SUSE has issued an advisory on November 23: https://lists.suse.com/pipermail/sle-security-updates/2022-November/013094.html

Mageia 8 is also affected.
Equivalent openSUSE advisory: https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/N4XUJQ5ZT6HWNXMENJI7BA5SJHZCQSOO/
Whiteboard: (none) => MGA8TOO
Suggested advisory:
========================

The updated packages fix a security vulnerability:

In libarchive 3.6.1, the software does not check for an error after calling calloc function that can return with a NULL pointer if the function fails, which leads to a resultant NULL pointer dereference. (CVE-2022-36227)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-36227
https://lists.suse.com/pipermail/sle-security-updates/2022-November/013094.html
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/N4XUJQ5ZT6HWNXMENJI7BA5SJHZCQSOO/
========================

Updated packages in core/updates_testing:
========================

bsdcat-3.6.1-1.1.mga8
bsdcpio-3.6.1-1.1.mga8
bsdtar-3.6.1-1.1.mga8
lib(64)archive13-3.6.1-1.1.mga8
lib(64)archive-devel-3.6.1-1.1.mga8

from SRPM:
libarchive-3.6.1-1.1.mga8.src.rpm
CC: (none) => nicolas.salguero
Version: Cauldron => 8
Whiteboard: MGA8TOO => (none)
Source RPM: libarchive-3.6.1-1.mga9.src.rpm => libarchive-3.6.1-1.mga8.src.rpm
Assignee: bugsquad => qa-bugs
CVE: (none) => CVE-2022-36227
Status: NEW => ASSIGNED
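The advisory above describes a bug class rather than a libarchive-specific API: an allocation whose result is used without being checked, so an out-of-memory condition becomes a NULL pointer dereference (a crash, and a denial of service for anything feeding untrusted archives to the library). The following is an added example, not libarchive's code and not part of this bug report. It uses a hypothetical `writer_state` structure with an injectable allocator so the error path can actually be exercised: the constructor checks every allocation, releases what it already holds when a later allocation fails, and returns NULL to the caller instead of dereferencing it.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical writer state (added example, not libarchive's struct). It mirrors
 * the pattern behind CVE-2022-36227: a calloc'd object whose fields are then
 * filled in, including a second allocation. */
struct writer_state {
    char  *buffer;
    size_t buffer_size;
};

/* Allocator hook with calloc's signature, so tests can simulate failure. */
typedef void *(*alloc_fn)(size_t nmemb, size_t size);

/* Counting allocator: fails on the Nth call when fail_on_call is non-zero. */
static unsigned alloc_calls;
static unsigned fail_on_call;   /* 0 = never fail */

static void *counting_calloc(size_t nmemb, size_t size)
{
    if (++alloc_calls == fail_on_call)
        return NULL;            /* simulated out-of-memory */
    return calloc(nmemb, size);
}

/* Hardened constructor: every allocation result is checked before use, and a
 * partially built object is torn down on the error path so nothing leaks.
 * The unchecked form would read `state->buffer = ...` straight after calloc. */
struct writer_state *writer_state_new(size_t buffer_size, alloc_fn alloc)
{
    struct writer_state *state = alloc(1, sizeof(*state));
    if (state == NULL)
        return NULL;

    state->buffer = alloc(buffer_size, 1);
    if (state->buffer == NULL) {
        free(state);            /* release the half-built object */
        return NULL;
    }
    state->buffer_size = buffer_size;
    return state;
}

void writer_state_free(struct writer_state *s)
{
    if (s == NULL)
        return;
    free(s->buffer);
    free(s);
}

/* Returns 1 if the constructor reports failure cleanly (NULL, no crash) when
 * allocation number `which` fails: 1 = the state struct, 2 = the buffer. */
int survives_alloc_failure(unsigned which)
{
    alloc_calls = 0;
    fail_on_call = which;
    struct writer_state *s = writer_state_new(4096, counting_calloc);
    int ok = (s == NULL);
    writer_state_free(s);       /* safe on NULL */
    return ok;
}

/* Returns 1 if the normal path yields a usable, fully sized buffer. */
int normal_path_ok(void)
{
    alloc_calls = 0;
    fail_on_call = 0;
    struct writer_state *s = writer_state_new(64, counting_calloc);
    if (s == NULL)
        return 0;
    memset(s->buffer, 'A', s->buffer_size);
    int ok = (s->buffer_size == 64 && s->buffer[63] == 'A');
    writer_state_free(s);
    return ok;
}

int main(void)
{
    printf("normal path:            %s\n", normal_path_ok() ? "ok" : "FAIL");
    printf("struct alloc fails:     %s\n", survives_alloc_failure(1) ? "ok" : "FAIL");
    printf("buffer alloc fails:     %s\n", survives_alloc_failure(2) ? "ok" : "FAIL");
    return 0;
}
```

The injectable allocator is the part worth keeping around: a plain `calloc` never fails on a developer's machine, so an unchecked result only shows up in production under memory pressure. Routing allocations through a hook lets a unit test fail the first, second or Nth allocation and confirm the function returns an error instead of crashing.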
Tested in a MGA8-64 VirtualBox Plasma guest.

Using qarepo, there were no installation issues.

Following Herman's lead from Bug 24337, with a few modifications:

$ cd Pictures/Beagle
$ ls
1171314392_01b8be2c13_b.jpg*  'Beagle Max2A.xcf'*  'Beagle Max3.jpg'*  'beagle maximus2.jpg'*  'Beagle Max.jpg'*  'beagle poster.pdf'*  p4230002.jpg*  p4230005.jpg*
...and more, 22 files in all, jpg, png, pdf file types. Mostly photos of Beagle Maximus, a very large special-shape hot air balloon that I once crewed for.

$ bsdtar -c -f ~/archtar *
Examined archtar with ark, all 22 files were there.

$ cd /home/tom/tmp
$ bsdtar -x -f /home/tom/archtar
Viewed all resulting files in tmp with gwenview, all looked good.

Deleted the files from tmp, then used ark to extract the contents of archtar to there, and viewed them with gwenview again. They appeared to be identical.

Giving this an OK, and validating. Advisory in Comment 2.
CC: (none) => andrewsfarm, sysadmin-bugs
Whiteboard: (none) => MGA8-64-OK
Keywords: (none) => validated_update
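The QA comment above checks the update by archiving a directory with bsdtar, extracting it elsewhere and eyeballing the results. The script below is an added example (not part of the bug report or of the QA team's tooling) that automates the same create/extract round trip and replaces the visual comparison with per-file SHA-256 checksums of both trees. It assumes a POSIX sh with `mktemp`, `find`, `sha256sum` and `/dev/urandom`; it uses `bsdtar` when present and otherwise falls back to whatever `tar` is on PATH, so it runs on systems without libarchive's front end as well. The sample files are constructed on the fly.

```sh
#!/bin/sh
# Archive round-trip check with checksum comparison (added example).
# TAR can be overridden from the environment, e.g. TAR=/usr/bin/bsdtar.
set -eu

TAR=${TAR:-$(command -v bsdtar || command -v tar)}

# roundtrip: build a scratch tree of constructed files, archive it with
# "$TAR -c -f", extract it into a second directory with "$TAR -x -f", and
# return success only if every file's SHA-256 matches between the two trees.
roundtrip() {
    work=$(mktemp -d)
    src="$work/src"
    out="$work/out"
    mkdir -p "$src/sub" "$out"

    # constructed sample data: text, a random binary blob, and an empty file
    printf 'hello archive\n' > "$src/note.txt"
    head -c 4096 /dev/urandom > "$src/sub/blob.bin"
    : > "$src/empty"

    # create the archive from inside the source tree, as the report does with "*"
    (cd "$src" && "$TAR" -c -f "$work/test.tar" .)
    # extract into a separate directory
    (cd "$out" && "$TAR" -x -f "$work/test.tar")

    # checksum every regular file, with paths relative to each tree root
    a=$(cd "$src" && find . -type f | sort | xargs sha256sum)
    b=$(cd "$out" && find . -type f | sort | xargs sha256sum)

    rm -rf "$work"
    [ "$a" = "$b" ]
}

if roundtrip; then
    echo "round-trip OK using $TAR"
else
    echo "MISMATCH between source and extracted trees using $TAR" >&2
    exit 1
fi
```

Checksumming both trees catches truncated or corrupted members that still open fine in an image viewer, and the fallback to `tar` means the same script can compare bsdtar's output against GNU tar's on the same machine (run it twice with `TAR` set to each binary).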
CC: (none) => davidwhodgins
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2022-0453.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED