Hanno Böck has disclosed another Undefined Behaviour (signed integer overflow) on oss-security:
http://seclists.org/oss-sec/2016/q2/591

Upstream ticket:
https://github.com/libarchive/libarchive/issues/717

Upstream fix (released in libarchive-3.2.1):
https://github.com/libarchive/libarchive/commit/3ad08e0

While the UB exists in 3.2.0, an earlier patch seems to mitigate against the issue:
https://github.com/libarchive/libarchive/commit/e6c9668f

This function is called immediately after the overflow, and will immediately reject a negative skipsize with ARCHIVE_FATAL, skipping all further processing.

Previous releases up to and including 3.1.2 (including 2.8.3, 2.8.4) do not include the mitigation and are thus likely vulnerable.
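As an added illustration of the mitigation-versus-fix distinction described above (constructed example code, not libarchive's own), the C below contrasts a naive signed skip-size computation with one that detects the overflow before it happens, and shows the post-hoc "reject a negative skipsize" check on its own. The field names, `EXAMPLE_FATAL` and all helper functions are assumptions standing in for the real library's code.

```c
#include <stdint.h>

/* Stand-ins for libarchive's return codes (assumed, not the real header). */
#define EXAMPLE_OK     0
#define EXAMPLE_FATAL (-30)

/* Naive computation: the product of two header-derived fields in int64_t.
 * If it overflows, that is undefined behaviour; a later "< 0" test is only
 * a mitigation, because the compiler is entitled to assume no overflow
 * occurred and may reorder or drop the check. */
static int64_t skipsize_naive(int64_t entry_size, int64_t count)
{
    return entry_size * count;
}

/* The mitigation-style check on its own: reject a negative skipsize
 * with the fatal code so no further processing happens. */
static int validate_skipsize(int64_t skipsize)
{
    return skipsize < 0 ? EXAMPLE_FATAL : EXAMPLE_OK;
}

/* Fix-style computation: refuse negative inputs and detect the overflow
 * before multiplying (GCC/Clang builtin), so no UB is ever executed.
 * Returns the skipsize, or -1 on rejection. */
static int64_t checked_skipsize(int64_t entry_size, int64_t count)
{
    int64_t result;
    if (entry_size < 0 || count < 0)
        return -1;
    if (__builtin_mul_overflow(entry_size, count, &result))
        return -1;
    return result;
}

/* Combined path: overflow-safe computation followed by the rejection check. */
static int skip_entry(int64_t entry_size, int64_t count)
{
    return validate_skipsize(checked_skipsize(entry_size, count));
}

int main(void)
{
    /* Constructed header values: a sane case and an overflowing one. */
    (void)skipsize_naive(1000, 4);              /* 4000, no overflow */
    return skip_entry(INT64_MAX, 2) == EXAMPLE_FATAL ? 0 : 1;
}
```

Compiling with `-fsanitize=signed-integer-overflow` would flag `skipsize_naive` on overflowing inputs while `checked_skipsize` stays clean, which is the practical way to confirm a fix removed the UB rather than just guarded its result.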
Created libarchive tracking bugs for this issue:

Affects: fedora-all [bug 1352776]
Affects: epel-5 [bug 1352775]
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2016:1850 https://rhn.redhat.com/errata/RHSA-2016-1850.html
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2016:1844 https://rhn.redhat.com/errata/RHSA-2016-1844.html