HELP please re:libarchive version security bug

  • This topic has 2 replies, 2 voices, and was last updated Nov 15-8:32 am by stevesr0.
  • #29372
    Member
    stevesr0

    I heard that there is a bug in versions of libarchive that warrants updating to version 3.4.0 (CVE-2019-18408). I am running antiX 17 with libarchive3 installed, with a version level of 3.2.2. I don’t see version 3.4.0 available as an alternative.

    I also understand that Debian has updated to version 3.4.

    I just attempted to update by installing from the libarchive.org GitHub site. Configure completed without complaint, but make generated errors in make, make ch and make install (see below).
    MAKE:
    “Makefile:6561: recipe for target ‘libarchive/archive_read_support_filter_gzip.lo’ failed
    make[1]: *** [libarchive/archive_read_support_filter_gzip.lo] Error 1
    make[1]: Leaving directory ‘/home/stevesr0/Downloads/libarchive-3.4.0’
    Makefile:3773: recipe for target ‘all’ failed
    make: *** [all] Error 2”

    Make ch:
    $ make ch
    make: *** No rule to make target ‘ch’. Stop.

    Make install:
    libarchive/archive_read_support_filter_gzip.c:247:11: error: dereferencing pointer to incomplete type ‘struct private_data’
    if (state->mtime != 0)
    ^~
    At top level:
    libarchive/archive_read_support_filter_gzip.c:240:1: warning: ‘gzip_read_header’ defined but not used [-Wunused-function]
    gzip_read_header(struct archive_read_filter *self, struct archive_entry *entry)
    ^~~~~~~~~~~~~~~~
    Makefile:6561: recipe for target ‘libarchive/archive_read_support_filter_gzip.lo’ failed
    make[1]: *** [libarchive/archive_read_support_filter_gzip.lo] Error 1
    make[1]: Leaving directory ‘/home/stevesr0/Downloads/libarchive-3.4.0’
    Makefile:14897: recipe for target ‘install’ failed
    make: *** [install] Error 2

    I don’t know if these errors are significant (the new version is not installed and/or the old version has been mucked with).

    I have sought enlightenment from the github site and internet search, but haven’t found anything helpful.

    Comments appreciated.

    I will also recheck whether things are working after reboot.

    stevesr0

    #29373
    Forum Admin
    anticapitalista

    It seems there is already a security fix version in Debian stretch

    https://metadata.ftp-master.debian.org/changelogs//main/liba/libarchive/libarchive_3.2.2-2+deb9u2_changelog

    Philosophers have interpreted the world in many ways; the point is to change it.

    #29379
    Member
    stevesr0

    Hi anticapitalista,

    Thanks for the reply. That does seem to address the CVEs of concern.

    I already had that one installed, so my work was unnecessary.

    stevesr0
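
Added example (not part of the thread, and not antiX or Debian code): Debian stable backports security fixes without raising the upstream version, so a 3.2.2 package revision can carry the fix discussed above. This sketch finds the package revision whose changelog entry first mentions a CVE and compares it with the installed version; the sample changelog is constructed and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed sample in Debian changelog layout (newest entry first).
# Not the text of the real libarchive changelog; +deb9u99 is a placeholder.
sample_changelog() {
cat <<'EOF'
libarchive (3.2.2-2+deb9u99) stretch-security; urgency=medium

  * Regression fix for the CVE-2019-18408 patch (constructed)

libarchive (3.2.2-2+deb9u2) stretch-security; urgency=medium

  * Fix CVE-2019-18408 (constructed)

libarchive (3.2.2-2) unstable; urgency=medium

  * Unrelated packaging change (constructed)
EOF
}

# cve_fixed_in CVE-ID < changelog
# Prints the oldest package version whose entry mentions the CVE, i.e. the
# first revision carrying the fix. Exit status 1 if the CVE never appears.
cve_fixed_in() {
    awk -v cve="$1" '
        /^[a-z0-9][a-z0-9+.-]* \([^)]+\) / {   # entry header: name (version) dist
            ver = $2; gsub(/[()]/, "", ver); next
        }
        ver != "" && index($0, cve) { fixed = ver }  # later lines = older entries
        END { if (fixed == "") exit 1; print fixed }
    '
}

# installed_at_least PACKAGE VERSION
# True if the installed package is at or above VERSION by Debian ordering.
# Needs dpkg, so it only runs on a Debian-based system such as antiX.
installed_at_least() {
    installed=$(dpkg-query -W -f='${Version}' "$1") || return 2
    dpkg --compare-versions "$installed" ge "$2"
}

# On the affected machine (libarchive13 is Debian's binary package name):
#   fixed=$(zcat /usr/share/doc/libarchive13/changelog.Debian.gz |
#           cve_fixed_in CVE-2019-18408) && installed_at_least libarchive13 "$fixed"
```

A non-zero status from `cve_fixed_in` means the changelog never mentions the CVE, which is the case where a newer package or a rebuild from source is actually needed.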
