jiachao2130/csaf2cusa
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
0b84f3c661
csaf2cusa/cvrfs/2022/cvrf-openEuler-SA-2022-1494.xml
Jia Chao 0b84f3c661 增加测试用的配置和目录 
Signed-off-by: Jia Chao <jiac13@chinaunicom.cn>
2024-07-02 15:51:55 +08:00

167 lines
12 KiB
XML
Raw Blame History

<?xml version="1.0" encoding="UTF-8"?>
<cvrfdoc xmlns="http://www.icasi.org/CVRF/schema/cvrf/1.1" xmlns:cvrf="http://www.icasi.org/CVRF/schema/cvrf/1.1">
<DocumentTitle xml:lang="en">An update for libarchive is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP2 and openEuler-20.03-LTS-SP3</DocumentTitle>
<DocumentType>Security Advisory</DocumentType>
<DocumentPublisher Type="Vendor">
<ContactDetails>openeuler-security@openeuler.org</ContactDetails>
<IssuingAuthority>openEuler security committee</IssuingAuthority>
</DocumentPublisher>
<DocumentTracking>
<Identification>
<ID>openEuler-SA-2022-1494</ID>
</Identification>
<Status>Final</Status>
<Version>1.0</Version>
<RevisionHistory>
<Revision>
<Number>1.0</Number>
<Date>2022-01-22</Date>
<Description>Initial</Description>
</Revision>
</RevisionHistory>
<InitialReleaseDate>2022-01-22</InitialReleaseDate>
<CurrentReleaseDate>2022-01-22</CurrentReleaseDate>
<Generator>
<Engine>openEuler SA Tool V1.0</Engine>
<Date>2022-01-22</Date>
</Generator>
</DocumentTracking>
<DocumentNotes>
<Note Title="Synopsis" Type="General" Ordinal="1" xml:lang="en">libarchive security update</Note>
<Note Title="Summary" Type="General" Ordinal="2" xml:lang="en">An update for libarchive is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP2 and openEuler-20.03-LTS-SP3.</Note>
<Note Title="Description" Type="General" Ordinal="3" xml:lang="en">is an open-source BSD-licensed C programming library that provides streaming access to a variety of different archive formats, including tar, cpio, pax, zip, and ISO9660 images. The distribution also includes bsdtar and bsdcpio, full-featured implementations of tar and cpio that use .
Security Fix(es):
Incorrect link resolution flaws can occur when extracting archives, resulting in changes to the mode, time, access control list, and flags of files outside the archive. An attacker could deliver malicious archives to victim users, triggering this vulnerability when they attempt to extract the archives. A local attacker could exploit this vulnerability to gain additional privileges on the system.(CVE-2021-31566)
Incorrect link resolution flaws when using ACLs to extract symbolic links can lead to changes to the access control list (ACL) of the link target. An attacker could deliver malicious archives to victim users, triggering this vulnerability when they attempt to extract the archives. A local attacker could exploit this vulnerability to change the ACL of a file on the system and gain more permissions.(CVE-2021-23177)</Note>
<Note Title="Topic" Type="General" Ordinal="4" xml:lang="en">An update for libarchive is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP2 and openEuler-20.03-LTS-SP3.
