ALAS2022-2022-059


Amazon Linux 2022 Security Advisory: ALAS-2022-059
Advisory Release Date: 2022-05-04 21:04 Pacific
Advisory Updated Date: 2022-05-06 16:19 Pacific
Severity: Medium

Issue Overview:

An improper link resolution flaw can occur while extracting an archive leading to changing modes, times, access control lists, and flags of a file outside of the archive. An attacker may provide a malicious archive to a victim user, who would trigger this flaw when trying to extract the archive. A local attacker may use this flaw to gain more privileges in a system. (CVE-2021-31566)

A use-after-free flaw was found in libarchive in the copy_string function. (CVE-2021-36976)


Affected Packages:

libarchive


Issue Correction:
Run dnf update --releasever=2022.0.20220504 libarchive to update your system.

New Packages:
aarch64:
    libarchive-debuginfo-3.5.3-1.amzn2022.aarch64
    bsdcpio-debuginfo-3.5.3-1.amzn2022.aarch64
    bsdcat-3.5.3-1.amzn2022.aarch64
    bsdcpio-3.5.3-1.amzn2022.aarch64
    bsdcat-debuginfo-3.5.3-1.amzn2022.aarch64
    libarchive-devel-3.5.3-1.amzn2022.aarch64
    bsdtar-debuginfo-3.5.3-1.amzn2022.aarch64
    bsdtar-3.5.3-1.amzn2022.aarch64
    libarchive-3.5.3-1.amzn2022.aarch64
    libarchive-debugsource-3.5.3-1.amzn2022.aarch64

src:
    libarchive-3.5.3-1.amzn2022.src

x86_64:
    bsdtar-debuginfo-3.5.3-1.amzn2022.x86_64
    bsdcat-3.5.3-1.amzn2022.x86_64
    bsdcpio-3.5.3-1.amzn2022.x86_64
    libarchive-debugsource-3.5.3-1.amzn2022.x86_64
    libarchive-debuginfo-3.5.3-1.amzn2022.x86_64
    bsdcpio-debuginfo-3.5.3-1.amzn2022.x86_64
    bsdcat-debuginfo-3.5.3-1.amzn2022.x86_64
    bsdtar-3.5.3-1.amzn2022.x86_64
    libarchive-3.5.3-1.amzn2022.x86_64
    libarchive-devel-3.5.3-1.amzn2022.x86_64
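
To confirm the update landed, the following added example (not part of the advisory) flags installed libarchive runtime packages older than the fixed build 3.5.3-1.amzn2022 listed above. It assumes input produced by `rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n'`, uses a simplified port of rpm's version comparison (no epoch, `~` or `^` handling), and runs on constructed sample lines.

```python
import re

# Fixed build and runtime package names taken from the advisory's New Packages list.
FIXED_EVR = "3.5.3-1.amzn2022"
AFFECTED = {"libarchive", "libarchive-devel", "bsdtar", "bsdcpio", "bsdcat"}

def rpmvercmp(a, b):
    """Simplified rpm ordering: compare alternating numeric/alphabetic runs."""
    sa = re.findall(r"\d+|[A-Za-z]+", a)
    sb = re.findall(r"\d+|[A-Za-z]+", b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            x, y = int(x), int(y)            # 10 > 3, unlike a string compare
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1  # a numeric run sorts newer than alpha
        if x != y:
            return 1 if x > y else -1
    # All shared runs equal: the string with extra runs is newer.
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def evr_cmp(a, b):
    """Compare 'version-release' strings: version first, then release."""
    va, ra = a.rsplit("-", 1)
    vb, rb = b.rsplit("-", 1)
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)

def unpatched(rpm_lines):
    """Return (name, version-release) for affected packages below the fixed build."""
    hits = []
    for line in rpm_lines.splitlines():
        parts = line.split()
        if len(parts) != 2 or parts[0] not in AFFECTED:
            continue
        name, evr = parts
        if evr_cmp(evr, FIXED_EVR) < 0:
            hits.append((name, evr))
    return hits

# Constructed sample inventory (not real host output).
SAMPLE = """\
libarchive 3.5.1-2.amzn2022
bsdtar 3.5.3-1.amzn2022
bash 5.1.8-2.amzn2022
bsdcat 3.5.10-1.amzn2022
"""

if __name__ == "__main__":
    for name, evr in unpatched(SAMPLE):
        print(f"{name} {evr} is older than {FIXED_EVR}")
```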