summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorHitendra Prajapati <hprajapati@mvista.com>2024-12-06 00:41:41 +0100
committerSteve Sakoman <steve@sakoman.com>2024-12-17 12:58:10 -0800
commitf2609a2f16947b5a02e04d05e07cec1c62e8410e (patch)
tree40e8e29e4e802fdf346d8080f4fb96c6049dba5f
parent027121de7e8dfd06550c07d9b4182f2c2e96e6c5 (diff)
downloadpoky-f2609a2f16947b5a02e04d05e07cec1c62e8410e.tar.gz
libarchive: fix CVE-2024-48957 & CVE-2024-48958
Backport fixes for: * CVE-2024-48957 - Upstream-Status: Backport from https://github.com/libarchive/libarchive/commit/3006bc5d02ad3ae3c4f9274f60c1f9d2d834734b * CVE-2024-48958 - Upstream-Status: Backport from https://github.com/libarchive/libarchive/commit/a1cb648d52f5b6d3f31184d9b6a7cbca628459b7 (From OE-Core rev: 8b520c3cea136591128f6601718c23334afd7a55) (From OE-Core rev: 4f6a2eea1476bc7be1d55b6b6051c4b65d4d97fa) Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
-rw-r--r--meta/recipes-extended/libarchive/libarchive/CVE-2024-48957.patch36
-rw-r--r--meta/recipes-extended/libarchive/libarchive/CVE-2024-48958.patch40
-rw-r--r--meta/recipes-extended/libarchive/libarchive_3.7.4.bb5
3 files changed, 80 insertions, 1 deletions
diff --git a/meta/recipes-extended/libarchive/libarchive/CVE-2024-48957.patch b/meta/recipes-extended/libarchive/libarchive/CVE-2024-48957.patch
new file mode 100644
index 0000000000..98877cf72c
--- /dev/null
+++ b/meta/recipes-extended/libarchive/libarchive/CVE-2024-48957.patch
@@ -0,0 +1,36 @@
1From 3006bc5d02ad3ae3c4f9274f60c1f9d2d834734b Mon Sep 17 00:00:00 2001
2From: Wei-Cheng Pan <legnaleurc@gmail.com>
3Date: Mon, 29 Apr 2024 06:53:19 +0900
4Subject: [PATCH] fix: OOB in rar audio filter (#2149)
5
6This patch ensures that `src` won't move ahead of `dst`, so `src` will
7not OOB. Similar situation like in a1cb648.
8
9Upstream-Status: Backport [https://github.com/libarchive/libarchive/commit/3006bc5d02ad3ae3c4f9274f60c1f9d2d834734b]
10CVE: CVE-2024-48957
11Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
12---
13 libarchive/archive_read_support_format_rar.c | 7 +++++++
14 1 file changed, 7 insertions(+)
15
16diff --git a/libarchive/archive_read_support_format_rar.c b/libarchive/archive_read_support_format_rar.c
17index 79669a8..95a91dc 100644
18--- a/libarchive/archive_read_support_format_rar.c
19+++ b/libarchive/archive_read_support_format_rar.c
20@@ -3714,6 +3714,13 @@ execute_filter_audio(struct rar_filter *filter, struct rar_virtual_machine *vm)
21 memset(&state, 0, sizeof(state));
22 for (j = i; j < length; j += numchannels)
23 {
24+ /*
25+ * The src block should not overlap with the dst block.
26+ * If so it would be better to consider this archive is broken.
27+ */
28+ if (src >= dst)
29+ return 0;
30+
31 int8_t delta = (int8_t)*src++;
32 uint8_t predbyte, byte;
33 int prederror;
34--
352.25.1
36
diff --git a/meta/recipes-extended/libarchive/libarchive/CVE-2024-48958.patch b/meta/recipes-extended/libarchive/libarchive/CVE-2024-48958.patch
new file mode 100644
index 0000000000..de266e9d95
--- /dev/null
+++ b/meta/recipes-extended/libarchive/libarchive/CVE-2024-48958.patch
@@ -0,0 +1,40 @@
1From a1cb648d52f5b6d3f31184d9b6a7cbca628459b7 Mon Sep 17 00:00:00 2001
2From: Wei-Cheng Pan <legnaleurc@gmail.com>
3Date: Mon, 29 Apr 2024 06:50:22 +0900
4Subject: [PATCH] fix: OOB in rar delta filter (#2148)
5
6Ensure that `src` won't move ahead of `dst`, so `src` will not OOB.
7Since `dst` won't move in this function, and we are only increasing `src`
8position, this check should be enough. It should be safe to early return
9because this function does not allocate resources.
10
11Upstream-Status: Backport [https://github.com/libarchive/libarchive/commit/a1cb648d52f5b6d3f31184d9b6a7cbca628459b7]
12CVE: CVE-2024-48958
13Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
14---
15 libarchive/archive_read_support_format_rar.c | 8 ++++++++
16 1 file changed, 8 insertions(+)
17
18diff --git a/libarchive/archive_read_support_format_rar.c b/libarchive/archive_read_support_format_rar.c
19index 95a91dc..4fc6626 100644
20--- a/libarchive/archive_read_support_format_rar.c
21+++ b/libarchive/archive_read_support_format_rar.c
22@@ -3612,7 +3612,15 @@ execute_filter_delta(struct rar_filter *filter, struct rar_virtual_machine *vm)
23 {
24 uint8_t lastbyte = 0;
25 for (idx = i; idx < length; idx += numchannels)
26+ {
27+ /*
28+ * The src block should not overlap with the dst block.
29+ * If so it would be better to consider this archive is broken.
30+ */
31+ if (src >= dst)
32+ return 0;
33 lastbyte = dst[idx] = lastbyte - *src++;
34+ }
35 }
36
37 filter->filteredblockaddress = length;
38--
392.25.1
40
diff --git a/meta/recipes-extended/libarchive/libarchive_3.7.4.bb b/meta/recipes-extended/libarchive/libarchive_3.7.4.bb
index da85764116..6e406611f9 100644
--- a/meta/recipes-extended/libarchive/libarchive_3.7.4.bb
+++ b/meta/recipes-extended/libarchive/libarchive_3.7.4.bb
@@ -30,7 +30,10 @@ PACKAGECONFIG[zstd] = "--with-zstd,--without-zstd,zstd,"
30EXTRA_OECONF += "--enable-largefile --without-iconv" 30EXTRA_OECONF += "--enable-largefile --without-iconv"
31 31
32SRC_URI = "http://libarchive.org/downloads/libarchive-${PV}.tar.gz" 32SRC_URI = "http://libarchive.org/downloads/libarchive-${PV}.tar.gz"
33SRC_URI += "file://configurehack.patch" 33SRC_URI += "file://configurehack.patch \
34 file://CVE-2024-48957.patch \
35 file://CVE-2024-48958.patch \
36 "
34UPSTREAM_CHECK_URI = "http://libarchive.org/" 37UPSTREAM_CHECK_URI = "http://libarchive.org/"
35 38
36SRC_URI[sha256sum] = "7875d49596286055b52439ed42f044bd8ad426aa4cc5aabd96bfe7abb971d5e8" 39SRC_URI[sha256sum] = "7875d49596286055b52439ed42f044bd8ad426aa4cc5aabd96bfe7abb971d5e8"