{ "document": { "aggregate_severity": { "text": "Critical" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "TuxCare License Agreement", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Cloud Linux Inc. and provide a link to the original.", "title": "Terms of Use" }, { "category": "details", "text": "CVE-2021-31566: extend backport with upstream 8a1bd5c and ede459d2 to close\n the trailing-slash variant of the fixup-list symlink-follow attack", "title": "Details" } ], "publisher": { "category": "vendor", "contact_details": "https://tuxcare.com/contact/", "name": "TuxCare", "namespace": "https://tuxcare.com/" }, "references": [ { "category": "self", "summary": "https://cve.tuxcare.com/els/releases/CLSA-2026:1777307149", "url": "https://cve.tuxcare.com/els/releases/CLSA-2026:1777307149" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.tuxcare.com/csaf/v2/els_os/oraclelinux7els/advisories/2026/clsa-2026_1777307149.json" } ], "tracking": { "current_release_date": "2026-04-27T16:26:36Z", "generator": { "date": "2026-04-27T16:26:36Z", "engine": { "name": "pyCSAF" } }, "id": "CLSA-2026:1777307149", "initial_release_date": "2026-04-27T16:26:36Z", "revision_history": [ { "date": "2026-04-27T16:26:36Z", "number": "1", "summary": "Initial version" } ], "status": "final", "version": "1" }, "title": "libarchive: Fix of CVE-2021-31566" }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Oracle Linux 7", "product": { "name": "Oracle Linux 7", "product_id": "Oracle-Linux-7", "product_identification_helper": { "cpe": "cpe:2.3:o:oracle:linux:7:*:*:*:*:*:*:*" } } } ], "category": "product_family", "name": "Oracle Linux" } ], "category": "vendor", "name": "Oracle Corporation" }, { "branches": [ { "branches": [ { "category": "product_version", "name": "libarchive-devel-0:3.1.2-14.el7_7.tuxcare.els5.i686", "product": { "name": "libarchive-devel-0:3.1.2-14.el7_7.tuxcare.els5.i686", "product_id": "libarchive-devel-0:3.1.2-14.el7_7.tuxcare.els5.i686", "product_identification_helper": { "purl": "pkg:rpm/tuxcare/libarchive-devel@3.1.2-14.el7_7.tuxcare.els5?arch=i686" } } }, { "category": "product_version", "name": "libarchive-0:3.1.2-14.el7_7.tuxcare.els5.i686", "product": { "name": "libarchive-0:3.1.2-14.el7_7.tuxcare.els5.i686", "product_id": "libarchive-0:3.1.2-14.el7_7.tuxcare.els5.i686", "product_identification_helper": { "purl": "pkg:rpm/tuxcare/libarchive@3.1.2-14.el7_7.tuxcare.els5?arch=i686" } } } ], "category": "architecture", "name": "i686" }, { "branches": [ { "category": "product_version", "name": "libarchive-devel-0:3.1.2-14.el7_7.tuxcare.els5.x86_64", "product": { "name": "libarchive-devel-0:3.1.2-14.el7_7.tuxcare.els5.x86_64", "product_id": "libarchive-devel-0:3.1.2-14.el7_7.tuxcare.els5.x86_64", "product_identification_helper": { "purl": "pkg:rpm/tuxcare/libarchive-devel@3.1.2-14.el7_7.tuxcare.els5?arch=x86_64" } } }, { "category": "product_version", "name": "bsdcpio-0:3.1.2-14.el7_7.tuxcare.els5.x86_64", "product": { "name": "bsdcpio-0:3.1.2-14.el7_7.tuxcare.els5.x86_64", "product_id": "bsdcpio-0:3.1.2-14.el7_7.tuxcare.els5.x86_64", "product_identification_helper": { "purl": "pkg:rpm/tuxcare/bsdcpio@3.1.2-14.el7_7.tuxcare.els5?arch=x86_64" } } }, { "category": "product_version", "name": "libarchive-0:3.1.2-14.el7_7.