Bug 29431

Summary: libarchive new security issues fixed upstream in 3.5.2 (including CVE-2021-23177)
Product: Mageia
Reporter: David Walser <luigiwalser>
Component: Security
Assignee: QA Team <qa-bugs>
Status: RESOLVED FIXED
QA Contact: Sec team <security>
Severity: normal
Priority: Normal
CC: andrewsfarm, brtians1, davidwhodgins, herman.viaene, sysadmin-bugs
Version: 8
Keywords: advisory, validated_update
Target Milestone: ---
Hardware: All
OS: Linux
Whiteboard: MGA8-64-OK
Source RPM: libarchive-3.5.1-1.mga8.src.rpm
CVE:
Status comment:

Description David Walser 2021-09-01 17:45:41 CEST
libarchive 3.5.2 has been released on August 22:
https://github.com/libarchive/libarchive/releases/tag/v3.5.2

It lists a few security fixes in the release announcement.
Comment 1 Nicolas Salguero 2021-09-02 09:10:05 CEST
Suggested advisory:
========================

The updated packages fix several bugs including security vulnerabilities:

Fix handling of symbolic link ACLs on Linux.

Never follow symlinks when setting file flags on Linux.

Do not follow symlinks when processing the fixup list.

References:
https://github.com/libarchive/libarchive/releases/tag/v3.5.2
========================

Updated packages in core/updates_testing:
========================
bsdcat-3.5.2-1.mga8
bsdtar-3.5.2-1.mga8
bsdcpio-3.5.2-1.mga8
lib(64)archive-devel-3.5.2-1.mga8
lib(64)archive13-3.5.2-1.mga8

from SRPM:
libarchive-3.5.2-1.mga8.src.rpm

Assignee: nicolas.salguero => qa-bugs
Status: NEW => ASSIGNED
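
The fixup-list item in the advisory concerns directory metadata that libarchive defers until the rest of the archive has been written. As an added illustration (not libarchive's code, not part of this bug report), the Python script below contrasts a path-based fixup, which follows a symlink that has replaced the directory, with one that opens the directory with O_NOFOLLOW and re-checks its inode before changing anything. It assumes Linux (os.O_DIRECTORY, fd-based os.utime); the directory names and mode values are constructed for the demonstration.

```python
import os
import stat
import tempfile
class FixupRefused(Exception):
    """A deferred fixup would not land on the directory we created."""

def apply_fixup_by_path(path, mode, mtime):
    # Path-based calls resolve symlinks: if `path` has become a link, the
    # mode and timestamp land on whatever the link now points to.
    os.chmod(path, mode)
    os.utime(path, (mtime, mtime))

def apply_fixup_nofollow(path, mode, mtime, expected_id):
    # Open without following links and work on the descriptor, so the
    # identity check and the metadata change hit one and the same inode.
    try:
        fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW | os.O_DIRECTORY)
    except OSError as exc:  # ELOOP when `path` is a symlink
        raise FixupRefused(f"{path}: {exc.strerror}") from exc
    try:
        st = os.fstat(fd)
        if (st.st_dev, st.st_ino) != expected_id:
            raise FixupRefused(f"{path} was replaced after it was created")
        os.fchmod(fd, mode)
        os.utime(fd, (mtime, mtime))
    finally:
        os.close(fd)

def demo():
    """Constructed scenario: a directory on the fixup list is swapped for a
    symlink to an outside directory before its deferred metadata is applied."""
    with tempfile.TemporaryDirectory() as root:
        outside = os.path.join(root, "outside")
        os.mkdir(outside, 0o700)
        target = os.path.join(root, "extract", "sub")
        os.makedirs(target, 0o700)
        st = os.lstat(target)
        dir_id = (st.st_dev, st.st_ino)   # remembered when the entry was written
        os.rmdir(target)                  # simulate a later entry replacing it
        os.symlink(outside, target)
        apply_fixup_by_path(target, 0o755, 0)
        followed = stat.S_IMODE(os.lstat(outside).st_mode) == 0o755
        os.chmod(outside, 0o700)          # reset before trying the safe variant
        try:
            apply_fixup_nofollow(target, 0o755, 0, dir_id)
            refused = False
        except FixupRefused:
            refused = True
        untouched = stat.S_IMODE(os.lstat(outside).st_mode) == 0o700
        return {"followed": followed, "refused": refused, "untouched": untouched}
```

Running demo() shows the path-based variant changing the outside directory's mode while the descriptor-based one refuses and leaves it alone.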

Comment 2 Brian Rockwell 2021-09-03 20:41:20 CEST
MGA8  - 64bit

okay I installed

installed
bsdcat
bsdtar
lib64archive13-3.5.2-1

I created a link using the (ln -s) command.

Then used bsdtar to archive the folder with the link.

The resulting tar file did have the link in it, but did not download the contents of the link into the tar.

I was able to extract using the archiver in GNOME; it contained the link, which still attempted to point to the folder (on another machine).

The tools seem to work, but I'm not sure I comprehend what this fixed.

CC: (none) => brtians1

Comment 3 Herman Viaene 2021-09-15 15:51:42 CEST
MGA8-64 Plasma on Lenovo B50
No installation issues.
Ref bug 2337 for testing.
$ cd Documenten
$ ls
Charts/  jetty/  main.js  qtwebengin.txt  thumbnail.py  tutorialredis.txt  win10reg/  wiresh/  ziekenhuis/
$ bsdtar -c -f ~/archtar *
Opened archtar with ark, all looks OK
$ cd ~/tmp/
[tester8@mach5 tmp]$ bsdtar -x -f /home/tester8/archtar
Checked contents of tmp: all files and folders are there OK.

CC: (none) => herman.viaene
Whiteboard: (none) => MGA8-64-OK

Comment 4 Thomas Andrews 2021-09-17 13:59:55 CEST
Validating. Advisory in Comment 1.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Dave Hodgins 2021-09-22 22:40:43 CEST

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 5 Mageia Robot 2021-09-23 06:52:13 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0430.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED

Comment 6 David Walser 2022-02-17 18:48:41 CET
One of the security issues fixed in this update is CVE-2021-23177:
https://ubuntu.com/security/notices/USN-5291-1

Summary: libarchive new security issues fixed upstream in 3.5.2 => libarchive new security issues fixed upstream in 3.5.2 (including CVE-2021-23177)