Bug 31179

Summary: libarchive new security issue CVE-2022-36227
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: andrewsfarm, davidwhodgins, nicolas.salguero, sysadmin-bugs
Version: 8Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA8-64-OK
Source RPM: libarchive-3.6.1-1.mga8.src.rpm CVE: CVE-2022-36227
Status comment:

Description David Walser 2022-11-24 18:10:38 CET 
SUSE has issued an advisory on November 23:
https://lists.suse.com/pipermail/sle-security-updates/2022-November/013094.html

Mageia 8 is also affected.
Comment 1 David Walser 2022-11-24 18:11:32 CET 
Equivalent openSUSE advisory:
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/N4XUJQ5ZT6HWNXMENJI7BA5SJHZCQSOO/

Whiteboard: (none) => MGA8TOO

Comment 2 Nicolas Salguero 2022-11-25 08:47:33 CET 
Suggested advisory:
========================

The updated packages fix a security vulnerability:

In libarchive 3.6.1, the software does not check for an error after calling calloc function that can return with a NULL pointer if the function fails, which leads to a resultant NULL pointer dereference. (CVE-2022-36227)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-36227
https://lists.suse.com/pipermail/sle-security-updates/2022-November/013094.html
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/N4XUJQ5ZT6HWNXMENJI7BA5SJHZCQSOO/
========================

Updated packages in core/updates_testing:
========================
bsdcat-3.6.1-1.1.mga8
bsdcpio-3.6.1-1.1.mga8
bsdtar-3.6.1-1.1.mga8
lib(64)archive13-3.6.1-1.1.mga8
lib(64)archive-devel-3.6.1-1.1.mga8

from SRPM:
libarchive-3.6.1-1.1.mga8.src.rpm

CC: (none) => nicolas.salguero
Version: Cauldron => 8
Whiteboard: MGA8TOO => (none)
Source RPM: libarchive-3.6.1-1.mga9.src.rpm => libarchive-3.6.1-1.mga8.src.rpm
Assignee: bugsquad => qa-bugs
CVE: (none) => CVE-2022-36227
Status: NEW => ASSIGNED

Comment 3 Thomas Andrews 2022-12-06 20:16:50 CET 
Tested in a MGA8-64 VirtualBox Plasma guest. Using qarepo, there were no installation issues.

Following Herman's lead from Bug 24337, with a few modifications:

$ cd Pictures/Beagle
$ ls
 1171314392_01b8be2c13_b.jpg*  'Beagle Max2A.xcf'*  'Beagle Max3.jpg'*        'beagle maximus2.jpg'*  'Beagle Max.jpg'*       'beagle poster.pdf'*   p4230002.jpg*   p4230005.jpg*
...and more, 22 files in all, jpg, png, pdf file types. Mostly photos of Beagle Maximus, a very large special-shape hot air balloon that I once crewed for.

$ bsdtar -c -f ~/archtar *

examined archtar with ark, all 22 files were there.

$ cd /home/tom/tmp
$ bsdtar -x -f /home/tom/archtar

Viewed all resulting files in tmp with gwenview, all looked good. Deleted the files from tmp, then used ark to extract the contents of archtar to there, and viewed them with gwenview again. They appeared to be identical.

Giving this an OK, and validating. Advisory in Comment 2.

CC: (none) => andrewsfarm, sysadmin-bugs
Whiteboard: (none) => MGA8-64-OK
Keywords: (none) => validated_update

Dave Hodgins 2022-12-13 02:12:58 CET

CC: (none) => davidwhodgins
Keywords: (none) => advisory

Comment 4 Mageia Robot 2022-12-13 23:10:41 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0453.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED