Package: libarchive13t64
Version: 3.7.2-1.1
Severity: important
X-Debbugs-Cc: rra@debian.org
So far it looks like no one has been able to figure out an obvious way
for this to be exploitable, but I wanted to make sure that you were
aware of this upstream issue:
https://github.com/libarchive/libarchive/pull/1609
The author of this commit is the same GitHub account that was used to
create the xz backdoor. Upstream has merged a revert of this change at:
https://github.com/libarchive/libarchive/pull/2101
It may be worth expediting getting this change into Debian in case the
potential attacker knows something that we don't. However, I don't have
any reason to currently believe that this is a security vulnerability,
so I've kept the severity at important and not applied the security tag.