Bug 29431 - libarchive new security issues fixed upstream in 3.5.2
Summary: libarchive new security issues fixed upstream in 3.5.2
Status: ASSIGNED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2021-09-01 17:45 CEST by David Walser
Modified: 2021-09-17 13:59 CEST

See Also:
Source RPM: libarchive-3.5.1-1.mga8.src.rpm
CVE:
Status comment:


Description David Walser 2021-09-01 17:45:41 CEST
libarchive 3.5.2 has been released on August 22:
https://github.com/libarchive/libarchive/releases/tag/v3.5.2

It lists a few security fixes in the release announcement.
Comment 1 Nicolas Salguero 2021-09-02 09:10:05 CEST
Suggested advisory:
========================

The updated packages fix several bugs including security vulnerabilities:

Fix handling of symbolic link ACLs on Linux.

Never follow symlinks when setting file flags on Linux.

Do not follow symlinks when processing the fixup list.

References:
https://github.com/libarchive/libarchive/releases/tag/v3.5.2
========================

Updated packages in core/updates_testing:
========================
bsdcat-3.5.2-1.mga8
bsdtar-3.5.2-1.mga8
bsdcpio-3.5.2-1.mga8
lib(64)archive-devel-3.5.2-1.mga8
lib(64)archive13-3.5.2-1.mga8

from SRPM:
libarchive-3.5.2-1.mga8.src.rpm

Status: NEW => ASSIGNED
Assignee: nicolas.salguero => qa-bugs

Comment 2 Brian Rockwell 2021-09-03 20:41:20 CEST
MGA8  - 64bit

okay I installed

installed
bsdcat
bsdtar
lib64archive13-3.5.2-1

I created a link using (ln -s) command

Then used bsdtar to archive the folder with the link

The resulting tar file did have the link in it, but did not download the contents of the link into the tar.

I was able to extract using archiver in gnome, it contained the link which still attempted to point to the folder (on another machine).

The tools seem to work, but I'm not sure I comprehend what this fixed.

CC: (none) => brtians1

Comment 3 Herman Viaene 2021-09-15 15:51:42 CEST
MGA8-64 Plasma on Lenovo B50
No installation issues.
Ref bug 2337 for testing.
$ cd Documenten
$ ls
Charts/  jetty/  main.js  qtwebengin.txt  thumbnail.py  tutorialredis.txt  win10reg/  wiresh/  ziekenhuis/
$ bsdtar -c -f ~/archtar *
Opened archtar with ark, all looks OK
$ cd ~/tmp/
[tester8@mach5 tmp]$ bsdtar -x -f /home/tester8/archtar
Checked contents of tmp: all files and folders are there OK.

Whiteboard: (none) => MGA8-64-OK
CC: (none) => herman.viaene

Comment 4 Thomas Andrews 2021-09-17 13:59:55 CEST
Validating. Advisory in Comment 1.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update
