Bug 14382

Summary: [Update Request 2021] Fix long standing vulnerability in libarchive
Product: [ROSA-based products] ROSA Fresh
Reporter: Giovanni Mariani <mc2374>
Component: Packages from Main
Assignee: ROSA Linux Bugs <bugs>
Status: VERIFIED FIXED
QA Contact: ROSA Linux Bugs <bugs>
Severity: critical
Priority: High
CC: a.proklov, e.malashin, m.novosyolov, v.potapov
Version: All
Flags: v.potapov: qa_verified+; mc2374: secteam_verified?; a.proklov: published+
Target Milestone: ---
Hardware: All
OS: Linux
URL: https://boehs.org/node/everything-i-know-about-the-xz-backdoor
Whiteboard:
Platform: 2021.1
ROSA Vulnerability identifier:
RPM Package: libarchive-3.6.2-1.src.rpm
ISO-related:
Bad POT generating:
Upstream:

Description Giovanni Mariani 2024-03-30 14:25:53 MSK
Fallout from the xz back-dooring mess (for the gory details see https://gist.github.com/thesamesam/223949d5a074ebc3dce9ee78baad9e27 and https://boehs.org/node/everything-i-know-about-the-xz-backdoor).

The same guy who back-doored the xz sources also changed, in Nov 2021, the libarchive error reporting in an unsafe and exploitable way (basically with a crafted compressed archive). This was probably done as a step to compromise more interesting stuff using that library (sshd, openssl...).

Unfortunately the date above means that any libarchive release > 3.5.2 is at risk and 2021.1 has 3.6.2: add the upstream patch reverting the malicious change.

I think we need this ASAP...
Comment 1 Giovanni Mariani 2024-03-30 14:28:13 MSK
Advisory:
Update libarchive to fix long standing vulnerability.

Patches for Rosa 2021.1/Main:
https://abf.rosalinux.ru/build_lists/5011103
https://abf.rosalinux.ru/build_lists/5011104
https://abf.rosalinux.ru/build_lists/5011105
Comment 2 Mikhail Novosyolov 2024-03-30 14:58:19 MSK
Seems that nobody has found how that change in libarchive can be used by the backdoor, but +1 for this patch.
Comment 3 Giovanni Mariani 2024-03-30 17:20:21 MSK
(In reply to Mikhail Novosyolov from comment #2)
> Seems that nobody has found how that change in libarchive can be used by the
> backdoor, but +1 for this patch.

From what I'm reading, the change in libarchive is not directly related to the xz backdoor: it was proposed by the same author as the backdoor and did more than what the PR openly stated (improve the error message)... it actually opened the way to a possible exploit by using unsafe functions to report errors instead of the safe one used before the proposed change.

This happened well before today's issue (in 2021), and ATM it is unknown whether there were or are actual exploits in the wild, but surely the change looks suspicious in the light of the recent findings...

Better be safe than sorry, IMO.
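The contrast comment 3 describes, an error path that hands archive-controlled text to the terminal raw versus one that escapes it first, as an added C example. This is not libarchive's code and not the patch in question: the function names, the escaping rule (printable ASCII passes, everything else becomes \xNN) and the crafted entry name are assumptions made for the demonstration.

```c
#include <stdio.h>
#include <string.h>

/* Escape a possibly attacker-controlled string so that it is safe to
 * print on a terminal: printable ASCII (except backslash) passes
 * through, every other byte becomes \xNN. Returns the number of bytes
 * written (excluding the NUL) or -1 if out (outsz bytes) is too small.
 * The rule is an assumption for this demo, not libarchive's own. */
int escape_for_terminal(const char *in, char *out, size_t outsz)
{
    size_t o = 0;
    for (const unsigned char *p = (const unsigned char *)in; *p != '\0'; p++) {
        if (*p >= 0x20 && *p < 0x7f && *p != '\\') {
            if (o + 2 > outsz)          /* byte + NUL */
                return -1;
            out[o++] = (char)*p;
        } else {
            if (o + 5 > outsz)          /* "\xNN" + NUL */
                return -1;
            o += (size_t)snprintf(out + o, outsz - o, "\\x%02x", (unsigned)*p);
        }
    }
    if (o >= outsz)
        return -1;
    out[o] = '\0';
    return (int)o;
}

/* The unsafe pattern: the name taken from the archive goes into the
 * message verbatim, escape sequences included. */
int format_error_unsafe(const char *name, char *out, size_t outsz)
{
    return snprintf(out, outsz, "Error opening archive: %s", name);
}

/* The safe pattern: escape first, then format. */
int format_error_safe(const char *name, char *out, size_t outsz)
{
    char esc[512];
    if (escape_for_terminal(name, esc, sizeof esc) < 0)
        return -1;
    return snprintf(out, outsz, "Error opening archive: %s", esc);
}

int main(void)
{
    /* Constructed input: an entry name carrying an ANSI "clear screen"
     * sequence and a carriage return, as a crafted archive could supply. */
    const char *crafted = "pkg.tar\x1b[2J\rlooks harmless";
    char unsafe_msg[512], safe_msg[512];

    format_error_unsafe(crafted, unsafe_msg, sizeof unsafe_msg);
    format_error_safe(crafted, safe_msg, sizeof safe_msg);

    /* Show the unsafe form byte by byte instead of letting the terminal
     * interpret it, so the demo itself does not scribble on the screen. */
    printf("unsafe, raw bytes: ");
    for (const unsigned char *p = (const unsigned char *)unsafe_msg; *p; p++)
        printf(*p >= 0x20 && *p < 0x7f ? "%c" : "<%02x>", *p);
    printf("\nsafe:              %s\n", safe_msg);
    return 0;
}
```

The point of the safe variant is only that no byte an archive supplies reaches the terminal unescaped; a real implementation would additionally have to decide how to handle multibyte encodings, which this demo escapes blindly.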
Comment 4 e.malashin@rosalinux.ru 2024-04-01 17:01:36 MSK
(In reply to Giovanni Mariani from comment #1)
> Advisory:
> Update libarchive to fix long standing vulnerability.
> 
> Patches for Rosa 2021.1/Main:
> https://abf.rosalinux.ru/build_lists/5011103
> https://abf.rosalinux.ru/build_lists/5011104
> https://abf.rosalinux.ru/build_lists/5011105

The update was sent to testing.
Comment 5 Vladimir Potapov 2024-04-10 12:44:55 MSK
libarchive-3.6.2-2
https://abf.rosalinux.ru/build_lists/5011103
https://abf.rosalinux.ru/build_lists/5011104
https://abf.rosalinux.ru/build_lists/5011105
*********************************** Advisory *****************************
Update libarchive to fix long standing vulnerability.
**************************************************************************
QA Verified