tuxcare.els5.x86_64", "product": { "name": "libarchive-0:3.1.2-14.el7_7.tuxcare.els5.x86_64", "product_id": "libarchive-0:3.1.2-14.el7_7.tuxcare.els5.x86_64", "product_identification_helper": { "purl": "pkg:rpm/tuxcare/libarchive@3.1.2-14.el7_7.tuxcare.els5?arch=x86_64" } } }, { "category": "product_version", "name": "bsdtar-0:3.1.2-14.el7_7.tuxcare.els5.x86_64", "product": { "name": "bsdtar-0:3.1.2-14.el7_7.tuxcare.els5.x86_64", "product_id": "bsdtar-0:3.1.2-14.el7_7.tuxcare.els5.x86_64", "product_identification_helper": { "purl": "pkg:rpm/tuxcare/bsdtar@3.1.2-14.el7_7.tuxcare.els5?arch=x86_64" } } } ], "category": "architecture", "name": "x86_64" } ], "category": "vendor", "name": "TuxCare" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "libarchive-devel-0:3.1.2-14.el7_7.tuxcare.els5.i686 as a component of Oracle Linux 7", "product_id": "Oracle-Linux-7:libarchive-devel-0:3.1.2-14.el7_7.tuxcare.els5.i686" }, "product_reference": "libarchive-devel-0:3.1.2-14.el7_7.tuxcare.els5.i686", "relates_to_product_reference": "Oracle-Linux-7" }, { "category": "default_component_of", "full_product_name": { "name": "libarchive-devel-0:3.1.2-14.el7_7.tuxcare.els5.x86_64 as a component of Oracle Linux 7", "product_id": "Oracle-Linux-7:libarchive-devel-0:3.1.2-14.el7_7.tuxcare.els5.x86_64" }, "product_reference": "libarchive-devel-0:3.1.2-14.el7_7.tuxcare.els5.x86_64", "relates_to_product_reference": "Oracle-Linux-7" }, { "category": "default_component_of", "full_product_name": { "name": "bsdcpio-0:3.1.2-14.el7_7.tuxcare.els5.x86_64 as a component of Oracle Linux 7", "product_id": "Oracle-Linux-7:bsdcpio-0:3.1.2-14.el7_7.tuxcare.els5.x86_64" }, "product_reference": "bsdcpio-0:3.1.2-14.el7_7.tuxcare.els5.x86_64", "relates_to_product_reference": "Oracle-Linux-7" }, { "category": "default_component_of", "full_product_name": { "name": "libarchive-0:3.1.2-14.el7_7.tuxcare.els5.i686 as a component of Oracle Linux 7", "product_id": "Oracle-Linux-7:libarchive-0:3.1.2-14.el7_7.tuxcare.els5.i686" }, "product_reference": "libarchive-0:3.1.2-14.el7_7.tuxcare.els5.i686", "relates_to_product_reference": "Oracle-Linux-7" }, { "category": "default_component_of", "full_product_name": { "name": "libarchive-0:3.1.2-14.el7_7.tuxcare.els5.x86_64 as a component of Oracle Linux 7", "product_id": "Oracle-Linux-7:libarchive-0:3.1.2-14.el7_7.tuxcare.els5.x86_64" }, "product_reference": "libarchive-0:3.1.2-14.el7_7.tuxcare.els5.x86_64", "relates_to_product_reference": "Oracle-Linux-7" }, { "category": "default_component_of", "full_product_name": { "name": "bsdtar-0:3.1.2-14.el7_7.tuxcare.els5.x86_64 as a component of Oracle Linux 7", "product_id": "Oracle-Linux-7:bsdtar-0:3.1.2-14.el7_7.tuxcare.els5.x86_64" }, "product_reference": "bsdtar-0:3.1.2-14.el7_7.tuxcare.els5.x86_64", "relates_to_product_reference": "Oracle-Linux-7" } ] }, "vulnerabilities": [ { "cve": "CVE-2021-31566", "cwe": { "id": "CWE-59", "name": "Improper Link Resolution Before File Access ('Link Following')" }, "notes": [ { "category": "description", "text": "An improper link resolution flaw can occur while extracting an archive leading to changing modes, times, access control lists, and flags of a file outside of the archive. An attacker may provide a malicious archive to a victim user, who