ALAS-2022-201

Amazon Linux 2022 Security Advisory: ALAS-2022-201
Advisory Release Date: 2022-11-01 21:25 Pacific
Advisory Updated Date: 2022-12-06 16:47 Pacific
Severity: Medium
Issue Overview:

An out-of-bounds read flaw was found in libarchive. This flaw allows an attacker who can supply a specially crafted zip file to libarchive to cause an out-of-bounds read in programs linked with libarchive, using the LZMA zip functionality. The consequences depend on the specific program linked with libarchive. Still, they would most likely result in an application crash or information disclosure that could be used in conjunction with another exploit. (CVE-2022-26280)


Affected Packages:

libarchive


Issue Correction:
Run dnf update libarchive --releasever=2022.0.20221102 to update your system.

New Packages:
aarch64:
    bsdcpio-debuginfo-3.5.3-2.amzn2022.0.1.aarch64
    libarchive-debugsource-3.5.3-2.amzn2022.0.1.aarch64
    bsdtar-3.5.3-2.amzn2022.0.1.aarch64
    bsdcat-debuginfo-3.5.3-2.amzn2022.0.1.aarch64
    bsdtar-debuginfo-3.5.3-2.amzn2022.0.1.aarch64
    bsdcat-3.5.3-2.amzn2022.0.1.aarch64
    libarchive-debuginfo-3.5.3-2.amzn2022.0.1.aarch64
    bsdcpio-3.5.3-2.amzn2022.0.1.aarch64
    libarchive-3.5.3-2.amzn2022.0.1.aarch64
    libarchive-devel-3.5.3-2.amzn2022.0.1.aarch64

src:
    libarchive-3.5.3-2.amzn2022.0.1.src

x86_64:
    libarchive-debuginfo-3.5.3-2.amzn2022.0.1.x86_64
    libarchive-devel-3.5.3-2.amzn2022.0.1.x86_64
    libarchive-debugsource-3.5.3-2.amzn2022.0.1.x86_64
    bsdtar-debuginfo-3.5.3-2.amzn2022.0.1.x86_64
    bsdcpio-3.5.3-2.amzn2022.0.1.x86_64
    bsdcat-3.5.3-2.amzn2022.0.1.x86_64
    bsdcpio-debuginfo-3.5.3-2.amzn2022.0.1.x86_64
    libarchive-3.5.3-2.amzn2022.0.1.x86_64
    bsdcat-debuginfo-3.5.3-2.amzn2022.0.1.x86_64
    bsdtar-3.5.3-2.amzn2022.0.1.x86_64

Additional References

Red Hat: CVE-2021-31566, CVE-2021-36976, CVE-2022-26280

Mitre: CVE-2021-31566, CVE-2021-36976, CVE-2022-26280