Bug 29431 - libarchive new security issues fixed upstream in 3.5.2 (including CVE-2021-23177)
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2021-09-01 17:45 CEST by David Walser
Modified: 2022-02-17 18:48 CET

See Also:
Source RPM: libarchive-3.5.1-1.mga8.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2021-09-01 17:45:41 CEST
libarchive 3.5.2 was released on August 22:
https://github.com/libarchive/libarchive/releases/tag/v3.5.2

It lists a few security fixes in the release announcement.
Comment 1 Nicolas Salguero 2021-09-02 09:10:05 CEST
Suggested advisory:
========================

The updated packages fix several bugs including security vulnerabilities:

Fix handling of symbolic link ACLs on Linux.

Never follow symlinks when setting file flags on Linux.

Do not follow symlinks when processing the fixup list.

References:
https://github.com/libarchive/libarchive/releases/tag/v3.5.2
========================

Updated packages in core/updates_testing:
========================
bsdcat-3.5.2-1.mga8
bsdtar-3.5.2-1.mga8
bsdcpio-3.5.2-1.mga8
lib(64)archive-devel-3.5.2-1.mga8
lib(64)archive13-3.5.2-1.mga8

from SRPM:
libarchive-3.5.2-1.mga8.src.rpm

Assignee: nicolas.salguero => qa-bugs
Status: NEW => ASSIGNED

Comment 2 Brian Rockwell 2021-09-03 20:41:20 CEST
MGA8  - 64bit

okay I installed

installed
bsdcat
bsdtar
lib64archive13-3.5.2-1

I created a link using (ln -s) command

Then used bsdtar to archive the folder with the link.

The resulting tar file did have the link in it, but did not download the contents of the link into the tar.

I was able to extract using Archiver in GNOME; it contained the link, which still attempted to point to the folder (on another machine).

The tools seem to work, but I'm not sure I comprehend what this fixed.

CC: (none) => brtians1
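
The round trip described in the comment above, written up as a repeatable QA check. This is an added example, not part of the bug report or of the libarchive project: it archives a directory containing a symlink that points outside the tree, extracts it elsewhere, and confirms the link was stored and restored as a link rather than dereferenced. Assumed: bsdtar is on PATH; if not, the script falls back to plain tar, which handles symlinks the same way.

```shell
#!/bin/sh
# Added QA check (not from the bug report): confirm an archive round trip
# keeps a symlink as a symlink and never pulls in the link target's contents.
TAR=$(command -v bsdtar || command -v tar)   # fallback to tar if bsdtar absent

# symlink_roundtrip_ok: returns 0 when the symlink survives the round trip
# unchanged and the target directory's files were not copied into the archive.
symlink_roundtrip_ok() {
    work=$(mktemp -d) || return 1
    mkdir -p "$work/outside" "$work/src" "$work/dst" || return 1
    echo "secret" > "$work/outside/data.txt"      # constructed link target content
    echo "hello"  > "$work/src/file.txt"          # constructed regular file
    ln -s "$work/outside" "$work/src/link"        # link pointing outside the tree

    "$TAR" -c -f "$work/archtar" -C "$work/src" . || return 1
    "$TAR" -x -f "$work/archtar" -C "$work/dst"   || return 1

    # 1. the target's files must not have been archived through the link
    "$TAR" -t -f "$work/archtar" | grep -q 'data.txt' && return 1
    # 2. extraction must recreate a symlink with the original target
    [ -L "$work/dst/link" ] || return 1
    [ "$(readlink "$work/dst/link")" = "$work/outside" ] || return 1
    # 3. the regular file must survive unchanged
    [ "$(cat "$work/dst/file.txt")" = "hello" ] || return 1

    rm -rf "$work"
    return 0
}

# Stand-alone usage: report PASS/FAIL for the tool that was found.
if [ -n "$TAR" ]; then
    if symlink_roundtrip_ok; then echo "PASS: $TAR"; else echo "FAIL: $TAR"; fi
fi
```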

Comment 3 Herman Viaene 2021-09-15 15:51:42 CEST
MGA8-64 Plasma on Lenovo B50
No installation issues.
Ref bug 2337 for testing.
$ cd Documenten
$ ls
Charts/  jetty/  main.js  qtwebengin.txt  thumbnail.py  tutorialredis.txt  win10reg/  wiresh/  ziekenhuis/
$ bsdtar -c -f ~/archtar *
Opened archtar with ark, all looks OK
$ cd ~/tmp/
[tester8@mach5 tmp]$ bsdtar -x -f /home/tester8/archtar
Checked contents of tmp: all files and folders are there OK.

CC: (none) => herman.viaene
Whiteboard: (none) => MGA8-64-OK

Comment 4 Thomas Andrews 2021-09-17 13:59:55 CEST
Validating. Advisory in Comment 1.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Dave Hodgins 2021-09-22 22:40:43 CEST

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 5 Mageia Robot 2021-09-23 06:52:13 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0430.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED

Comment 6 David Walser 2022-02-17 18:48:41 CET
One of the security issues fixed in this update is CVE-2021-23177:
https://ubuntu.com/security/notices/USN-5291-1

Summary: libarchive new security issues fixed upstream in 3.5.2 => libarchive new security issues fixed upstream in 3.5.2 (including CVE-2021-23177)