would trigger this flaw when trying to extract the archive. A local attacker may use this flaw to gain more privileges in a system.", "title": "Vulnerability description" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Oracle-Linux-7:bsdcpio-0:3.1.2-14.el7_7.tuxcare.els5.x86_64", "Oracle-Linux-7:bsdtar-0:3.1.2-14.el7_7.tuxcare.els5.x86_64", "Oracle-Linux-7:libarchive-0:3.1.2-14.el7_7.tuxcare.els5.i686", "Oracle-Linux-7:libarchive-0:3.1.2-14.el7_7.tuxcare.els5.x86_64", "Oracle-Linux-7:libarchive-devel-0:3.1.2-14.el7_7.tuxcare.els5.i686", "Oracle-Linux-7:libarchive-devel-0:3.1.2-14.el7_7.tuxcare.els5.x86_64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://cve.tuxcare.com/els/cve/CVE-2021-31566" }, { "category": "external", "summary": "https://access.redhat.com/security/cve/CVE-2021-31566", "url": "https://access.redhat.com/security/cve/CVE-2021-31566" }, { "category": "external", "summary": "https://bugzilla.redhat.com/show_bug.cgi?id=2024237", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2024237" }, { "category": "external", "summary": "https://github.com/libarchive/libarchive/commit/b41daecb5ccb4c8e3b2c53fd6147109fc12c3043", "url": "https://github.com/libarchive/libarchive/commit/b41daecb5ccb4c8e3b2c53fd6147109fc12c3043" }, { "category": "external", "summary": "https://github.com/libarchive/libarchive/issues/1566", "url": "https://github.com/libarchive/libarchive/issues/1566" }, { "category": "external", "summary": "https://lists.debian.org/debian-lts-announce/2022/11/msg00030.html", "url": "https://lists.debian.org/debian-lts-announce/2022/11/msg00030.html" } ], "release_date": "2022-08-23T16:15:00Z", "remediations": [ { "category": "vendor_fix", "date": "2026-04-27T16:25:52.701251Z", "details": "Details on how to apply the fix are available at: https://cve.tuxcare.com/els/releases/CLSA-2026:1777307149", "product_ids": [ "Oracle-Linux-7:bsdcpio-0:3.1.2-14.el7_7.tuxcare.els5.x86_64", "Oracle-Linux-7:bsdtar-0:3.1.2-14.el7_7.tuxcare.els5.x86_64", "Oracle-Linux-7:libarchive-0:3.1.2-14.el7_7.tuxcare.els5.i686", "Oracle-Linux-7:libarchive-0:3.1.2-14.el7_7.tuxcare.els5.x86_64", "Oracle-Linux-7:libarchive-devel-0:3.1.2-14.el7_7.tuxcare.els5.i686", "Oracle-Linux-7:libarchive-devel-0:3.1.2-14.el7_7.tuxcare.els5.x86_64" ], "url": "https://cve.tuxcare.com/els/releases/CLSA-2026:1777307149" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "Oracle-Linux-7:bsdcpio-0:3.1.2-14.el7_7.tuxcare.els5.x86_64", "Oracle-Linux-7:bsdtar-0:3.1.2-14.el7_7.tuxcare.els5.x86_64", "Oracle-Linux-7:libarchive-0:3.1.2-14.el7_7.tuxcare.els5.i686", "Oracle-Linux-7:libarchive-0:3.1.2-14.el7_7.tuxcare.els5.x86_64", "Oracle-Linux-7:libarchive-devel-0:3.1.2-14.el7_7.tuxcare.els5.i686", "Oracle-Linux-7:libarchive-devel-0:3.1.2-14.el7_7.tuxcare.els5.x86_64" ] } ], "threats": [ { "category": "impact", "details": "Important" } ] }, { "cve": "CVE-2021-23177", "cwe": { "id": "CWE-59", "name": "Improper Link Resolution Before File Access ('Link Following')" }, "notes": [ { "category": "description", "text": "An improper link resolution flaw while extracting an archive can lead to changing the access control list (ACL) of the target of the link. An attacker may provide a malicious archive to a victim user, who would trigger this flaw when trying