Libarchive v3.6.0 was discovered to contain an out-of-bounds read via the component zipx_lzma_alone_init.
Links: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=38766#c4
Unreleased patch: https://github.com/libarchive/libarchive/commit/cfaa28168a07ea4a53276b63068f94fce37d6aff
Released in 3.6.1
GLSA request filed
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=876025c7afca0f5ee13ac2b34bc49c9928ab4128

commit 876025c7afca0f5ee13ac2b34bc49c9928ab4128
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-08-14 16:08:34 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-08-14 16:09:43 +0000

    [ GLSA 202208-26 ] libarchive: Multiple Vulnerabilities

    Bug: https://bugs.gentoo.org/803128
    Bug: https://bugs.gentoo.org/836352
    Bug: https://bugs.gentoo.org/837266
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Sam James <sam@gentoo.org>

 glsa-202208-26.xml | 47 +++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 47 insertions(+)
GLSA done, all done.