libarchive: fix CVE-2024-48957 & CVE-2024-48958

Backport fixes for: * CVE-2024-48957 - Upstream-Status: Backport from https://github.com/libarchive/libarchive/commit/3006bc5d02ad3ae3c4f9274f60c1f9d2d834734b * CVE-2024-48958 - Upstream-Status: Backport from https://github.com/libarchive/libarchive/commit/a1cb648d52f5b6d3f31184d9b6a7cbca628459b7 (From OE-Core rev: 8b520c3cea136591128f6601718c23334afd7a55) (From OE-Core rev: 4f6a2eea1476bc7be1d55b6b6051c4b65d4d97fa) Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
author: Hitendra Prajapati <hprajapati@mvista.com> 2024-12-06 00:41:41 +0100
committer: Steve Sakoman <steve@sakoman.com> 2024-12-17 12:58:10 -0800
commit: f2609a2f16947b5a02e04d05e07cec1c62e8410e (patch)
tree: 40e8e29e4e802fdf346d8080f4fb96c6049dba5f /meta
parent: 027121de7e8dfd06550c07d9b4182f2c2e96e6c5 (diff)
download: poky-f2609a2f16947b5a02e04d05e07cec1c62e8410e.tar.gz
3 files changed, 80 insertions, 1 deletions
diff --git a/meta/recipes-extended/libarchive/libarchive/CVE-2024-48957.patch b/meta/recipes-extended/libarchive/libarchive/CVE-2024-48957.patch
new file mode 100644
index 0000000000..98877cf72c
--- /dev/null
+++ b/meta/recipes-extended/libarchive/libarchive/CVE-2024-48957.patch
@@ -0,0 +1,36 @@
+From 3006bc5d02ad3ae3c4f9274f60c1f9d2d834734b Mon Sep 17 00:00:00 2001
+From: Wei-Cheng Pan <legnaleurc@gmail.com>
+Date: Mon, 29 Apr 2024 06:53:19 +0900
+Subject: [PATCH] fix: OOB in rar audio filter (#2149)
+This patch ensures that `src` won't move ahead of `dst`, so `src` will
+not OOB. Similar situation like in a1cb648.
+Upstream-Status: Backport [https://github.com/libarchive/libarchive/commit/3006bc5d02ad3ae3c4f9274f60c1f9d2d834734b]
+CVE: CVE-2024-48957
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ libarchive/archive_read_support_format_rar.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+diff --git a/libarchive/archive_read_support_format_rar.c b/libarchive/archive_read_support_format_rar.c
+index 79669a8..95a91dc 100644
+--- a/libarchive/archive_read_support_format_rar.c
+++ b/libarchive/archive_read_support_format_rar.c
+@@ -3714,6 +3714,13 @@ execute_filter_audio(struct rar_filter *filter, struct rar_virtual_machine *vm)
+     memset(&state, 0, sizeof(state));
+     for (j = i; j < length; j += numchannels)
+     {
+      /*
+       * The src block should not overlap with the dst block.
+       * If so it would be better to consider this archive is broken.
+       */
+      if (src >= dst)
+        return 0;
+
+       int8_t delta = (int8_t)*src++;
+       uint8_t predbyte, byte;
+       int prederror;
+-- 
+2.25.1
diff --git a/meta/recipes-extended/libarchive/libarchive/CVE-2024-48958.patch b/meta/recipes-extended/libarchive/libarchive/CVE-2024-48958.patch
new file mode 100644
index 0000000000..de266e9d95
--- /dev/null
+++ b/meta/recipes-extended/libarchive/libarchive/CVE-2024-48958.patch
@@ -0,0 +1,40 @@
+From a1cb648d52f5b6d3f31184d9b6a7cbca628459b7 Mon Sep 17 00:00:00 2001
+From: Wei-Cheng Pan <legnaleurc@gmail.com>
+Date: Mon, 29 Apr 2024 06:50:22 +0900
+Subject: [PATCH] fix: OOB in rar delta filter (#2148)
+Ensure that `src` won't move ahead of `dst`, so `src` will not OOB.
+Since `dst` won't move in this function, and we are only increasing `src`
+position, this check should be enough. It should be safe to early return
+because this function does not allocate resources.
+Upstream-Status: Backport [https://github.com/libarchive/libarchive/commit/a1cb648d52f5b6d3f31184d9b6a7cbca628459b7]
+CVE: CVE-2024-48958
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ libarchive/archive_read_support_format_rar.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+diff --git a/libarchive/archive_read_support_format_rar.c b/libarchive/archive_read_support_format_rar.c
+index 95a91dc..4fc6626 100644
+--- a/libarchive/archive_read_support_format_rar.c
+++ b/libarchive/archive_read_support_format_rar.c
+@@ -3612,7 +3612,15 @@ execute_filter_delta(struct rar_filter *filter, struct rar_virtual_machine *vm)
+   {
+     uint8_t lastbyte = 0;
+     for (idx = i; idx < length; idx += numchannels)
+    {
+      /*
+       * The src block should not overlap with the dst block.
+       * If so it would be better to consider this archive is broken.
+       */
+      if (src >= dst)
+        return 0;
+       lastbyte = dst[idx] = lastbyte - *src++;
+    }
+   }
+ 
+   filter->filteredblockaddress = length;
+-- 
+2.25.1
diff --git a/meta/recipes-extended/libarchive/libarchive_3.7.4.bb b/meta/recipes-extended/libarchive/libarchive_3.7.4.bb
index da85764116..6e406611f9 100644
--- a/meta/recipes-extended/libarchive/libarchive_3.7.4.bb
+++ b/meta/recipes-extended/libarchive/libarchive_3.7.4.bb
@@ -30,7 +30,10 @@ PACKAGECONFIG[zstd] = "--with-zstd,--without-zstd,zstd,"
 EXTRA_OECONF += "--enable-largefile --without-iconv"
 SRC_URI = "http://libarchive.org/downloads/libarchive-${PV}.tar.gz"
-SRC_URI += "file://configurehack.patch"
+SRC_URI += "file://configurehack.patch \
+            file://CVE-2024-48957.patch \
+            file://CVE-2024-48958.patch \
+        "
 UPSTREAM_CHECK_URI = "http://libarchive.org/"
 SRC_URI[sha256sum] = "7875d49596286055b52439ed42f044bd8ad426aa4cc5aabd96bfe7abb971d5e8"
author	Hitendra Prajapati <hprajapati@mvista.com>	2024-12-06 00:41:41 +0100
committer	Steve Sakoman <steve@sakoman.com>	2024-12-17 12:58:10 -0800
commit	f2609a2f16947b5a02e04d05e07cec1c62e8410e (patch)
tree	40e8e29e4e802fdf346d8080f4fb96c6049dba5f /meta
parent	027121de7e8dfd06550c07d9b4182f2c2e96e6c5 (diff)
download	poky-f2609a2f16947b5a02e04d05e07cec1c62e8410e.tar.gz

diff --git a/meta/recipes-extended/libarchive/libarchive/CVE-2024-48957.patch b/meta/recipes-extended/libarchive/libarchive/CVE-2024-48957.patch new file mode 100644 index 0000000000..98877cf72c --- /dev/null +++ b/meta/recipes-extended/libarchive/libarchive/CVE-2024-48957.patch
@@ -0,0 +1,36 @@
		1	From 3006bc5d02ad3ae3c4f9274f60c1f9d2d834734b Mon Sep 17 00:00:00 2001
		2	From: Wei-Cheng Pan <legnaleurc@gmail.com>
		3	Date: Mon, 29 Apr 2024 06:53:19 +0900
		4	Subject: [PATCH] fix: OOB in rar audio filter (#2149)
		5
		6	This patch ensures that `src` won't move ahead of `dst`, so `src` will
		7	not OOB. Similar situation like in a1cb648.
		8
		9	Upstream-Status: Backport [https://github.com/libarchive/libarchive/commit/3006bc5d02ad3ae3c4f9274f60c1f9d2d834734b]
		10	CVE: CVE-2024-48957
		11	Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
		12	---
		13	libarchive/archive_read_support_format_rar.c \| 7 +++++++
		14	1 file changed, 7 insertions(+)
		15
		16	diff --git a/libarchive/archive_read_support_format_rar.c b/libarchive/archive_read_support_format_rar.c
		17	index 79669a8..95a91dc 100644
		18	--- a/libarchive/archive_read_support_format_rar.c
		19	+++ b/libarchive/archive_read_support_format_rar.c
		20	@@ -3714,6 +3714,13 @@ execute_filter_audio(struct rar_filter filter, struct rar_virtual_machine vm)
		21	memset(&state, 0, sizeof(state));
		22	for (j = i; j < length; j += numchannels)
		23	{
		24	+ /*
		25	+ * The src block should not overlap with the dst block.