to extract the archive. A local attacker may use this flaw to change the ACL of a file on the system and gain more privileges.", "title": "Vulnerability description" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Oracle-Linux-7:bsdcpio-0:3.1.2-14.el7_7.tuxcare.els5.x86_64", "Oracle-Linux-7:bsdtar-0:3.1.2-14.el7_7.tuxcare.els5.x86_64", "Oracle-Linux-7:libarchive-0:3.1.2-14.el7_7.tuxcare.els5.i686", "Oracle-Linux-7:libarchive-0:3.1.2-14.el7_7.tuxcare.els5.x86_64", "Oracle-Linux-7:libarchive-devel-0:3.1.2-14.el7_7.tuxcare.els5.i686", "Oracle-Linux-7:libarchive-devel-0:3.1.2-14.el7_7.tuxcare.els5.x86_64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://cve.tuxcare.com/els/cve/CVE-2021-23177" }, { "category": "external", "summary": "https://access.redhat.com/security/cve/CVE-2021-23177", "url": "https://access.redhat.com/security/cve/CVE-2021-23177" }, { "category": "external", "summary": "https://bugzilla.redhat.com/show_bug.cgi?id=2024245", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2024245" }, { "category": "external", "summary": "https://github.com/libarchive/libarchive/commit/fba4f123cc456d2b2538f811bb831483bf336bad", "url": "https://github.com/libarchive/libarchive/commit/fba4f123cc456d2b2538f811bb831483bf336bad" }, { "category": "external", "summary": "https://github.com/libarchive/libarchive/issues/1565", "url": "https://github.com/libarchive/libarchive/issues/1565" }, { "category": "external", "summary": "https://lists.debian.org/debian-lts-announce/2022/11/msg00030.html", "url": "https://lists.debian.org/debian-lts-announce/2022/11/msg00030.html" } ], "release_date": "2022-08-23T16:15:00Z", "remediations": [ { "category": "vendor_fix", "date": "2026-04-27T16:25:52.701251Z", "details": "Details on how to apply the fix are available at: https://cve.tuxcare.com/els/releases/CLSA-2026:1777307149", "product_ids": [ "Oracle-Linux-7:bsdcpio-0:3.1.2-14.el7_7.tuxcare.els5.x86_64", "Oracle-Linux-7:bsdtar-0:3.1.2-14.el7_7.tuxcare.els5.x86_64", "Oracle-Linux-7:libarchive-0:3.1.2-14.el7_7.tuxcare.els5.i686", "Oracle-Linux-7:libarchive-0:3.1.2-14.el7_7.tuxcare.els5.x86_64", "Oracle-Linux-7:libarchive-devel-0:3.1.2-14.el7_7.tuxcare.els5.i686", "Oracle-Linux-7:libarchive-devel-0:3.1.2-14.el7_7.tuxcare.els5.x86_64" ], "url": "https://cve.tuxcare.com/els/releases/CLSA-2026:1777307149" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "Oracle-Linux-7:bsdcpio-0:3.1.2-14.el7_7.tuxcare.els5.x86_64", "Oracle-Linux-7:bsdtar-0:3.1.2-14.el7_7.tuxcare.els5.x86_64", "Oracle-Linux-7:libarchive-0:3.1.2-14.el7_7.tuxcare.els5.i686", "Oracle-Linux-7:libarchive-0:3.1.2-14.el7_7.tuxcare.els5.x86_64", "Oracle-Linux-7:libarchive-devel-0:3.1.2-14.el7_7.tuxcare.els5.i686", "Oracle-Linux-7:libarchive-devel-0:3.1.2-14.el7_7.tuxcare.els5.x86_64" ] } ], "threats": [ { "category": "impact", "details": "Important" } ] }, { "cve": "CVE-2022-36227", "cwe": { "id": "CWE-476", "name": "NULL Pointer Dereference" }, "notes": [ { "category": "description", "text": "In libarchive before 3.6.2, the software does not check for an error after calling calloc function that can return with a NULL pointer if the function fails, which leads to a resultant NULL pointer dereference. NOTE: the discoverer cites this CWE-476 remark but third parties dispute the code-execution impact: \"In rare circumstances, when NULL is equivalent to the 0x0 memory address and privileged code can access it, then writing or reading memory is possible, which may lead to code execution.