libarchive 3.6.1 has been released on April 8: https://github.com/libarchive/libarchive/releases/tag/v3.6.1 It lists a few security fixes in the release announcement.
CC: (none) => nicolas.salgueroAssignee: bugsquad => nicolas.salgueroSource RPM: (none) => libarchive-3.5.3-1.mga8.src.rpm
Suggested advisory: ======================== The updated packages fix security vulnerabilities: 7zip reader: fix PPMD read beyond boundary. ZIP reader: fix possible out of bounds read. ISO reader: fix possible heap buffer overflow in read_children(). RARv4 redaer: fix multiple issues in RARv4 filter code (introduced in libarchive 3.6.0): - fix heap use after free in archive_read_format_rar_read_data(); - fix null dereference in read_data_compressed(); - fix heap user after free in run_filters(). References: https://github.com/libarchive/libarchive/releases/tag/v3.6.1 ======================== Updated packages in core/updates_testing: ======================== bsdcat-3.6.1-1.mga8 bsdcpio-3.6.1-1.mga8 bsdtar-3.6.1-1.mga8 lib(64)archive13-3.6.1-1.mga8 lib(64)archive-devel-3.6.1-1.mga8 from SRPM: libarchive-3.6.1-1.mga8.src.rpm
Status: NEW => ASSIGNEDAssignee: nicolas.salguero => qa-bugs
Ubuntu has issued an advisory on April 11: https://ubuntu.com/security/notices/USN-5374-1 Does this update include the fix for CVE-2022-26280?
mga8, x64 Installed the packages and ran a few commands. Referred to earlier bug 24337 for testing hints. Ran the updates. $ cd ~/qa $ bsdtar -cf qatest libarchive $ du -hs libarchive 95M libarchive $ ll qatest -rw-r--r-- 1 lcl lcl 98882048 Apr 12 21:56 qatest $ cp qatest /data $ cd /data $ bsdtar -xf qatest $ du -hs libarchive 95M libarchive Edited list of `urpmq --whatrequires lib64archive13` : ardour ark bsdcat bsdtar elfutils file-roller flatpak hydrogen icecream lordsawar meandmyshadow midori mpv rpm samba-client vlc-plugin-common zeal $ strace -o mpv.trace mpv TheNarrowWorld.mkv $ grep archive mpv.trace openat(AT_FDCWD, "/lib64/libarchive.so.13", O_RDONLY|O_CLOEXEC) = 3 Good enough. OK for 64 bits.
CC: (none) => tarazed25Whiteboard: (none) => MGA8-64-OK
(In reply to David Walser from comment #2) > Ubuntu has issued an advisory on April 11: > https://ubuntu.com/security/notices/USN-5374-1 > > Does this update include the fix for CVE-2022-26280? Yes, it does. It is the second point (ZIP reader: fix possible out of bounds read). Suggested advisory: ======================== The updated packages fix security vulnerabilities: 7zip reader: fix PPMD read beyond boundary. ZIP reader: fix possible out of bounds read. (CVE-2022-26280) ISO reader: fix possible heap buffer overflow in read_children(). RARv4 redaer: fix multiple issues in RARv4 filter code (introduced in libarchive 3.6.0): - fix heap use after free in archive_read_format_rar_read_data(); - fix null dereference in read_data_compressed(); - fix heap user after free in run_filters(). References: https://github.com/libarchive/libarchive/releases/tag/v3.6.1 https://ubuntu.com/security/notices/USN-5374-1 https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-26280
Summary: libarchive new security issues fixed upstream in 3.6.1 => libarchive new security issues fixed upstream in 3.6.1 (including CVE-2022-26280)
Validating. Advisory in Comment 4.
Keywords: (none) => validated_updateCC: (none) => andrewsfarm, sysadmin-bugs
CC: (none) => davidwhodginsKeywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2022-0142.html
Resolution: (none) => FIXEDStatus: ASSIGNED => RESOLVED