1.173.0
cf-buildpacks-eng released this 16 Oct 15:42
Notably, this release addresses:
USN-7070-1 libarchive vulnerabilities:
- CVE-2024-48958: execute_filter_delta in archive_read_support_format_rar.c in libarchive before 3.7.5 allows out-of-bounds access via a crafted archive file because src can move beyond dst.
- CVE-2024-48957: execute_filter_audio in archive_read_support_format_rar.c in libarchive before 3.7.5 allows out-of-bounds access via a crafted archive file because src can move beyond dst.
- CVE-2022-36227: In libarchive before 3.6.2, the software does not check for an error after calling the calloc function, which can return a NULL pointer if it fails, leading to a resultant NULL pointer dereference. NOTE: the discoverer cites this CWE-476 remark but third parties dispute the code-execution impact: "In rare circumstances, when NULL is equivalent to the 0x0 memory address and privileged code can access it, then writing or reading memory is possible, which may lead to code execution."
```diff
-ii libarchive13:amd64 3.6.0-1ubuntu1.1 amd64 Multi-format archive and compression library (shared library)
+ii libarchive13:amd64 3.6.0-1ubuntu1.2 amd64 Multi-format archive and compression library (shared library)
```