
Bug 939800 (CVE-2024-20696, CVE-2024-26256, CVE-2024-48957, CVE-2024-48958)

Summary: <app-arch/libarchive-3.7.5: Multiple vulnerabilities
Product: Gentoo Security
Reporter: Sam James <sam>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: IN_PROGRESS ---
Severity: normal
CC: mgorny
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: A3 [glsa?]
Package list:
Runtime testing required: ---
Bug Depends on: 939802
Bug Blocks:

Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2024-09-18 02:23:00 UTC
From https://github.com/libarchive/libarchive/releases/tag/v3.7.5:

"""
Security fixes:

    fix multiple vulnerabilities identified by SAST (#2251, #2256)
    cpio: ignore out-of-range gid/uid/size/ino and harden AFIO parsing (#2258)
    lzop: prevent integer overflow (#2174)
    rar4: protect copy_from_lzss_window_to_unp() (#2172, CVE-2024-20696)
    rar4: fix CVE-2024-26256 (#2269, CVE-2024-26256)
    rar4: fix OOB in delta and audio filter (#2148, #2149)
    rar4: fix out of boundary access with large files (#2179)
    rar4: add boundary checks to rgb filter (#2210)
    rar4: fix OOB access with unicode filenames (#2203)
    rar5: clear 'data ready' cache on window buffer reallocs (#2265)
    rpm: calculate huge header sizes correctly (#2158)
    unzip: unify EOF handling (#2175)
    util: fix out of boundary access in mktemp functions (#2160)
    uu: stop processing if lines are too long (#2168)
"""
Comment 1 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2024-09-18 03:57:44 UTC
The bump was blocked while I waited for a fix to be merged upstream, but I'll backport it now.
Comment 2 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2024-09-18 04:00:44 UTC
(In reply to Michał Górny from comment #1)
> The bump was blocked while I waited for a fix to be merged upstream, but
> I'll backport it now.

Ah, thanks. I only noticed the release by chance and figured there must be some reason ;)
Comment 3 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2024-10-31 05:00:20 UTC
Cleanup done.