diff --git a/backport-CVE-2024-20696.patch b/backport-CVE-2024-20696.patch
deleted file mode 100644
index d0e757fcd9638d862bf60198d8856ab89c1c7f3c..0000000000000000000000000000000000000000
--- a/backport-CVE-2024-20696.patch
+++ /dev/null
@@ -1,116 +0,0 @@
-From eac15e252010c1189a5c0f461364dbe2cd2a68b1 Mon Sep 17 00:00:00 2001
-From: "Dustin L. Howett"
-Date: Thu, 9 May 2024 18:59:17 -0500
-Subject: [PATCH] rar4 reader: protect copy_from_lzss_window_to_unp() (#2172)
-
-copy_from_lzss_window_to_unp unnecessarily took an `int` parameter where
-both of its callers were holding a `size_t`.
-
-A lzss opcode chain could be constructed that resulted in a negative
-copy length, which when passed into memcpy would result in a very, very
-large positive number.
-
-Switching copy_from_lzss_window_to_unp to take a `size_t` allows it to
-properly bounds-check length.
-
-In addition, this patch also ensures that `length` is not itself larger
-than the destination buffer.
-
-Security: CVE-2024-20696
----
- libarchive/archive_read_support_format_rar.c | 28 +++++++++++++-------
- 1 file changed, 18 insertions(+), 10 deletions(-)
-
-diff --git a/libarchive/archive_read_support_format_rar.c b/libarchive/archive_read_support_format_rar.c
-index 4fc6626ca..5776df4bd 100644
---- a/libarchive/archive_read_support_format_rar.c
-+++ b/libarchive/archive_read_support_format_rar.c
-@@ -432,7 +432,7 @@ static int make_table_recurse(struct archive_read *, struct huffman_code *, int,
- struct huffman_table_entry *, int, int);
- static int expand(struct archive_read *, int64_t *);
- static int copy_from_lzss_window_to_unp(struct archive_read *, const void **,
-- int64_t, int);
-+ int64_t, size_t);
- static const void *rar_read_ahead(struct archive_read *, size_t, ssize_t *);
- static int parse_filter(struct archive_read *, const uint8_t *, uint16_t,
- uint8_t);
-@@ -2060,7 +2060,7 @@ read_data_compressed(struct archive_read *a, const void **buff, size_t *size,
- bs = rar->unp_buffer_size - rar->unp_offset;
- else
- bs = (size_t)rar->bytes_uncopied;
-- ret = copy_from_lzss_window_to_unp(a, buff, rar->offset, (int)bs);
-+ ret = copy_from_lzss_window_to_unp(a, buff, rar->offset, bs);
- if (ret != ARCHIVE_OK)
- return (ret);
- rar->offset += bs;
-@@ -2213,7 +2213,7 @@ read_data_compressed(struct archive_read *a, const void **buff, size_t *size,
- bs = rar->unp_buffer_size - rar->unp_offset;
- else
- bs = (size_t)rar->bytes_uncopied;
-- ret = copy_from_lzss_window_to_unp(a, buff, rar->offset, (int)bs);
-+ ret = copy_from_lzss_window_to_unp(a, buff, rar->offset, bs);
- if (ret != ARCHIVE_OK)
- return (ret);
- rar->offset += bs;
-@@ -3094,11 +3094,16 @@ copy_from_lzss_window(struct archive_read *a, void *buffer,
-
- static int
- copy_from_lzss_window_to_unp(struct archive_read *a, const void **buffer,
-- int64_t startpos, int length)
-+ int64_t startpos, size_t length)
- {
- int windowoffs, firstpart;
- struct rar *rar = (struct rar *)(a->format->data);
-
-+ if (length > rar->unp_buffer_size)
-+ {
-+ goto fatal;
-+ }
-+
- if (!rar->unp_buffer)
- {
- if ((rar->unp_buffer = malloc(rar->unp_buffer_size)) == NULL)
-@@ -3110,17 +3115,17 @@ copy_from_lzss_window_to_unp(struct archive_read *a, const void **buffer,
- }
-
- windowoffs = lzss_offset_for_position(&rar->lzss, startpos);
-- if(windowoffs + length <= lzss_size(&rar->lzss)) {
-+ if(windowoffs + length <= (size_t)lzss_size(&rar->lzss)) {
- memcpy(&rar->unp_buffer[rar->unp_offset], &rar->lzss.window[windowoffs],
- length);
-- } else if (length <= lzss_size(&rar->lzss)) {
-+ } else if (length <= (size_t)lzss_size(&rar->lzss)) {
- firstpart = lzss_size(&rar->lzss) - windowoffs;
- if (firstpart < 0) {
- archive_set_error(&a->archive, ARCHIVE_ERRNO_FILE_FORMAT,
- "Bad RAR file data");
- return (ARCHIVE_FATAL);
- }
-- if (firstpart < length) {
-+ if ((size_t)firstpart < length) {
- memcpy(&rar->unp_buffer[rar->unp_offset],
- &rar->lzss.window[windowoffs], firstpart);
- memcpy(&rar->unp_buffer[rar->unp_offset + firstpart],
-@@ -3130,9 +3135,7 @@ copy_from_lzss_window_to_unp(struct archive_read *a, const void **buffer,
- &rar->lzss.window[windowoffs], length);
- }
- } else {
-- archive_set_error(&a->archive, ARCHIVE_ERRNO_FILE_FORMAT,
-- "Bad RAR file data");
-- return (ARCHIVE_FATAL);
-+ goto fatal;
- }
- rar->unp_offset += length;
- if (rar->unp_offset >= rar->unp_buffer_size)
-@@ -3140,6 +3143,11 @@ copy_from_lzss_window_to_unp(struct archive_read *a, const void **buffer,
- else
- *buffer = NULL;
- return (ARCHIVE_OK);
-+
-+fatal:
-+ archive_set_error(&a->archive, ARCHIVE_ERRNO_FILE_FORMAT,
-+ "Bad RAR file data");
-+ return (ARCHIVE_FATAL);
- }
-
- static const void *
diff --git a/libarchive-3.7.4.tar.gz b/libarchive-3.7.5.tar.xz
similarity index 38%
rename from libarchive-3.7.4.tar.gz
rename to libarchive-3.7.5.tar.xz
index 50abf77b7226df46a33013f278464c1588b0ceea..ab47d5b61041a3899cbf8668ba460d3b20eb2608 100644
Binary files a/libarchive-3.7.4.tar.gz and b/libarchive-3.7.5.tar.xz differ
diff --git a/libarchive.spec b/libarchive.spec
index 44eef0f4d4936c33e06a90b886aeb44c51f1c197..5f47b0ce984693838492e1ed6f598984f15f87aa 100644
--- a/libarchive.spec
+++ b/libarchive.spec
@@ -1,19 +1,17 @@
 %bcond_without check
 Name: libarchive
-Version: 3.7.4
+Version: 3.7.5
 Release: 1
 Summary: Multi-format archive and compression library
-License: BSD
+License: BSD-2-Clause
 URL: https://www.libarchive.org/
-Source0: https://libarchive.org/downloads/%{name}-%{version}.tar.gz
-
-Patch6000: backport-CVE-2024-20696.patch
+Source0: https://libarchive.org/downloads/%{name}-%{version}.tar.xz
 BuildRequires: gcc bison sharutils zlib-devel bzip2-devel xz-devel
-BuildRequires: lzo-devel e2fsprogs-devel libacl-devel libattr-devel
-BuildRequires: openssl-devel libxml2-devel lz4-devel automake libzstd-devel
-BuildRequires: autoconf libtool make
+BuildRequires: e2fsprogs-devel libacl-devel libattr-devel
+BuildRequires: openssl-devel libxml2-devel lz4-devel libzstd-devel
+BuildRequires: make
 %description
 %{name} is an open-source BSD-licensed C programming library that
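Review bot: The new `Source0` line still pulls the release tarball with no integrity check, so a substituted or tampered archive would be compiled in silently; the switch from .tar.gz to .tar.xz is the natural moment to add one. If upstream publishes a detached signature for the .xz tarball, add it as `Source1: https://libarchive.org/downloads/%{name}-%{version}.tar.xz.asc` plus a keyring source and verify it in %prep (for example with the distribution's `%{gpgverify}` macro, where available); otherwise at least pin the tarball's expected checksum in the packaging. Dropping `Patch6000` is presumably correct because 3.7.5 carries upstream commit eac15e25 that the deleted backport contained, but nothing in this hunk records that reasoning.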
@@ -69,7 +67,6 @@ libarchive packages. It is designed to provide an interface compatible with Info
 %autosetup -n %{name}-%{version} -p1
 %build
-autoreconf -ifv
 %configure --disable-rpath --disable-static LT_SYS_LIBRARY_PATH=%_libdir %disable_rpath
@@ -157,50 +154,44 @@ run_testsuite
 %endif
 %files
-%defattr(-,root,root)
-%{!?_licensedir:%global license %%doc}
 %license COPYING
 %{_libdir}/%{name}.so.13*
 %files devel
-%defattr(-,root,root)
 %{_includedir}/*.h
 %{_libdir}/%{name}.so
 %{_libdir}/pkgconfig/%{name}.pc
 %files help
-%defattr(-,root,root)
 %doc NEWS README.md
-%{_mandir}/man1/*
-%{_mandir}/man3/*
-%{_mandir}/man5/*
+%{_mandir}/man?/*
 %files -n bsdtar
-%{!?_licensedir:%global license %%doc}
 %license COPYING
 %doc NEWS README.md
 %{_bindir}/bsdtar
 %files -n bsdcpio
-%{!?_licensedir:%global license %%doc}
 %license COPYING
 %doc NEWS README.md
 %{_bindir}/bsdcpio
 %files -n bsdcat
-%{!?_licensedir:%global license %%doc}
 %license COPYING
 %doc NEWS README.md
 %{_bindir}/bsdcat
 %files -n bsdunzip
-%{!?_licensedir:%global license %%doc}
 %license COPYING
 %doc NEWS README.md
 %{_bindir}/bsdunzip
-%{_mandir}/*/bsdunzip*
 %changelog
+* Sat Sep 14 2024 Funda Wang - 3.7.5-1
+- update to 3.7.5
+- do not link against liblzo as suggested upstream:
+ https://github.com/libarchive/libarchive/releases/tag/v3.3.0
+
 * Sun Jul 28 2024 dillon chen - 3.7.4-1
 - Type:enhancement
 - ID:NA
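Review bot: The new %changelog entry in the `@@ -157,50 +154,44 @@` hunk says nothing about `backport-CVE-2024-20696.patch` being dropped, so anyone auditing this package's CVE coverage from the changelog cannot tell whether the fix is still present after the update. Presumably the backport is removed because 3.7.5 already contains upstream commit eac15e25 that it carried; say so explicitly, e.g. `- drop backport-CVE-2024-20696.patch, fix included upstream in 3.7.5`. The same entry is also the place to mention that the `%{_mandir}/*/bsdunzip*` entry moved from the bsdunzip subpackage into the help subpackage via the new `%{_mandir}/man?/*` glob, since that is a visible repackaging rather than a cleanup.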