openEuler Security has rated this update as having a security impact of medium. A Common Vunlnerability Scoring System(CVSS)base score,which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section.</Note>
<Note Title="Severity" Type="General" Ordinal="5" xml:lang="en">Medium</Note>
<Note Title="Affected Component" Type="General" Ordinal="6" xml:lang="en">libarchive</Note>
</DocumentNotes>
<DocumentReferences>
<Reference Type="Self">
<URL>https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2022-1494</URL>
</Reference>
<Reference Type="openEuler CVE">
<URL>https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2021-31566</URL>
<URL>https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2021-23177</URL>
</Reference>
<Reference Type="Other">
<URL>https://nvd.nist.gov/vuln/detail/CVE-2021-31566</URL>
<URL>https://nvd.nist.gov/vuln/detail/CVE-2021-23177</URL>
</Reference>
</DocumentReferences>
<ProductTree xmlns="http://www.icasi.org/CVRF/schema/prod/1.1">
<Branch Type="Product Name" Name="openEuler">
<FullProductName ProductID="openEuler-20.03-LTS-SP1" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">openEuler-20.03-LTS-SP1</FullProductName>
<FullProductName ProductID="openEuler-20.03-LTS-SP2" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP2">openEuler-20.03-LTS-SP2</FullProductName>
<FullProductName ProductID="openEuler-20.03-LTS-SP3" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP3">openEuler-20.03-LTS-SP3</FullProductName>
</Branch>
<Branch Type="Package Arch" Name="aarch64">
<FullProductName ProductID="libarchive-debuginfo-3.4.3-4" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">libarchive-debuginfo-3.4.3-4.oe1.aarch64.rpm</FullProductName>
<FullProductName ProductID="libarchive-debugsource-3.4.3-4" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">libarchive-debugsource-3.4.3-4.oe1.aarch64.rpm</FullProductName>
<FullProductName ProductID="libarchive-devel-3.4.3-4" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">libarchive-devel-3.4.3-4.oe1.aarch64.rpm</FullProductName>
<FullProductName ProductID="libarchive-3.4.3-4" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">libarchive-3.4.3-4.oe1.aarch64.rpm</FullProductName>
<FullProductName ProductID="libarchive-debuginfo-3.4.3-4" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP2">libarchive-debuginfo-3.4.3-4.oe1.aarch64.rpm</FullProductName>
<FullProductName ProductID="libarchive-devel-3.4.3-4" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP2">libarchive-devel-3.4.3-4.oe1.aarch64.rpm</FullProductName>
<FullProductName ProductID="libarchive-debugsource-3.4.3-4" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP2">libarchive-debugsource-3.4.3-4.oe1.aarch64.rpm</FullProductName>
<FullProductName ProductID="libarchive-3.4.3-4" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP2">libarchive-3.4.3-4.oe1.aarch64.rpm</FullProductName>
<FullProductName ProductID="libarchive-3.4.3-4" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP3">libarchive-3.4.3-4.oe1.aarch64.rpm</FullProductName>
<FullProductName ProductID="libarchive-debugsource-3.4.3-4" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP3">libarchive-debugsource-3.4.3-4.oe1.aarch64.rpm</FullProductName>
<FullProductName ProductID="libarchive-devel-3.4.3-4" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP3">libarchive-devel-3.4.3-4.oe1.aarch64.rpm</FullProductName>
<FullProductName ProductID="libarchive-debuginfo-3.4.3-4" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP3">libarchive-debuginfo-3.4.3-4.oe1.aarch64.rpm</FullProductName>
</Branch>
<Branch Type="Package Arch" Name="noarch">
<FullProductName ProductID="libarchive-help-3.4.3-4" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">libarchive-help-3.4.3-4.oe1.noarch.rpm</FullProductName>
<FullProductName ProductID="libarchive-help-3.4.3-4" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP2">libarchive-help-3.4.3-4.oe1.noarch.rpm</FullProductName>
<FullProductName ProductID="libarchive-help-3.4.3-4" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP3">libarchive-help-3.4.3-4.oe1.noarch.rpm</FullProductName>
</Branch>
<Branch Type="Package Arch" Name="src">
<FullProductName ProductID="libarchive-3.4.3-4" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">libarchive-3.4.3-4.oe1.src.rpm</FullProductName>
<FullProductName ProductID="libarchive-3.4.3-4" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP2">libarchive-3.4.3-4.oe1.src.rpm</FullProductName>
<FullProductName ProductID="libarchive-3.4.3-4" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP3">libarchive-3.4.3-4.oe1.src.rpm</FullProductName>
</Branch>
<Branch Type="Package Arch" Name="x86_64">
