Bug 33154

Summary: libarchive new security issue CVE-2024-26256
Product: Mageia Reporter: Nicolas Salguero <nicolas.salguero>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: andrewsfarm, sysadmin-bugs
Version: 9Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA9-64-OK
Source RPM: libarchive-3.6.2-5.mga9.src.rpm CVE: CVE-2024-26256
Status comment:

Description Nicolas Salguero 2024-04-29 11:49:08 CEST 
That CVE was announced here:
https://github.com/advisories/GHSA-2jc9-36w4-pmqw

The following commit fixes the problem:
https://github.com/libarchive/libarchive/pull/2135
Comment 1 Nicolas Salguero 2024-04-29 11:55:47 CEST 
Suggested advisory:
========================

The updated packages fix a security vulnerability:

Remote Code Execution Vulnerability. (CVE-2024-26256)

References:
https://github.com/advisories/GHSA-2jc9-36w4-pmqw
========================

Updated packages in core/updates_testing:
========================
bsdcat-3.6.2-5.1.mga9
bsdcpio-3.6.2-5.1.mga9
bsdtar-3.6.2-5.1.mga9
lib(64)archive13-3.6.2-5.1.mga9
lib(64)archive-devel-3.6.2-5.1.mga9

from SRPM:
libarchive-3.6.2-5.1.mga9.src.rpm

Source RPM: (none) => libarchive-3.6.2-5.mga9.src.rpm
Status: NEW => ASSIGNED
Assignee: bugsquad => qa-bugs
CVE: (none) => CVE-2024-26256

katnatek 2024-04-29 18:34:56 CEST

Keywords: (none) => advisory

Comment 2 katnatek 2024-04-30 03:39:06 CEST 
RH mageia 9 x86
LC_ALL=C urpmi --auto --auto-update
medium "QA Testing (32-bit)" is up-to-date
medium "QA Testing (64-bit)" is up-to-date
medium "Core Release (distrib1)" is up-to-date
medium "Core Updates (distrib3)" is up-to-date
medium "Nonfree Release (distrib11)" is up-to-date
medium "Nonfree Updates (distrib13)" is up-to-date
medium "Tainted Release (distrib21)" is up-to-date
medium "Tainted Updates (distrib23)" is up-to-date
medium "Core 32bit Release (distrib31)" is up-to-date
medium "Core 32bit Updates (distrib32)" is up-to-date
medium "Nonfree 32bit Release (distrib36)" is up-to-date
medium "Tainted 32bit Release (distrib41)" is up-to-date
medium "Tainted 32bit Updates (distrib42)" is up-to-date


installing lib64archive13-3.6.2-5.1.mga9.x86_64.rpm bsdtar-3.6.2-5.1.mga9.x86_64.rpm from //home/katnatek/qa-testing/x86_64
Preparing...                     ##################################################################################################
      1/2: lib64archive13        ##################################################################################################
      2/2: bsdtar                ##################################################################################################
      1/2: removing bsdtar-3.6.2-5.mga9.x86_64
                                 ##################################################################################################
      2/2: removing lib64archive13-3.6.2-5.mga9.x86_64
                                 ##################################################################################################

LC_ALL=C urpmi bsdcat


installing bsdcat-3.6.2-5.1.mga9.x86_64.rpm from //home/katnatek/qa-testing/x86_64
Preparing...                     ##################################################################################################
      1/1: bsdcat                ##################################################################################################

LC_ALL=C urpmi bsdcpio


installing bsdcpio-3.6.2-5.1.mga9.x86_64.rpm from //home/katnatek/qa-testing/x86_64
Preparing...                     ##################################################################################################
      1/1: bsdcpio               ##################################################################################################

Reference bug#31179 comment#3

Go to my Image folder

bsdtar -c -f ~/archtar *
examined archtar with ark, all files and folders checked OK

cd ~/tmp
bsdtar -x -f  ~/archtar

Files and folder are duplicated

rpm2cpio ~/rpmfile.rpm|bsdcpio -idmv

extract with success the content of the rpm

Looks OK for me

CC: (none) => andrewsfarm

katnatek 2024-04-30 03:39:56 CEST

Whiteboard: (none) => MGA9-64-OK

Comment 3 Thomas Andrews 2024-04-30 21:48:09 CEST 
Validating.

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 4 Mageia Robot 2024-05-01 00:25:58 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2024-0154.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED