Security update for libarchive SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2016:1909-1 Final 1 1 2016-07-29T08:20:09Z current 2016-07-29T08:20:09Z 2016-07-29T08:20:09Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for libarchive libarchive was updated to fix 20 security issues. These security issues were fixed: - CVE-2015-8918: Overlapping memcpy in CAB parser (bsc#985698). - CVE-2015-8919: Heap out of bounds read in LHA/LZH parser (bsc#985697). - CVE-2015-8920: Stack out of bounds read in ar parser (bsc#985675). - CVE-2015-8921: Global out of bounds read in mtree parser (bsc#985682). - CVE-2015-8922: Null pointer access in 7z parser (bsc#985685). - CVE-2015-8923: Unclear crashes in ZIP parser (bsc#985703). - CVE-2015-8924: Heap buffer read overflow in tar (bsc#985609). - CVE-2015-8925: Unclear invalid memory read in mtree parser (bsc#985706). - CVE-2015-8926: NULL pointer access in RAR parser (bsc#985704). - CVE-2015-8928: Heap out of bounds read in mtree parser (bsc#985679). - CVE-2015-8929: Memory leak in tar parser (bsc#985669). - CVE-2015-8930: Endless loop in ISO parser (bsc#985700). - CVE-2015-8931: Undefined behavior / signed integer overflow in mtree parser (bsc#985689). - CVE-2015-8932: Compress handler left shifting larger than int size (bsc#985665). - CVE-2015-8933: Undefined behavior / signed integer overflow in TAR parser (bsc#985688). - CVE-2015-8934: Out of bounds read in RAR (bsc#985673). - CVE-2016-4300: Heap buffer overflow vulnerability in the 7zip read_SubStreamsInfo (bsc#985832). - CVE-2016-4301: Stack buffer overflow in the mtree parse_device (bsc#985826). - CVE-2016-4302: Heap buffer overflow in the Rar decompression functionality (bsc#985835). - CVE-2016-4809: Memory allocate error with symbolic links in cpio archives (bsc#984990). The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-SLE-DESKTOP-12-SP1-2016-1123,SUSE-SLE-SDK-12-SP1-2016-1123,SUSE-SLE-SERVER-12-SP1-2016-1123 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2016/suse-su-20161909-1/ Link for SUSE-SU-2016:1909-1 https://lists.opensuse.org/opensuse-security-announce/2016-07/msg00025.html E-Mail link for SUSE-SU-2016:1909-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/984990 SUSE Bug 984990 https://bugzilla.suse.com/985609 SUSE Bug 985609 https://bugzilla.suse.com/985665 SUSE Bug 985665 https://bugzilla.suse.com/985669 SUSE Bug 985669 https://bugzilla.suse.com/985673 SUSE Bug 985673 https://bugzilla.suse.com/985675 SUSE Bug 985675 https://bugzilla.suse.com/985679 SUSE Bug 985679 https://bugzilla.suse.com/985682 SUSE Bug 985682 https://bugzilla.suse.com/985685 SUSE Bug 985685 https://bugzilla.suse.com/985688 SUSE Bug 985688 https://bugzilla.suse.com/985689 SUSE Bug 985689 https://bugzilla.suse.com/985697 SUSE Bug 985697 https://bugzilla.suse.com/985698 SUSE Bug 985698 https://bugzilla.suse.com/985700 SUSE Bug 985700 https://bugzilla.suse.com/985703 SUSE Bug 985703 https://bugzilla.suse.com/985704 SUSE Bug 985704 https://bugzilla.suse.com/985706 SUSE Bug 985706 https://bugzilla.suse.com/985826 SUSE Bug 985826 https://bugzilla.suse.com/985832 SUSE Bug 985832 https://bugzilla.suse.com/985835 SUSE Bug 985835 https://www.suse.com/security/cve/CVE-2015-8918/ SUSE CVE CVE-2015-8918 page https://www.suse.com/security/cve/CVE-2015-8919/ SUSE CVE CVE-2015-8919 page https://www.suse.com/security/cve/CVE-2015-8920/ SUSE CVE CVE-2015-8920 page https://www.suse.com/security/cve/CVE-2015-8921/ SUSE CVE CVE-2015-8921 page https://www.suse.com/security/cve/CVE-2015-8922/ SUSE CVE CVE-2015-8922 page https://www.suse.com/security/cve/CVE-2015-8923/ SUSE CVE CVE-2015-8923 page https://www.suse.com/security/cve/CVE-2015-8924/ SUSE CVE CVE-2015-8924 page https://www.suse.com/security/cve/CVE-2015-8925/ SUSE CVE CVE-2015-8925 page https://www.suse.com/security/cve/CVE-2015-8926/ SUSE CVE CVE-2015-8926 page https://www.suse.com/security/cve/CVE-2015-8928/ SUSE CVE CVE-2015-8928 page https://www.suse.com/security/cve/CVE-2015-8929/ SUSE CVE CVE-2015-8929 page https://www.suse.com/security/cve/CVE-2015-8930/ SUSE CVE CVE-2015-8930 page https://www.suse.com/security/cve/CVE-2015-8931/ SUSE CVE CVE-2015-8931 page https://www.suse.com/security/cve/CVE-2015-8932/ SUSE CVE CVE-2015-8932 page https://www.suse.com/security/cve/CVE-2015-8933/ SUSE CVE CVE-2015-8933 page https://www.suse.com/security/cve/CVE-2015-8934/ SUSE CVE CVE-2015-8934 page https://www.suse.com/security/cve/CVE-2016-4300/ SUSE CVE CVE-2016-4300 page https://www.suse.com/security/cve/CVE-2016-4301/ SUSE CVE CVE-2016-4301 page https://www.suse.com/security/cve/CVE-2016-4302/ SUSE CVE CVE-2016-4302 page https://www.suse.com/security/cve/CVE-2016-4809/ SUSE CVE CVE-2016-4809 page SUSE Linux Enterprise Desktop 12 SP1 SUSE Linux Enterprise Server 12 SP1 SUSE Linux Enterprise Server for SAP Applications 12 SP1 SUSE Linux Enterprise Software Development Kit 12 SP1 libarchive13-3.1.2-22.1 libarchive-devel-3.1.2-22.1 libarchive13-3.1.2-22.1 as a component of SUSE Linux Enterprise Desktop 12 SP1 libarchive13-3.1.2-22.1 as a component of SUSE Linux Enterprise Server 12 SP1 libarchive13-3.1.2-22.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP1 libarchive-devel-3.1.2-22.1 as a component of SUSE Linux Enterprise Software Development Kit 12 SP1 The archive_string_append function in archive_string.c in libarchive before 3.2.0 allows remote attackers to cause a denial of service (crash) via a crafted cab files, related to "overlapping memcpy." CVE-2015-8918 SUSE Linux Enterprise Desktop 12 SP1:libarchive13-3.1.2-22.1 SUSE Linux Enterprise Server 12 SP1:libarchive13-3.1.2-22.1 SUSE Linux Enterprise Server for SAP Applications 12 SP1:libarchive13-3.1.2-22.1 SUSE Linux Enterprise Software Development Kit 12 SP1:libarchive-devel-3.1.2-22.1 important 5.8 AV:N/AC:M/Au:N/C:N/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2016/suse-su-20161909-1/ https://www.suse.com/security/cve/CVE-2015-8918.html CVE-2015-8918 https://bugzilla.suse.com/985698 SUSE Bug 985698 The lha_read_file_extended_header function in archive_read_support_format_lha.c in libarchive before 3.2.0 allows remote attackers to cause a denial of service (out-of-bounds heap) via a crafted (1) lzh or (2) lha file. CVE-2015-8919 SUSE Linux Enterprise Desktop 12 SP1:libarchive13-3.1.2-22.1 SUSE Linux Enterprise Server 12 SP1:libarchive13-3.1.2-22.1 SUSE Linux Enterprise Server for SAP Applications 12 SP1:libarchive13-3.1.2-22.1 SUSE Linux Enterprise Software Development Kit 12 SP1:libarchive-devel-3.1.2-22.1 important 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2016/suse-su-20161909-1/ https://www.suse.com/security/cve/CVE-2015-8919.html CVE-2015-8919 https://bugzilla.suse.com/985697 SUSE Bug 985697 The _ar_read_header function in archive_read_support_format_ar.c in libarchive before 3.2.0 allows remote attackers to cause a denial of service (out-of-bounds stack read) via a crafted ar file. CVE-2015-8920 SUSE Linux Enterprise Desktop 12 SP1:libarchive13-3.1.2-22.1 SUSE Linux Enterprise Server 12 SP1:libarchive13-3.1.2-22.1 SUSE Linux Enterprise Server for SAP Applications 12 SP1:libarchive13-3.1.2-22.1 SUSE Linux Enterprise Software Development Kit 12 SP1:libarchive-devel-3.1.2-22.1 important 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2016/suse-su-20161909-1/ https://www.suse.com/security/cve/CVE-2015-8920.html CVE-2015-8920 https://bugzilla.suse.com/985675 SUSE Bug 985675 The ae_strtofflags function in archive_entry.c in libarchive before 3.2.0 allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted mtree file. CVE-2015-8921 SUSE Linux Enterprise Desktop 12 SP1:libarchive13-3.1.2-22.1 SUSE Linux Enterprise Server 12 SP1:libarchive13-3.1.2-22.1 SUSE Linux Enterprise Server for SAP Applications 12 SP1:libarchive13-3.1.2-22.1 SUSE Linux