Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 882521 (CVE-2022-36227) - <app-arch/libarchive-3.6.1-r1: null pointer dereference
Summary: <app-arch/libarchive-3.6.1-r1: null pointer dereference
Status: RESOLVED FIXED
Alias: CVE-2022-36227
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: https://github.com/libarchive/libarch...
Whiteboard: A3 [glsa+]
Keywords: PullRequest
Depends on:
Blocks:
 
Reported: 2022-11-22 15:47 UTC by John Helmert III
Modified: 2023-09-29 13:40 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-11-22 15:47:04 UTC
CVE-2022-36227:

In libarchive 3.6.1, the software does not check for an error after calling calloc function that can return with a NULL pointer if the function fails, which leads to a resultant NULL pointer dereference or, in some cases, even arbitrary code execution.

No idea how a null pointer dereference could lead to code
execution. Unreleased patch is:
https://github.com/libarchive/libarchive/commit/fd180c36036df7181a64931264732a10ad8cd024
Comment 1 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-11-24 00:25:58 UTC
The reporter alleges this can achieve code execution on platforms where privileged code actually reads from the 0x0 memory address. I don't know of that being the case anywhere Gentoo is supported.
Comment 2 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2022-12-06 04:49:59 UTC
The fix looks trivial-ish, so I'll just put it straight to stable.
Comment 3 Larry the Git Cow gentoo-dev 2022-12-06 06:02:29 UTC
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b618d6ec93c66f91c071c99c65775aaef2471bdf

commit b618d6ec93c66f91c071c99c65775aaef2471bdf
Author:     Meena Shanmugam <meenashanmugam@google.com>
AuthorDate: 2022-12-06 00:32:30 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2022-12-06 06:02:16 +0000

    app-arch/libarchive: Add patch to fix CVE-2022-36227.
    
    New version is not released in libarchive with the CVE-2022-36227 fix.
    
    Closes: https://bugs.gentoo.org/882521
    Signed-off-by: Meena Shanmugam <meenashanmugam@google.com>
    Closes: https://github.com/gentoo/gentoo/pull/28560
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 .../files/libarchive-3.6.1-CVE-2022-36227.patch    | 35 ++++++++++++++++++++++
 ...ive-3.6.1.ebuild => libarchive-3.6.1-r1.ebuild} |  2 ++
 2 files changed, 37 insertions(+)
Comment 4 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2022-12-06 14:26:31 UTC
Sorry, didn't intend to close it.

Cleaned up now, anyway.
Comment 5 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-12-08 01:23:59 UTC
Thanks!
Comment 6 Parag 2023-02-21 07:42:45 UTC
Hi,
I am a beginner to CVEs vulnerability issues, So I want how to fix this issue in the Ubuntu 22.04 server.

I want to step in to fix this issue.
Comment 7 Parag 2023-02-21 07:45:33 UTC
This package info is
Package: libarchive13
Version: 3.6.0-1ubuntu1
Comment 8 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-02-22 00:07:37 UTC
(In reply to Parag from comment #6)
> Hi,
> I am a beginner to CVEs vulnerability issues, So I want how to fix this
> issue in the Ubuntu 22.04 server.
> 
> I want to step in to fix this issue.

Why would you ask Gentoo about Ubuntu?
Comment 9 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-09-25 04:24:34 UTC
GLSA request filed.
Comment 10 Larry the Git Cow gentoo-dev 2023-09-29 13:39:37 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=e05346e205e470b799ae6c0dafb506d6aa1cdae8

commit e05346e205e470b799ae6c0dafb506d6aa1cdae8
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2023-09-29 13:38:51 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2023-09-29 13:39:30 +0000

    [ GLSA 202309-14 ] libarchive: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/882521
    Bug: https://bugs.gentoo.org/911486
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 glsa-202309-14.xml | 43 +++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 43 insertions(+)