Bug 268190 - archivers/libarchive: Fix CVE 2022-36227
Summary: archivers/libarchive: Fix CVE 2022-36227
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: --- Affects Some People
Assignee: Greg Lewis
URL: https://nvd.nist.gov/vuln/detail/CVE-...
Keywords: security
Depends on:
Blocks:
 
Reported: 2022-12-06 08:40 UTC by Daniel Engberg
Modified: 2022-12-06 21:18 UTC

See Also:
glewis: maintainer-feedback+
grahamperrin: merge-quarterly?


Attachments
Patch for libarchive (1.25 KB, patch)
2022-12-06 08:40 UTC, Daniel Engberg

Description Daniel Engberg freebsd_committer freebsd_triage 2022-12-06 08:40:58 UTC
Created attachment 238565
Patch for libarchive

Backport upstream commit bff38efe8c110469c5080d387bec62a6ca15b1a5 to fix CVE 2022-36227

Compile and runtime tested on FreeBSD 13.1-STABLE (amd64) (make, make check-plist, make test)
Comment 1 Greg Lewis freebsd_committer freebsd_triage 2022-12-06 15:02:26 UTC
LGTM.  Please feel free to commit
Comment 2 Graham Perrin freebsd_committer freebsd_triage 2022-12-06 16:40:40 UTC
Should there be a VUXML entry in cases such as this?
Comment 3 commit-hook freebsd_committer freebsd_triage 2022-12-06 21:17:40 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=8841574613df842f8bd396fed63a3ba5dd8636c6

commit 8841574613df842f8bd396fed63a3ba5dd8636c6
Author:     Daniel Engberg <diizzy@FreeBSD.org>
AuthorDate: 2022-12-06 21:08:11 +0000
Commit:     Daniel Engberg <diizzy@FreeBSD.org>
CommitDate: 2022-12-06 21:17:12 +0000

    archivers/libarchive: Fix CVE 2022-36227

    Backport upstream commit bff38efe8c110469c5080d387bec62a6ca15b1a5

    PR:             268190
    Reviewed by:    glewis (maintainer)

 archivers/libarchive/Makefile | 4 ++++
 archivers/libarchive/distinfo | 4 +++-
 2 files changed, 7 insertions(+), 1 deletion(-)
Comment 4 Daniel Engberg freebsd_committer freebsd_triage 2022-12-06 21:18:48 UTC
(In reply to Graham Perrin from comment #2)
No, it's a rare bug.