FS#75474 - [security] [libarchive] null pointer dereference

Attached to Project: Arch Linux
Opened by T.J. Townsend (blakkheim) - Monday, 01 August 2022, 00:48 GMT
Last edited by Christian Hesse (eworm) - Monday, 01 August 2022, 21:38 GMT
Task Type Bug Report
Category Packages: Core
Status Closed
Assigned To Christian Hesse (eworm)
Architecture All
Severity High
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 0
Private No


The libarchive package has a null pointer dereference bug that has been fixed upstream. Separately there was another oss-fuzz fix committed that may be relevant to security. The attached diff adds both fixes to the PKGBUILD.

Applying the second commit's full patch breaks one of the tests in "make check" (likely because it's missing another commit to that file) so I opted to use:

git apply --include=archive_read_support_format_tar.c

to only apply the relevant part of the full change. This adds git to makedepends, which isn't pretty, but it works. If you'd rather manually download the patch, edit it, and put that file in SVN, that's ok too.

Additional info:
This task depends upon

Closed by  Christian Hesse (eworm)
Monday, 01 August 2022, 21:38 GMT
Reason for closing:  Fixed
Additional comments about closing:  libarchive 3.6.1-2