Bug 1192425 (CVE-2021-23177) - VUL-0: CVE-2021-23177: libarchive: extracting a symlink with ACLs modifies ACLs of target
Summary: VUL-0: CVE-2021-23177: libarchive: extracting a symlink with ACLs modifies AC...
Status: RESOLVED FIXED
: 1195844 (view as bug list)
Alias: CVE-2021-23177
Product: openSUSE Distribution
Classification: openSUSE
Component: Security (show other bugs)
Version: Leap 15.3
Hardware: Other Other
: P3 - Medium : Normal (vote)
Target Milestone: ---
Assignee: Security Team bot
QA Contact: E-mail List
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2021-11-07 19:31 UTC by Andreas Stieger
Modified: 2023-04-12 00:49 UTC (History)
6 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Andreas Stieger 2021-11-07 19:31:11 UTC 
In libarchive before 3.5.2, when an archive entry contains a symbolic link that has defined ACLs on Linux, on extraction the ACLs of the link target are modified. This is because the function acl_set_file() is used without a prior check if the file is not a symbolic link. On Linux ACLs on symbolic links are not supported.

References:
https://github.com/libarchive/libarchive/issues/1565
https://github.com/libarchive/libarchive/commit/fba4f123cc456d2b2538f811bb831483bf336bad
Comment 1 Andreas Stieger 2021-11-07 19:33:12 UTC 
https://build.opensuse.org/request/show/930015
Comment 2 Adrian Schröter 2021-11-08 08:17:30 UTC 
thanks! maintenance submission is in 930073 in OBS.
Comment 6 Swamp Workflow Management 2021-11-17 14:20:17 UTC 
SUSE-SU-2021:3722-1: An update that solves one vulnerability and has three fixes is now available.

Category: security (moderate)
Bug References: 1157569,1192425,1192426,1192427
CVE References: CVE-2019-19221
JIRA References: 
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    libarchive-3.3.3-32.5.1
SUSE Linux Enterprise Server 12-SP5 (src):    libarchive-3.3.3-32.5.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 10 Alexander Bergmann 2022-09-13 05:58:14 UTC 
*** Bug 1195844 has been marked as a duplicate of this bug. ***
Comment 11 Swamp Workflow Management 2022-09-19 13:21:27 UTC 
SUSE-SU-2022:3306-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1192425
CVE References: CVE-2021-23177
JIRA References: 
Sources used:
openSUSE Leap 15.4 (src):    libarchive-3.5.1-150400.3.6.1
SUSE Linux Enterprise Module for Development Tools 15-SP4 (src):    libarchive-3.5.1-150400.3.6.1
SUSE Linux Enterprise Module for Basesystem 15-SP4 (src):    libarchive-3.5.1-150400.3.6.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 12 Swamp Workflow Management 2022-09-26 19:32:54 UTC 
SUSE-SU-2022:3393-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1192425
CVE References: CVE-2021-23177
JIRA References: 
Sources used:
openSUSE Leap 15.3 (src):    libarchive-3.4.2-150200.4.9.1
SUSE Linux Enterprise Module for Development Tools 15-SP3 (src):    libarchive-3.4.2-150200.4.9.1
SUSE Linux Enterprise Module for Basesystem 15-SP3 (src):    libarchive-3.4.2-150200.4.9.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.