Security update for libarchive

Announcement ID:	SUSE-SU-2016:1909-1
Rating:	important
References:	bsc#984990 bsc#985609 bsc#985665 bsc#985669 bsc#985673 bsc#985675 bsc#985679 bsc#985682 bsc#985685 bsc#985688 bsc#985689 bsc#985697 bsc#985698 bsc#985700 bsc#985703 bsc#985704 bsc#985706 bsc#985826 bsc#985832 bsc#985835
Cross-References:	CVE-2015-8918 CVE-2015-8919 CVE-2015-8920 CVE-2015-8921 CVE-2015-8922 CVE-2015-8923 CVE-2015-8924 CVE-2015-8925 CVE-2015-8926 CVE-2015-8928 CVE-2015-8929 CVE-2015-8930 CVE-2015-8931 CVE-2015-8932 CVE-2015-8933 CVE-2015-8934 CVE-2016-4300 CVE-2016-4301 CVE-2016-4302 CVE-2016-4809
CVSS scores:	CVE-2015-8918 ( NVD ): 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2015-8919 ( NVD ): 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2015-8920 ( NVD ): 5.5 CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVE-2015-8921 ( NVD ): 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2015-8922 ( NVD ): 5.5 CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVE-2015-8923 ( NVD ): 6.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVE-2015-8924 ( NVD ): 5.5 CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVE-2016-4300 ( NVD ): 7.8 CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2016-4301 ( NVD ): 7.8 CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2016-4302 ( NVD ): 7.8 CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2016-4809 ( NVD ): 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Affected Products:	SUSE Linux Enterprise Desktop 12 SP1 SUSE Linux Enterprise Server 12 SP1 SUSE Linux Enterprise Server for SAP Applications 12 SP1 SUSE Linux Enterprise Software Development Kit 12 SP1

An update that solves 20 vulnerabilities can now be installed.

Description:

libarchive was updated to fix 20 security issues.

These security issues were fixed: - CVE-2015-8918: Overlapping memcpy in CAB parser (bsc#985698). - CVE-2015-8919: Heap out of bounds read in LHA/LZH parser (bsc#985697). - CVE-2015-8920: Stack out of bounds read in ar parser (bsc#985675). - CVE-2015-8921: Global out of bounds read in mtree parser (bsc#985682). - CVE-2015-8922: Null pointer access in 7z parser (bsc#985685). - CVE-2015-8923: Unclear crashes in ZIP parser (bsc#985703). - CVE-2015-8924: Heap buffer read overflow in tar (bsc#985609). - CVE-2015-8925: Unclear invalid memory read in mtree parser (bsc#985706). - CVE-2015-8926: NULL pointer access in RAR parser (bsc#985704). - CVE-2015-8928: Heap out of bounds read in mtree parser (bsc#985679). - CVE-2015-8929: Memory leak in tar parser (bsc#985669). - CVE-2015-8930: Endless loop in ISO parser (bsc#985700). - CVE-2015-8931: Undefined behavior / signed integer overflow in mtree parser (bsc#985689). - CVE-2015-8932: Compress handler left shifting larger than int size (bsc#985665). - CVE-2015-8933: Undefined behavior / signed integer overflow in TAR parser (bsc#985688). - CVE-2015-8934: Out of bounds read in RAR (bsc#985673). - CVE-2016-4300: Heap buffer overflow vulnerability in the 7zip read_SubStreamsInfo (bsc#985832). - CVE-2016-4301: Stack buffer overflow in the mtree parse_device (bsc#985826). - CVE-2016-4302: Heap buffer overflow in the Rar decompression functionality (bsc#985835). - CVE-2016-4809: Memory allocate error with symbolic links in cpio archives (bsc#984990).

