diff --git a/backport-CVE-2024-48957.patch b/backport-CVE-2024-48957.patch new file mode 100644 index 0000000000000000000000000000000000000000..39befe73c60314d6639219454ff154cab40bb147 --- /dev/null +++ b/backport-CVE-2024-48957.patch @@ -0,0 +1,29 @@ +From 3006bc5d02ad3ae3c4f9274f60c1f9d2d834734b Mon Sep 17 00:00:00 2001 +From: Wei-Cheng Pan +Date: Mon, 29 Apr 2024 06:53:19 +0900 +Subject: [PATCH] fix: OOB in rar audio filter (#2149) + +This patch ensures that `src` won't move ahead of `dst`, so `src` will +not OOB. Similar situation like in a1cb648. +--- + libarchive/archive_read_support_format_rar.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/libarchive/archive_read_support_format_rar.c b/libarchive/archive_read_support_format_rar.c +index 619ee81e2..4fc6626ca 100644 +--- a/libarchive/archive_read_support_format_rar.c ++++ b/libarchive/archive_read_support_format_rar.c +@@ -3722,6 +3722,13 @@ execute_filter_audio(struct rar_filter *filter, struct rar_virtual_machine *vm) + memset(&state, 0, sizeof(state)); + for (j = i; j < length; j += numchannels) + { ++ /* ++ * The src block should not overlap with the dst block. ++ * If so it would be better to consider this archive is broken. ++ */ ++ if (src >= dst) ++ return 0; ++ + int8_t delta = (int8_t)*src++; + uint8_t predbyte, byte; + int prederror; diff --git a/backport-CVE-2024-48958.patch b/backport-CVE-2024-48958.patch new file mode 100644 index 0000000000000000000000000000000000000000..79b8dae8f0872b2a4825bcc21f62b91415a77dbc --- /dev/null +++ b/backport-CVE-2024-48958.patch @@ -0,0 +1,33 @@ +From a1cb648d52f5b6d3f31184d9b6a7cbca628459b7 Mon Sep 17 00:00:00 2001 +From: Wei-Cheng Pan +Date: Mon, 29 Apr 2024 06:50:22 +0900 +Subject: [PATCH] fix: OOB in rar delta filter (#2148) + +Ensure that `src` won't move ahead of `dst`, so `src` will not OOB. +Since `dst` won't move in this function, and we are only increasing `src` +position, this check should be enough. It should be safe to early return +because this function does not allocate resources. +--- + libarchive/archive_read_support_format_rar.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/libarchive/archive_read_support_format_rar.c b/libarchive/archive_read_support_format_rar.c +index 79669a8f4..619ee81e2 100644 +--- a/libarchive/archive_read_support_format_rar.c ++++ b/libarchive/archive_read_support_format_rar.c +@@ -3612,7 +3612,15 @@ execute_filter_delta(struct rar_filter *filter, struct rar_virtual_machine *vm) + { + uint8_t lastbyte = 0; + for (idx = i; idx < length; idx += numchannels) ++ { ++ /* ++ * The src block should not overlap with the dst block. ++ * If so it would be better to consider this archive is broken. ++ */ ++ if (src >= dst) ++ return 0; + lastbyte = dst[idx] = lastbyte - *src++; ++ } + } + + filter->filteredblockaddress = length; diff --git a/libarchive.spec b/libarchive.spec index 0efa0359396c4238c03af9108569f9862bc7e607..5e1219ce8ad6dc62cd9d8a5d1f67be9102a6a079 100644 --- a/libarchive.spec +++ b/libarchive.spec @@ -2,7 +2,7 @@ Name: libarchive Version: 3.7.1 -Release: 4 +Release: 5 Summary: Multi-format archive and compression library License: BSD URL: https://www.libarchive.org/ @@ -11,6 +11,8 @@ Source0: https://libarchive.org/downloads/%{name}-%{version}.tar.gz Patch6000: backport-CVE-2024-20697-CVE-2024-26256.patch Patch6001: backport-CVE-2024-20696.patch Patch6002: backport-CVE-2024-26256-CVE-2024-43495.patch +Patch6003: backport-CVE-2024-48957.patch +Patch6004: backport-CVE-2024-48958.patch BuildRequires: gcc bison sharutils zlib-devel bzip2-devel xz-devel BuildRequires: lzo-devel e2fsprogs-devel libacl-devel libattr-devel @@ -202,6 +204,12 @@ run_testsuite %{_mandir}/*/bsdunzip* %changelog +* Sat Oct 12 2024 lingsheng - 3.7.1-5 +- Type:CVE +- ID:CVE-2024-48957,CVE-2024-48958 +- SUG:NA +- DESC:fix CVE-2024-48957 CVE-2024-48958 + * Thu Sep 19 2024 lingsheng - 3.7.1-4 - Type:CVE - ID:CVE-2024-26256,CVE-2024-43495