Bug 2144972 (CVE-2022-36227)

Summary: CVE-2022-36227 libarchive: NULL pointer dereference in archive_write.c
Product: [Other] Security Response Reporter: Pedro Sampaio <psampaio>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: acrosby, adudiak, aoconnor, bdettelb, caswilli, databases-maint, dffrench, dhalasz, dkuc, fjansen, gzaronik, hbraun, hkataria, ikanias, jary, jburrell, jkoehler, jmitchel, jtanner, jwon, kaycoth, kshier, ljavorsk, micjohns, mmuzila, ngough, pkubat, praiskup, rbobbitt, rgodfrey, rravi, stcannon, sthirugn, tcarlin, tfister, tohughes, vkrizan, vmugicag, yguenane, zmiklank
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in libarchive. A missing check of the return value of the calloc function can cause a NULL pointer dereference in an out-of-memory condition or when a memory allocation limit is reached, resulting in the program linked with libarchive to crash.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2023-05-17 00:51:37 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2144973, 2144974, 2144975, 2147362, 2147363    
Bug Blocks: 2144976    

Description Pedro Sampaio 2022-11-22 20:01:01 UTC 
In libarchive 3.6.1, the software does not check for an error after calling calloc function that can return with a NULL pointer if the function fails, which leads to a resultant NULL pointer dereference or, in some cases, even arbitrary code execution.

Upstream patch:
https://github.com/libarchive/libarchive/commit/fd180c36036df7181a64931264732a10ad8cd024
Comment 1 Pedro Sampaio 2022-11-22 20:01:25 UTC 
Created cmake3 tracking bugs for this issue:

Affects: epel-all [bug 2144973]


Created libarchive tracking bugs for this issue:

Affects: fedora-all [bug 2144974]


Created mingw-libarchive tracking bugs for this issue:

Affects: fedora-all [bug 2144975]
Comment 2 Guilherme de Almeida Suckevicz 2022-11-23 19:08:33 UTC 
Reference:
https://github.com/libarchive/libarchive/issues/1754
Comment 5 errata-xmlrpc 2023-05-09 07:56:48 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:2532 https://access.redhat.com/errata/RHSA-2023:2532
Comment 7 errata-xmlrpc 2023-05-16 08:43:29 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:3018 https://access.redhat.com/errata/RHSA-2023:3018
Comment 8 Product Security DevOps Team 2023-05-17 00:51:33 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-36227
Comment 10 errata-xmlrpc 2024-01-10 13:22:34 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Extended Update Support

Via RHSA-2024:0146 https://access.redhat.com/errata/RHSA-2024:0146