HELP please re:libarchive version security bug

Forum Forums Orphaned Posts antiX-17 “Heather Heyer, Helen Keller” HELP please re:libarchive version security bug

  • This topic has 2 replies, 2 voices, and was last updated Nov 15-8:32 am by stevesr0.
Viewing 3 posts - 1 through 3 (of 3 total)
  • Author
    Posts
  • November 15, 2019 at 6:40 am #29372
    Member
    stevesr0

      I heard that there is a bug in versions of libarchive that warrants updating to version 3.4.0 (CVE-2019-18408). I am running antix 17 with libarchive3 installed, with a version level of 3.2.2. I don’t see version 3.4.0 available as an alternative.

      I also understand that Debian has updated to version 3.4.

      I just attempted to update by installing from the libarchive.org github site. Configure completed without complaint,but make generated errors in make make ch and make install (see below).
      MAKE:
      “Makefile:6561: recipe for target ‘libarchive/archive_read_support_filter_gzip.lo’ failed
      make[1]: *** [libarchive/archive_read_support_filter_gzip.lo] Error 1
      make[1]: Leaving directory ‘/home/stevesr0/Downloads/libarchive-3.4.0’
      Makefile:3773: recipe for target ‘all’ failed
      make: *** [all] Error 2”

      Make ch:
      $ make ch
      make: *** No rule to make target ‘ch’. Stop.

      Make install:
      libarchive/archive_read_support_filter_gzip.c:247:11: error: dereferencing pointer to incomplete type ‘struct private_data’
      if (state->mtime != 0)
      ^~
      At top level:
      libarchive/archive_read_support_filter_gzip.c:240:1: warning: ‘gzip_read_header’ defined but not used [-Wunused-function]
      gzip_read_header(struct archive_read_filter *self, struct archive_entry *entry)
      ^~~~~~~~~~~~~~~~
      Makefile:6561: recipe for target ‘libarchive/archive_read_support_filter_gzip.lo’ failed
      make[1]: *** [libarchive/archive_read_support_filter_gzip.lo] Error 1
      make[1]: Leaving directory ‘/home/stevesr0/Downloads/libarchive-3.4.0’
      Makefile:14897: recipe for target ‘install’ failed
      make: *** [install] Error 2

      I don’t know if these errors are significant (the new version is not installed and/or the old version has been mucked with).

      I have sought enlightenment from the github site and internet search, but haven’t found anything helpful.

      Comments appreciated.

      I will also recheck whether things are working after reboot.

      stevesr0

      • This topic was modified 3 years, 5 months ago by stevesr0.
      November 15, 2019 at 6:46 am #29373
      Forum Admin
      anticapitalista
        Helpful
        Up
        0
        ::

        It seems there is already a security fix version in Debian stretch

        https://metadata.ftp-master.debian.org/changelogs//main/liba/libarchive/libarchive_3.2.2-2+deb9u2_changelog

        Philosophers have interpreted the world in many ways; the point is to change it.

        antiX with runit - leaner and meaner.

        November 15, 2019 at 8:32 am #29379
        Member
        stevesr0
          Helpful
          Up
          0
          ::

          Hi anticapitalista,

          Thanks for reply. That does seem to address the CVEs of concern.

          I already had that one installed, so my work was unnecessary.

          stevesr0

        • Author
          Posts
        Viewing 3 posts - 1 through 3 (of 3 total)
        • You must be logged in to reply to this topic.