Security update for libarchive SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2022:0944-2 Final 1 1 2023-01-31T07:08:31Z current 2023-01-31T07:08:31Z 2023-01-31T07:08:31Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for libarchive This update for libarchive fixes the following issues: - CVE-2021-36976: Fixed an invalid memory access that could cause data corruption (bsc#1188572). Non-security updates: - Updated references for CVE-2017-5601, which was already fixed in a previous version (bsc#1022528 bsc#1189528). The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Image SLES15-SP2-Manager-4-1-Server-BYOS-Azure-2022-944,Image SLES15-SP2-Manager-4-1-Server-BYOS-EC2-HVM-2022-944,Image SLES15-SP2-Manager-4-1-Server-BYOS-GCE-2022-944,Image SLES15-SP3-EC2-HVM-2022-944,Image SLES15-SP3-Manager-4-2-Server-BYOS-Azure-2022-944,Image SLES15-SP3-Manager-4-2-Server-BYOS-EC2-HVM-2022-944,Image SLES15-SP3-Manager-4-2-Server-BYOS-GCE-2022-944,Image SLES15-SP3-SAP-Azure-2022-944,Image SLES15-SP3-SAP-EC2-HVM-2022-944,Image SLES15-SP3-SAP-GCE-2022-944,Image SLES15-SP3-SAPCAL-Azure-2022-944,Image SLES15-SP3-SAPCAL-EC2-HVM-2022-944,Image SLES15-SP3-SAPCAL-GCE-2022-944,SUSE-2022-944,SUSE-SLE-Product-HPC-15-SP2-LTSS-2023-217,SUSE-SLE-Product-SLES-15-SP2-LTSS-2023-217,SUSE-SLE-Product-SLES_SAP-15-SP2-2023-217,SUSE-Storage-7-2023-217 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2022/suse-su-20220944-2/ Link for SUSE-SU-2022:0944-2 https://lists.suse.com/pipermail/sle-security-updates/2023-January/013608.html E-Mail link for SUSE-SU-2022:0944-2 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1022528 SUSE Bug 1022528 https://bugzilla.suse.com/1188572 SUSE Bug 1188572 https://bugzilla.suse.com/1189528 SUSE Bug 1189528 https://www.suse.com/security/cve/CVE-2017-5601/ SUSE CVE CVE-2017-5601 page https://www.suse.com/security/cve/CVE-2021-36976/ SUSE CVE CVE-2021-36976 page Image SLES15-SP2-Manager-4-1-Server-BYOS-Azure Image SLES15-SP2-Manager-4-1-Server-BYOS-EC2-HVM Image SLES15-SP2-Manager-4-1-Server-BYOS-GCE Image SLES15-SP3-EC2-HVM Image SLES15-SP3-Manager-4-2-Server-BYOS-Azure Image SLES15-SP3-Manager-4-2-Server-BYOS-EC2-HVM Image SLES15-SP3-Manager-4-2-Server-BYOS-GCE Image SLES15-SP3-SAP-Azure Image SLES15-SP3-SAP-EC2-HVM Image SLES15-SP3-SAP-GCE Image SLES15-SP3-SAPCAL-Azure Image SLES15-SP3-SAPCAL-EC2-HVM Image SLES15-SP3-SAPCAL-GCE SUSE Enterprise Storage 7 SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS SUSE Linux Enterprise Server 15 SP2-LTSS SUSE Linux Enterprise Server for SAP Applications 15 SP2 libarchive13-3.4.2-150200.4.3.1 bsdtar-3.4.2-150200.4.3.1 libarchive-devel-3.4.2-150200.4.3.1 libarchive13-32bit-3.4.2-150200.4.3.1 libarchive13-64bit-3.4.2-150200.4.3.1 libarchive13-3.4.2-150200.4.3.1 as a component of Image SLES15-SP2-Manager-4-1-Server-BYOS-Azure libarchive13-3.4.2-150200.4.3.1 as a component of Image SLES15-SP2-Manager-4-1-Server-BYOS-EC2-HVM libarchive13-3.4.2-150200.4.3.1 as a component of Image SLES15-SP2-Manager-4-1-Server-BYOS-GCE libarchive13-3.4.2-150200.4.3.1 as a component of Image SLES15-SP3-EC2-HVM libarchive13-3.4.2-150200.4.3.1 as a component of Image SLES15-SP3-Manager-4-2-Server-BYOS-Azure libarchive13-3.4.2-150200.4.3.1 as a component of Image SLES15-SP3-Manager-4-2-Server-BYOS-EC2-HVM libarchive13-3.4.2-150200.4.3.1 as a component of Image SLES15-SP3-Manager-4-2-Server-BYOS-GCE libarchive13-3.4.2-150200.4.3.1 as a component of Image SLES15-SP3-SAP-Azure libarchive13-3.4.2-150200.4.3.1 as a component of Image SLES15-SP3-SAP-EC2-HVM libarchive13-3.4.2-150200.4.3.1 as a component of Image SLES15-SP3-SAP-GCE libarchive13-3.4.2-150200.4.3.1 as a component of Image SLES15-SP3-SAPCAL-Azure libarchive13-3.4.2-150200.4.3.1 as a component of Image SLES15-SP3-SAPCAL-EC2-HVM libarchive13-3.4.2-150200.4.3.1 as a component of Image SLES15-SP3-SAPCAL-GCE bsdtar-3.4.2-150200.4.3.1 as a component of SUSE Enterprise Storage 7 libarchive-devel-3.4.2-150200.4.3.1 as a component of SUSE Enterprise Storage 7 libarchive13-3.4.2-150200.4.3.1 as a component of SUSE Enterprise Storage 7 bsdtar-3.4.2-150200.4.3.1 as a component of SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS libarchive-devel-3.4.2-150200.4.3.1 as a component of SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS libarchive13-3.4.2-150200.4.3.1 as a component of SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS bsdtar-3.4.2-150200.4.3.1 as a component of SUSE Linux Enterprise Server 15 SP2-LTSS libarchive-devel-3.4.2-150200.4.3.1 as a component of SUSE Linux Enterprise Server 15 SP2-LTSS libarchive13-3.4.2-150200.4.3.1 as a component of SUSE Linux Enterprise Server 15 SP2-LTSS bsdtar-3.4.2-150200.4.3.1 as a component of SUSE Linux Enterprise Server for SAP Applications 15 SP2 libarchive-devel-3.4.2-150200.4.3.1 as a component of SUSE Linux Enterprise Server for SAP Applications 15 SP2 libarchive13-3.4.2-150200.4.3.1 as a component of SUSE Linux Enterprise Server for SAP Applications 15 SP2 An error in the lha_read_file_header_1() function (archive_read_support_format_lha.c) in libarchive 3.2.2 allows remote attackers to trigger an out-of-bounds read memory access and subsequently cause a crash via a specially crafted archive. CVE-2017-5601 Image SLES15-SP2-Manager-4-1-Server-BYOS-Azure:libarchive13-3.4.2-150200.4.3.1 Image SLES15-SP2-Manager-4-1-Server-BYOS-EC2-HVM:libarchive13-3.4.2-150200.4.3.1 Image SLES15-SP2-Manager-4-1-Server-BYOS-GCE:libarchive13-3.4.2-150200.4.3.1 Image SLES15-SP3-EC2-HVM:libarchive13-3.4.2-150200.4.3.1 Image SLES15-SP3-Manager-4-2-Server-BYOS-Azure:libarchive13-3.4.2-150200.4.3.1 Image SLES15-SP3-Manager-4-2-Server-BYOS-EC2-HVM:libarchive13-3.4.2-150200.4.3.1 Image SLES15-SP3-Manager-4-2-Server-BYOS-GCE:libarchive13-3.4.2-150200.4.3.1 Image SLES15-SP3-SAP-Azure:libarchive13-3.4.2-150200.4.3.1 Image SLES15-SP3-SAP-EC2-HVM:libarchive13-3.4.2-150200.4.3.1 Image SLES15-SP3-SAP-GCE:libarchive13-3.4.2-150200.4.3.1 Image SLES15-SP3-SAPCAL-Azure:libarchive13-3.4.2-150200.4.3.1 Image SLES15-SP3-SAPCAL-EC2-HVM:libarchive13-3.4.2-150200.4.3.1 Image SLES15-SP3-SAPCAL-GCE:libarchive13-3.4.2-150200.4.3.1 SUSE Enterprise Storage 7:bsdtar-3.4.2-150200.4.3.1 SUSE Enterprise Storage 7:libarchive-devel-3.4.2-150200.4.3.1 SUSE Enterprise Storage 7:libarchive13-3.4.2-150200.4.3.1 SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS:bsdtar-3.4.2-150200.4.3.1 SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS:libarchive-devel-3.4.2-150200.4.3.1 SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS:libarchive13-3.4.2-150200.4.3.1 SUSE Linux Enterprise Server 15 SP2-LTSS:bsdtar-3.4.2-150200.4.3.1 SUSE Linux Enterprise Server 15 SP2-LTSS:libarchive-devel-3.4.2-150200.4.3.1 SUSE Linux Enterprise Server 15 SP2-LTSS:libarchive13-3.4.2-150200.4.3.1 SUSE Linux Enterprise Server for SAP Applications 15 SP2:bsdtar-3.4.2-150200.4.3.1 SUSE Linux Enterprise Server for SAP Applications 15 SP2:libarchive-devel-3.4.2-150200.4.3.1 SUSE Linux Enterprise Server for SAP Applications 15 SP2:libarchive13-3.4.2-150200.4.3.1 moderate 5 AV:N/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2022/suse-su-20220944-2/ https://www.suse.com/security/cve/CVE-2017-5601.html CVE-2017-5601 https://bugzilla.suse.com/1022528 SUSE Bug 1022528 https://bugzilla.suse.com/1189528 SUSE Bug 1189528 libarchive 3.4.1 through 3.5.1 has a use-after-free in copy_string (called from do_uncompress_block and process_block). CVE-2021-36976 Image SLES15-SP2-Manager-4-1-Server-BYOS-Azure:libarchive13-3.4.2-150200.4.3.1 Image SLES15-SP2-Manager-4-1-Server-BYOS-EC2-HVM:libarchive13-3.4.2-150200.4.3.1 Image SLES15-SP2-Manager-4-1-Server-BYOS-GCE:libarchive13-3.4.2-150200.4.3.1 Image SLES15-SP3-EC2-HVM:libarchive13-3.4.2-150200.4.3.1 Image SLES15-SP3-Manager-4-2-Server-BYOS-Azure:libarchive13-3.4.2-150200.4.3.1 Image SLES15-SP3-Manager-4-2-Server-BYOS-EC2-HVM:libarchive13-3.4.2-150200.4.3.1 Image SLES15-SP3-Manager-4-2-Server-BYOS-GCE:libarchive13-3.4.2-150200.4.3.1 Image SLES15-SP3-SAP-Azure:libarchive13-3.4.2-150200.4.3.1 Image SLES15-SP3-SAP-EC2-HVM:libarchive13-3.4.2-150200.4.3.1 Image SLES15-SP3-SAP-GCE:libarchive13-3.4.2-150200.4.3.1 Image SLES15-SP3-SAPCAL-Azure:libarchive13-3.4.2-150200.4.3.1 Image SLES15-SP3-SAPCAL-EC2-HVM:libarchive13-3.4.2-150200.4.3.1 Image SLES15-SP3-SAPCAL-GCE:libarchive13-3.4.2-150200.4.3.1 SUSE Enterprise Storage 7:bsdtar-3.4.2-150200.4.3.1 SUSE Enterprise Storage 7:libarchive-devel-3.4.2-150200.4.3.1 SUSE Enterprise Storage 7:libarchive13-3.4.2-150200.4.3.1 SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS:bsdtar-3.4.2-150200.4.3.1 SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS:libarchive-devel-3.4.2-150200.4.3.1 SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS:libarchive13-3.4.2-150200.4.3.1 SUSE Linux Enterprise Server 15 SP2-LTSS:bsdtar-3.4.2-150200.4.3.1 SUSE Linux Enterprise Server 15 SP2-LTSS:libarchive-devel-3.4.2-150200.4.3.1 SUSE Linux Enterprise Server 15 SP2-LTSS:libarchive13-3.4.2-150200.4.3.1 SUSE Linux Enterprise Server for SAP Applications 15 SP2:bsdtar-3.4.2-150200.4.3.1 SUSE Linux Enterprise Server for SAP Applications 15 SP2:libarchive-devel-3.4.2-150200.4.3.1 SUSE Linux Enterprise Server for SAP Applications 15 SP2:libarchive13-3.4.2-150200.4.3.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2022/suse-su-20220944-2/ https://www.suse.com/security/cve/CVE-2021-36976.html CVE-2021-36976 https://bugzilla.suse.com/1188572 SUSE Bug 1188572