-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: libarchive security update
Advisory ID:       RHSA-2022:0892-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:0892
Issue date:        2022-03-15
CVE Names:         CVE-2021-23177 CVE-2021-31566
=====================================================================

1. Summary:

An update for libarchive is now available for Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat CodeReady Linux Builder (v. 8) - aarch64, ppc64le, s390x, x86_64
Red Hat Enterprise Linux BaseOS (v. 8) - aarch64, ppc64le, s390x, x86_64

3. Description:

The libarchive programming library can create and read several different
streaming archive formats, including GNU tar, cpio, and ISO 9660 CD-ROM
images. Libarchive is used notably in the bsdtar utility, scripting language
bindings such as python-libarchive, and several popular desktop file
managers.

Security Fix(es):

* libarchive: extracting a symlink with ACLs modifies ACLs of target
(CVE-2021-23177)

* libarchive: symbolic links incorrectly followed when changing modes,
times, ACL and flags of a file while extracting an archive (CVE-2021-31566)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2024237 - CVE-2021-31566 libarchive: symbolic links incorrectly followed when changing modes, times, ACL and flags of a file while extracting an archive
2024245 - CVE-2021-23177 libarchive: extracting a symlink with ACLs modifies ACLs of target

6. Package List:

Red Hat Enterprise Linux BaseOS (v. 8):

Source:
libarchive-3.3.3-3.el8_5.src.rpm

aarch64:
bsdcat-debuginfo-3.3.3-3.el8_5.aarch64.rpm
bsdcpio-debuginfo-3.3.3-3.el8_5.aarch64.rpm
bsdtar-3.3.3-3.el8_5.aarch64.rpm
bsdtar-debuginfo-3.3.3-3.el8_5.aarch64.rpm
libarchive-3.3.3-3.el8_5.aarch64.rpm
libarchive-debuginfo-3.3.3-3.el8_5.aarch64.rpm
libarchive-debugsource-3.3.3-3.el8_5.aarch64.rpm

ppc64le:
bsdcat-debuginfo-3.3.3-3.el8_5.ppc64le.rpm
bsdcpio-debuginfo-3.3.3-3.el8_5.ppc64le.rpm
bsdtar-3.3.3-3.el8_5.ppc64le.rpm
bsdtar-debuginfo-3.3.3-3.el8_5.ppc64le.rpm
libarchive-3.3.3-3.el8_5.ppc64le.rpm
libarchive-debuginfo-3.3.3-3.el8_5.ppc64le.rpm
libarchive-debugsource-3.3.3-3.el8_5.ppc64le.rpm

s390x:
bsdcat-debuginfo-3.3.3-3.el8_5.s390x.rpm
bsdcpio-debuginfo-3.3.3-3.el8_5.s390x.rpm
bsdtar-3.3.3-3.el8_5.s390x.rpm
bsdtar-debuginfo-3.3.3-3.el8_5.s390x.rpm
libarchive-3.3.3-3.el8_5.s390x.rpm
libarchive-debuginfo-3.3.3-3.el8_5.s390x.rpm
libarchive-debugsource-3.3.3-3.el8_5.s390x.rpm

x86_64:
bsdcat-debuginfo-3.3.3-3.el8_5.i686.rpm
bsdcat-debuginfo-3.3.3-3.el8_5.x86_64.rpm
bsdcpio-debuginfo-3.3.3-3.el8_5.i686.rpm
bsdcpio-debuginfo-3.3.3-3.el8_5.x86_64.rpm
bsdtar-3.3.3-3.el8_5.x86_64.rpm
bsdtar-debuginfo-3.3.3-3.el8_5.i686.rpm
bsdtar-debuginfo-3.3.3-3.el8_5.x86_64.rpm
libarchive-3.3.3-3.el8_5.i686.rpm
libarchive-3.3.3-3.el8_5.x86_64.rpm
libarchive-debuginfo-3.3.3-3.el8_5.i686.rpm
libarchive-debuginfo-3.3.3-3.el8_5.x86_64.rpm
libarchive-debugsource-3.3.3-3.el8_5.i686.rpm
libarchive-debugsource-3.3.3-3.el8_5.x86_64.rpm

Red Hat CodeReady Linux Builder (v. 8):

aarch64:
bsdcat-debuginfo-3.3.3-3.el8_5.aarch64.rpm
bsdcpio-debuginfo-3.3.3-3.el8_5.aarch64.rpm
bsdtar-debuginfo-3.3.3-3.el8_5.aarch64.rpm
libarchive-debuginfo-3.3.3-3.el8_5.aarch64.rpm
libarchive-debugsource-3.3.3-3.el8_5.aarch64.rpm
libarchive-devel-3.3.3-3.el8_5.aarch64.rpm

ppc64le:
bsdcat-debuginfo-3.3.3-3.el8_5.ppc64le.rpm
bsdcpio-debuginfo-3.3.3-3.el8_5.ppc64le.rpm
bsdtar-debuginfo-3.3.3-3.el8_5.ppc64le.rpm
libarchive-debuginfo-3.3.3-3.el8_5.ppc64le.rpm
libarchive-debugsource-3.3.3-3.el8_5.ppc64le.rpm
libarchive-devel-3.3.3-3.el8_5.ppc64le.rpm

s390x:
bsdcat-debuginfo-3.3.3-3.el8_5.s390x.rpm
bsdcpio-debuginfo-3.3.3-3.el8_5.s390x.rpm
bsdtar-debuginfo-3.3.3-3.el8_5.s390x.rpm
libarchive-debuginfo-3.3.3-3.el8_5.s390x.rpm
libarchive-debugsource-3.3.3-3.el8_5.s390x.rpm
libarchive-devel-3.3.3-3.el8_5.s390x.rpm

x86_64:
bsdcat-debuginfo-3.3.3-3.el8_5.i686.rpm
bsdcat-debuginfo-3.3.3-3.el8_5.x86_64.rpm
bsdcpio-debuginfo-3.3.3-3.el8_5.i686.rpm
bsdcpio-debuginfo-3.3.3-3.el8_5.x86_64.rpm
bsdtar-debuginfo-3.3.3-3.el8_5.i686.rpm
bsdtar-debuginfo-3.3.3-3.el8_5.x86_64.rpm
libarchive-debuginfo-3.3.3-3.el8_5.i686.rpm
libarchive-debuginfo-3.3.3-3.el8_5.x86_64.rpm
libarchive-debugsource-3.3.3-3.el8_5.i686.rpm
libarchive-debugsource-3.3.3-3.el8_5.x86_64.rpm
libarchive-devel-3.3.3-3.el8_5.i686.rpm
libarchive-devel-3.3.3-3.el8_5.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2021-23177
https://access.redhat.com/security/cve/CVE-2021-31566
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is . More contact details at
https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBYjCsHdzjgjWX9erEAQhhfg//c8azFu+Ohb8guIXMoFAd3oZTG/sAwrA4
Dkelkz8XIczxbKioWYj426ufsmT+8atPfdPF4R7W2rOmuGx5Nj5WC4MUNL9E8s+G
B/3UZkIcI5bh/TxmR/P5mxVaJyVGy22KP5xG4cNXkBDs++Um67/ZdoUDVUVkAeH/
YPMEdk0YFz1Ai8lHmsJx9+QykrtSVeNs9mL8H7vPLh+i8w1AG4rAIv5MNmTdkj2S
cF8mzNYAieXOr/Aj9kZIBkaubss2A02KJOi71qSnLzuVL1HQAdBHYqpLnq4RLdrP
J2RRSGkvFw59HNZxN+7Vf0LR5bwzWU31/KuSMfnCdN1E3ee7gmkiJgYubsY/ejZ2
CnwRThtnXfUzfuD9bUnwDwqIkFnrkPAq0iAQR8F+/VNXH/FqBhOFay2ev2jHV9kn
03Odq7gGC6dNQlDBSPsnbgX/eLjEwSMVfgoF6EOrNF51M0yzpYCb5BkixhSh1c1Q
VLmBhKT3qfZaq+yi2amY0hR/c5yzyl+LH+52P2WPe4OuIVS4xH8XO48tdApiBE1Q
gVfYOjN81JwrQiqoU+aygXf4U2Fvj7Kd7eCyAnkFvSBuIOXGKzlcOgk5Q+RptV21
THNWQ7nxYFbB8eljoUcGY2QbjSu45YUvPWCjQiPLyeqOQHM2DhjTzCYAiJ4fxXR6
qsGG7ByKlYg=
=TjxV
-----END PGP SIGNATURE-----

--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://listman.redhat.com/mailman/listinfo/rhsa-announce
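As an added example (not part of Red Hat's advisory or tooling), the script below answers the question an administrator asks after reading section 6: are the installed libarchive, bsdtar and libarchive-devel packages at or above the fixed build 3.3.3-3.el8_5? It implements a simplified rpmvercmp (numeric segments compared numerically, alphabetic segments lexically, numeric beats alphabetic; tilde and caret ordering is deliberately not handled, which is an assumption that holds for the el8 release strings in this advisory) and compares version-release pairs taken from `rpm -q --qf '%{NAME}-%{VERSION}-%{RELEASE}\n'` output. The `rpm -q` output embedded in the block is constructed for the example; the `query_installed()` helper runs the real command only when the script is executed directly.

```python
"""Compare installed RPM NVRs against the fixed builds listed in RHSA-2022:0892."""
import re
import subprocess

# Fixed (version, release) per affected binary package, from section 6 of the advisory.
FIXED = {
    "libarchive": ("3.3.3", "3.el8_5"),
    "bsdtar": ("3.3.3", "3.el8_5"),
    "libarchive-devel": ("3.3.3", "3.el8_5"),
}

# Constructed sample output of `rpm -q --qf '%{NAME}-%{VERSION}-%{RELEASE}\n' ...`
# (not captured from a real host): one vulnerable, one fixed, one absent package.
SAMPLE_RPM_OUTPUT = """\
libarchive-3.3.3-1.el8
bsdtar-3.3.3-3.el8_5
package libarchive-devel is not installed
"""


def rpmvercmp(a: str, b: str) -> int:
    """Simplified rpmvercmp: returns -1, 0 or 1 for a <, ==, > b.

    Strings are split into runs of digits and letters; separators such as
    '.' and '_' only delimit segments. Tilde/caret pre-release ordering is
    not implemented (assumption: not needed for el8 release strings).
    """
    if a == b:
        return 0
    seg_a = re.findall(r"[0-9]+|[A-Za-z]+", a)
    seg_b = re.findall(r"[0-9]+|[A-Za-z]+", b)
    for x, y in zip(seg_a, seg_b):
        if x == y:
            continue
        x_num, y_num = x.isdigit(), y.isdigit()
        if x_num and y_num:
            xi, yi = int(x), int(y)
            if xi != yi:
                return 1 if xi > yi else -1
        elif x_num != y_num:
            return 1 if x_num else -1  # a numeric segment is newer than an alpha one
        else:
            return 1 if x > y else -1
    if len(seg_a) == len(seg_b):
        return 0
    return 1 if len(seg_a) > len(seg_b) else -1  # the string with segments left over wins


def vr_cmp(vr_a: tuple, vr_b: tuple) -> int:
    """Compare (version, release) pairs: version first, then release."""
    c = rpmvercmp(vr_a[0], vr_b[0])
    return c if c else rpmvercmp(vr_a[1], vr_b[1])


def assess(rpm_output: str) -> dict:
    """Map each affected package found in `rpm -q` output to
    'fixed', 'vulnerable' or 'not installed'."""
    results = {}
    for line in rpm_output.splitlines():
        line = line.strip()
        if not line:
            continue
        missing = re.match(r"package (\S+) is not installed", line)
        if missing:
            results[missing.group(1)] = "not installed"
            continue
        # NAME may contain '-', but VERSION and RELEASE never do, so split from the right.
        name, version, release = line.rsplit("-", 2)
        if name not in FIXED:
            continue
        state = "fixed" if vr_cmp((version, release), FIXED[name]) >= 0 else "vulnerable"
        results[name] = state
    return results


def query_installed() -> str:
    """Run rpm for the affected packages; output goes to stdout even for absent packages."""
    cmd = ["rpm", "-q", "--qf", "%{NAME}-%{VERSION}-%{RELEASE}\n", *FIXED]
    return subprocess.run(cmd, capture_output=True, text=True, check=False).stdout


if __name__ == "__main__":
    for pkg, state in assess(query_installed()).items():
        print(f"{pkg}: {state}")
```

On a RHEL 8 host the script prints one line per package; any package reported as `vulnerable` is below 3.3.3-3.el8_5 and still carries the symlink-following defects described in section 3.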