Bug 31179 - libarchive new security issue CVE-2022-36227
Summary: libarchive new security issue CVE-2022-36227
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2022-11-24 18:10 CET by David Walser
Modified: 2022-12-13 23:10 CET
CC List: 4 users

See Also:
Source RPM: libarchive-3.6.1-1.mga8.src.rpm
CVE: CVE-2022-36227
Status comment:


Attachments

Description David Walser 2022-11-24 18:10:38 CET
SUSE has issued an advisory on November 23:
https://lists.suse.com/pipermail/sle-security-updates/2022-November/013094.html

Mageia 8 is also affected.
Comment 1 David Walser 2022-11-24 18:11:32 CET
Equivalent openSUSE advisory:
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/N4XUJQ5ZT6HWNXMENJI7BA5SJHZCQSOO/

Whiteboard: (none) => MGA8TOO

Comment 2 Nicolas Salguero 2022-11-25 08:47:33 CET
Suggested advisory:
========================

The updated packages fix a security vulnerability:

In libarchive 3.6.1, the software does not check for an error after calling the calloc function, which can return a NULL pointer if it fails, leading to a NULL pointer dereference. (CVE-2022-36227)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-36227
https://lists.suse.com/pipermail/sle-security-updates/2022-November/013094.html
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/N4XUJQ5ZT6HWNXMENJI7BA5SJHZCQSOO/
========================

Updated packages in core/updates_testing:
========================
bsdcat-3.6.1-1.1.mga8
bsdcpio-3.6.1-1.1.mga8
bsdtar-3.6.1-1.1.mga8
lib(64)archive13-3.6.1-1.1.mga8
lib(64)archive-devel-3.6.1-1.1.mga8

from SRPM:
libarchive-3.6.1-1.1.mga8.src.rpm

CC: (none) => nicolas.salguero
Version: Cauldron => 8
Whiteboard: MGA8TOO => (none)
Source RPM: libarchive-3.6.1-1.mga9.src.rpm => libarchive-3.6.1-1.mga8.src.rpm
Assignee: bugsquad => qa-bugs
CVE: (none) => CVE-2022-36227
Status: NEW => ASSIGNED
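The advisory text above describes the classic unchecked-allocation bug (CWE-476): a calloc result is written through without testing for NULL, so memory pressure turns into a crash instead of a reported error. The following is an added illustration, not code from libarchive or from this bug's update; the writer_state structure, the writer_* functions and the swappable allocator hook are hypothetical names constructed for the example. It shows the vulnerable pattern beside the hardened form, and uses the allocator hook to exercise the out-of-memory path on demand, which is how a practitioner verifies that an error path like this one actually works rather than trusting that it is never reached.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical buffered-writer state, in the spirit of the per-output state a
 * library like libarchive keeps. Names are illustrative, not libarchive's own. */
struct writer_state {
    char  *buffer;
    size_t buffer_size;
    size_t buffer_used;
};

/* Swappable allocator so the out-of-memory path can be triggered on demand.
 * This is a test hook constructed for the example, not part of any real API. */
typedef void *(*calloc_fn)(size_t nmemb, size_t size);
static calloc_fn g_calloc = calloc;
static int g_fail_next_calloc = 0;

static void *failing_calloc(size_t nmemb, size_t size)
{
    if (g_fail_next_calloc) {
        g_fail_next_calloc = 0;
        return NULL;                    /* behave like calloc under memory pressure */
    }
    return calloc(nmemb, size);
}

/* Arrange for the next calloc() call to fail once, then behave normally. */
void simulate_calloc_failure_once(void)
{
    g_calloc = failing_calloc;
    g_fail_next_calloc = 1;
}

/* BEFORE: the pattern the CVE text describes. The calloc result is used without
 * a NULL check, so an allocation failure becomes a NULL pointer dereference. */
struct writer_state *writer_open_unchecked(size_t buffer_size)
{
    struct writer_state *state = g_calloc(1, sizeof(*state));
    state->buffer_size = buffer_size;   /* writes through NULL if calloc failed */
    state->buffer = malloc(buffer_size);
    return state;
}

/* AFTER: both allocations are checked together, anything partially allocated
 * is released, and the failure is reported to the caller as -ENOMEM. */
int writer_open_checked(size_t buffer_size, struct writer_state **out)
{
    struct writer_state *state;
    char *buffer;

    *out = NULL;
    if (buffer_size == 0)
        return -EINVAL;                 /* malloc(0) may legitimately return NULL */

    state  = g_calloc(1, sizeof(*state));
    buffer = malloc(buffer_size);
    if (state == NULL || buffer == NULL) {
        free(state);                    /* free(NULL) is a no-op, so no branching */
        free(buffer);
        return -ENOMEM;
    }
    state->buffer      = buffer;
    state->buffer_size = buffer_size;
    state->buffer_used = 0;
    *out = state;
    return 0;
}

/* Copy up to the remaining capacity into the buffer; returns bytes accepted. */
size_t writer_write(struct writer_state *state, const void *data, size_t len)
{
    size_t room = state->buffer_size - state->buffer_used;
    size_t n = len < room ? len : room;
    memcpy(state->buffer + state->buffer_used, data, n);
    state->buffer_used += n;
    return n;
}

void writer_close(struct writer_state *state)
{
    if (state == NULL)
        return;
    free(state->buffer);
    free(state);
}

/* Returns 1 if the hardened open reports ENOMEM under injected failure and then
 * succeeds once the allocator recovers; 0 otherwise. */
int oom_path_is_handled(void)
{
    struct writer_state *w = NULL;
    int ok;

    simulate_calloc_failure_once();
    if (writer_open_checked(4096, &w) != -ENOMEM || w != NULL)
        return 0;
    ok = (writer_open_checked(4096, &w) == 0 && w != NULL);
    writer_close(w);
    return ok;
}

int main(void)
{
    printf("OOM path handled: %s\n", oom_path_is_handled() ? "yes" : "no");
    return 0;
}
```

Calling writer_open_unchecked() with the failure hook armed would crash exactly as the advisory describes, which is why it is shown but not exercised; the checked variant is the one worth testing, and the injected-failure test is the check the original code lacked.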

Comment 3 Thomas Andrews 2022-12-06 20:16:50 CET
Tested in a MGA8-64 VirtualBox Plasma guest. Using qarepo, there were no installation issues.

Following Herman's lead from Bug 24337, with a few modifications:

$ cd Pictures/Beagle
$ ls
 1171314392_01b8be2c13_b.jpg*  'Beagle Max2A.xcf'*  'Beagle Max3.jpg'*        'beagle maximus2.jpg'*  'Beagle Max.jpg'*       'beagle poster.pdf'*   p4230002.jpg*   p4230005.jpg*
...and more, 22 files in all, jpg, png, pdf file types. Mostly photos of Beagle Maximus, a very large special-shape hot air balloon that I once crewed for.

$ bsdtar -c -f ~/archtar *

Examined archtar with ark; all 22 files were there.

$ cd /home/tom/tmp
$ bsdtar -x -f /home/tom/archtar

Viewed all resulting files in tmp with gwenview, all looked good. Deleted the files from tmp, then used ark to extract the contents of archtar to there, and viewed them with gwenview again. They appeared to be identical.

Giving this an OK, and validating. Advisory in Comment 2.

CC: (none) => andrewsfarm, sysadmin-bugs
Whiteboard: (none) => MGA8-64-OK
Keywords: (none) => validated_update

Dave Hodgins 2022-12-13 02:12:58 CET

CC: (none) => davidwhodgins
Keywords: (none) => advisory

Comment 4 Mageia Robot 2022-12-13 23:10:41 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0453.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED

