1 files changed, 93 insertions, 0 deletions
diff --git a/meta/recipes-extended/libarchive/libarchive/CVE-2021-36976-3.patch b/meta/recipes-extended/libarchive/libarchive/CVE-2021-36976-3.patch
new file mode 100644
index 0000000000..0e1549f229
--- /dev/null
+++ b/meta/recipes-extended/libarchive/libarchive/CVE-2021-36976-3.patch
@@ -0,0 +1,93 @@
+From 313bcd7ac547f7cc25945831f63507420c0874d7 Mon Sep 17 00:00:00 2001
+From: Grzegorz Antoniak <ga@anadoxin.org>
+Date: Sat, 13 Feb 2021 10:13:22 +0100
+Subject: [PATCH] RAR5 reader: add more checks for invalid extraction
+ parameters
+Some specially crafted files declare invalid extraction parameters that
+can confuse the RAR5 reader.
+One of the arguments is the declared window size parameter that the
+archive file can declare for each file stored in the archive. Some
+crafted files declare window size equal to 0, which is clearly wrong.
+This commit adds additional safety checks decreasing the tolerance of
+the RAR5 format.
+This commit also contains OSSFuzz sample #30459.
+---
+ Makefile.am                                   |  1 +
+ libarchive/archive_read_support_format_rar5.c | 10 ++++++++++
+ libarchive/test/test_read_format_rar5.c       | 19 +++++++++++++++++++
+ ...t_rar5_bad_window_sz_in_mltarc_file.rar.uu |  7 +++++++
+ 4 files changed, 37 insertions(+)
+ create mode 100644 libarchive/test/test_read_format_rar5_bad_window_sz_in_mltarc_file.rar.uu
+Upstream-Status: Backport [https://github.com/libarchive/libarchive/pull/1493/commits/313bcd7ac547f7cc25945831f63507420c0874d7]
+CVE: CVE-2021-36976
+Signed-off-by: Virendra Thakur <virendra.thakur@kpit.com>
+--- libarchive-3.4.2.orig/Makefile.am
+++ libarchive-3.4.2/Makefile.am
+@@ -882,6 +882,7 @@ libarchive_test_EXTRA_DIST=\
+        libarchive/test/test_read_format_rar5_block_size_is_too_small.rar.uu \
+        libarchive/test/test_read_format_rar5_decode_number_out_of_bounds_read.rar.uu \
+        libarchive/test/test_read_format_rar5_window_buf_and_size_desync.rar.uu \
+       libarchive/test/test_read_format_rar5_bad_window_sz_in_mltarc_file.rar.uu \
+        libarchive/test/test_read_format_raw.bufr.uu \
+        libarchive/test/test_read_format_raw.data.gz.uu \
+        libarchive/test/test_read_format_raw.data.Z.uu \
+--- libarchive-3.4.2.orig/libarchive/archive_read_support_format_rar5.c
+++ libarchive-3.4.2/libarchive/archive_read_support_format_rar5.c
+@@ -3637,6 +3637,16 @@ static int do_uncompress_file(struct arc
+                rar->cstate.initialized = 1;
+        }
+ 
+       /* Don't allow extraction if window_size is invalid. */
+       if(rar->cstate.window_size == 0) {
+               archive_set_error(&a->archive,
+                       ARCHIVE_ERRNO_FILE_FORMAT,
+                       "Invalid window size declaration in this file");
+
+               /* This should never happen in valid files. */
+               return ARCHIVE_FATAL;
+       }
+
+        if(rar->cstate.all_filters_applied == 1) {
+                /* We use while(1) here, but standard case allows for just 1
+                 * iteration. The loop will iterate if process_block() didn't
+--- libarchive-3.4.2.orig/libarchive/test/test_read_format_rar5.c
+++ libarchive-3.4.2/libarchive/test/test_read_format_rar5.c
+@@ -1305,3 +1305,22 @@ DEFINE_TEST(test_read_format_rar5_decode
+ 
+        EPILOGUE();
+ }
+
+DEFINE_TEST(test_read_format_rar5_bad_window_size_in_multiarchive_file)
+{
+       /* oss fuzz 30459 */
+
+       char buf[4096];
+       PROLOGUE("test_read_format_rar5_bad_window_sz_in_mltarc_file.rar");
+
+       /* This file is damaged, so those functions should return failure.
