Bug 33717 - libarchive new security issues CVE-2024-4895[78]
Summary: libarchive new security issues CVE-2024-4895[78]
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 9
Hardware: All Linux
Priority: Normal, Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA9-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
Reported: 2024-11-04 14:24 CET by Nicolas Salguero
Modified: 2024-11-06 20:57 CET
CC List: 2 users

See Also:
Source RPM: libarchive-3.6.2-5.1.mga9.src.rpm
CVE: CVE-2024-48957, CVE-2024-48958
Status comment:


Attachments

Nicolas Salguero 2024-11-04 14:24:53 CET

CVE: (none) => CVE-2024-48957, CVE-2024-48958
Source RPM: (none) => libarchive-3.6.2-5.1.mga9.src.rpm

Comment 1 Lewis Smith 2024-11-04 20:55:15 CET
Great info for the patches for M9.
(Cauldron recently got the up-to-date version, 3.7.7.)

Assigning globally.

Assignee: bugsquad => pkg-bugs
Status comment: (none) => Debian has patches for these issues (given)

Comment 2 Nicolas Salguero 2024-11-05 09:47:05 CET
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

execute_filter_audio in archive_read_support_format_rar.c in libarchive before 3.7.5 allows out-of-bounds access via a crafted archive file because src can move beyond dst. (CVE-2024-48957)

execute_filter_delta in archive_read_support_format_rar.c in libarchive before 3.7.5 allows out-of-bounds access via a crafted archive file because src can move beyond dst. (CVE-2024-48958)

========================

Updated packages in core/updates_testing:
========================
bsdcat-3.6.2-5.2.mga9
bsdcpio-3.6.2-5.2.mga9
bsdtar-3.6.2-5.2.mga9
lib(64)archive13-3.6.2-5.2.mga9
lib(64)archive-devel-3.6.2-5.2.mga9

from SRPM:
libarchive-3.6.2-5.2.mga9.src.rpm

Status: NEW => ASSIGNED
Status comment: Debian has patches for these issues (given) => (none)
Assignee: pkg-bugs => qa-bugs
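
As an added illustration, not libarchive's code and not the Mageia patch: a simplified C model of a RAR delta filter in the shape the advisory describes (input at the start of a work area, output at offset `length`), with the check that the source cursor must never reach the output block. The buffer size, byte values and function names are constructed for the example.

```c
#include <stdint.h>
#include <string.h>

/* Constructed stand-in for the RAR VM work area (a model, not libarchive code). */
#define WORK_SIZE 64

/* Simplified delta filter in the shape the advisory describes: input bytes
   sit at the start of the work area, output goes at offset `length`. With
   guard != 0 the loop refuses to let the source cursor reach the output
   block. Returns 1 on success, 0 if rejected, -1 if the unguarded model
   would have read past the work area (reported instead of performed). */
int delta_filter(uint8_t *mem, uint32_t length, uint32_t numchannels, int guard)
{
    uint8_t *src = &mem[0], *dst;
    uint32_t i, idx;

    if (length > WORK_SIZE / 2)   /* output must fit in the second half */
        return 0;
    dst = &mem[length];
    for (i = 0; i < numchannels; i++) {
        uint8_t last = 0;
        /* idx is 32-bit: an oversized channel count wraps `idx += numchannels`,
           so the loop runs more than `length` times and src walks past dst. */
        for (idx = i; idx < length; idx += numchannels) {
            if (guard && src >= dst)
                return 0;             /* hardened: reject the block */
            if (!guard && src >= mem + WORK_SIZE)
                return -1;            /* model: stop before a real OOB read */
            last = dst[idx] = (uint8_t)(last - *src++);
        }
    }
    return 1;
}

/* Runs the filter over a constructed 8-byte input block. Returns output
   byte k (0..255) on success, -1 if the block was rejected and -2 if the
   unguarded model would have read out of bounds. */
int run_sample(uint32_t length, uint32_t numchannels, int guard, uint32_t k)
{
    static const uint8_t in[8] = {1, 2, 3, 4, 5, 6, 7, 8};
    uint8_t mem[WORK_SIZE];
    int rc;
    memset(mem, 0, sizeof mem);
    memcpy(mem, in, sizeof in);
    rc = delta_filter(mem, length, numchannels, guard);
    if (rc == 1)
        return mem[length + k];
    return rc == 0 ? -1 : -2;
}
```

With a well-formed block the guarded and unguarded variants produce the same output; with an oversized channel count only the guarded variant rejects the block before the source cursor crosses into the output area.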

katnatek 2024-11-05 17:40:12 CET

Keywords: (none) => advisory

Comment 3 katnatek 2024-11-05 22:59:44 CET
LC_ALL=C urpmi --auto --auto-update
medium "QA Testing (32-bit)" is up-to-date
medium "QA Testing (64-bit)" is up-to-date
medium "Core Release (distrib1)" is up-to-date
medium "Core Updates (distrib3)" is up-to-date
medium "Nonfree Release (distrib11)" is up-to-date
medium "Nonfree Updates (distrib13)" is up-to-date
medium "Tainted Release (distrib21)" is up-to-date
medium "Tainted Updates (distrib23)" is up-to-date
medium "Core 32bit Release (distrib31)" is up-to-date
medium "Core 32bit Updates (distrib32)" is up-to-date
medium "Nonfree 32bit Release (distrib36)" is up-to-date
medium "Nonfree 32bit Updates (distrib37)" is up-to-date
medium "Tainted 32bit Release (distrib41)" is up-to-date
medium "Tainted 32bit Updates (distrib42)" is up-to-date

installing bsdtar-3.6.2-5.2.mga9.x86_64.rpm lib64archive13-3.6.2-5.2.mga9.x86_64.rpm from //home/katnatek/qa-testing/x86_64
Preparing...                     ##################################################################################################
      1/2: lib64archive13        ##################################################################################################
      2/2: bsdtar                ##################################################################################################
      1/2: removing bsdtar-3.6.2-5.1.mga9.x86_64
                                 ##################################################################################################
      2/2: removing lib64archive13-3.6.2-5.1.mga9.x86_64
                                 ##################################################################################################

LC_ALL=C urpmi bsdcat bsdcpio

installing bsdcpio-3.6.2-5.2.mga9.x86_64.rpm bsdcat-3.6.2-5.2.mga9.x86_64.rpm from //home/katnatek/qa-testing/x86_64
Preparing...                     ##################################################################################################
      1/2: bsdcat                ##################################################################################################
      2/2: bsdcpio               ##################################################################################################

Reference bug#31179 comment#3

Go to my Image folder

bsdtar -c -f ~/archtar *

examined archtar with ark, all files and folders checked OK

Files and folders are duplicated

rpm2cpio ~/rpmfile.rpm|bsdcpio -idmv

extracts the content of the rpm successfully

Even though I am not sure whether this is related to the CVEs, I opened a rar file with ark and extracted it without issues

strace zeal shows
openat(AT_FDCWD, "/lib64/libarchive.so.13", O_RDONLY|O_CLOEXEC) = 3

Application works

Whiteboard: (none) => MGA9-64-OK
CC: (none) => andrewsfarm

Comment 4 Thomas Andrews 2024-11-06 14:22:50 CET
Validating.

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 5 Mageia Robot 2024-11-06 20:57:47 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2024-0346.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED
