An out-of-bounds read flaw was found in the way libarchive processed certain CPIO archives. An attacker could create a specially crafted CPIO archive that, when processed by an application using the libarchive library, would cause that application to crash.
Additional details:
http://seclists.org/fulldisclosure/2015/Apr/102
https://github.com/libarchive/libarchive/issues/502
Upstream patch:
https://github.com/libarchive/libarchive/commit/e6c9668f3202215ddb71617b41c19b6f05acf008
Created libarchive tracking bugs for this issue:
Affects: fedora-all [bug 1216892]
Affects: epel-5 [bug 1216893]
libarchive-3.1.2-12.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.
libarchive-3.1.2-11.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.
CVE assignment:
http://seclists.org/oss-sec/2016/q2/566
Upstream bug:
https://github.com/libarchive/libarchive/issues/503 (identified as duplicate of /issues/502)