\"", "title": "Vulnerability description" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Oracle-Linux-7:bsdcpio-0:3.1.2-14.el7_7.tuxcare.els5.x86_64", "Oracle-Linux-7:bsdtar-0:3.1.2-14.el7_7.tuxcare.els5.x86_64", "Oracle-Linux-7:libarchive-0:3.1.2-14.el7_7.tuxcare.els5.i686", "Oracle-Linux-7:libarchive-0:3.1.2-14.el7_7.tuxcare.els5.x86_64", "Oracle-Linux-7:libarchive-devel-0:3.1.2-14.el7_7.tuxcare.els5.i686", "Oracle-Linux-7:libarchive-devel-0:3.1.2-14.el7_7.tuxcare.els5.x86_64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://cve.tuxcare.com/els/cve/CVE-2022-36227" }, { "category": "external", "summary": "https://bugs.gentoo.org/882521", "url": "https://bugs.gentoo.org/882521" }, { "category": "external", "summary": "https://github.com/libarchive/libarchive/blob/v3.0.0a/libarchive/archive_write.c#L215", "url": "https://github.com/libarchive/libarchive/blob/v3.0.0a/libarchive/archive_write.c#L215" }, { "category": "external", "summary": "https://github.com/libarchive/libarchive/issues/1754", "url": "https://github.com/libarchive/libarchive/issues/1754" }, { "category": "external", "summary": "https://lists.debian.org/debian-lts-announce/2023/01/msg00034.html", "url": "https://lists.debian.org/debian-lts-announce/2023/01/msg00034.html" }, { "category": "external", "summary": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/V67OO2UUQAUJS3IK4JZPF6F3LUCBU6IS/", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/V67OO2UUQAUJS3IK4JZPF6F3LUCBU6IS/" }, { "category": "external", "summary": "https://security.gentoo.org/glsa/202309-14", "url": "https://security.gentoo.org/glsa/202309-14" }, { "category": "external", "summary": "https://lists.debian.org/debian-lts-announce/2024/11/msg00007.html", "url": "https://lists.debian.org/debian-lts-announce/2024/11/msg00007.html" } ], "release_date": "2022-11-22T02:15:00Z", "remediations": [ { "category": "vendor_fix", "date": "2026-04-27T16:25:52.701251Z", "details": "Details on how to apply the fix are available at: https://cve.tuxcare.com/els/releases/CLSA-2026:1777307149", "product_ids": [ "Oracle-Linux-7:bsdcpio-0:3.1.2-14.el7_7.tuxcare.els5.x86_64", "Oracle-Linux-7:bsdtar-0:3.1.2-14.el7_7.tuxcare.els5.x86_64", "Oracle-Linux-7:libarchive-0:3.1.2-14.el7_7.tuxcare.els5.i686", "Oracle-Linux-7:libarchive-0:3.1.2-14.el7_7.tuxcare.els5.x86_64", "Oracle-Linux-7:libarchive-devel-0:3.1.2-14.el7_7.tuxcare.els5.i686", "Oracle-Linux-7:libarchive-devel-0:3.1.2-14.el7_7.tuxcare.els5.x86_64" ], "url": "https://cve.tuxcare.com/els/releases/CLSA-2026:1777307149" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "Oracle-Linux-7:bsdcpio-0:3.1.2-14.el7_7.tuxcare.els5.x86_64", "Oracle-Linux-7:bsdtar-0:3.1.2-14.el7_7.tuxcare.els5.x86_64", "Oracle-Linux-7:libarchive-0:3.1.2-14.el7_7.tuxcare.els5.i686", "Oracle-Linux-7:libarchive-0:3.1.2-14.el7_7.tuxcare.els5.x86_64", "Oracle-Linux-7:libarchive-devel-0:3.1.2-14.el7_7.tuxcare.els5.i686", "Oracle-Linux-7:libarchive-devel-0:3.1.2-14.el7_7.tuxcare.els5.x86_64" ] } ], "threats": [ { "category": "impact", "details": "Critical" } ] } ] }