Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
c8cced87 by Salvatore Bonaccorso at 2022-11-18T20:53:02+01:00

Correct tracking for CVE-2021-36976/libarchive

The oss-fuzz report testcase is as well a "RAR archive data, v5" making clear the referenced fixing commit touching only libarchive/archive_read_support_format_tar.c unrelated to the issue.

There is enough evidence as well with crosschecking with other distros that we can consider the introducing commit be 47bb8187d3ef ("RAR5 reader: window_mask was not updated correctly").

Discussion with upstream in https://github.com/libarchive/libarchive/issues/1554 in particular leading to https://github.com/libarchive/libarchive/pull/1491#issuecomment-997453342 indicate the fix https://github.com/libarchive/libarchive/commit/17f4e83c0f0fc3bacf4b2bbacb01f987bb5aff5f

https://github.com/google/oss-fuzz-vulns/blob/main/vulns/libarchive/OSV-2021-557.yaml is confusing further as it specifies as fix 56c920eab335 ("Merge pull request #1626 from evelikov/bsdtar-allow-ax") which with the above does not make sense. IIRC back when the CVE appeared first in the feed the OSV-2021-557.yaml was the only additional reference available.

In short: Introducing commit is 47bb8187d3ef ("RAR5 reader: window_mask was not updated correctly"). Fixing commit is 17f4e83c0f0f ("RAR5 reader: fix invalid memory access in some files").

Update buster affected status accordingly and bring it inline to the stretch analysis.

- - - - -

1 changed file:

- data/CVE/list

Changes:

=====================================
data/CVE/list
=====================================
@@ -98152,12 +98152,13 @@ CVE-2021-36977 (matio (aka MAT File I/O Library) 1.5.20 and 1.5.21 has a heap-ba CVE-2021-36976 (libarchive 3.4.1 through 3.5.1 has a use-after-free in copy_string (ca ...) - libarchive 3.6.0-1 (bug #991442) [bullseye] - libarchive <no-dsa> (Minor issue) - [buster] - libarchive <no-dsa> (Minor issue) + [buster] - libarchive <not-affected> (Vulnerable code introduced by 47bb818 in version 3.4.1) [stretch] - libarchive <not-affected> (Vulnerable code introduced by 47bb818 in version 3.4.1) NOTE: https://github.com/libarchive/libarchive/issues/1554 NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=32375 NOTE: https://github.com/google/oss-fuzz-vulns/blob/main/vulns/libarchive/OSV-2021-557.yaml - NOTE: https://github.com/libarchive/libarchive/commit/d3ae4163e1d51b1b0c039fd2140e9f3aae4c6559 + NOTE: Introduced by: https://github.com/libarchive/libarchive/commit/47bb8187d3ef2d49ee8c7841cb2872b3cfa1f6f7 (v3.4.1) + NOTE: Fixed by: https://github.com/libarchive/libarchive/commit/17f4e83c0f0fc3bacf4b2bbacb01f987bb5aff5f (v3.6.0) CVE-2021-36975 (Win32k Elevation of Privilege Vulnerability This CVE ID is unique from ...) NOT-FOR-US: Microsoft CVE-2021-36974 (Windows SMB Elevation of Privilege Vulnerability ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c8cced870a4a4f3029998dbde3e742b7f4c847c1 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c8cced870a4a4f3029998dbde3e742b7f4c847c1 You're receiving this email because of your account on salsa.debian.org.
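Review bot: The retained NOTE for OSV-2021-557.yaml stays in the CVE-2021-36976 entry without any qualifier, although the commit message says the fix it names (56c920eab335) does not make sense; someone reading data/CVE/list alone sees that reference next to the new "Fixed by:" line with nothing to say which one to trust. Consider adding a short NOTE that the fix commit listed in the OSV entry is not the fix, and that the dropped d3ae4163e1d5 reference touched only libarchive/archive_read_support_format_tar.c, so the reasoning is kept in the tracker data and not only in the commit log. The upstream comment at pull/1491#issuecomment-997453342, which the commit message cites as leading to 17f4e83c0f0f, could be recorded as a NOTE as well.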
debian-security-tracker-commits mailing list
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
