Scientific Linux Security Update : libarchive on SL6.x i386/x86_64

This script is Copyright (C) 2016 Tenable Network Security, Inc.


Synopsis :

The remote Scientific Linux host is missing one or more security
updates.

Description :

Security Fix(es) :

- A flaw was found in the way libarchive handled hardlink
archive entries of non-zero size. Combined with flaws in
libarchive's file system sandboxing, this issue could
cause an application using libarchive to overwrite
arbitrary files with arbitrary data from the archive.
(CVE-2016-5418)

- Multiple out-of-bounds read flaws were found in
libarchive. Specially crafted AR or MTREE files could
cause the application to read data out of bounds,
potentially disclosing a small amount of application
memory, or causing an application crash. (CVE-2015-8920,
CVE-2015-8921)

- A denial of service vulnerability was found in
libarchive's handling of GZIP streams. A crafted GZIP
file could cause libarchive to allocate an excessive
amount of memory, eventually leading to a crash.
(CVE-2016-7166)

- A denial of service vulnerability was found in
libarchive. A specially crafted CPIO archive containing
a symbolic link to a large target path could cause
memory allocation to fail, causing an application using
libarchive that attempted to view or extract such an
archive to crash. (CVE-2016-4809)

- Multiple instances of undefined behavior due to
arithmetic overflow were found in libarchive. Specially
crafted Compress streams or ISO9660 volumes could
potentially cause the application to fail to read the
archive, or to crash. (CVE-2015-8932, CVE-2016-5844)

See also :

http://www.nessus.org/u?42c33147

Solution :

Update the affected libarchive, libarchive-debuginfo and / or
libarchive-devel packages.

Risk factor :

Medium / CVSS Base Score : 5.0
(CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P)

Family: Scientific Linux Local Security Checks

Nessus Plugin ID: 93453

Bugtraq ID:

CVE ID: CVE-2015-8920
CVE-2015-8921
CVE-2015-8932
CVE-2016-4809
CVE-2016-5418
CVE-2016-5844
CVE-2016-7166
