[Buildroot] [PATCH 1/1] package/libarchive: fix CVE-2022-36227
Peter Korsgaard
peter at korsgaard.com
Wed Dec 7 13:36:43 UTC 2022
>>>>> "Fabrice" == Fabrice Fontaine <fontaine.fabrice at gmail.com> writes:
> In libarchive 3.6.1, the software does not check for an error after
> calling the calloc function, which can return a NULL pointer if the
> function fails, leading to a resultant NULL pointer dereference.
> NOTE: the discoverer cites this CWE-476 remark but third parties dispute
> the code-execution impact: "In rare circumstances, when NULL is
> equivalent to the 0x0 memory address and privileged code can access it,
> then writing or reading memory is possible, which may lead to code
> execution."
> Signed-off-by: Fabrice Fontaine <fontaine.fabrice at gmail.com>
Committed to 2022.08.x and 2022.02.x, thanks.
--
Bye, Peter Korsgaard
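The CWE-476 pattern described in the quoted commit message, as an added example that is not part of the original thread and is not libarchive's code: an unchecked calloc result beside the hardened form that checks it. The struct, function names and the injectable allocator hook used to force the failure path are assumptions for illustration only.

```c
/* Added example: unchecked calloc (CWE-476) beside the checked form.
 * Not libarchive code; struct entry, the function names and the
 * calloc_fn hook are made up for this demonstration. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Allocator hook so the allocation-failure path can be exercised
 * deterministically. Production code would call calloc() directly. */
typedef void *(*calloc_fn)(size_t nmemb, size_t size);

/* Simulates an out-of-memory condition. */
static void *failing_calloc(size_t nmemb, size_t size)
{
    (void)nmemb;
    (void)size;
    return NULL;
}

struct entry {
    char *name;
    size_t len;
};

/* Vulnerable pattern: the calloc result is written through without a
 * NULL check. If alloc() fails, memcpy() writes to address 0 (NULL
 * pointer dereference). Never call this with a failing allocator. */
static int vuln_make_entry(calloc_fn alloc, const char *src, struct entry *out)
{
    size_t len = strlen(src);
    out->name = alloc(len + 1, 1);
    memcpy(out->name, src, len + 1);   /* crashes when alloc() returned NULL */
    out->len = len;
    return 0;
}

/* Hardened pattern: check the result before use, leave *out in a
 * consistent state, and report the failure to the caller. */
static int safe_make_entry(calloc_fn alloc, const char *src, struct entry *out)
{
    size_t len = strlen(src);
    char *buf = alloc(len + 1, 1);
    if (buf == NULL) {
        out->name = NULL;
        out->len = 0;
        return -1;   /* allocation failed; caller must handle it */
    }
    memcpy(buf, src, len + 1);
    out->name = buf;
    out->len = len;
    return 0;
}

int main(void)
{
    struct entry e;

    /* Normal path: allocation succeeds. */
    if (safe_make_entry(calloc, "archive-entry", &e) == 0) {
        printf("ok: %s (%zu bytes)\n", e.name, e.len);
        free(e.name);
    }

    /* Failure path: the hardened version returns an error instead of
     * dereferencing NULL. The vulnerable version would crash here. */
    if (safe_make_entry(failing_calloc, "archive-entry", &e) != 0)
        printf("allocation failure reported cleanly\n");

    return 0;
}
```

The check itself is trivial; what matters in a library like this is that the error propagates to the caller instead of being silently ignored, so a malformed or very large archive that drives allocations to fail ends in a clean error return rather than a crash.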