Bug 882521 (CVE-2022-36227)

Summary:	<app-arch/libarchive-3.6.1-r1: null pointer dereference
Product:	Gentoo Security	Reporter:	John Helmert III <ajak>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	RESOLVED FIXED
Severity:	normal	CC:	mgorny
Priority:	Normal	Keywords:	PullRequest
Version:	unspecified
Hardware:	All
OS:	Linux
URL:	https://github.com/libarchive/libarchive/issues/1754
See Also:	https://github.com/gentoo/gentoo/pull/28560
Whiteboard:	A3 [glsa+]
Package list:		Runtime testing required:	---

Description John Helmert III archtester

2022-11-22 15:47:04 UTC

CVE-2022-36227:

In libarchive 3.6.1, the software does not check for an error after calling calloc function that can return with a NULL pointer if the function fails, which leads to a resultant NULL pointer dereference or, in some cases, even arbitrary code execution.

No idea how a null pointer dereference could lead to code
execution. Unreleased patch is:
https://github.com/libarchive/libarchive/commit/fd180c36036df7181a64931264732a10ad8cd024

Comment 1 John Helmert III archtester

2022-11-24 00:25:58 UTC

The reporter alleges this can achieve code execution on platforms where privileged code actually reads from the 0x0 memory address. I don't know of that being the case anywhere Gentoo is supported.

Comment 2 Michał Górny archtester

2022-12-06 04:49:59 UTC

The fix looks trivial-ish, so I'll just put it straight to stable.

Comment 3 Larry the Git Cow gentoo-dev

2022-12-06 06:02:29 UTC

The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b618d6ec93c66f91c071c99c65775aaef2471bdf

commit b618d6ec93c66f91c071c99c65775aaef2471bdf
Author:     Meena Shanmugam <meenashanmugam@google.com>
AuthorDate: 2022-12-06 00:32:30 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2022-12-06 06:02:16 +0000

    app-arch/libarchive: Add patch to fix CVE-2022-36227.
    
    New version is not released in libarchive with the CVE-2022-36227 fix.
    
    Closes: https://bugs.gentoo.org/882521
    Signed-off-by: Meena Shanmugam <meenashanmugam@google.com>
    Closes: https://github.com/gentoo/gentoo/pull/28560
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 .../files/libarchive-3.6.1-CVE-2022-36227.patch    | 35 ++++++++++++++++++++++
 ...ive-3.6.1.ebuild => libarchive-3.6.1-r1.ebuild} |  2 ++
 2 files changed, 37 insertions(+)

Comment 4 Michał Górny archtester

2022-12-06 14:26:31 UTC

Sorry, didn't intend to close it.

Cleaned up now, anyway.

Comment 5 John Helmert III archtester

2022-12-08 01:23:59 UTC

Thanks!

Comment 6 Parag 2023-02-21 07:42:45 UTC

Hi,
I am a beginner to CVEs vulnerability issues, So I want how to fix this issue in the Ubuntu 22.04 server.

I want to step in to fix this issue.

Comment 7 Parag 2023-02-21 07:45:33 UTC

This package info is
Package: libarchive13
Version: 3.6.0-1ubuntu1

Comment 8 John Helmert III archtester

2023-02-22 00:07:37 UTC

(In reply to Parag from comment #6)
> Hi,
> I am a beginner to CVEs vulnerability issues, So I want how to fix this
> issue in the Ubuntu 22.04 server.
> 
> I want to step in to fix this issue.

Why would you ask Gentoo about Ubuntu?

Comment 9 John Helmert III archtester

2023-09-25 04:24:34 UTC

GLSA request filed.

Comment 10 Larry the Git Cow gentoo-dev

2023-09-29 13:39:37 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=e05346e205e470b799ae6c0dafb506d6aa1cdae8

commit e05346e205e470b799ae6c0dafb506d6aa1cdae8
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2023-09-29 13:38:51 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2023-09-29 13:39:30 +0000

    [ GLSA 202309-14 ] libarchive: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/882521
    Bug: https://bugs.gentoo.org/911486
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 glsa-202309-14.xml | 43 +++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 43 insertions(+)