Source: https://storage.googleapis.com/debian-osv/dla-osv/DLA-3202-1.json
Published: 2022-11-22T00:00:00Z
Modified: 2022-11-22T18:28:52.517861Z
Details

Three issues have been found in libarchive, a multi-format archive and compression library.

  • CVE-2019-19221 out-of-bounds read because of an incorrect mbrtowc or mbtowc call
  • CVE-2021-23177 extracting a symlink that carries ACLs applies those ACLs to the link's target instead of to the link itself
  • CVE-2021-31566 symbolic links are followed when setting modes, times, ACLs and flags during extraction, so those attributes can be changed on a file outside the archive

For Debian 10 buster, these problems have been fixed in version 3.3.3-4+deb10u2.

We recommend that you upgrade your libarchive packages.

For the detailed security status of libarchive please refer to its security tracker page at: https://security-tracker.debian.org/tracker/libarchive

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS

Affected packages

Debian:10 / libarchive

Affected ranges

Type: ECOSYSTEM
Events:
  • Introduced: 0
  • Fixed: 3.3.3-4+deb10u2

Affected versions

3.*

3.3.3-4
3.3.3-4+deb10u1