That CVE was announced here: https://github.com/advisories/GHSA-2jc9-36w4-pmqw
The following commit fixes the problem: https://github.com/libarchive/libarchive/pull/2135
Suggested advisory:
========================

The updated packages fix a security vulnerability:

Remote Code Execution Vulnerability. (CVE-2024-26256)

References:
https://github.com/advisories/GHSA-2jc9-36w4-pmqw
========================

Updated packages in core/updates_testing:
========================
bsdcat-3.6.2-5.1.mga9
bsdcpio-3.6.2-5.1.mga9
bsdtar-3.6.2-5.1.mga9
lib(64)archive13-3.6.2-5.1.mga9
lib(64)archive-devel-3.6.2-5.1.mga9

from SRPM:
libarchive-3.6.2-5.1.mga9.src.rpm
Source RPM: (none) => libarchive-3.6.2-5.mga9.src.rpm
Status: NEW => ASSIGNED
Assignee: bugsquad => qa-bugs
CVE: (none) => CVE-2024-26256
Keywords: (none) => advisory
RH mageia 9 x86

LC_ALL=C urpmi --auto --auto-update
medium "QA Testing (32-bit)" is up-to-date
medium "QA Testing (64-bit)" is up-to-date
medium "Core Release (distrib1)" is up-to-date
medium "Core Updates (distrib3)" is up-to-date
medium "Nonfree Release (distrib11)" is up-to-date
medium "Nonfree Updates (distrib13)" is up-to-date
medium "Tainted Release (distrib21)" is up-to-date
medium "Tainted Updates (distrib23)" is up-to-date
medium "Core 32bit Release (distrib31)" is up-to-date
medium "Core 32bit Updates (distrib32)" is up-to-date
medium "Nonfree 32bit Release (distrib36)" is up-to-date
medium "Tainted 32bit Release (distrib41)" is up-to-date
medium "Tainted 32bit Updates (distrib42)" is up-to-date
installing lib64archive13-3.6.2-5.1.mga9.x86_64.rpm bsdtar-3.6.2-5.1.mga9.x86_64.rpm from //home/katnatek/qa-testing/x86_64
Preparing... ##################################################################################################
1/2: lib64archive13 ##################################################################################################
2/2: bsdtar ##################################################################################################
1/2: removing bsdtar-3.6.2-5.mga9.x86_64 ##################################################################################################
2/2: removing lib64archive13-3.6.2-5.mga9.x86_64 ##################################################################################################

LC_ALL=C urpmi bsdcat
installing bsdcat-3.6.2-5.1.mga9.x86_64.rpm from //home/katnatek/qa-testing/x86_64
Preparing... ##################################################################################################
1/1: bsdcat ##################################################################################################

LC_ALL=C urpmi bsdcpio
installing bsdcpio-3.6.2-5.1.mga9.x86_64.rpm from //home/katnatek/qa-testing/x86_64
Preparing... ##################################################################################################
1/1: bsdcpio ##################################################################################################

Reference bug#31179 comment#3

Go to my Image folder
bsdtar -c -f ~/archtar *
examined archtar with ark, all files and folders checked OK
cd ~/tmp
bsdtar -x -f ~/archtar
Files and folder are duplicated

rpm2cpio ~/rpmfile.rpm|bsdcpio -idmv
extract with success the content of the rpm

Looks OK for me
CC: (none) => andrewsfarm
Whiteboard: (none) => MGA9-64-OK
Validating.
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2024-0154.html
Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED