Security update for libarchive SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2022:1930-1 Final 1 1 2022-06-02T15:34:49Z current 2022-06-02T15:34:49Z 2022-06-02T15:34:49Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for libarchive This update for libarchive fixes the following issues: - CVE-2022-26280: Fixed out-of-bounds read via the component zipx_lzma_alone_init (bsc#1197634). - CVE-2021-36976: Fixed use-after-free in copy_string (called from do_uncompress_block and process_block) (bsc#1188572). - CVE-2017-5601: Fixed out-of-bounds memory access preventing denial-of-service (bsc#1197634, bsc#1189528). The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Image SLES15-SP4-Manager-Server-4-3-BYOS-2022-1930,Image SLES15-SP4-Manager-Server-4-3-BYOS-Azure-2022-1930,Image SLES15-SP4-Manager-Server-4-3-BYOS-EC2-2022-1930,Image SLES15-SP4-Manager-Server-4-3-BYOS-GCE-2022-1930,Image SLES15-SP4-SAP-2022-1930,Image SLES15-SP4-SAP-Azure-2022-1930,Image SLES15-SP4-SAP-EC2-2022-1930,Image SLES15-SP4-SAP-GCE-2022-1930,Image SLES15-SP4-SAPCAL-2022-1930,Image SLES15-SP4-SAPCAL-Azure-2022-1930,Image SLES15-SP4-SAPCAL-EC2-2022-1930,Image SLES15-SP4-SAPCAL-GCE-2022-1930,Image SLES15-SP5-SAP-Azure-2022-1930,Image SLES15-SP5-SAP-EC2-2022-1930,Image SLES15-SP5-SAP-GCE-2022-1930,Image SLES15-SP5-SAPCAL-Azure-2022-1930,Image SLES15-SP5-SAPCAL-EC2-2022-1930,Image SLES15-SP5-SAPCAL-GCE-2022-1930,SUSE-2022-1930,SUSE-SLE-Module-Basesystem-15-SP4-2022-1930,SUSE-SLE-Module-Development-Tools-15-SP4-2022-1930,openSUSE-SLE-15.4-2022-1930 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2022/suse-su-20221930-1/ Link for SUSE-SU-2022:1930-1 https://lists.suse.com/pipermail/sle-security-updates/2022-June/011227.html E-Mail link for SUSE-SU-2022:1930-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1022528 SUSE Bug 1022528 https://bugzilla.suse.com/1188572 SUSE Bug 1188572 https://bugzilla.suse.com/1189528 SUSE Bug 1189528 https://bugzilla.suse.com/1197634 SUSE Bug 1197634 https://www.suse.com/security/cve/CVE-2017-5601/ SUSE CVE CVE-2017-5601 page https://www.suse.com/security/cve/CVE-2021-36976/ SUSE CVE CVE-2021-36976 page https://www.suse.com/security/cve/CVE-2022-26280/ SUSE CVE CVE-2022-26280 page Image SLES15-SP4-Manager-Server-4-3-BYOS Image SLES15-SP4-Manager-Server-4-3-BYOS-Azure Image SLES15-SP4-Manager-Server-4-3-BYOS-EC2 Image SLES15-SP4-Manager-Server-4-3-BYOS-GCE Image SLES15-SP4-SAP Image SLES15-SP4-SAP-Azure Image SLES15-SP4-SAP-EC2 Image SLES15-SP4-SAP-GCE Image SLES15-SP4-SAPCAL Image SLES15-SP4-SAPCAL-Azure Image SLES15-SP4-SAPCAL-EC2 Image SLES15-SP4-SAPCAL-GCE Image SLES15-SP5-SAP-Azure Image SLES15-SP5-SAP-EC2 Image SLES15-SP5-SAP-GCE Image SLES15-SP5-SAPCAL-Azure Image SLES15-SP5-SAPCAL-EC2 Image SLES15-SP5-SAPCAL-GCE SUSE Linux Enterprise Module for Basesystem 15 SP4 SUSE Linux Enterprise Module for Development Tools 15 SP4 openSUSE Leap 15.4 libarchive13-3.5.1-150400.3.3.1 bsdtar-3.5.1-150400.3.3.1 libarchive-devel-3.5.1-150400.3.3.1 libarchive13-32bit-3.5.1-150400.3.3.1 libarchive13-64bit-3.5.1-150400.3.3.1 libarchive13-3.5.1-150400.3.3.1 as a component of Image SLES15-SP4-Manager-Server-4-3-BYOS libarchive13-3.5.1-150400.3.3.1 as a component of Image SLES15-SP4-Manager-Server-4-3-BYOS-Azure libarchive13-3.5.1-150400.3.3.1 as a component of Image SLES15-SP4-Manager-Server-4-3-BYOS-EC2 libarchive13-3.5.1-150400.3.3.1 as a component of Image SLES15-SP4-Manager-Server-4-3-BYOS-GCE libarchive13-3.5.1-150400.3.3.1 as a component of Image SLES15-SP4-SAP libarchive13-3.5.1-150400.3.3.1 as a component of Image SLES15-SP4-SAP-Azure libarchive13-3.5.1-150400.3.3.1 as a component of Image SLES15-SP4-SAP-EC2 libarchive13-3.5.1-150400.3.3.1 as a component of Image SLES15-SP4-SAP-GCE libarchive13-3.5.1-150400.3.3.1 as a component of Image SLES15-SP4-SAPCAL libarchive13-3.5.1-150400.3.3.1 as a component of Image SLES15-SP4-SAPCAL-Azure libarchive13-3.5.1-150400.3.3.1 as a component of Image SLES15-SP4-SAPCAL-EC2 libarchive13-3.5.1-150400.3.3.1 as a component of Image SLES15-SP4-SAPCAL-GCE libarchive13-3.5.1-150400.3.3.1 as a component of Image SLES15-SP5-SAP-Azure libarchive13-3.5.1-150400.3.3.1 as a component of Image SLES15-SP5-SAP-EC2 libarchive13-3.5.1-150400.3.3.1 as a component of Image SLES15-SP5-SAP-GCE libarchive13-3.5.1-150400.3.3.1 as a component of Image SLES15-SP5-SAPCAL-Azure libarchive13-3.5.1-150400.3.3.1 as a component of Image SLES15-SP5-SAPCAL-EC2 libarchive13-3.5.1-150400.3.3.1 as a component of Image SLES15-SP5-SAPCAL-GCE libarchive-devel-3.5.1-150400.3.3.1 as a component of SUSE Linux Enterprise Module for Basesystem 15 SP4 libarchive13-3.5.1-150400.3.3.1 as a component of SUSE Linux Enterprise Module for Basesystem 15 SP4 bsdtar-3.5.1-150400.3.3.1 as a component of SUSE Linux Enterprise Module for Development Tools 15 SP4 bsdtar-3.5.1-150400.3.3.1 as a component of openSUSE Leap 15.4 libarchive-devel-3.5.1-150400.3.3.1 as a component of openSUSE Leap 15.4 libarchive13-3.5.1-150400.3.3.1 as a component of openSUSE Leap 15.4 libarchive13-32bit-3.5.1-150400.3.3.1 as a component of openSUSE Leap 15.4 An error in the lha_read_file_header_1() function (archive_read_support_format_lha.c) in libarchive 3.2.2 allows remote attackers to trigger an out-of-bounds read memory access and subsequently cause a crash via a specially crafted archive. CVE-2017-5601 Image SLES15-SP4-Manager-Server-4-3-BYOS-Azure:libarchive13-3.5.1-150400.3.3.1 Image SLES15-SP4-Manager-Server-4-3-BYOS-EC2:libarchive13-3.5.1-150400.3.3.1 