Amazon Linux 2023 Security Advisory: ALAS2023-2023-246
Advisory Released Date: 2023-07-19
Advisory Updated Date: 2023-07-20
Severity:
Low
Issue Overview:
libarchive 3.6.1 does not check the return value of calloc, which returns a NULL pointer when the allocation fails. This leads to a NULL pointer dereference or, in some cases, even arbitrary code execution. (CVE-2022-36227)
Affected Packages:
libarchive
Issue Correction:
Run dnf update libarchive --releasever 2023.1.20230719 to update your system.
New Packages:
aarch64:
bsdcpio-debuginfo-3.5.3-2.amzn2023.0.3.aarch64
libarchive-debuginfo-3.5.3-2.amzn2023.0.3.aarch64
bsdtar-3.5.3-2.amzn2023.0.3.aarch64
bsdcat-debuginfo-3.5.3-2.amzn2023.0.3.aarch64
libarchive-debugsource-3.5.3-2.amzn2023.0.3.aarch64
bsdtar-debuginfo-3.5.3-2.amzn2023.0.3.aarch64
bsdcpio-3.5.3-2.amzn2023.0.3.aarch64
bsdcat-3.5.3-2.amzn2023.0.3.aarch64
libarchive-3.5.3-2.amzn2023.0.3.aarch64
libarchive-devel-3.5.3-2.amzn2023.0.3.aarch64
src:
libarchive-3.5.3-2.amzn2023.0.3.src
x86_64:
bsdcat-3.5.3-2.amzn2023.0.3.x86_64
libarchive-debuginfo-3.5.3-2.amzn2023.0.3.x86_64
bsdcpio-3.5.3-2.amzn2023.0.3.x86_64
bsdcpio-debuginfo-3.5.3-2.amzn2023.0.3.x86_64
bsdtar-debuginfo-3.5.3-2.amzn2023.0.3.x86_64
bsdtar-3.5.3-2.amzn2023.0.3.x86_64
libarchive-debugsource-3.5.3-2.amzn2023.0.3.x86_64
libarchive-3.5.3-2.amzn2023.0.3.x86_64
libarchive-devel-3.5.3-2.amzn2023.0.3.x86_64
bsdcat-debuginfo-3.5.3-2.amzn2023.0.3.x86_64
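
To confirm that the update under Issue Correction took effect, the following added example (not part of the advisory or of Amazon's tooling) compares installed package builds against the 3.5.3-2.amzn2023.0.3 build listed under New Packages. The function names, the use of `sort -V` as an approximation of RPM version ordering (epochs are ignored), and the sample inventory are assumptions.

```shell
#!/bin/sh
# Fixed build taken from the advisory's New Packages list.
FIXED_EVR="3.5.3-2.amzn2023.0.3"
# Non-debug binary packages named in the advisory.
ADVISORY_PKGS="libarchive libarchive-devel bsdtar bsdcpio bsdcat"

# evr_lt A B: succeeds when A sorts strictly before B.
# Assumption: GNU `sort -V` orders these version-release strings the same way
# rpm does; it is not a full rpmvercmp and does not handle epochs.
evr_lt() {
    [ "$1" != "$2" ] &&
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# check_inventory: reads "name version-release" lines on stdin, reports each
# advisory package, and returns 1 if any is older than FIXED_EVR.
check_inventory() {
    rc_any=0
    while read -r name evr; do
        case " $ADVISORY_PKGS " in
            *" $name "*) ;;      # package is covered by the advisory
            *) continue ;;       # unrelated package, skip
        esac
        if evr_lt "$evr" "$FIXED_EVR"; then
            printf 'NEEDS-UPDATE %s %s\n' "$name" "$evr"
            rc_any=1
        else
            printf 'OK %s %s\n' "$name" "$evr"
        fi
    done
    return "$rc_any"
}

# Constructed sample inventory (not taken from a real host).
sample_inventory() {
    printf '%s\n' \
        'libarchive 3.5.3-1.amzn2023.0.1' \
        'bsdtar 3.5.3-2.amzn2023.0.3' \
        'openssl 3.0.8-1.amzn2023.0.1'
}

# On a live host, feed the real inventory instead of the sample:
#   rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n' | check_inventory
```

A non-zero return from `check_inventory` means at least one listed package is still older than the fixed build.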