Request 1135471: Submit libarchive - openSUSE Build Service

Overview

Request 1135471 revoked

- update to 3.7.2:
* Multiple vulnerabilities have been fixed in the PAX writer
* bsdunzip(1) now correctly handles arguments following an
-x after the zipfile
* zstd filter now supports the "long" write option
* SEGV and stack buffer overflow in verbose mode of cpio
* bsdunzip updated to match latest upstream code
* miscellaneous functional bugfixes

* NULL pointer dereference vulnerability in archive_write.c
- Drop upstream merged CVE-2022-36227.patch

- Fix CVE-2022-36227, Handle a calloc returning NULL
(CVE-2022-36227, bsc#1205629)
* CVE-2022-36227.patch
* fix heap user after free in run_filters() (OSS-Fuzz 46279, #1715)
- Drop upstream merged fix-CVE-2022-26280.patch

- Fix CVE-2022-26280 out-of-bounds read via the component zipx_lzma_alone_init
(CVE-2022-26280, bsc#1197634)
* fix-CVE-2022-26280.patch
- Drop upstream merged:
* fix-following-symlinks.patch
* fix-CVE-2021-36976.patch

- Fix CVE-2021-36976 use-after-free in copy_string
(CVE-2021-36976, bsc#1188572)
* fix-CVE-2021-36976.patch
- The following issues have already been fixed in this package but
weren't previously mentioned in the changes file:

Created by dirkmueller 5 months ago
In state revoked
Open review for opensuse-review-team

Submit libarchive

Comments for request 1135471 0

Login required, please login in order to comment

Request History

dirkmueller created request 5 months ago

- update to 3.7.2:
* Multiple vulnerabilities have been fixed in the PAX writer
* bsdunzip(1) now correctly handles arguments following an
-x after the zipfile
* zstd filter now supports the "long" write option
* SEGV and stack buffer overflow in verbose mode of cpio
* bsdunzip updated to match latest upstream code
* miscellaneous functional bugfixes

* NULL pointer dereference vulnerability in archive_write.c
- Drop upstream merged CVE-2022-36227.patch

- Fix CVE-2022-36227, Handle a calloc returning NULL
(CVE-2022-36227, bsc#1205629)
* CVE-2022-36227.patch
* fix heap user after free in run_filters() (OSS-Fuzz 46279, #1715)
- Drop upstream merged fix-CVE-2022-26280.patch

- Fix CVE-2022-26280 out-of-bounds read via the component zipx_lzma_alone_init
(CVE-2022-26280, bsc#1197634)
* fix-CVE-2022-26280.patch
- Drop upstream merged:
* fix-following-symlinks.patch
* fix-CVE-2021-36976.patch

- Fix CVE-2021-36976 use-after-free in copy_string
(CVE-2021-36976, bsc#1188572)
* fix-CVE-2021-36976.patch
- The following issues have already been fixed in this package but
weren't previously mentioned in the changes file:

licensedigger accepted review 5 months ago

ok

factory-auto added opensuse-review-team as a reviewer 5 months ago

Please review sources

factory-auto accepted review 5 months ago

Check script succeeded

anag+factory set openSUSE:Factory:Staging:K as a staging project 5 months ago

Being evaluated by staging project "openSUSE:Factory:Staging:K"

anag+factory accepted review 5 months ago

Picked "openSUSE:Factory:Staging:K"

pluskalm accepted review 5 months ago

staging-bot added factory-staging as a reviewer 5 months ago

Being evaluated by group "factory-staging"

staging-bot accepted review 5 months ago

Unstaged from project "openSUSE:Factory:Staging:K"

staging-bot declined review 5 months ago

sr#1135735 has newer source and is from the same project

staging-bot declined request 5 months ago

sr#1135735 has newer source and is from the same project

dirkmueller revoked request 5 months ago

openSUSE Build Service is sponsored by