Bug 1199230 (CVE-2022-28066) - VUL-0: CVE-2022-28066: libarchive: read memory access vulnerability via the function lzma_decode
Summary: VUL-0: CVE-2022-28066: libarchive: read memory access vulnerability via the f...
Status: RESOLVED DUPLICATE of bug 1197634
Alias: CVE-2022-28066
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium
Severity: Normal
Target Milestone: ---
Assignee: Adrian Schröter
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/330728/
Whiteboard: CVSSv3.1:SUSE:CVE-2022-28066:5.3:(AV:...
Keywords:
Depends on:
Blocks:
 
Reported: 2022-05-05 08:24 UTC by Cathy Hu
Modified: 2022-09-29 12:34 UTC

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Cathy Hu 2022-05-05 08:24:21 UTC
CVE-2022-28066

Libarchive v3.6.0 was discovered to contain a read memory access vulnerability
via the function lzma_decode.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-28066
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28066
https://github.com/libarchive/libarchive/issues/1672
Comment 1 Cathy Hu 2022-05-05 08:25:10 UTC
Affected:
 - SUSE:Carwos:1/libarchive            3.4.2
 - SUSE:SLE-15-SP2:Update/libarchive   3.4.2
 - SUSE:SLE-15-SP4:Update/libarchive   3.5.1

Not Affected:
 - SUSE:SLE-12-SP4:Update/libarchive   3.3.3
 - SUSE:SLE-12:Update/libarchive       3.3.3
 - SUSE:SLE-15:Update/libarchive       3.3.3
 - openSUSE:Factory/libarchive         3.6.1
Comment 2 Thomas Leroy 2022-08-31 14:09:54 UTC
(In reply to Hu from comment #1)
> Affected:
>  - SUSE:Carwos:1/libarchive            3.4.2
>  - SUSE:SLE-15-SP2:Update/libarchive   3.4.2
>  - SUSE:SLE-15-SP4:Update/libarchive   3.5.1
> 
> Not Affected:
>  - SUSE:SLE-12-SP4:Update/libarchive   3.3.3
>  - SUSE:SLE-12:Update/libarchive       3.3.3
>  - SUSE:SLE-15:Update/libarchive       3.3.3
>  - openSUSE:Factory/libarchive         3.6.1

Adding Danilo in the loop.
Adrian, any news on this?
Comment 3 Carlos López 2022-09-29 07:12:19 UTC
Ping, could Adrian or Danilo take this?

The fix seems to be this one by the way:
https://github.com/libarchive/libarchive/commit/cfaa28168a07ea4a53276b63068f94fce37d6aff
Comment 4 Danilo Spinella 2022-09-29 10:22:31 UTC
CVE-2022-28066 should be a duplicate of CVE-2022-26280, fixed in bsc#1197634 by using the same commit linked here. Can you please confirm?
Comment 5 Carlos López 2022-09-29 12:34:11 UTC
(In reply to Danilo Spinella from comment #4)
> CVE-2022-28066 should be a duplicate of CVE-2022-26280, fixed in bsc#1197634
> by using the same commit linked here. Can you please confirm?

You're right, thanks for double checking.

*** This bug has been marked as a duplicate of bug 1197634 ***