Image SLES15-SP4-Manager-Server-4-3-BYOS-GCE:libarchive13-3.5.1-150400.3.3.1 Image SLES15-SP4-Manager-Server-4-3-BYOS:libarchive13-3.5.1-150400.3.3.1 Image SLES15-SP4-SAP-Azure:libarchive13-3.5.1-150400.3.3.1 Image SLES15-SP4-SAP-EC2:libarchive13-3.5.1-150400.3.3.1 Image SLES15-SP4-SAP-GCE:libarchive13-3.5.1-150400.3.3.1 Image SLES15-SP4-SAP:libarchive13-3.5.1-150400.3.3.1 Image SLES15-SP4-SAPCAL-Azure:libarchive13-3.5.1-150400.3.3.1 Image SLES15-SP4-SAPCAL-EC2:libarchive13-3.5.1-150400.3.3.1 Image SLES15-SP4-SAPCAL-GCE:libarchive13-3.5.1-150400.3.3.1 Image SLES15-SP4-SAPCAL:libarchive13-3.5.1-150400.3.3.1 Image SLES15-SP5-SAP-Azure:libarchive13-3.5.1-150400.3.3.1 Image SLES15-SP5-SAP-EC2:libarchive13-3.5.1-150400.3.3.1 Image SLES15-SP5-SAP-GCE:libarchive13-3.5.1-150400.3.3.1 Image SLES15-SP5-SAPCAL-Azure:libarchive13-3.5.1-150400.3.3.1 Image SLES15-SP5-SAPCAL-EC2:libarchive13-3.5.1-150400.3.3.1 Image SLES15-SP5-SAPCAL-GCE:libarchive13-3.5.1-150400.3.3.1 SUSE Linux Enterprise Module for Basesystem 15 SP4:libarchive-devel-3.5.1-150400.3.3.1 SUSE Linux Enterprise Module for Basesystem 15 SP4:libarchive13-3.5.1-150400.3.3.1 SUSE Linux Enterprise Module for Development Tools 15 SP4:bsdtar-3.5.1-150400.3.3.1 openSUSE Leap 15.4:bsdtar-3.5.1-150400.3.3.1 openSUSE Leap 15.4:libarchive-devel-3.5.1-150400.3.3.1 openSUSE Leap 15.4:libarchive13-3.5.1-150400.3.3.1 openSUSE Leap 15.4:libarchive13-32bit-3.5.1-150400.3.3.1 moderate 5 AV:N/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2022/suse-su-20221930-1/ https://www.suse.com/security/cve/CVE-2017-5601.html CVE-2017-5601 https://bugzilla.suse.com/1022528 SUSE Bug 1022528 https://bugzilla.suse.com/1189528 SUSE Bug 1189528 libarchive 3.4.1 through 3.5.1 has a use-after-free in copy_string (called from do_uncompress_block and process_block). CVE-2021-36976 Image SLES15-SP4-Manager-Server-4-3-BYOS-Azure:libarchive13-3.5.1-150400.3.3.1 Image SLES15-SP4-Manager-Server-4-3-BYOS-EC2:libarchive13-3.5.1-150400.3.3.1 Image SLES15-SP4-Manager-Server-4-3-BYOS-GCE:libarchive13-3.5.1-150400.3.3.1 Image SLES15-SP4-Manager-Server-4-3-BYOS:libarchive13-3.5.1-150400.3.3.1 Image SLES15-SP4-SAP-Azure:libarchive13-3.5.1-150400.3.3.1 Image SLES15-SP4-SAP-EC2:libarchive13-3.5.1-150400.3.3.1 Image SLES15-SP4-SAP-GCE:libarchive13-3.5.1-150400.3.3.1 Image SLES15-SP4-SAP:libarchive13-3.5.1-150400.3.3.1 Image SLES15-SP4-SAPCAL-Azure:libarchive13-3.5.1-150400.3.3.1 Image SLES15-SP4-SAPCAL-EC2:libarchive13-3.5.1-150400.3.3.1 Image SLES15-SP4-SAPCAL-GCE:libarchive13-3.5.1-150400.3.3.1 Image SLES15-SP4-SAPCAL:libarchive13-3.5.1-150400.3.3.1 Image SLES15-SP5-SAP-Azure:libarchive13-3.5.1-150400.3.3.1 Image SLES15-SP5-SAP-EC2:libarchive13-3.5.1-150400.3.3.1 Image SLES15-SP5-SAP-GCE:libarchive13-3.5.1-150400.3.3.1 