[Git][security-tracker-team/security-tracker][master] Correct tracking for CVE-2021-36976/libarchive
Salvatore Bonaccorso (@carnil)
carnil at debian.org
Fri Nov 18 19:59:58 GMT 2022
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
c8cced87 by Salvatore Bonaccorso at 2022-11-18T20:53:02+01:00
Correct tracking for CVE-2021-36976/libarchive
The oss-fuzz report testcase is as well a "RAR archive data, v5" making
clear the referenced fixing commit touching only
libarchive/archive_read_support_format_tar.c unrelated to the issue.
There is enough evidence as well with crosschecking with other distros
that we can consider the introducing commit to be 47bb8187d3ef ("RAR5
reader: window_mask was not updated correctly").
Discussion with upstream in
https://github.com/libarchive/libarchive/issues/1554 in particular
leading to
https://github.com/libarchive/libarchive/pull/1491#issuecomment-997453342
indicate the fix
https://github.com/libarchive/libarchive/commit/17f4e83c0f0fc3bacf4b2bbacb01f987bb5aff5f
https://github.com/google/oss-fuzz-vulns/blob/main/vulns/libarchive/OSV-2021-557.yaml
is confusing further as it specifies as fix 56c920eab335 ("Merge pull
request #1626 from evelikov/bsdtar-allow-ax") which with the above does
not make sense. IIRC back when the CVE appeared first in the feed the
OSV-2021-557.yaml was the only additional reference available.
In short: Introducing commit is 47bb8187d3ef ("RAR5 reader: window_mask
was not updated correctly"). Fixing commit is 17f4e83c0f0f ("RAR5
reader: fix invalid memory access in some files").
Update buster affected status accordingly and bring it in line with the
stretch analysis.
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -98152,12 +98152,13 @@ CVE-2021-36977 (matio (aka MAT File I/O Library) 1.5.20 and 1.5.21 has a heap-ba
CVE-2021-36976 (libarchive 3.4.1 through 3.5.1 has a use-after-free in copy_string (ca ...)
- libarchive 3.6.0-1 (bug #991442)
[bullseye] - libarchive <no-dsa> (Minor issue)
- [buster] - libarchive <no-dsa> (Minor issue)
+ [buster] - libarchive <not-affected> (Vulnerable code introduced by 47bb818 in version 3.4.1)
[stretch] - libarchive <not-affected> (Vulnerable code introduced by 47bb818 in version 3.4.1)
NOTE: https://github.com/libarchive/libarchive/issues/1554
NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=32375
NOTE: https://github.com/google/oss-fuzz-vulns/blob/main/vulns/libarchive/OSV-2021-557.yaml
- NOTE: https://github.com/libarchive/libarchive/commit/d3ae4163e1d51b1b0c039fd2140e9f3aae4c6559
+ NOTE: Introduced by: https://github.com/libarchive/libarchive/commit/47bb8187d3ef2d49ee8c7841cb2872b3cfa1f6f7 (v3.4.1)
+ NOTE: Fixed by: https://github.com/libarchive/libarchive/commit/17f4e83c0f0fc3bacf4b2bbacb01f987bb5aff5f (v3.6.0)
CVE-2021-36975 (Win32k Elevation of Privilege Vulnerability This CVE ID is unique from ...)
NOT-FOR-US: Microsoft
CVE-2021-36974 (Windows SMB Elevation of Privilege Vulnerability ...)
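Review bot: the retained OSV-2021-557.yaml NOTE now sits directly above a "Fixed by:" line naming 17f4e83c0f0f, while the commit message says that OSV entry specifies 56c920eab335 as the fix, and nothing in the CVE-2021-36976 entry itself records that discrepancy. Consider adding one more NOTE line stating that the fix reference in the OSV entry does not match the actual fixing commit, so that a later reader does not re-derive the buster status from it. The same applies to the removed d3ae4163 NOTE: the reason for dropping it lives only in the commit message, not in data/CVE/list.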
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c8cced870a4a4f3029998dbde3e742b7f4c847c1