Bug 783375 - CVE-2011-1777 Libarchive multiple security issues (Regression) [rhel-6.3]
Summary: CVE-2011-1777 Libarchive multiple security issues (Regression) [rhel-6.3]
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: libarchive
Version: 6.2
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
Target Release: ---
Assignee: Tomáš Bžatek
QA Contact: qe-baseos-daemons
URL:
Whiteboard:
Depends On: 782008
Blocks:
Reported: 2012-01-20 07:07 UTC by Ramon de C Valle
Modified: 2015-03-03 23:04 UTC
CC: 8 users

Fixed In Version: libarchive-2.8.3-4.el6
Doc Type: Bug Fix
Doc Text:
Clone Of: 782008
Environment:
Last Closed: 2012-10-09 12:42:41 UTC
Target Upstream Version:



Comment 1 Ramon de C Valle 2012-01-20 07:14:59 UTC
This is a regression from Bug 705849 in the latest version of the libarchive package
released via RHSA-2011:1507. The CVE-2011-1777.patch attached to Bug 705849
breaks ISO support. This regression was found by Mageia QA:
https://bugs.mageia.org/show_bug.cgi?id=3941.

The original Security, SecurityTracking, ZStream is Bug 739940.

Comment 2 Tomáš Bžatek 2012-03-26 10:17:52 UTC
This bug report only tracks a regression in the ISO9660 reader, created by a fix for one of the CVEs in libarchive-2.8.3-3.el6. Other formats are untouched.

Reproduced with Fedora-16-x86_64-Live-Desktop.iso - the old (-3) build fails to list contents of this ISO image, the new build (-4) works fine. Can be reproduced using gvfsd-archive (automatically spawned by Nautilus by opening an ISO archive).

Comment 3 Jiri Pallich 2012-10-09 12:42:41 UTC
Since this is a parent bug of an issue that has already been released via Z-Stream (e.g. rhel-6.3.z), this bug is going to be CLOSED as CURRENTRELEASE.
