diff options
author | Hitendra Prajapati <hprajapati@mvista.com> | 2024-12-06 00:41:41 +0100 |
---|---|---|
committer | Steve Sakoman <steve@sakoman.com> | 2024-12-17 12:58:10 -0800 |
commit | f2609a2f16947b5a02e04d05e07cec1c62e8410e (patch) | |
tree | 40e8e29e4e802fdf346d8080f4fb96c6049dba5f | |
parent | 027121de7e8dfd06550c07d9b4182f2c2e96e6c5 (diff) | |
download | poky-f2609a2f16947b5a02e04d05e07cec1c62e8410e.tar.gz |
libarchive: fix CVE-2024-48957 & CVE-2024-48958
Backport fixes for:
* CVE-2024-48957 - Upstream-Status: Backport from https://github.com/libarchive/libarchive/commit/3006bc5d02ad3ae3c4f9274f60c1f9d2d834734b
* CVE-2024-48958 - Upstream-Status: Backport from https://github.com/libarchive/libarchive/commit/a1cb648d52f5b6d3f31184d9b6a7cbca628459b7
(From OE-Core rev: 8b520c3cea136591128f6601718c23334afd7a55)
(From OE-Core rev: 4f6a2eea1476bc7be1d55b6b6051c4b65d4d97fa)
Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
3 files changed, 80 insertions, 1 deletions
diff --git a/meta/recipes-extended/libarchive/libarchive/CVE-2024-48957.patch b/meta/recipes-extended/libarchive/libarchive/CVE-2024-48957.patch new file mode 100644 index 0000000000..98877cf72c --- /dev/null +++ b/meta/recipes-extended/libarchive/libarchive/CVE-2024-48957.patch | |||
@@ -0,0 +1,36 @@ | |||
1 | From 3006bc5d02ad3ae3c4f9274f60c1f9d2d834734b Mon Sep 17 00:00:00 2001 | ||
2 | From: Wei-Cheng Pan <legnaleurc@gmail.com> | ||
3 | Date: Mon, 29 Apr 2024 06:53:19 +0900 | ||
4 | Subject: [PATCH] fix: OOB in rar audio filter (#2149) | ||
5 | |||
6 | This patch ensures that `src` won't move ahead of `dst`, so `src` will | ||
7 | not OOB. Similar situation like in a1cb648. | ||
8 | |||
9 | Upstream-Status: Backport [https://github.com/libarchive/libarchive/commit/3006bc5d02ad3ae3c4f9274f60c1f9d2d834734b] | ||
10 | CVE: CVE-2024-48957 | ||
11 | Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> | ||
12 | --- | ||
13 | libarchive/archive_read_support_format_rar.c | 7 +++++++ | ||
14 | 1 file changed, 7 insertions(+) | ||
15 | |||
16 | diff --git a/libarchive/archive_read_support_format_rar.c b/libarchive/archive_read_support_format_rar.c | ||
17 | index 79669a8..95a91dc 100644 | ||
18 | --- a/libarchive/archive_read_support_format_rar.c | ||
19 | +++ b/libarchive/archive_read_support_format_rar.c | ||
20 | @@ -3714,6 +3714,13 @@ execute_filter_audio(struct rar_filter *filter, struct rar_virtual_machine *vm) | ||
21 | memset(&state, 0, sizeof(state)); | ||
22 | for (j = i; j < length; j += numchannels) | ||
23 | { | ||
24 | + /* | ||
25 | + * The src block should not overlap with the dst block. | ||
26 | + * If so it would be better to consider this archive is broken. | ||
27 | + */ | ||
28 | + if (src >= dst) | ||
29 | + return 0; | ||
30 | + | ||
31 | int8_t delta = (int8_t)*src++; | ||
32 | uint8_t predbyte, byte; | ||
33 | int prederror; | ||
34 | -- | ||
35 | 2.25.1 | ||
36 | |||
diff --git a/meta/recipes-extended/libarchive/libarchive/CVE-2024-48958.patch b/meta/recipes-extended/libarchive/libarchive/CVE-2024-48958.patch new file mode 100644 index 0000000000..de266e9d95 --- /dev/null +++ b/meta/recipes-extended/libarchive/libarchive/CVE-2024-48958.patch | |||