		26	+ * If so it would be better to consider this archive is broken.
		27	+ */
		28	+ if (src >= dst)
		29	+ return 0;
		30	+
		31	int8_t delta = (int8_t)*src++;
		32	uint8_t predbyte, byte;
		33	int prederror;
		34	--
		35	2.25.1
		36


diff --git a/meta/recipes-extended/libarchive/libarchive/CVE-2024-48958.patch b/meta/recipes-extended/libarchive/libarchive/CVE-2024-48958.patch new file mode 100644 index 0000000000..de266e9d95 --- /dev/null +++ b/meta/recipes-extended/libarchive/libarchive/CVE-2024-48958.patch
@@ -0,0 +1,40 @@
		1	From a1cb648d52f5b6d3f31184d9b6a7cbca628459b7 Mon Sep 17 00:00:00 2001
		2	From: Wei-Cheng Pan <legnaleurc@gmail.com>
		3	Date: Mon, 29 Apr 2024 06:50:22 +0900
		4	Subject: [PATCH] fix: OOB in rar delta filter (#2148)
		5
		6	Ensure that `src` won't move ahead of `dst`, so `src` will not OOB.
		7	Since `dst` won't move in this function, and we are only increasing `src`
		8	position, this check should be enough. It should be safe to early return
		9	because this function does not allocate resources.
		10
		11	Upstream-Status: Backport [https://github.com/libarchive/libarchive/commit/a1cb648d52f5b6d3f31184d9b6a7cbca628459b7]
		12	CVE: CVE-2024-48958
		13	Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
		14	---
		15	libarchive/archive_read_support_format_rar.c \| 8 ++++++++
		16	1 file changed, 8 insertions(+)
		17
		18	diff --git a/libarchive/archive_read_support_format_rar.c b/libarchive/archive_read_support_format_rar.c
		19	index 95a91dc..4fc6626 100644
		20	--- a/libarchive/archive_read_support_format_rar.c
		21	+++ b/libarchive/archive_read_support_format_rar.c
		22	@@ -3612,7 +3612,15 @@ execute_filter_delta(struct rar_filter filter, struct rar_virtual_machine vm)
		23	{
		24	uint8_t lastbyte = 0;
		25	for (idx = i; idx < length; idx += numchannels)
		26	+ {
		27	+ /*
		28	+ * The src block should not overlap with the dst block.
		29	+ * If so it would be better to consider this archive is broken.
		30	+ */
		31	+ if (src >= dst)
		32	+ return 0;
		33	lastbyte = dst[idx] = lastbyte - *src++;
		34	+ }
		35	}
		36
		37	filter->filteredblockaddress = length;
		38	--
		39	2.25.1
		40


diff --git a/meta/recipes-extended/libarchive/libarchive_3.7.4.bb b/meta/recipes-extended/libarchive/libarchive_3.7.4.bb index da85764116..6e406611f9 100644 --- a/meta/recipes-extended/libarchive/libarchive_3.7.4.bb +++ b/meta/recipes-extended/libarchive/libarchive_3.7.4.bb
@@ -30,7 +30,10 @@ PACKAGECONFIG[zstd] = "--with-zstd,--without-zstd,zstd,"
30	EXTRA_OECONF += "--enable-largefile --without-iconv"	30	EXTRA_OECONF += "--enable-largefile --without-iconv"
31		31
32	SRC_URI = "http://libarchive.org/downloads/libarchive-${PV}.tar.gz"	32	SRC_URI = "http://libarchive.org/downloads/libarchive-${PV}.tar.gz"
33	SRC_URI += "file://configurehack.patch"	33	SRC_URI += "file://configurehack.patch \
		34	file://CVE-2024-48957.patch \
		35	file://CVE-2024-48958.patch \
		36	"
34	UPSTREAM_CHECK_URI = "http://libarchive.org/"	37	UPSTREAM_CHECK_URI = "http://libarchive.org/"
35		38
36	SRC_URI[sha256sum] = "7875d49596286055b52439ed42f044bd8ad426aa4cc5aabd96bfe7abb971d5e8"	39	SRC_URI[sha256sum] = "7875d49596286055b52439ed42f044bd8ad426aa4cc5aabd96bfe7abb971d5e8"