Image SLES15-SP5-SAPCAL-Azure:libarchive13-3.5.1-150400.3.3.1 Image SLES15-SP5-SAPCAL-EC2:libarchive13-3.5.1-150400.3.3.1 Image SLES15-SP5-SAPCAL-GCE:libarchive13-3.5.1-150400.3.3.1 SUSE Linux Enterprise Module for Basesystem 15 SP4:libarchive-devel-3.5.1-150400.3.3.1 SUSE Linux Enterprise Module for Basesystem 15 SP4:libarchive13-3.5.1-150400.3.3.1 SUSE Linux Enterprise Module for Development Tools 15 SP4:bsdtar-3.5.1-150400.3.3.1 openSUSE Leap 15.4:bsdtar-3.5.1-150400.3.3.1 openSUSE Leap 15.4:libarchive-devel-3.5.1-150400.3.3.1 openSUSE Leap 15.4:libarchive13-3.5.1-150400.3.3.1 openSUSE Leap 15.4:libarchive13-32bit-3.5.1-150400.3.3.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2022/suse-su-20221930-1/ https://www.suse.com/security/cve/CVE-2021-36976.html CVE-2021-36976 https://bugzilla.suse.com/1188572 SUSE Bug 1188572 Libarchive v3.6.0 was discovered to contain an out-of-bounds read via the component zipx_lzma_alone_init. CVE-2022-26280 Image SLES15-SP4-Manager-Server-4-3-BYOS-Azure:libarchive13-3.5.1-150400.3.3.1 Image SLES15-SP4-Manager-Server-4-3-BYOS-EC2:libarchive13-3.5.1-150400.3.3.1 Image SLES15-SP4-Manager-Server-4-3-BYOS-GCE:libarchive13-3.5.1-150400.3.3.1 Image SLES15-SP4-Manager-Server-4-3-BYOS:libarchive13-3.5.1-150400.3.3.1 Image SLES15-SP4-SAP-Azure:libarchive13-3.5.1-150400.3.3.1 Image SLES15-SP4-SAP-EC2:libarchive13-3.5.1-150400.3.3.1 Image SLES15-SP4-SAP-GCE:libarchive13-3.5.1-150400.3.3.1 Image SLES15-SP4-SAP:libarchive13-3.5.1-150400.3.3.1 Image SLES15-SP4-SAPCAL-Azure:libarchive13-3.5.1-150400.3.3.1 Image SLES15-SP4-SAPCAL-EC2:libarchive13-3.5.1-150400.3.3.1 Image SLES15-SP4-SAPCAL-GCE:libarchive13-3.5.1-150400.3.3.1 Image SLES15-SP4-SAPCAL:libarchive13-3.5.1-150400.3.3.1 Image SLES15-SP5-SAP-Azure:libarchive13-3.5.1-150400.3.3.1 Image SLES15-SP5-SAP-EC2:libarchive13-3.5.1-150400.3.3.1 Image SLES15-SP5-SAP-GCE:libarchive13-3.5.1-150400.3.3.1 Image SLES15-SP5-SAPCAL-Azure:libarchive13-3.5.1-150400.3.3.1 Image SLES15-SP5-SAPCAL-EC2:libarchive13-3.5.1-150400.3.3.1 Image SLES15-SP5-SAPCAL-GCE:libarchive13-3.5.1-150400.3.3.1 SUSE Linux Enterprise Module for Basesystem 15 SP4:libarchive-devel-3.5.1-150400.3.3.1 SUSE Linux Enterprise Module for Basesystem 15 SP4:libarchive13-3.5.1-150400.3.3.1 SUSE Linux Enterprise Module for Development Tools 15 SP4:bsdtar-3.5.1-150400.3.3.1 openSUSE Leap 15.4:bsdtar-3.5.1-150400.3.3.1 openSUSE Leap 15.4:libarchive-devel-3.5.1-150400.3.3.1 openSUSE Leap 15.4:libarchive13-3.5.1-150400.3.3.1 openSUSE Leap 15.4:libarchive13-32bit-3.5.1-150400.3.3.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2022/suse-su-20221930-1/ https://www.suse.com/security/cve/CVE-2022-26280.html CVE-2022-26280 https://bugzilla.suse.com/1197634 SUSE Bug 1197634