@@ -0,0 +1,40 @@ | |||
1 | From a1cb648d52f5b6d3f31184d9b6a7cbca628459b7 Mon Sep 17 00:00:00 2001 | ||
2 | From: Wei-Cheng Pan <legnaleurc@gmail.com> | ||
3 | Date: Mon, 29 Apr 2024 06:50:22 +0900 | ||
4 | Subject: [PATCH] fix: OOB in rar delta filter (#2148) | ||
5 | |||
6 | Ensure that `src` won't move ahead of `dst`, so `src` will not OOB. | ||
7 | Since `dst` won't move in this function, and we are only increasing `src` | ||
8 | position, this check should be enough. It should be safe to early return | ||
9 | because this function does not allocate resources. | ||
10 | |||
11 | Upstream-Status: Backport [https://github.com/libarchive/libarchive/commit/a1cb648d52f5b6d3f31184d9b6a7cbca628459b7] | ||
12 | CVE: CVE-2024-48958 | ||
13 | Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> | ||
14 | --- | ||
15 | libarchive/archive_read_support_format_rar.c | 8 ++++++++ | ||
16 | 1 file changed, 8 insertions(+) | ||
17 | |||
18 | diff --git a/libarchive/archive_read_support_format_rar.c b/libarchive/archive_read_support_format_rar.c | ||
19 | index 95a91dc..4fc6626 100644 | ||
20 | --- a/libarchive/archive_read_support_format_rar.c | ||
21 | +++ b/libarchive/archive_read_support_format_rar.c | ||
22 | @@ -3612,7 +3612,15 @@ execute_filter_delta(struct rar_filter *filter, struct rar_virtual_machine *vm) | ||
23 | { | ||
24 | uint8_t lastbyte = 0; | ||
25 | for (idx = i; idx < length; idx += numchannels) | ||
26 | + { | ||
27 | + /* | ||
28 | + * The src block should not overlap with the dst block. | ||
29 | + * If so it would be better to consider this archive is broken. | ||
30 | + */ | ||
31 | + if (src >= dst) | ||
32 | + return 0; | ||
33 | lastbyte = dst[idx] = lastbyte - *src++; | ||
34 | + } | ||
35 | } | ||
36 | |||
37 | filter->filteredblockaddress = length; | ||
38 | -- | ||
39 | 2.25.1 | ||
40 | |||
diff --git a/meta/recipes-extended/libarchive/libarchive_3.7.4.bb b/meta/recipes-extended/libarchive/libarchive_3.7.4.bb index da85764116..6e406611f9 100644 --- a/meta/recipes-extended/libarchive/libarchive_3.7.4.bb +++ b/meta/recipes-extended/libarchive/libarchive_3.7.4.bb | |||
@@ -30,7 +30,10 @@ PACKAGECONFIG[zstd] = "--with-zstd,--without-zstd,zstd," | |||
30 | EXTRA_OECONF += "--enable-largefile --without-iconv" | 30 | EXTRA_OECONF += "--enable-largefile --without-iconv" |
31 | 31 | ||
32 | SRC_URI = "http://libarchive.org/downloads/libarchive-${PV}.tar.gz" | 32 | SRC_URI = "http://libarchive.org/downloads/libarchive-${PV}.tar.gz" |
33 | SRC_URI += "file://configurehack.patch" | 33 | SRC_URI += "file://configurehack.patch \ |
34 | file://CVE-2024-48957.patch \ | ||
35 | file://CVE-2024-48958.patch \ | ||
36 | " | ||
34 | UPSTREAM_CHECK_URI = "http://libarchive.org/" | 37 | UPSTREAM_CHECK_URI = "http://libarchive.org/" |
35 | 38 | ||
36 | SRC_URI[sha256sum] = "7875d49596286055b52439ed42f044bd8ad426aa4cc5aabd96bfe7abb971d5e8" | 39 | SRC_URI[sha256sum] = "7875d49596286055b52439ed42f044bd8ad426aa4cc5aabd96bfe7abb971d5e8" |