CVE-2022-36227: In libarchive 3.6.1, the software does not check for an error after calling calloc function that can return with a NULL pointer if the function fails, which leads to a resultant NULL pointer dereference or, in some cases, even arbitrary code execution. No idea how a null pointer dereference could lead to code execution. Unreleased patch is: https://github.com/libarchive/libarchive/commit/fd180c36036df7181a64931264732a10ad8cd024
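As an added illustration, not code from libarchive or from the patch linked above, here is the allocation pattern the CVE description refers to beside its checked form. The `entry` struct, the `fail_next_alloc` hook and `checked_calloc` are constructed for this example so that an allocation failure can be forced and the error-handling path exercised.

```c
#include <errno.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Constructed hook: lets a test force the next allocation to fail, as calloc does under memory pressure. */
static int fail_next_alloc = 0;
static void *checked_calloc(size_t n, size_t sz) {
    if (fail_next_alloc) { fail_next_alloc = 0; errno = ENOMEM; return NULL; }
    return calloc(n, sz);
}

/* Constructed stand-in for a small header record an archive reader would allocate. */
struct entry { char *name; size_t size; };

/* The bug class behind CVE-2022-36227: calloc's result is used without a NULL check.
   If the allocation fails, the stores below go through a NULL pointer. Shown for contrast only. */
struct entry *entry_new_unchecked(const char *name, size_t size) {
    struct entry *e = checked_calloc(1, sizeof *e);
    e->size = size;                       /* NULL dereference when calloc failed */
    e->name = NULL; (void)name;
    return e;
}

/* Hardened form: every allocation is checked, partial work is released, and the
   failure is reported to the caller. Returns 0 on success, -1 with errno set on failure. */
int entry_new(const char *name, size_t size, struct entry **out) {
    *out = NULL;
    struct entry *e = checked_calloc(1, sizeof *e);
    if (e == NULL) return -1;
    size_t len = strlen(name) + 1;
    e->name = checked_calloc(len, 1);
    if (e->name == NULL) { free(e); return -1; }   /* release what was already allocated */
    memcpy(e->name, name, len);
    e->size = size;
    *out = e;
    return 0;
}

void entry_free(struct entry *e) {
    if (e) { free(e->name); free(e); }
}

/* Exercises the failure path: forces calloc to fail and checks that entry_new
   reports the error and leaves the output pointer NULL instead of dereferencing it. */
int entry_new_survives_alloc_failure(void) {
    struct entry *e = (struct entry *)1;   /* sentinel, must be reset to NULL */
    fail_next_alloc = 1;
    int rc = entry_new("header", 16, &e);
    return rc == -1 && e == NULL && errno == ENOMEM;
}
```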
The reporter alleges this can achieve code execution on platforms where privileged code actually reads from the 0x0 memory address. I don't know of that being the case anywhere Gentoo is supported.
The fix looks trivial-ish, so I'll just put it straight to stable.
The bug has been closed via the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b618d6ec93c66f91c071c99c65775aaef2471bdf

commit b618d6ec93c66f91c071c99c65775aaef2471bdf
Author:     Meena Shanmugam <meenashanmugam@google.com>
AuthorDate: 2022-12-06 00:32:30 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2022-12-06 06:02:16 +0000

    app-arch/libarchive: Add patch to fix CVE-2022-36227.

    New version is not released in libarchive with the CVE-2022-36227 fix.

    Closes: https://bugs.gentoo.org/882521
    Signed-off-by: Meena Shanmugam <meenashanmugam@google.com>
    Closes: https://github.com/gentoo/gentoo/pull/28560
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 .../files/libarchive-3.6.1-CVE-2022-36227.patch    | 35 ++++++++++++++++++++++
 ...ive-3.6.1.ebuild => libarchive-3.6.1-r1.ebuild} |  2 ++
 2 files changed, 37 insertions(+)
Sorry, didn't intend to close it. Cleaned up now, anyway.
Thanks!