| Summary: | <app-arch/libarchive-3.5.3: multiple vulnerabilities | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | John Helmert III <ajak> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | minor | CC: | mgorny |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=32375 | | |
| See Also: | https://github.com/libarchive/libarchive/issues/1554 | | |
| Whiteboard: | B3 [glsa+] | | |
| Package list: | | Runtime testing required: | --- |
| Bug Depends on: | 832897 | | |
| Bug Blocks: | | | |
Description
John Helmert III
2021-07-20 23:29:45 UTC
This is one of the most useless reports I've seen. There's literally zero detail on what's happening, only the name of the function (which luckily seems to be used only once, so apparently it's affecting libarchive/archive_read_support_format_rar5.c). The detailed report does not seem to be public, the bug has apparently been kept secret for 3 months without bothering to report it upstream, and now the CVE was released with practically no details and apparently still nobody cared to report it.

The fixes are apparently still work-in-progress.

oss-fuzz shows this as fixed as of d3ae4163e1d51b1b0c039fd2140e9f3aae4c6559: https://github.com/libarchive/libarchive/commit/d3ae4163e1d51b1b0c039fd2140e9f3aae4c6559

There's also https://github.com/libarchive/libarchive/commit/b9675888c288fb8b293a69783712bbc2a4573773 which apparently fixes some OOB reads.
This pull request was merged: https://github.com/libarchive/libarchive/pull/1491

Someone commented on the PR that this fixed these oss-fuzz issues (comment now deleted?): "OSS-Fuzz has just reported that this bugfix has resolved the issues: [#31890](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=31890#c4) [#38744](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=38744#c4) [#38754](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=38754#c4) [#38770](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=38770#c4) [#39951](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=39951#c4)"

Release seemingly incoming: https://github.com/libarchive/libarchive/pull/1491#issuecomment-1031989787

Libarchive 3.5.3 is a security release

Security Fixes:
- extended fix for following symlinks when processing the fixup list (#1566, #1617, CVE-2021-31566)
- fix invalid memory access and out of bounds read in RAR5 reader (#1491, #1492, #1493, CVE-2021-36976)

So I guess they've fixed it finally.

Cleanup done.

GLSA request filed

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=876025c7afca0f5ee13ac2b34bc49c9928ab4128

commit 876025c7afca0f5ee13ac2b34bc49c9928ab4128
Author: GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-08-14 16:08:34 +0000
Commit: Sam James <sam@gentoo.org>
CommitDate: 2022-08-14 16:09:43 +0000

[ GLSA 202208-26 ] libarchive: Multiple Vulnerabilities

Bug: https://bugs.gentoo.org/803128
Bug: https://bugs.gentoo.org/836352
Bug: https://bugs.gentoo.org/837266
Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
Signed-off-by: Sam James <sam@gentoo.org>

glsa-202208-26.xml | 47 +++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 47 insertions(+)

GLSA done, all done.