ALAS2023-2023-071

An improper link resolution flaw can occur while extracting an archive leading to changing modes, times, access control lists, and flags of a file outside of the archive. An attacker may provide a malicious archive to a victim user, who would trigger this flaw when trying to extract the archive. A local attacker may use this flaw to gain more privileges in a system. (CVE-2021-31566)

A use-after-free flaw was found in libarchive in the copy_string function. (CVE-2021-36976)

An out-of-bounds read flaw was found in libarchive. This flaw allows an attacker who can supply a specially crafted zip file to libarchive to cause an out-of-bounds read in programs linked with libarchive, using the LZMA zip functionality. The consequences depend on the specific program linked with libarchive. Still, they would most likely result in an application crash or information disclosure that could be used in conjunction with another exploit. (CVE-2022-26280)

aarch64:
    bsdtar-debuginfo-3.5.3-2.amzn2023.0.2.aarch64
    bsdcat-debuginfo-3.5.3-2.amzn2023.0.2.aarch64
    bsdcpio-debuginfo-3.5.3-2.amzn2023.0.2.aarch64
    libarchive-debuginfo-3.5.3-2.amzn2023.0.2.aarch64
    libarchive-debugsource-3.5.3-2.amzn2023.0.2.aarch64
    libarchive-3.5.3-2.amzn2023.0.2.aarch64
    bsdcpio-3.5.3-2.amzn2023.0.2.aarch64
    bsdtar-3.5.3-2.amzn2023.0.2.aarch64
    libarchive-devel-3.5.3-2.amzn2023.0.2.aarch64
    bsdcat-3.5.3-2.amzn2023.0.2.aarch64

src:
    libarchive-3.5.3-2.amzn2023.0.2.src

x86_64:
    bsdtar-debuginfo-3.5.3-2.amzn2023.0.2.x86_64
    bsdcat-debuginfo-3.5.3-2.amzn2023.0.2.x86_64
    bsdtar-3.5.3-2.amzn2023.0.2.x86_64
    libarchive-debugsource-3.5.3-2.amzn2023.0.2.x86_64
    bsdcat-3.5.3-2.amzn2023.0.2.x86_64
    bsdcpio-debuginfo-3.5.3-2.amzn2023.0.2.x86_64
    libarchive-3.5.3-2.amzn2023.0.2.x86_64
    libarchive-debuginfo-3.5.3-2.amzn2023.0.2.x86_64
    bsdcpio-3.5.3-2.amzn2023.0.2.x86_64
    libarchive-devel-3.5.3-2.amzn2023.0.2.x86_64