Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 837266 (CVE-2022-28066) - <app-arch/libarchive-3.6.1: multiple vulnerabilities
Summary: <app-arch/libarchive-3.6.1: multiple vulnerabilities
Status: IN_PROGRESS
Alias: CVE-2022-28066
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL:
Whiteboard: B2 [glsa?]
Keywords:
Depends on: 837293
Blocks:
  Show dependency tree
 
Reported: 2022-04-08 14:03 UTC by Michał Górny
Modified: 2022-05-07 15:09 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2022-04-08 14:03:05 UTC
```
Security fixes:
- 7zip reader: fix PPMD read beyond boundary (#1671)
- ZIP reader: fix possible out of bounds read ([OSS-Fuzz 38766](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=38766&q=libarchive) #1672)
- ISO reader: fix possible heap buffer overflow in ```read_children()``` ([OSS-Fuzz 38764](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=38764&q=libarchive), #1685)
- RARv4 redaer: fix multiple issues in RARv4 filter code (introduced in libarchive 3.6.0)
  - fix heap use after free in ```archive_read_format_rar_read_data()``` ([OSS-Fuzz 44547](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=44547&q=libarchive), 52efa50c69653029687bfc545703b7340b7a51e2)
  - fix null dereference in ```read_data_compressed()``` ([OSS-Fuzz 44843](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=44843&q=libarchive), 1271f775dc917798ad7d03c3b3bd66bacad03603)
  - fix heap user after free in ```run_filters()``` ([OSS-Fuzz 46279](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=46279&q=libarchive), #1715)
```
Comment 1 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2022-04-16 15:48:25 UTC
cleanup done
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-04-16 17:42:09 UTC
Thanks!
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-05-07 15:09:18 UTC
CVE-2022-28066 (https://github.com/libarchive/libarchive/issues/1672):

Libarchive v3.6.0 was discovered to contain a read memory access vulnerability via the function lzma_decode.