Tim Kientzle

Name of the Vulnerable Software and Affected Versions: libarchive versions prior to 2.2.4 bsdtar (affected versions not specified) Description: The issue concerns multiple vulnerabilities in the libarchive package, which can be exploited remotely to compromise the confidentiality, integrity, and availability of protected information. The vulnerabilities can be triggered by a crafted PAX or TAR archive, potentially leading to a denial of service or the execution of arbitrary code. The exploitation can be performed remotely. Recommendations: For libarchive versions prior to 2.2.4, update to version 2.2.4 or later to resolve the issue. For bsdtar, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: libarchive versions prior to 2.2.4 Description: The issue allows user-assisted remote attackers to cause a denial of service via specific conditions in tar headers or malformed pax extension headers in PAX or TAR archives, resulting in a NULL pointer dereference. Multiple vulnerabilities in the libarchive package can lead to violations of confidentiality, integrity, and availability of protected information. These vulnerabilities can be exploited remotely. Recommendations: For versions prior to 2.2.4, update to version 2.2.4 or later to resolve the issue. As a temporary workaround, consider restricting the use of libarchive functions that handle tar and pax headers until a patch is available. Avoid using the `archive read support format tar` function in `archive read support format tar.c` until the issue is resolved.