Bug 1192425 (CVE-2021-23177)

Summary: VUL-0: CVE-2021-23177: libarchive: extracting a symlink with ACLs modifies ACLs of target
Product: [openSUSE] openSUSE Distribution Reporter: Andreas Stieger <Andreas.Stieger>
Component: SecurityAssignee: Security Team bot <security-team>
Status: RESOLVED FIXED QA Contact: E-mail List <qa-bugs>
Severity: Normal    
Priority: P3 - Medium CC: abergmann, adrian.schroeter, cathy.hu, rfrohl, security-team, stoyan.manolov
Version: Leap 15.3   
Target Milestone: ---   
Hardware: Other   
OS: Other   
Whiteboard:
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Andreas Stieger 2021-11-07 19:31:11 UTC 
In libarchive before 3.5.2, when an archive entry contains a symbolic link that has defined ACLs on Linux, on extraction the ACLs of the link target are modified. This is because the function acl_set_file() is used without a prior check if the file is not a symbolic link. On Linux ACLs on symbolic links are not supported.

References:
https://github.com/libarchive/libarchive/issues/1565
https://github.com/libarchive/libarchive/commit/fba4f123cc456d2b2538f811bb831483bf336bad
Comment 1 Andreas Stieger 2021-11-07 19:33:12 UTC 
https://build.opensuse.org/request/show/930015
Comment 2 Adrian Schröter 2021-11-08 08:17:30 UTC 
thanks! maintenance submission is in 930073 in OBS.
Comment 6 Swamp Workflow Management 2021-11-17 14:20:17 UTC 
SUSE-SU-2021:3722-1: An update that solves one vulnerability and has three fixes is now available.

Category: security (moderate)
Bug References: 1157569,1192425,1192426,1192427
CVE References: CVE-2019-19221
JIRA References: 
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    libarchive-3.3.3-32.5.1
SUSE Linux Enterprise Server 12-SP5 (src):    libarchive-3.3.3-32.5.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 10 Alexander Bergmann 2022-09-13 05:58:14 UTC 
*** Bug 1195844 has been marked as a duplicate of this bug. ***
Comment 11 Swamp Workflow Management 2022-09-19 13:21:27 UTC 
SUSE-SU-2022:3306-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1192425
CVE References: CVE-2021-23177
JIRA References: 
Sources used:
openSUSE Leap 15.4 (src):    libarchive-3.5.1-150400.3.6.1
SUSE Linux Enterprise Module for Development Tools 15-SP4 (src):    libarchive-3.5.1-150400.3.6.1
SUSE Linux Enterprise Module for Basesystem 15-SP4 (src):    libarchive-3.5.1-150400.3.6.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 12 Swamp Workflow Management 2022-09-26 19:32:54 UTC 
SUSE-SU-2022:3393-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1192425
CVE References: CVE-2021-23177
JIRA References: 
Sources used:
openSUSE Leap 15.3 (src):    libarchive-3.4.2-150200.4.9.1
SUSE Linux Enterprise Module for Development Tools 15-SP3 (src):    libarchive-3.4.2-150200.4.9.1
SUSE Linux Enterprise Module for Basesystem 15-SP3 (src):    libarchive-3.4.2-150200.4.9.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.