CVE-2021-36976: libarchive 3.4.1 through 3.5.1 has a use-after-free in copy_string (called from do_uncompress_block and process_block). I guess this is unfixed? No references in the CVE to a fix, nor the oss-fuzz issue.
This is one of the most useless reports I've seen. There's literally zero detail on what's happening, only the name of the function (which luckily seems to be used only once, so apparently it's affecting libarchive/archive_read_support_format_rar5.c). The detailed report does not seem to be public, the bug has apparently been kept secret for 3 months without anyone bothering to report it upstream, and now a CVE was released with practically no details and apparently still nobody cared to report it.
Package list is empty or all packages have requested keywords.
The fixes are apparently still work-in-progress.
oss-fuzz shows this as fixed as of d3ae4163e1d51b1b0c039fd2140e9f3aae4c6559: https://github.com/libarchive/libarchive/commit/d3ae4163e1d51b1b0c039fd2140e9f3aae4c6559

There's also https://github.com/libarchive/libarchive/commit/b9675888c288fb8b293a69783712bbc2a4573773 which apparently fixes some OOB reads.
This pull request was merged: https://github.com/libarchive/libarchive/pull/1491
Someone commented on the PR that this fixed these oss-fuzz issues (comment now deleted?):

"OSS-Fuzz has just reported that this bugfix has resolved the issues: [#31890](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=31890#c4) [#38744](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=38744#c4) [#38754](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=38754#c4) [#38770](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=38770#c4) [#39951](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=39951#c4)"

Release seemingly incoming: https://github.com/libarchive/libarchive/pull/1491#issuecomment-1031989787
Libarchive 3.5.3 is a security release

Security Fixes:
- extended fix for following symlinks when processing the fixup list (#1566, #1617, CVE-2021-31566)
- fix invalid memory access and out of bounds read in RAR5 reader (#1491, #1492, #1493, CVE-2021-36976)

So I guess they've fixed it finally.
Cleanup done.
GLSA request filed
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=876025c7afca0f5ee13ac2b34bc49c9928ab4128

commit 876025c7afca0f5ee13ac2b34bc49c9928ab4128
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-08-14 16:08:34 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-08-14 16:09:43 +0000

    [ GLSA 202208-26 ] libarchive: Multiple Vulnerabilities

    Bug: https://bugs.gentoo.org/803128
    Bug: https://bugs.gentoo.org/836352
    Bug: https://bugs.gentoo.org/837266
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Sam James <sam@gentoo.org>

 glsa-202208-26.xml | 47 +++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 47 insertions(+)
GLSA done, all done.