Bug 30271 - libarchive new security issues fixed upstream in 3.6.1 (including CVE-2022-26280)
Summary: libarchive new security issues fixed upstream in 3.6.1 (including CVE-2022-26...
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 8
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2022-04-11 11:52 CEST by Nicolas Salguero
Modified: 2022-04-15 23:36 CEST (History)
5 users (show)

See Also:
Source RPM: libarchive-3.5.3-1.mga8.src.rpm
CVE:
Status comment:


Attachments

Description Nicolas Salguero 2022-04-11 11:52:17 CEST
libarchive 3.6.1 has been released on April 8:
https://github.com/libarchive/libarchive/releases/tag/v3.6.1

It lists a few security fixes in the release announcement.
Nicolas Salguero 2022-04-11 11:52:38 CEST

CC: (none) => nicolas.salguero
Assignee: bugsquad => nicolas.salguero
Source RPM: (none) => libarchive-3.5.3-1.mga8.src.rpm

Comment 1 Nicolas Salguero 2022-04-11 12:04:36 CEST
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

7zip reader: fix PPMD read beyond boundary.

ZIP reader: fix possible out of bounds read.

ISO reader: fix possible heap buffer overflow in read_children().

RARv4 redaer: fix multiple issues in RARv4 filter code (introduced in libarchive 3.6.0):
  - fix heap use after free in archive_read_format_rar_read_data();
  - fix null dereference in read_data_compressed();
  - fix heap user after free in run_filters().

References:
https://github.com/libarchive/libarchive/releases/tag/v3.6.1
========================

Updated packages in core/updates_testing:
========================
bsdcat-3.6.1-1.mga8
bsdcpio-3.6.1-1.mga8
bsdtar-3.6.1-1.mga8
lib(64)archive13-3.6.1-1.mga8
lib(64)archive-devel-3.6.1-1.mga8

from SRPM:
libarchive-3.6.1-1.mga8.src.rpm

Status: NEW => ASSIGNED
Assignee: nicolas.salguero => qa-bugs

Comment 2 David Walser 2022-04-12 22:51:58 CEST
Ubuntu has issued an advisory on April 11:
https://ubuntu.com/security/notices/USN-5374-1

Does this update include the fix for CVE-2022-26280?
Comment 3 Len Lawrence 2022-04-12 23:27:04 CEST
mga8, x64

Installed the packages and ran a few commands.
Referred to earlier bug 24337 for testing hints.

Ran the updates.

$ cd ~/qa
$ bsdtar -cf qatest libarchive
$ du -hs libarchive
95M	libarchive
$ ll qatest
-rw-r--r-- 1 lcl lcl 98882048 Apr 12 21:56 qatest
$ cp qatest /data
$ cd /data
$ bsdtar -xf qatest
$ du -hs libarchive
95M	libarchive

Edited list of  `urpmq --whatrequires lib64archive13` :
ardour
ark
bsdcat
bsdtar
elfutils
file-roller
flatpak
hydrogen
icecream
lordsawar
meandmyshadow
midori
mpv
rpm
samba-client
vlc-plugin-common
zeal

$ strace -o mpv.trace mpv TheNarrowWorld.mkv
$ grep archive mpv.trace
openat(AT_FDCWD, "/lib64/libarchive.so.13", O_RDONLY|O_CLOEXEC) = 3

Good enough.  OK for 64 bits.

CC: (none) => tarazed25
Whiteboard: (none) => MGA8-64-OK

Comment 4 Nicolas Salguero 2022-04-13 08:47:19 CEST
(In reply to David Walser from comment #2)
> Ubuntu has issued an advisory on April 11:
> https://ubuntu.com/security/notices/USN-5374-1
> 
> Does this update include the fix for CVE-2022-26280?

Yes, it does.  It is the second point (ZIP reader: fix possible out of bounds read).

Suggested advisory:
========================

The updated packages fix security vulnerabilities:

7zip reader: fix PPMD read beyond boundary.

ZIP reader: fix possible out of bounds read. (CVE-2022-26280)

ISO reader: fix possible heap buffer overflow in read_children().

RARv4 redaer: fix multiple issues in RARv4 filter code (introduced in libarchive 3.6.0):
  - fix heap use after free in archive_read_format_rar_read_data();
  - fix null dereference in read_data_compressed();
  - fix heap user after free in run_filters().

References:
https://github.com/libarchive/libarchive/releases/tag/v3.6.1
https://ubuntu.com/security/notices/USN-5374-1
https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-26280
David Walser 2022-04-13 16:04:22 CEST

Summary: libarchive new security issues fixed upstream in 3.6.1 => libarchive new security issues fixed upstream in 3.6.1 (including CVE-2022-26280)

Comment 5 Thomas Andrews 2022-04-14 14:28:17 CEST
Validating. Advisory in Comment 4.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Dave Hodgins 2022-04-15 22:21:30 CEST

CC: (none) => davidwhodgins
Keywords: (none) => advisory

Comment 6 Mageia Robot 2022-04-15 23:36:42 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0142.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED


Note You need to log in before you can comment on or make changes to this bug.