CVE-2024-37407 is not being reported on mcr.microsoft.com/openjdk/jdk:8-mariner (Mariner OS)

[srinuhub1152]

CVE : CVE-2024-37407
Issue : CVE is not being reported on mcr.microsoft.com/openjdk/jdk:8-mariner (Mariner OS)
Package Name : libarchive
Version : 3.6.1-3.cm2

Details:
As per NVD, the version till 3.7.4 is vulnerable.
Below is the commit link the client shared:
libarchive/libarchive#2145 (comment)

As this is the OS package, we rely on the OS vendor but not on the NVD.

Below Link is being referred to check if Packages are impacted by CVEs:
https://github.com/microsoft/AzureLinuxVulnerabilityData/archive/refs/heads/main.tar.gz

The above link downloads the below files:

1. azurelinux-3.0-oval
2. cbl-mariner-1.0-oval
3. cbl-mariner-2.0-oval

The reported CVE is not there in the cbl-mariner-2.0-oval but it is there in azurelinux-3.0-oval. May we know why is the CVE not part of Mariner OS 2.0 but Azure Linux 3.0?

[Kanishk-Bansal]

Hey @srinuhub1152
in Azure Linux 2.0 we have libarchive v3.6.1.
The patch is not applicable on 3.6.1 version as the affected code block does not exist in this version of libarchive. The vulnerable code was introduced later

[Kanishk-Bansal]

cc @eric-desrochers

[srinuhub1152]

@Kanishk-Bansal Thank you for your update, I hope you are pointing to Azure Linux but we need why the CVE-2024-37407 is not reporting in Mariner OS 2.0.

[srinuhub1152]

Any Inputs on my ask

[chrs-gordon]

Hello @srinuhub1152 as mentioned, the version in Azure Linux 2.0 (Mariner) is not vulnerable. I have checked and the vulnerable line of code is not present in libarchive-3.6.1/libarchive/archive_read_support_format_zip.c which is the reason why the vulnerability/CVE is not reporting in Azure Linux 2.0 (Mariner)