Bug 30023

Summary: libarchive new security issues CVE-2021-31566 and CVE-2021-36976
Product: Mageia Reporter: Nicolas Salguero <nicolas.salguero>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: andrewsfarm, davidwhodgins, herman.viaene, nicolas.salguero, sysadmin-bugs
Version: 8Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA8-64-OK
Source RPM: libarchive-3.5.2-1.mga8.src.rpm CVE: CVE-2021-31566, CVE-2021-36976
Status comment:

Description Nicolas Salguero 2022-02-10 11:55:13 CET 
Upstream has released version 3.5.3 on February, 8:
https://github.com/libarchive/libarchive/releases/tag/v3.5.3
Nicolas Salguero 2022-02-10 11:56:13 CET

CC: (none) => nicolas.salguero
CVE: (none) => CVE-2021-31566, CVE-2021-36976
Whiteboard: (none) => MGA8TOO
Source RPM: (none) => libarchive-3.5.2-1.mga8.src.rpm
Assignee: bugsquad => nicolas.salguero

Comment 1 Nicolas Salguero 2022-02-10 12:22:26 CET 
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

Processing fixup entries may follow symbolic links. (CVE-2021-31566)

libarchive 3.4.1 through 3.5.1 has a use-after-free in copy_string (called from do_uncompress_block and process_block). (CVE-2021-36976)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31566
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36976
https://github.com/libarchive/libarchive/releases/tag/v3.5.3
========================

Updated packages in core/updates_testing:
========================
bsdcpio-3.5.3-1.mga8
bsdcat-3.5.3-1.mga8
bsdtar-3.5.3-1.mga8
lib(64)archive13-3.5.3-1.mga8
lib(64)archive-devel-3.5.3-1.mga8

from SRPM:
libarchive-3.5.3-1.mga8.src.rpm

Assignee: nicolas.salguero => qa-bugs
Whiteboard: MGA8TOO => (none)
Status: NEW => ASSIGNED
Version: Cauldron => 8

Comment 2 Herman Viaene 2022-02-11 16:32:17 CET 
MGA8-64 Plasma on Lenovo B50 in Dutch
No installation issues.
ref bug 29431 for test
cd Documenten
$ ls
 bugs/        gnucash.dbm       libcairo.txt     libzapojit.txt   mirror.readme                                  OLVvSnieuw.dbm         plib.txt             SOFTWARE*       tutorialredis.txt
 Charts/      hello.go          libhiredis.txt   log4j_t1.7z      nodejstar.js                                   OLVvSnieuw_fixed.dbm   pocapachecompress/   testkicad/      volkstuintjes/
 cryptest_v   helloworld.java   libtinyxml.txt   lxmltxt          node_modules/                                  package-lock.json      qtwebengin.txt       testmodel.dbm   wiresh/
 gmp.txt      jetty/            libtox.txt       main.js         'OKRA DATABANK OLV Smarten 22.11.2021.accdb'*   php/                   SFboeken.tc          thumbnail.py    ziekenhuis/
$  bsdtar -c -f ~/archtar *
Opened archtar with ark, all looks OK
$ cd ~/tmp/
$ bsdtar -x -f /home/tester8/archtar
Checked contents of tmp: all files and folders are there OK.

Whiteboard: (none) => MGA8-64-OK
CC: (none) => herman.viaene

Comment 3 Thomas Andrews 2022-02-11 21:19:20 CET 
Validating. Advisory in Comment 1.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Dave Hodgins 2022-02-12 17:36:05 CET

CC: (none) => davidwhodgins
Keywords: (none) => advisory

Comment 4 Mageia Robot 2022-02-12 18:32:54 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0060.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED

Comment 5 David Walser 2022-02-25 16:29:00 CET 
Fedora has issued an advisory for this on February 24:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/SE5NJQNM22ZE5Z55LPAGCUHSBQZBKMKC/