Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 939800 (CVE-2024-20696, CVE-2024-26256, CVE-2024-48957, CVE-2024-48958) - <app-arch/libarchive-3.7.5: Multiple vulnerabilities
Summary: <app-arch/libarchive-3.7.5: Multiple vulnerabilities
Status: IN_PROGRESS
Alias: CVE-2024-20696, CVE-2024-26256, CVE-2024-48957, CVE-2024-48958
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal
Assignee: Gentoo Security
URL:
Whiteboard: A3 [glsa?]
Keywords:
Depends on: 939802
Blocks:
  Show dependency tree
 
Reported: 2024-09-18 02:23 UTC by Sam James
Modified: 2024-10-31 11:49 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2024-09-18 02:23:00 UTC
From https://github.com/libarchive/libarchive/releases/tag/v3.7.5:

"""
Security fixes:

    fix multiple vulnerabilities identified by SAST (#2251, #2256)
    cpio: ignore out-of-range gid/uid/size/ino and harden AFIO parsing (#2258)
    lzop: prevent integer overflow (#2174)
    rar4: protect copy_from_lzss_window_to_unp() (#2172, CVE-2024-20696)
    rar4: fix CVE-2024-26256 (#2269, CVS-2024-26256)
    rar4: fix OOB in delta and audio filter (#2148, #2149)
    rar4: fix out of boundary access with large files (#2179)
    rar4: add boundary checks to rgb filter (#2210)
    rar4: fix OOB access with unicode filenames (#2203)
    rar5: clear 'data ready' cache on window buffer reallocs (#2265)
    rpm: calculate huge header sizes correctly (#2158)
    unzip: unify EOF handling (#2175)
    util: fix out of boundary access in mktemp functions (#2160)
    uu: stop processing if lines are too long (#2168)
"""
Comment 1 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2024-09-18 03:57:44 UTC
The bump was blocked while I waited for a fix to be merged upstream, but I'll backport it now.
Comment 2 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2024-09-18 04:00:44 UTC
(In reply to Michał Górny from comment #1)
> The bump was blocked while I waited for a fix to be merged upstream, but
> I'll backport it now.

Ah, thanks. I only noticed the release by chance and figured there must be some reason ;)
Comment 3 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2024-10-31 05:00:20 UTC
cleanup done