Enterprise Software Development Kit 12 SP1:libarchive-devel-3.1.2-22.1 important 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2016/suse-su-20161909-1/ https://www.suse.com/security/cve/CVE-2015-8921.html CVE-2015-8921 https://bugzilla.suse.com/985682 SUSE Bug 985682 The read_CodersInfo function in archive_read_support_format_7zip.c in libarchive before 3.2.0 allows remote attackers to cause a denial of service (NULL pointer dereference and crash) via a crafted 7z file, related to the _7z_folder struct. CVE-2015-8922 SUSE Linux Enterprise Desktop 12 SP1:libarchive13-3.1.2-22.1 SUSE Linux Enterprise Server 12 SP1:libarchive13-3.1.2-22.1 SUSE Linux Enterprise Server for SAP Applications 12 SP1:libarchive13-3.1.2-22.1 SUSE Linux Enterprise Software Development Kit 12 SP1:libarchive-devel-3.1.2-22.1 important 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2016/suse-su-20161909-1/ https://www.suse.com/security/cve/CVE-2015-8922.html CVE-2015-8922 https://bugzilla.suse.com/985685 SUSE Bug 985685 The process_extra function in libarchive before 3.2.0 uses the size field and a signed number in an offset, which allows remote attackers to cause a denial of service (crash) via a crafted zip file. CVE-2015-8923 SUSE Linux Enterprise Desktop 12 SP1:libarchive13-3.1.2-22.1 SUSE Linux Enterprise Server 12 SP1:libarchive13-3.1.2-22.1 SUSE Linux Enterprise Server for SAP Applications 12 SP1:libarchive13-3.1.2-22.1 SUSE Linux Enterprise Software Development Kit 12 SP1:libarchive-devel-3.1.2-22.1 important 5.8 AV:N/AC:M/Au:N/C:N/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2016/suse-su-20161909-1/ https://www.suse.com/security/cve/CVE-2015-8923.html CVE-2015-8923 https://bugzilla.suse.com/985703 SUSE Bug 985703 The archive_read_format_tar_read_header function in archive_read_support_format_tar.c in libarchive before 3.2.0 allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted tar file. CVE-2015-8924 SUSE Linux Enterprise Desktop 12 SP1:libarchive13-3.1.2-22.1 SUSE Linux Enterprise Server 12 SP1:libarchive13-3.1.2-22.1 SUSE Linux Enterprise Server for SAP Applications 12 SP1:libarchive13-3.1.2-22.1 SUSE Linux Enterprise Software Development Kit 12 SP1:libarchive-devel-3.1.2-22.1 important 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2016/suse-su-20161909-1/ https://www.suse.com/security/cve/CVE-2015-8924.html CVE-2015-8924 https://bugzilla.suse.com/985609 SUSE Bug 985609 The readline function in archive_read_support_format_mtree.c in libarchive before 3.2.0 allows remote attackers to cause a denial of service (invalid read) via a crafted mtree file, related to newline parsing. CVE-2015-8925 SUSE Linux Enterprise Desktop 12 SP1:libarchive13-3.1.2-22.1 SUSE Linux Enterprise Server 12 SP1:libarchive13-3.1.2-22.1 SUSE Linux Enterprise Server for SAP Applications 12 SP1:libarchive13-3.1.2-22.1 SUSE Linux Enterprise Software Development Kit 12 SP1:libarchive-devel-3.1.2-22.1 important 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2016/suse-su-20161909-1/ https://www.suse.com/security/cve/CVE-2015-8925.html CVE-2015-8925 https://bugzilla.suse.com/985706 SUSE Bug 985706 The archive_read_format_rar_read_data function in archive_read_support_format_rar.c in libarchive before 3.2.0 allows remote attackers to cause a denial of service (crash) via a crafted rar archive. CVE-2015-8926 SUSE Linux Enterprise Desktop 12 SP1:libarchive13-3.1.2-22.1 SUSE Linux Enterprise Server 12 SP1:libarchive13-3.1.2-22.1 SUSE Linux Enterprise Server for SAP Applications 12 SP1:libarchive13-3.1.2-22.1 SUSE Linux Enterprise Software Development Kit 12 SP1:libarchive-devel-3.1.2-22.1 important 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2016/suse-su-20161909-1/ https://www.suse.com/security/cve/CVE-2015-8926.html CVE-2015-8926 https://bugzilla.suse.com/985704 SUSE Bug 985704 The process_add_entry function in archive_read_support_format_mtree.c