Bug 33757 - libarchive new security issue CVE-2024-20696
Summary: libarchive new security issue CVE-2024-20696
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 9
Hardware: All, OS: Linux
Priority: Normal, Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
Whiteboard: MGA9-64-OK
Keywords: advisory, validated_update
Reported: 2024-11-12 09:54 CET by Nicolas Salguero
Modified: 2024-11-13 19:48 CET

Source RPM: libarchive-3.6.2-5.2.mga9.src.rpm
CVE: CVE-2024-20696
Description Nicolas Salguero 2024-11-12 09:54:52 CET
Debian has issued an advisory on November 9:
https://lists.debian.org/debian-security-announce/2024/msg00220.html
Comment 1 Nicolas Salguero 2024-11-12 09:55:55 CET
Patch: https://sources.debian.org/data/main/liba/libarchive/3.6.2-1%2Bdeb12u2/debian/patches/rar4-reader-protect-copy_from_lzss_window_to_unp-217.patch

Status comment: (none) => Patch available from Debian
CVE: (none) => CVE-2024-20696
Source RPM: (none) => libarchive-3.6.2-5.2.mga9.src.rpm

Comment 2 Nicolas Salguero 2024-11-12 10:05:59 CET
Suggested advisory:
========================

The updated packages fix a security vulnerability:

A heap-based out-of-bounds write vulnerability was discovered in libarchive, a multi-format archive and compression library, which may result in the execution of arbitrary code if a specially crafted RAR archive is processed. (CVE-2024-20696)

References:
https://lists.debian.org/debian-security-announce/2024/msg00220.html
========================

Updated packages in core/updates_testing:
========================
bsdcat-3.6.2-5.3.mga9
bsdcpio-3.6.2-5.3.mga9
bsdtar-3.6.2-5.3.mga9
lib(64)archive13-3.6.2-5.3.mga9
lib(64)archive-devel-3.6.2-5.3.mga9

from SRPM:
libarchive-3.6.2-5.3.mga9.src.rpm

Status comment: Patch available from Debian => (none)
Assignee: bugsquad => qa-bugs
Status: NEW => ASSIGNED

Comment 3 Brian Rockwell 2024-11-12 20:25:40 CET
mga9-64, Cinnamon

The following 4 packages are going to be installed:

- bsdcat-3.6.2-5.3.mga9.x86_64
- bsdcpio-3.6.2-5.3.mga9.x86_64
- bsdtar-3.6.2-5.3.mga9.x86_64
- lib64archive13-3.6.2-5.3.mga9.x86_64

180KB of additional disk space will be used.

--

gzipped text file

able to cat it with bsdcat

bsdcpio
$ find Documents | bsdcpio -pdmu newdoc2

worked

$ bsdtar -czf christine_files.tar.gz *

worked

CC: (none) => brtians1

Comment 4 katnatek 2024-11-13 02:54:31 CET
LC_ALL=C urpmi --auto --auto-update
medium "QA Testing (64-bit)" is up-to-date
medium "Core Release (distrib1)" is up-to-date
medium "Core Updates (distrib3)" is up-to-date
medium "Nonfree Release (distrib11)" is up-to-date
medium "Nonfree Updates (distrib13)" is up-to-date
medium "Tainted Release (distrib21)" is up-to-date
medium "Tainted Updates (distrib23)" is up-to-date
medium "Core 32bit Release (distrib31)" is up-to-date
medium "Core 32bit Updates (distrib32)" is up-to-date
medium "Nonfree 32bit Release (distrib36)" is up-to-date
medium "Nonfree 32bit Updates (distrib37)" is up-to-date
medium "Tainted 32bit Release (distrib41)" is up-to-date
medium "Tainted 32bit Updates (distrib42)" is up-to-date

installing bsdtar-3.6.2-5.3.mga9.x86_64.rpm lib64archive13-3.6.2-5.3.mga9.x86_64.rpm from //home/katnatek/qa-testing/x86_64
Preparing...                     ##################################################################################################
      1/2: lib64archive13        ##################################################################################################
      2/2: bsdtar                ##################################################################################################
      1/2: removing bsdtar-3.6.2-5.2.mga9.x86_64
                                 ##################################################################################################
      2/2: removing lib64archive13-3.6.2-5.2.mga9.x86_64
                                 ##################################################################################################

LC_ALL=C urpmi bsdcat bsdcpio


installing bsdcat-3.6.2-5.3.mga9.x86_64.rpm bsdcpio-3.6.2-5.3.mga9.x86_64.rpm from //home/katnatek/qa-testing/x86_64
Preparing...                     ##################################################################################################
      1/2: bsdcpio               ##################################################################################################
      2/2: bsdcat                ##################################################################################################

Go to my Image folder

bsdtar -c -f ~/archtar *

examined archtar with ark,
extracted archtar with ark, all files and folders checked OK

strace ark shows
openat(AT_FDCWD, "/lib64/libarchive.so.13", O_RDONLY|O_CLOEXEC) = 335

opened a rar file with ark and extracted it without issues


rpm2cpio ~/rpmfile.rpm|bsdcpio -idmv

extracted the content of the rpm successfully

CC: (none) => andrewsfarm
Keywords: (none) => advisory
Whiteboard: (none) => MGA9-64-OK

Comment 5 Thomas Andrews 2024-11-13 14:01:09 CET
Validating.

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 6 Mageia Robot 2024-11-13 19:48:51 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2024-0363.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED
