Bug 1222911 (CVE-2024-26256)

Summary:	VUL-0: CVE-2024-26256: libarchive: remote code execution vulnerability
Product:	[Novell Products] SUSE Security Incidents	Reporter:	SMASH SMASH <smash_bz>
Component:	Incidents	Assignee:	Antonio Teixeira <antonio.teixeira>
Status:	NEW ---	QA Contact:	Security Team bot <security-team>
Severity:	Normal
Priority:	P3 - Medium	CC:	camila.matos
Version:	unspecified
Target Milestone:	---
Hardware:	Other
OS:	Other
URL:	https://smash.suse.de/issue/400972/
Whiteboard:	CVSSv3.1:SUSE:CVE-2024-26256:7.3:(AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H)
Found By:	Security Response Team	Services Priority:
Business Priority:		Blocker:	---
Marketing QA Status:	---	IT Deployment:	---

Description SMASH SMASH 2024-04-16 16:58:21 UTC

libarchive Remote Code Execution Vulnerability

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-26256
https://www.cve.org/CVERecord?id=CVE-2024-26256
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-26256

Comment 1 Camila Camargo de Matos 2024-04-16 17:02:05 UTC

There is currently very little information about this issue. More investigation/information is necessary before affected codestreams can be defined.

Comment 3 Camila Camargo de Matos 2024-04-23 13:46:26 UTC

It was confirmed by upstream that this issue affects https://github.com/libarchive/libarchive.

The issue has been fixed through the following PR and commit:
https://github.com/libarchive/libarchive/pull/2135
https://github.com/libarchive/libarchive/commit/eb7939b24a681a04648a59cdebd386b1e9dc9237

Comment 5 Camila Camargo de Matos 2024-04-23 13:52:25 UTC

Libarchive packages that contain the software at a version earlier than 3.6.0 seem to not be affected by this issue, as the vulnerable function, 'execute_filter_e8', was only introduced in version 3.6.0 together with the RAR filter support functionality. See [0] and [1] for more information.

[0] https://github.com/libarchive/libarchive/pull/1503
[1] https://github.com/libarchive/libarchive/commit/01a2d329d