in libarchive before 3.2.0 allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted mtree file. CVE-2015-8928 SUSE Linux Enterprise Desktop 12 SP1:libarchive13-3.1.2-22.1 SUSE Linux Enterprise Server 12 SP1:libarchive13-3.1.2-22.1 SUSE Linux Enterprise Server for SAP Applications 12 SP1:libarchive13-3.1.2-22.1 SUSE Linux Enterprise Software Development Kit 12 SP1:libarchive-devel-3.1.2-22.1 important 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2016/suse-su-20161909-1/ https://www.suse.com/security/cve/CVE-2015-8928.html CVE-2015-8928 https://bugzilla.suse.com/985679 SUSE Bug 985679 Memory leak in the __archive_read_get_extract function in archive_read_extract2.c in libarchive before 3.2.0 allows remote attackers to cause a denial of service via a tar file. CVE-2015-8929 SUSE Linux Enterprise Desktop 12 SP1:libarchive13-3.1.2-22.1 SUSE Linux Enterprise Server 12 SP1:libarchive13-3.1.2-22.1 SUSE Linux Enterprise Server for SAP Applications 12 SP1:libarchive13-3.1.2-22.1 SUSE Linux Enterprise Software Development Kit 12 SP1:libarchive-devel-3.1.2-22.1 important 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2016/suse-su-20161909-1/ https://www.suse.com/security/cve/CVE-2015-8929.html CVE-2015-8929 https://bugzilla.suse.com/985669 SUSE Bug 985669 bsdtar in libarchive before 3.2.0 allows remote attackers to cause a denial of service (infinite loop) via an ISO with a directory that is a member of itself. CVE-2015-8930 SUSE Linux Enterprise Desktop 12 SP1:libarchive13-3.1.2-22.1 SUSE Linux Enterprise Server 12 SP1:libarchive13-3.1.2-22.1 SUSE Linux Enterprise Server for SAP Applications 12 SP1:libarchive13-3.1.2-22.1 SUSE Linux Enterprise Software Development Kit 12 SP1:libarchive-devel-3.1.2-22.1 important 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2016/suse-su-20161909-1/ https://www.suse.com/security/cve/CVE-2015-8930.html CVE-2015-8930 https://bugzilla.suse.com/985700 SUSE Bug 985700 Multiple integer overflows in the (1) get_time_t_max and (2) get_time_t_min functions in archive_read_support_format_mtree.c in libarchive before 3.2.0 allow remote attackers to have unspecified impact via a crafted mtree file, which triggers undefined behavior. CVE-2015-8931 SUSE Linux Enterprise Desktop 12 SP1:libarchive13-3.1.2-22.1 SUSE Linux Enterprise Server 12 SP1:libarchive13-3.1.2-22.1 SUSE Linux Enterprise Server for SAP Applications 12 SP1:libarchive13-3.1.2-22.1 SUSE Linux Enterprise Software Development Kit 12 SP1:libarchive-devel-3.1.2-22.1 important 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2016/suse-su-20161909-1/ https://www.suse.com/security/cve/CVE-2015-8931.html CVE-2015-8931 https://bugzilla.suse.com/985689 SUSE Bug 985689 The compress_bidder_init function in archive_read_support_filter_compress.c in libarchive before 3.2.0 allows remote attackers to cause a denial of service (crash) via a crafted tar file, which triggers an invalid left shift. CVE-2015-8932 SUSE Linux Enterprise Desktop 12 SP1:libarchive13-3.1.2-22.1 SUSE Linux Enterprise Server 12 SP1:libarchive13-3.1.2-22.1 SUSE Linux Enterprise Server for SAP Applications 12 SP1:libarchive13-3.1.2-22.1 SUSE Linux Enterprise Software Development Kit 12 SP1:libarchive-devel-3.1.2-22.1 important 5 AV:N/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2016/suse-su-20161909-1/ https://www.suse.com/security/cve/CVE-2015-8932.html CVE-2015-8932 https://bugzilla.suse.com/985665 SUSE Bug 985665 Integer overflow in the archive_read_format_tar_skip function in archive_read_support_format_tar.c in libarchive before 3.2.0 allows remote attackers to cause a denial of service (crash) via a crafted tar file. CVE-2015-8933 SUSE Linux Enterprise Desktop 12 SP1:libarchive13-3.1.2-22.1 SUSE Linux Enterprise Server 12 SP1:libarchive13-3.1.2-22.1 SUSE Linux Enterprise Server for SAP Applications 12 SP1:libarchive13-3.1.2-22.1 SUSE Linux Enterprise