| Summary: | libarchive new security issues fixed upstream in 3.6.1 (including CVE-2022-26280) | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | Nicolas Salguero <nicolas.salguero> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | andrewsfarm, davidwhodgins, nicolas.salguero, sysadmin-bugs, tarazed25 |
| Version: | 8 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA8-64-OK | ||
| Source RPM: | libarchive-3.5.3-1.mga8.src.rpm | CVE: | |
| Status comment: | |||
Description

Nicolas Salguero
2022-04-11 11:52:17 CEST

Comment 1

Nicolas Salguero
2022-04-11 11:52:38 CEST

CC: (none) => nicolas.salguero

Suggested advisory:
========================

The updated packages fix security vulnerabilities:

7zip reader: fix PPMD read beyond boundary.
ZIP reader: fix possible out of bounds read.
ISO reader: fix possible heap buffer overflow in read_children().
RARv4 reader: fix multiple issues in RARv4 filter code (introduced in libarchive 3.6.0):
- fix heap use after free in archive_read_format_rar_read_data();
- fix null dereference in read_data_compressed();
- fix heap use after free in run_filters().

References:
https://github.com/libarchive/libarchive/releases/tag/v3.6.1
========================

Updated packages in core/updates_testing:
========================
bsdcat-3.6.1-1.mga8
bsdcpio-3.6.1-1.mga8
bsdtar-3.6.1-1.mga8
lib(64)archive13-3.6.1-1.mga8
lib(64)archive-devel-3.6.1-1.mga8

from SRPM:
libarchive-3.6.1-1.mga8.src.rpm

Status: NEW => ASSIGNED

Comment 2 (David Walser)

Ubuntu has issued an advisory on April 11:
https://ubuntu.com/security/notices/USN-5374-1

Does this update include the fix for CVE-2022-26280?

Comment 3

mga8, x64

Installed the packages and ran a few commands. Referred to earlier bug 24337 for testing hints.

Ran the updates.

    $ cd ~/qa
    $ bsdtar -cf qatest libarchive
    $ du -hs libarchive
    95M     libarchive
    $ ll qatest
    -rw-r--r-- 1 lcl lcl 98882048 Apr 12 21:56 qatest
    $ cp qatest /data
    $ cd /data
    $ bsdtar -xf qatest
    $ du -hs libarchive
    95M     libarchive

Edited list of `urpmq --whatrequires lib64archive13`:
ardour ark bsdcat bsdtar elfutils file-roller flatpak hydrogen icecream lordsawar meandmyshadow midori mpv rpm samba-client vlc-plugin-common zeal

    $ strace -o mpv.trace mpv TheNarrowWorld.mkv
    $ grep archive mpv.trace
    openat(AT_FDCWD, "/lib64/libarchive.so.13", O_RDONLY|O_CLOEXEC) = 3

Good enough. OK for 64 bits.

CC: (none) => tarazed25

Comment 4

(In reply to David Walser from comment #2)
> Ubuntu has issued an advisory on April 11:
> https://ubuntu.com/security/notices/USN-5374-1
>
> Does this update include the fix for CVE-2022-26280?

Yes, it does. It is the second point (ZIP reader: fix possible out of bounds read).

Suggested advisory:
========================

The updated packages fix security vulnerabilities:

7zip reader: fix PPMD read beyond boundary.
ZIP reader: fix possible out of bounds read. (CVE-2022-26280)
ISO reader: fix possible heap buffer overflow in read_children().
RARv4 reader: fix multiple issues in RARv4 filter code (introduced in libarchive 3.6.0):
- fix heap use after free in archive_read_format_rar_read_data();
- fix null dereference in read_data_compressed();
- fix heap use after free in run_filters().

References:
https://github.com/libarchive/libarchive/releases/tag/v3.6.1
https://ubuntu.com/security/notices/USN-5374-1
https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-26280
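The QA round trip in comment 3 compares directory sizes with du -hs after a bsdtar create/extract cycle, and the strace run shows which binaries open libarchive.so.13. The script below is an added example written for this page; it is not part of the Mageia bug, the Mageia advisory, or the libarchive project. It makes the same checks a bit stronger: per-file SHA-256 sums instead of sizes, a version gate against the fixed release 3.6.1, and a scan of /proc/*/maps for processes that still have the pre-update (unlinked) library mapped. All function names are my own; it assumes a POSIX sh with GNU-style sort -V, sha256sum, cmp, find and mktemp, and it falls back from bsdtar to GNU tar only so that the round trip still runs on a host without the updated bsdtar package. The sample tree it archives is constructed inline.

```shell
#!/bin/sh
# Added QA helper for the libarchive 3.6.1 update on this page. Not part of
# the Mageia bug, the advisory, or libarchive itself. Assumptions: POSIX sh,
# GNU-style sort -V, sha256sum, cmp, find, mktemp; bsdtar from the updated
# package, with a fallback to GNU tar (assumption) where bsdtar is absent.

# Return 0 when version $1 is at or above version $2 (3.6.1 is the release
# that carries the fixes listed in the advisory). sort -V orders dotted
# versions numerically, so the first line of the sorted pair is the minimum.
version_at_least() {
    have=$1
    want=$2
    lowest=$(printf '%s\n%s\n' "$have" "$want" | sort -V | head -n 1)
    [ "$lowest" = "$want" ]
}

# Archive directory $1 with the archiver under test, extract the archive in a
# scratch directory and compare per-file SHA-256 sums of both trees. This
# catches truncated or corrupted members that the du -hs size comparison in
# the QA comment would miss. Prints the number of files compared; returns 0
# on a clean round trip and 1 otherwise (with the differing sums on stderr).
roundtrip_check() {
    src=$1
    archiver=${ARCHIVER:-$(command -v bsdtar || command -v tar)}
    [ -n "$archiver" ] || { echo "no archiver found" >&2; return 1; }
    parent=$(dirname "$src")
    name=$(basename "$src")
    work=$(mktemp -d) || return 1

    ( cd "$parent" && "$archiver" -cf "$work/roundtrip.tar" "$name" ) \
        || { rm -rf "$work"; return 1; }
    ( cd "$work" && "$archiver" -xf roundtrip.tar ) \
        || { rm -rf "$work"; return 1; }

    ( cd "$parent" && find "$name" -type f -exec sha256sum {} + | sort ) > "$work/before.sum"
    ( cd "$work"   && find "$name" -type f -exec sha256sum {} + | sort ) > "$work/after.sum"

    if cmp -s "$work/before.sum" "$work/after.sum"; then
        wc -l < "$work/before.sum" | tr -d ' '
        rm -rf "$work"
        return 0
    fi
    diff "$work/before.sum" "$work/after.sum" >&2
    rm -rf "$work"
    return 1
}

# Print PIDs that still map an old libarchive.so.13. The rpm upgrade unlinks
# the previous file, so the mapping is shown with a "(deleted)" suffix; such
# processes keep running the unfixed code until restarted. Reading another
# user's /proc/<pid>/maps needs the matching privileges.
stale_libarchive_users() {
    grep -l 'libarchive\.so\.13.*(deleted)' /proc/[0-9]*/maps 2>/dev/null \
        | sed 's#^/proc/\([0-9]*\)/maps$#\1#'
}

# Constructed sample tree (text file, empty file, nested directory with a
# space in its name, a few KB of data); runs the round trip and prints the
# file count on success.
demo() {
    base=$(mktemp -d) || return 1
    tree=$base/sample
    mkdir -p "$tree/sub dir"
    printf 'hello libarchive\n' > "$tree/a.txt"
    : > "$tree/empty"
    seq 1 2000 > "$tree/sub dir/numbers.bin"
    n=$(roundtrip_check "$tree")
    rc=$?
    rm -rf "$base"
    [ "$rc" -eq 0 ] && echo "$n"
    return "$rc"
}

# Usage: sh qa_libarchive.sh --run
if [ "${1:-}" = "--run" ]; then
    installed=$(bsdtar --version 2>/dev/null | sed -n 's/.*libarchive \([0-9.]*\).*/\1/p')
    if version_at_least "$installed" 3.6.1; then
        echo "libarchive $installed: at or above 3.6.1"
    else
        echo "libarchive '$installed': older than 3.6.1 or bsdtar missing"
    fi
    demo
    stale_libarchive_users
fi
```

The version gate reads the libarchive version out of `bsdtar --version` rather than trusting the package name, so it also works on a host where the library was rebuilt locally. An empty PID list from stale_libarchive_users after the update is the condition the strace check in comment 3 is really after: no long-running consumer of lib64archive13 (mpv, samba-client, flatpak and the others in the urpmq list) still holding the old mapping.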
Comment 5

David Walser
2022-04-13 16:04:22 CEST

Summary: libarchive new security issues fixed upstream in 3.6.1 => libarchive new security issues fixed upstream in 3.6.1 (including CVE-2022-26280)

Validating. Advisory in Comment 4.

Keywords: (none) => validated_update
Comment 6

Dave Hodgins
2022-04-15 22:21:30 CEST

CC: (none) => davidwhodgins

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0142.html

Resolution: (none) => FIXED