Bug 882521 (CVE-2022-36227) - <app-arch/libarchive-3.6.1-r1: null pointer dereference
Summary: <app-arch/libarchive-3.6.1-r1: null pointer dereference
Status: IN_PROGRESS
Alias: CVE-2022-36227
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://github.com/libarchive/libarch...
Whiteboard: A3 [glsa?]
Keywords: PullRequest
Depends on:
Blocks:
 
Reported: 2022-11-22 15:47 UTC by John Helmert III
Modified: 2022-12-08 01:23 UTC

See Also:
Package list:
Runtime testing required: ---


Description John Helmert III 2022-11-22 15:47:04 UTC
CVE-2022-36227:

In libarchive 3.6.1, the software does not check for an error after calling calloc function that can return with a NULL pointer if the function fails, which leads to a resultant NULL pointer dereference or, in some cases, even arbitrary code execution.

No idea how a null pointer dereference could lead to code execution. Unreleased patch is:
https://github.com/libarchive/libarchive/commit/fd180c36036df7181a64931264732a10ad8cd024
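The defect class described above, an allocation result used without a NULL check, is easiest to see with the weak and the corrected pattern side by side. The following is an added illustration written for this page, not code from libarchive or from the linked commit: `decode_vulnerable`, `decode_hardened`, `demo_calloc`, `force_next_alloc_failure` and the `DEMO_*` status codes are all made-up names, and the allocator hook exists only so that an allocation failure can be triggered deterministically instead of waiting for the system to run out of memory.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Status codes for this demo (hypothetical, not libarchive's). */
#define DEMO_OK      0
#define DEMO_FATAL  -30

/* Test hook (hypothetical): when set, the next demo_calloc() call returns
 * NULL exactly as calloc() does when the allocation cannot be satisfied. */
static int fail_next_alloc = 0;

void force_next_alloc_failure(void)
{
    fail_next_alloc = 1;
}

static void *demo_calloc(size_t nmemb, size_t size)
{
    if (fail_next_alloc) {
        fail_next_alloc = 0;
        return NULL;
    }
    return calloc(nmemb, size);
}

/* Weak pattern: the calloc() result is written to without a NULL check.
 * Under memory pressure buf is NULL and memcpy() dereferences it, which
 * in user space is a crash (denial of service). */
int decode_vulnerable(const unsigned char *in, size_t len, unsigned char **out)
{
    unsigned char *buf = demo_calloc(len, 1);
    memcpy(buf, in, len);      /* no check: NULL pointer dereference on failure */
    *out = buf;
    return DEMO_OK;
}

/* Corrected pattern: check the allocation, report failure to the caller,
 * and leave the output pointer in a defined state. */
int decode_hardened(const unsigned char *in, size_t len, unsigned char **out)
{
    unsigned char *buf = demo_calloc(len, 1);
    if (buf == NULL) {
        *out = NULL;
        return DEMO_FATAL;     /* caller must treat this as a hard error */
    }
    memcpy(buf, in, len);
    *out = buf;
    return DEMO_OK;
}

int main(void)
{
    /* Constructed sample input for the demo. */
    const unsigned char sample[] = { 0x50, 0x4b, 0x03, 0x04 };
    unsigned char *out = NULL;

    int rc = decode_hardened(sample, sizeof sample, &out);
    printf("normal allocation: rc=%d out=%p\n", rc, (void *)out);
    free(out);

    force_next_alloc_failure();
    rc = decode_hardened(sample, sizeof sample, &out);
    printf("forced failure:    rc=%d out=%p\n", rc, (void *)out);
    /* decode_vulnerable() under the same forced failure would crash here. */
    return 0;
}
```

The hardened variant is what a reviewer looks for in allocation-heavy parsers: every `calloc`/`malloc` result is tested, the error is propagated rather than swallowed, and nothing downstream ever sees the half-initialised state.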
Comment 1 John Helmert III 2022-11-24 00:25:58 UTC
The reporter alleges this can achieve code execution on platforms where privileged code actually reads from the 0x0 memory address. I don't know of that being the case anywhere Gentoo is supported.
Comment 2 Michał Górny 2022-12-06 04:49:59 UTC
The fix looks trivial-ish, so I'll just put it straight to stable.
Comment 3 Larry the Git Cow 2022-12-06 06:02:29 UTC
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b618d6ec93c66f91c071c99c65775aaef2471bdf

commit b618d6ec93c66f91c071c99c65775aaef2471bdf
Author:     Meena Shanmugam <meenashanmugam@google.com>
AuthorDate: 2022-12-06 00:32:30 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2022-12-06 06:02:16 +0000

    app-arch/libarchive: Add patch to fix CVE-2022-36227.
    
    New version is not released in libarchive with the CVE-2022-36227 fix.
    
    Closes: https://bugs.gentoo.org/882521
    Signed-off-by: Meena Shanmugam <meenashanmugam@google.com>
    Closes: https://github.com/gentoo/gentoo/pull/28560
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 .../files/libarchive-3.6.1-CVE-2022-36227.patch    | 35 ++++++++++++++++++++++
 ...ive-3.6.1.ebuild => libarchive-3.6.1-r1.ebuild} |  2 ++
 2 files changed, 37 insertions(+)
Comment 4 Michał Górny 2022-12-06 14:26:31 UTC
Sorry, didn't intend to close it.

Cleaned up now, anyway.
Comment 5 John Helmert III 2022-12-08 01:23:59 UTC
Thanks!