Security update for libarchive SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2021:3722-1 Final 1 1 2021-11-17T09:31:03Z current 2021-11-17T09:31:03Z 2021-11-17T09:31:03Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for libarchive This update for libarchive fixes the following issues: - CVE-2019-19221: Fixed out-of-bounds read caused by incorrect mbrtowc or mbtowc call (bsc#1157569) - backporting symlink security fixes from 3.5.2: - extracting with ACLs modifies ACLs of target (bsc#1192425) - modifies file flags of target (bsc#1192426) - avoid follow on fixup entries (bsc#1192427) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-2021-3722,SUSE-SLE-SDK-12-SP5-2021-3722,SUSE-SLE-SERVER-12-SP5-2021-3722 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2021/suse-su-20213722-1/ Link for SUSE-SU-2021:3722-1 https://lists.suse.com/pipermail/sle-security-updates/2021-November/009736.html E-Mail link for SUSE-SU-2021:3722-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1157569 SUSE Bug 1157569 https://bugzilla.suse.com/1192425 SUSE Bug 1192425 https://bugzilla.suse.com/1192426 SUSE Bug 1192426 https://bugzilla.suse.com/1192427 SUSE Bug 1192427 https://www.suse.com/security/cve/CVE-2019-19221/ SUSE CVE CVE-2019-19221 page SUSE Linux Enterprise Server 12 SP5 SUSE Linux Enterprise Server for SAP Applications 12 SP5 SUSE Linux Enterprise Software Development Kit 12 SP5 bsdtar-3.3.3-32.5.1 libarchive-devel-3.3.3-32.5.1 libarchive13-3.3.3-32.5.1 libarchive13-32bit-3.3.3-32.5.1 libarchive13-64bit-3.3.3-32.5.1 libarchive13-3.3.3-32.5.1 as a component of SUSE Linux Enterprise Server 12 SP5 libarchive13-3.3.3-32.5.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP5 libarchive-devel-3.3.3-32.5.1 as a component of SUSE Linux Enterprise Software Development Kit 12 SP5 In Libarchive 3.4.0, archive_wstring_append_from_mbs in archive_string.c has an out-of-bounds read because of an incorrect mbrtowc or mbtowc call. For example, bsdtar crashes via a crafted archive. CVE-2019-19221 SUSE Linux Enterprise Server 12 SP5:libarchive13-3.3.3-32.5.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5:libarchive13-3.3.3-32.5.1 SUSE Linux Enterprise Software Development Kit 12 SP5:libarchive-devel-3.3.3-32.5.1 moderate 2.1 AV:L/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2021/suse-su-20213722-1/ https://www.suse.com/security/cve/CVE-2019-19221.html CVE-2019-19221 https://bugzilla.suse.com/1157569 SUSE Bug 1157569