update: libarchive #1457

dongsupark · 2024-05-23T13:44:27Z

Name: libarchive
CVEs: CVE-2024-26256, CVE-2024-37407
CVSSs: 7.8
Action Needed: update to >= 3.7.4

Summary:

CVE-2024-26256: Remote code execution vulnerability, an out-of-bound error in rar e8 filter.
- GHSA-2jc9-36w4-pmqw
- Fix: fix: OOB in rar e8 filter libarchive/libarchive#2135
CVE-2024-37407: Libarchive before 3.7.4 allows name out-of-bounds access when a ZIP archive has an empty-name file and mac-ext is enabled. This occurs in slurp_central_directory in archive_read_support_format_zip.c.
- https://bugzilla.redhat.com/show_bug.cgi?id=2292307
- zip: Fix out of boundary access libarchive/libarchive#2145

refmap.gentoo: TBD

dongsupark · 2024-07-01T14:08:09Z

dongsupark added security security concerns advisory security advisory labels May 23, 2024

dongsupark added this to Flatcar tactical, release planning, and roadmap May 23, 2024

github-project-automation bot moved this to 📝 Needs Triage in Flatcar tactical, release planning, and roadmap May 23, 2024

dongsupark moved this from 📝 Needs Triage to ⏳ Long Term in Flatcar tactical, release planning, and roadmap May 23, 2024

dongsupark moved this from ⏳ Long Term to 🪵Backlog in Flatcar tactical, release planning, and roadmap May 23, 2024

github-actions bot mentioned this issue Jun 22, 2024

Monthly contributions report 2024-05-22 - 2024-06-21 #1477

Closed

dongsupark added the cvss/HIGH > 7 && < 9 assessed CVSS label Jul 1, 2024

krnowak mentioned this issue Jul 5, 2024

Weekly portage-stable package updates 2024-07-01 flatcar/scripts#2070

Merged

2 tasks

tormath1 closed this as completed in flatcar/scripts#2070 Jul 16, 2024

github-project-automation bot moved this from 🪵Backlog to Implemented in Flatcar tactical, release planning, and roadmap Jul 16, 2024

github-actions bot mentioned this issue Jul 22, 2024

Monthly contributions report 2024-06-22 - 2024-07-21 #1497

Closed

Provide feedback