CVE-2022-28066

Name	CVE-2022-28066
Description	Libarchive v3.6.0 was discovered to contain a read memory access vulnerability via the function lzma_decode.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
Debian Bugs	1010696

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
libarchive (PTS)	stretch	3.2.2-2+deb9u2	fixed
	stretch (security)	3.2.2-2+deb9u3	fixed
	buster, buster (security)	3.3.3-4+deb10u1	fixed
	bullseye	3.4.3-2+deb11u1	vulnerable
	bookworm, sid	3.6.0-1	vulnerable

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Debian Bugs
libarchive	source	stretch	(not affected)
libarchive	source	buster	(not affected)
libarchive	source	(unstable)	(unfixed)	1010696

Notes

[bullseye] - libarchive <no-dsa> (Minor issue)
[buster] - libarchive <not-affected> (Vulnerable code introduced later)
[stretch] - libarchive <not-affected> (Vulnerable code introduced later)
https://github.com/libarchive/libarchive/issues/1672
https://github.com/libarchive/libarchive/commit/cfaa28168a07ea4a53276b63068f94fce37d6aff (v3.6.1)