Software Development Kit 12 SP1:libarchive-devel-3.1.2-22.1 important 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2016/suse-su-20161909-1/ https://www.suse.com/security/cve/CVE-2015-8933.html CVE-2015-8933 https://bugzilla.suse.com/985688 SUSE Bug 985688 The copy_from_lzss_window function in archive_read_support_format_rar.c in libarchive 3.2.0 and earlier allows remote attackers to cause a denial of service (out-of-bounds heap read) via a crafted rar file. CVE-2015-8934 SUSE Linux Enterprise Desktop 12 SP1:libarchive13-3.1.2-22.1 SUSE Linux Enterprise Server 12 SP1:libarchive13-3.1.2-22.1 SUSE Linux Enterprise Server for SAP Applications 12 SP1:libarchive13-3.1.2-22.1 SUSE Linux Enterprise Software Development Kit 12 SP1:libarchive-devel-3.1.2-22.1 important 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2016/suse-su-20161909-1/ https://www.suse.com/security/cve/CVE-2015-8934.html CVE-2015-8934 https://bugzilla.suse.com/985673 SUSE Bug 985673 Integer overflow in the read_SubStreamsInfo function in archive_read_support_format_7zip.c in libarchive before 3.2.1 allows remote attackers to execute arbitrary code via a 7zip file with a large number of substreams, which triggers a heap-based buffer overflow. CVE-2016-4300 SUSE Linux Enterprise Desktop 12 SP1:libarchive13-3.1.2-22.1 SUSE Linux Enterprise Server 12 SP1:libarchive13-3.1.2-22.1 SUSE Linux Enterprise Server for SAP Applications 12 SP1:libarchive13-3.1.2-22.1 SUSE Linux Enterprise Software Development Kit 12 SP1:libarchive-devel-3.1.2-22.1 important 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2016/suse-su-20161909-1/ https://www.suse.com/security/cve/CVE-2016-4300.html CVE-2016-4300 https://bugzilla.suse.com/985832 SUSE Bug 985832 Stack-based buffer overflow in the parse_device function in archive_read_support_format_mtree.c in libarchive before 3.2.1 allows remote attackers to execute arbitrary code via a crafted mtree file. CVE-2016-4301 SUSE Linux Enterprise Desktop 12 SP1:libarchive13-3.1.2-22.1 SUSE Linux Enterprise Server 12 SP1:libarchive13-3.1.2-22.1 SUSE Linux Enterprise Server for SAP Applications 12 SP1:libarchive13-3.1.2-22.1 SUSE Linux Enterprise Software Development Kit 12 SP1:libarchive-devel-3.1.2-22.1 important 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2016/suse-su-20161909-1/ https://www.suse.com/security/cve/CVE-2016-4301.html CVE-2016-4301 https://bugzilla.suse.com/985826 SUSE Bug 985826 Heap-based buffer overflow in the parse_codes function in archive_read_support_format_rar.c in libarchive before 3.2.1 allows remote attackers to execute arbitrary code via a RAR file with a zero-sized dictionary. CVE-2016-4302 SUSE Linux Enterprise Desktop 12 SP1:libarchive13-3.1.2-22.1 SUSE Linux Enterprise Server 12 SP1:libarchive13-3.1.2-22.1 SUSE Linux Enterprise Server for SAP Applications 12 SP1:libarchive13-3.1.2-22.1 SUSE Linux Enterprise Software Development Kit 12 SP1:libarchive-devel-3.1.2-22.1 important 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2016/suse-su-20161909-1/ https://www.suse.com/security/cve/CVE-2016-4302.html CVE-2016-4302 https://bugzilla.suse.com/985835 SUSE Bug 985835 The archive_read_format_cpio_read_header function in archive_read_support_format_cpio.c in libarchive before 3.2.1 allows remote attackers to cause a denial of service (application crash) via a CPIO archive with a large symlink. CVE-2016-4809 SUSE Linux Enterprise Desktop 12 SP1:libarchive13-3.1.2-22.1 SUSE Linux Enterprise Server 12 SP1:libarchive13-3.1.2-22.1 SUSE Linux Enterprise Server for SAP Applications 12 SP1:libarchive13-3.1.2-22.1 SUSE Linux Enterprise Software Development Kit 12 SP1:libarchive-devel-3.1.2-22.1 important 1.9 AV:L/AC:M/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2016/suse-su-20161909-1/ https://www.suse.com/security/cve/CVE-2016-4809.html CVE-2016-4809 https://bugzilla.suse.com/984990 SUSE Bug 984990