Bug 2071931 (CVE-2022-26280)

Summary: CVE-2022-26280 libarchive: an out-of-bounds read via the component zipx_lzma_alone_init
Product: [Other] Security Response Reporter: Vipul Nair <vinair>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: besser82, databases-maint, ljavorsk, mike, mmuzila, ndevos, odubaj, panovotn, pkubat, praiskup, saroy, tcullum, trpost, zmiklank
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: libarchive 3.6.1 Doc Type: If docs needed, set a value
Doc Text:
An out-of-bounds read flaw was found in libarchive. This flaw allows an attacker who can supply a specially crafted zip file to libarchive to cause an out-of-bounds read in programs linked with libarchive, using the LZMA zip functionality. The consequences depend on the specific program linked with libarchive. Still, they would most likely result in an application crash or information disclosure that could be used in conjunction with another exploit.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2022-07-01 08:42:39 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2071933, 2071934, 2071935, 2086976, 2086977    
Bug Blocks: 2071936    

Description Vipul Nair 2022-04-05 09:19:13 UTC 
Libarchive v3.6.0 was discovered to contain an out-of-bounds read via the component zipx_lzma_alone_init.

https://github.com/libarchive/libarchive/issues/1672
Comment 1 Vipul Nair 2022-04-05 09:21:45 UTC 
Created cmake3 tracking bugs for this issue:

Affects: epel-all [bug 2071933]


Created libarchive tracking bugs for this issue:

Affects: fedora-all [bug 2071934]


Created mingw-libarchive tracking bugs for this issue:

Affects: fedora-all [bug 2071935]
Comment 2 Sandipan Roy 2022-05-16 13:10:50 UTC 
Patch: https://github.com/libarchive/libarchive/commit/cfaa28168a07ea4a53276b63068f94fce37d6aff
Comment 9 errata-xmlrpc 2022-06-28 14:59:51 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2022:5252 https://access.redhat.com/errata/RHSA-2022:5252
Comment 10 Product Security DevOps Team 2022-07-01 08:42:36 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-26280