<FullProductName ProductID="libarchive-debuginfo-3.4.3-4" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">libarchive-debuginfo-3.4.3-4.oe1.x86_64.rpm</FullProductName>
<FullProductName ProductID="libarchive-3.4.3-4" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">libarchive-3.4.3-4.oe1.x86_64.rpm</FullProductName>
<FullProductName ProductID="libarchive-debugsource-3.4.3-4" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">libarchive-debugsource-3.4.3-4.oe1.x86_64.rpm</FullProductName>
<FullProductName ProductID="libarchive-devel-3.4.3-4" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">libarchive-devel-3.4.3-4.oe1.x86_64.rpm</FullProductName>
<FullProductName ProductID="libarchive-debugsource-3.4.3-4" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP2">libarchive-debugsource-3.4.3-4.oe1.x86_64.rpm</FullProductName>
<FullProductName ProductID="libarchive-3.4.3-4" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP2">libarchive-3.4.3-4.oe1.x86_64.rpm</FullProductName>
<FullProductName ProductID="libarchive-debuginfo-3.4.3-4" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP2">libarchive-debuginfo-3.4.3-4.oe1.x86_64.rpm</FullProductName>
<FullProductName ProductID="libarchive-devel-3.4.3-4" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP2">libarchive-devel-3.4.3-4.oe1.x86_64.rpm</FullProductName>
<FullProductName ProductID="libarchive-debuginfo-3.4.3-4" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP3">libarchive-debuginfo-3.4.3-4.oe1.x86_64.rpm</FullProductName>
<FullProductName ProductID="libarchive-3.4.3-4" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP3">libarchive-3.4.3-4.oe1.x86_64.rpm</FullProductName>
<FullProductName ProductID="libarchive-devel-3.4.3-4" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP3">libarchive-devel-3.4.3-4.oe1.x86_64.rpm</FullProductName>
<FullProductName ProductID="libarchive-debugsource-3.4.3-4" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP3">libarchive-debugsource-3.4.3-4.oe1.x86_64.rpm</FullProductName>
</Branch>
</ProductTree>
<Vulnerability Ordinal="1" xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1">
<Notes>
<Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">Incorrect link resolution flaws can occur when extracting archives, resulting in changes to the mode, time, access control list, and flags of files outside the archive. An attacker could deliver malicious archives to victim users, triggering this vulnerability when they attempt to extract the archives. A local attacker could exploit this vulnerability to gain additional privileges on the system.</Note>
</Notes>
<ReleaseDate>2022-01-22</ReleaseDate>
<CVE>CVE-2021-31566</CVE>
<ProductStatuses>
<Status Type="Fixed">
<ProductID>openEuler-20.03-LTS-SP1</ProductID>
<ProductID>openEuler-20.03-LTS-SP2</ProductID>
<ProductID>openEuler-20.03-LTS-SP3</ProductID>
</Status>
</ProductStatuses>
<Threats>
<Threat Type="Impact">
<Description>Medium</Description>
</Threat>
</Threats>
<CVSSScoreSets>
<ScoreSet>
<BaseScore>4.4</BaseScore>
<Vector>AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L</Vector>
</ScoreSet>
</CVSSScoreSets>
<Remediations>
<Remediation Type="Vendor Fix">
<Description>libarchive security update</Description>
<DATE>2022-01-22</DATE>
<URL>https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2022-1494</URL>
</Remediation>
</Remediations>
</Vulnerability>
<Vulnerability Ordinal="2" xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1">
<Notes>
<Note Title="Vulnerability Description" Type="General" Ordinal="2" xml:lang="en">Incorrect link resolution flaws when using ACLs to extract symbolic links can lead to changes to the access control list (ACL) of the link target. An attacker could deliver malicious archives to victim users, triggering this vulnerability when they attempt to extract the archives. A local attacker could exploit this vulnerability to change the ACL of a file on the system and gain more permissions.</Note>
</Notes>
<ReleaseDate>2022-01-22</ReleaseDate>
<CVE>CVE-2021-23177</CVE>
<ProductStatuses>
<Status Type="Fixed">
<ProductID>openEuler-20.03-LTS-SP1</ProductID>
<ProductID>openEuler-20.03-LTS-SP2</ProductID>
<ProductID>openEuler-20.03-LTS-SP3</ProductID>
</Status>
</ProductStatuses>
<Threats>
<Threat Type="Impact">
<Description>Medium</Description>
</Threat>
</Threats>
<CVSSScoreSets>
<ScoreSet>
<BaseScore>6.6</BaseScore>
<Vector>AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:L</Vector>
</ScoreSet>
</CVSSScoreSets>
<Remediations>
<Remediation Type="Vendor Fix">
<Description>libarchive security update</Description>
<DATE>2022-01-22</DATE>
<URL>https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2022-1494</URL>
</Remediation>
</Remediations>
</Vulnerability>
</cvrfdoc>
Reference in New Issue View Git Blame Copy Permalink