ALT-PU-2022-1454-1
Package libarchive updated to version 3.6.0-alt1 for branch sisyphus in task 296421.
Closed vulnerabilities
BDU:2021-03887
Уязвимость функции do_uncompress_block and process_block библиотеки libarchive, позволяющая нарушителю вызвать отказ в обслуживании
BDU:2022-01463
Уязвимость библиотеки архивирования libarchive, связанная с отслеживанием символьных ссылок, позволяющая нарушителю повысить свои привилегии
BDU:2022-01464
Уязвимость библиотеки архивирования libarchive, связанная с отслеживанием символьных ссылок, позволяющая нарушителю повысить свои привилегии
Modified: 2024-11-21
CVE-2021-23177
An improper link resolution flaw while extracting an archive can lead to changing the access control list (ACL) of the target of the link. An attacker may provide a malicious archive to a victim user, who would trigger this flaw when trying to extract the archive. A local attacker may use this flaw to change the ACL of a file on the system and gain more privileges.
- https://access.redhat.com/security/cve/CVE-2021-23177
- https://access.redhat.com/security/cve/CVE-2021-23177
- https://bugzilla.redhat.com/show_bug.cgi?id=2024245
- https://bugzilla.redhat.com/show_bug.cgi?id=2024245
- https://github.com/libarchive/libarchive/commit/fba4f123cc456d2b2538f811bb831483bf336bad
- https://github.com/libarchive/libarchive/commit/fba4f123cc456d2b2538f811bb831483bf336bad
- https://github.com/libarchive/libarchive/issues/1565
- https://github.com/libarchive/libarchive/issues/1565
- [debian-lts-announce] 20221122 [SECURITY] [DLA 3202-1] libarchive security update
- [debian-lts-announce] 20221122 [SECURITY] [DLA 3202-1] libarchive security update
Modified: 2024-11-21
CVE-2021-31566
An improper link resolution flaw can occur while extracting an archive leading to changing modes, times, access control lists, and flags of a file outside of the archive. An attacker may provide a malicious archive to a victim user, who would trigger this flaw when trying to extract the archive. A local attacker may use this flaw to gain more privileges in a system.
- https://access.redhat.com/security/cve/CVE-2021-31566
- https://access.redhat.com/security/cve/CVE-2021-31566
- https://bugzilla.redhat.com/show_bug.cgi?id=2024237
- https://bugzilla.redhat.com/show_bug.cgi?id=2024237
- https://github.com/libarchive/libarchive/commit/b41daecb5ccb4c8e3b2c53fd6147109fc12c3043
- https://github.com/libarchive/libarchive/commit/b41daecb5ccb4c8e3b2c53fd6147109fc12c3043
- https://github.com/libarchive/libarchive/issues/1566
- https://github.com/libarchive/libarchive/issues/1566
- [debian-lts-announce] 20221122 [SECURITY] [DLA 3202-1] libarchive security update
- [debian-lts-announce] 20221122 [SECURITY] [DLA 3202-1] libarchive security update
Modified: 2024-11-21
CVE-2021-36976
libarchive 3.4.1 through 3.5.1 has a use-after-free in copy_string (called from do_uncompress_block and process_block).
- 20220314 APPLE-SA-2022-03-14-1 iOS 15.4 and iPadOS 15.4
- 20220314 APPLE-SA-2022-03-14-1 iOS 15.4 and iPadOS 15.4
- 20220314 APPLE-SA-2022-03-14-2 watchOS 8.5
- 20220314 APPLE-SA-2022-03-14-2 watchOS 8.5
- 20220314 APPLE-SA-2022-03-14-4 macOS Monterey 12.3
- 20220314 APPLE-SA-2022-03-14-4 macOS Monterey 12.3
- https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=32375
- https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=32375
- https://github.com/google/oss-fuzz-vulns/blob/main/vulns/libarchive/OSV-2021-557.yaml
- https://github.com/google/oss-fuzz-vulns/blob/main/vulns/libarchive/OSV-2021-557.yaml
- FEDORA-2022-9bb794c5f5
- FEDORA-2022-9bb794c5f5
- GLSA-202208-26
- GLSA-202208-26
- https://support.apple.com/kb/HT213182
- https://support.apple.com/kb/HT213182
- https://support.apple.com/kb/HT213183
- https://support.apple.com/kb/HT213183
- https://support.apple.com/kb/HT213193
- https://support.apple.com/kb/HT213193