SB2013042405 - Input validation error in libarchive (Alpine package)

Description

This security bulletin contains information about 1 security vulnerability.

1) Input validation error (CVE-ID: CVE-2013-0211)

The vulnerability allows a remote non-authenticated attacker to perform service disruption.

Integer signedness error in the archive_write_zip_data function in archive_write_set_format_zip.c in libarchive 3.1.2 and earlier, when running on 64-bit machines, allows context-dependent attackers to cause a denial of service (crash) via unspecified vectors, which triggers an improper conversion between unsigned and signed types, leading to a buffer overflow.

Remediation

Install update from vendor's website.

References

• https://git.alpinelinux.org/aports/commit/?id=87822f4ac4adaaafbbee3ffe58ab6eebdc12907e
• https://git.alpinelinux.org/aports/commit/?id=fd77c7aec807195aafce696698671418dff7d932
• https://git.alpinelinux.org/aports/commit/?id=f3f119d328f0cf56437edc38e278ecd7d8424ec3
• https://git.alpinelinux.org/aports/commit/?id=658bcc9c593f1c8d2fa0e7c30347b2ce44327d21
• https://git.alpinelinux.org/aports/commit/?id=8fcb0a179888b5ce69a7ba1939f77397a7453782
• https://git.alpinelinux.org/aports/commit/?id=a5e78a324419db97eabbe6d9e8f9b3ad51c6203a
• https://git.alpinelinux.org/aports/commit/?id=1bf7c975d00a298b60add7e1ec4bfd8f94334d78
• https://git.alpinelinux.org/aports/commit/?id=00162863df7b8b7a3299cb8def2840baeea7d262
• https://git.alpinelinux.org/aports/commit/?id=43ad5a87fe5e8f0a4512dbc80e583df1467af386
• https://git.alpinelinux.org/aports/commit/?id=5a33772c28df0da100009ea671151f7e2c9655fc