Bug 803128 (CVE-2021-36976) - app-arch/libarchive: UAF in copy_string (CVE-2021-36976)
Summary: app-arch/libarchive: UAF in copy_string (CVE-2021-36976)
Status: CONFIRMED
Alias: CVE-2021-36976
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://bugs.chromium.org/p/oss-fuzz/...
Whiteboard: B3 [upstream]
Keywords:
Depends on:
Blocks:
Reported: 2021-07-20 23:29 UTC by John Helmert III
Modified: 2021-08-23 05:45 UTC

See Also:
Package list:
Runtime testing required: ---
Description John Helmert III gentoo-dev Security 2021-07-20 23:29:45 UTC
CVE-2021-36976:

libarchive 3.4.1 through 3.5.1 has a use-after-free in copy_string (called from do_uncompress_block and process_block).


I guess this is unfixed? No references in the CVE to a fix, nor the oss-fuzz issue.
Comment 1 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2021-07-21 07:40:49 UTC
This is one of the most useless reports I've seen. There's literally zero detail on what's happening, only the name of the function (which luckily seems to be used only once, so apparently it's affecting libarchive/archive_read_support_format_rar5.c). The detailed report does not seem to be public, the bug has apparently been kept secret for 3 months without bothering to report it upstream, and now the CVE was released with practically no details and apparently still nobody cared to report it.
Comment 2 NATTkA bot gentoo-dev 2021-07-29 17:20:48 UTC Comment hidden (obsolete)
Comment 3 NATTkA bot gentoo-dev 2021-07-29 17:28:55 UTC Comment hidden (obsolete)
Comment 4 NATTkA bot gentoo-dev 2021-07-29 17:36:51 UTC Comment hidden (obsolete)
Comment 5 NATTkA bot gentoo-dev 2021-07-29 17:44:54 UTC Comment hidden (obsolete)
Comment 6 NATTkA bot gentoo-dev 2021-07-29 17:52:57 UTC Comment hidden (obsolete)
Comment 7 NATTkA bot gentoo-dev 2021-07-29 17:56:53 UTC Comment hidden (obsolete)
Comment 8 NATTkA bot gentoo-dev 2021-07-29 18:00:53 UTC Comment hidden (obsolete)
Comment 9 NATTkA bot gentoo-dev 2021-07-29 18:09:11 UTC
Package list is empty or all packages have requested keywords.
Comment 10 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2021-08-23 05:45:57 UTC
The fixes are apparently still work-in-progress.