Bug 2170784 (CVE-2022-36369)

Summary: CVE-2022-36369 qatzip: local privilege escalation
Product: [Other] Security Response Reporter: TEJ RATHI <trathi>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: vdronov
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: qatzip 1.0.9 Doc Type: If docs needed, set a value
Doc Text:
A potential flaw was found in QATzip. This vulnerability may allow escalation of privileges.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2023-05-31 21:14:46 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2171981, 2171982, 2178769    
Bug Blocks: 2170785    

Description TEJ RATHI 2023-02-17 08:51:53 UTC 
Improper access control in some QATzip software maintained by Intel(R) before version 1.0.9 may allow an authenticated user to potentially enable escalation of privilege via local access.

Affects QATzip before version 1.0.9.

http://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00765.html
Comment 2 Mauro Matteo Cascella 2023-04-14 17:02:32 UTC 
This issue was fixed upstream in version 1.0.9. The qatzip packages as shipped in following Red Hat products were previously updated to a version that contains the fix via the following errata:

qatzip in Red Hat Enterprise Linux 8
https://access.redhat.com/errata/RHBA-2022:7667

qatzip in Red Hat Enterprise Linux 9
https://access.redhat.com/errata/RHBA-2022:8256
Comment 3 errata-xmlrpc 2023-04-25 10:23:56 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Extended Update Support

Via RHSA-2023:1976 https://access.redhat.com/errata/RHSA-2023:1976
Comment 6 errata-xmlrpc 2023-05-31 15:53:45 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Extended Update Support

Via RHSA-2023:3397 https://access.redhat.com/errata/RHSA-2023:3397
Comment 7 Product Security DevOps Team 2023-05-31 21:14:45 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-36369