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

• SUSE Linux Enterprise Desktop 12 SP1
  zypper in -t patch SUSE-SLE-DESKTOP-12-SP1-2016-1123=1
• SUSE Linux Enterprise Software Development Kit 12 SP1
  zypper in -t patch SUSE-SLE-SDK-12-SP1-2016-1123=1
• SUSE Linux Enterprise Server for SAP Applications 12 SP1
  zypper in -t patch SUSE-SLE-SERVER-12-SP1-2016-1123=1
• SUSE Linux Enterprise Server 12 SP1
  zypper in -t patch SUSE-SLE-SERVER-12-SP1-2016-1123=1

Package List:

• SUSE Linux Enterprise Desktop 12 SP1 (x86_64)
  • libarchive13-3.1.2-22.1
  • libarchive-debugsource-3.1.2-22.1
  • libarchive13-debuginfo-3.1.2-22.1
• SUSE Linux Enterprise Software Development Kit 12 SP1 (ppc64le s390x x86_64)
  • libarchive-debugsource-3.1.2-22.1
  • libarchive-devel-3.1.2-22.1
• SUSE Linux Enterprise Server for SAP Applications 12 SP1 (ppc64le x86_64)
  • libarchive13-3.1.2-22.1
  • libarchive-debugsource-3.1.2-22.1
  • libarchive13-debuginfo-3.1.2-22.1
• SUSE Linux Enterprise Server 12 SP1 (ppc64le s390x x86_64)
  • libarchive13-3.1.2-22.1
  • libarchive-debugsource-3.1.2-22.1
  • libarchive13-debuginfo-3.1.2-22.1

References:

• https://www.suse.com/security/cve/CVE-2015-8918.html
• https://www.suse.com/security/cve/CVE-2015-8919.html
• https://www.suse.com/security/cve/CVE-2015-8920.html
• https://www.suse.com/security/cve/CVE-2015-8921.html
• https://www.suse.com/security/cve/CVE-2015-8922.html
• https://www.suse.com/security/cve/CVE-2015-8923.html
• https://www.suse.com/security/cve/CVE-2015-8924.html
• https://www.suse.com/security/cve/CVE-2015-8925.html
• https://www.suse.com/security/cve/CVE-2015-8926.html
• https://www.suse.com/security/cve/CVE-2015-8928.html
• https://www.suse.com/security/cve/CVE-2015-8929.html
• https://www.suse.com/security/cve/CVE-2015-8930.html
• https://www.suse.com/security/cve/CVE-2015-8931.html
• https://www.suse.com/security/cve/CVE-2015-8932.html
• https://www.suse.com/security/cve/CVE-2015-8933.html
• https://www.suse.com/security/cve/CVE-2015-8934.html
• https://www.suse.com/security/cve/CVE-2016-4300.html
• https://www.suse.com/security/cve/CVE-2016-4301.html
• https://www.suse.com/security/cve/CVE-2016-4302.html
• https://www.suse.com/security/cve/CVE-2016-4809.html
• https://bugzilla.suse.com/show_bug.cgi?id=984990
• https://bugzilla.suse.com/show_bug.cgi?id=985609
• https://bugzilla.suse.com/show_bug.cgi?id=985665
• https://bugzilla.suse.com/show_bug.cgi?id=985669
• https://bugzilla.suse.com/show_bug.cgi?id=985673
• https://bugzilla.suse.com/show_bug.cgi?id=985675
• https://bugzilla.suse.com/show_bug.cgi?id=985679
• https://bugzilla.suse.com/show_bug.cgi?id=985682
• https://bugzilla.suse.com/show_bug.cgi?id=985685
• https://bugzilla.suse.com/show_bug.cgi?id=985688
• https://bugzilla.suse.com/show_bug.cgi?id=985689
• https://bugzilla.suse.com/show_bug.cgi?id=985697
• https://bugzilla.suse.com/show_bug.cgi?id=985698
• https://bugzilla.suse.com/show_bug.cgi?id=985700
• https://bugzilla.suse.com/show_bug.cgi?id=985703
• https://bugzilla.suse.com/show_bug.cgi?id=985704
• https://bugzilla.suse.com/show_bug.cgi?id=985706
• https://bugzilla.suse.com/show_bug.cgi?id=985826
• https://bugzilla.suse.com/show_bug.cgi?id=985832
• https://bugzilla.suse.com/show_bug.cgi?id=985835