+        * Additionally, SIGSEGV shouldn't be raised during execution
+        * of those functions. */
+
+       (void) archive_read_next_header(a, &ae);
+       while(0 < archive_read_data(a, buf, sizeof(buf))) {}
+       (void) archive_read_next_header(a, &ae);
+       while(0 < archive_read_data(a, buf, sizeof(buf))) {}
+
+       EPILOGUE();
+}
+--- /dev/null
+++ libarchive-3.4.2/libarchive/test/test_read_format_rar5_bad_window_sz_in_mltarc_file.rar.uu
+@@ -0,0 +1,7 @@
+begin 644 test_read_format_rar5_bad_window_size_in_multiarchive_file.rar
+M4F%R(1H'`0`]/-[E`@$`_R`@1#[Z5P("`PL`("`@@"(`"?\@("#___\@("`@
+M("`@("`@("`@4X`J]`,"YR(#$($@("`@``$@("`@@<L0("`@("`@("`@("`@
+M("`@(""LCTJA`P$%`B`@`2!3@"KT`P+G(@,@("`@_P,!!B`@(/___R`@(('+
+5$"`OX2`@[.SL[.S_("`@("`@("`@
+`
+end

diff --git a/meta/recipes-extended/libarchive/libarchive/CVE-2021-36976-3.patch b/meta/recipes-extended/libarchive/libarchive/CVE-2021-36976-3.patch new file mode 100644 index 0000000000..0e1549f229 --- /dev/null +++ b/meta/recipes-extended/libarchive/libarchive/CVE-2021-36976-3.patch
@@ -0,0 +1,93 @@
	1	From 313bcd7ac547f7cc25945831f63507420c0874d7 Mon Sep 17 00:00:00 2001
	2	From: Grzegorz Antoniak <ga@anadoxin.org>
	3	Date: Sat, 13 Feb 2021 10:13:22 +0100
	4	Subject: [PATCH] RAR5 reader: add more checks for invalid extraction
	5	parameters
	6
	7	Some specially crafted files declare invalid extraction parameters that
	8	can confuse the RAR5 reader.
	9
	10	One of the arguments is the declared window size parameter that the
	11	archive file can declare for each file stored in the archive. Some
	12	crafted files declare window size equal to 0, which is clearly wrong.
	13
	14	This commit adds additional safety checks decreasing the tolerance of
	15	the RAR5 format.
	16
	17	This commit also contains OSSFuzz sample #30459.
	18	---
	19	Makefile.am \| 1 +
	20	libarchive/archive_read_support_format_rar5.c \| 10 ++++++++++
	21	libarchive/test/test_read_format_rar5.c \| 19 +++++++++++++++++++
	22	...t_rar5_bad_window_sz_in_mltarc_file.rar.uu \| 7 +++++++
	23	4 files changed, 37 insertions(+)
	24	create mode 100644 libarchive/test/test_read_format_rar5_bad_window_sz_in_mltarc_file.rar.uu
	25
	26	Upstream-Status: Backport [https://github.com/libarchive/libarchive/pull/1493/commits/313bcd7ac547f7cc25945831f63507420c0874d7]
	27	CVE: CVE-2021-36976
	28	Signed-off-by: Virendra Thakur <virendra.thakur@kpit.com>
	29
	30	--- libarchive-3.4.2.orig/Makefile.am
	31	+++ libarchive-3.4.2/Makefile.am
	32	@@ -882,6 +882,7 @@ libarchive_test_EXTRA_DIST=\
	33	libarchive/test/test_read_format_rar5_block_size_is_too_small.rar.uu \
	34	libarchive/test/test_read_format_rar5_decode_number_out_of_bounds_read.rar.uu \
	35	libarchive/test/test_read_format_rar5_window_buf_and_size_desync.rar.uu \
	36	+ libarchive/test/test_read_format_rar5_bad_window_sz_in_mltarc_file.rar.uu \
	37	libarchive/test/test_read_format_raw.bufr.uu \
	38	libarchive/test/test_read_format_raw.data.gz.uu \
	39	libarchive/test/test_read_format_raw.data.Z.uu \
	40	--- libarchive-3.4.2.orig/libarchive/archive_read_support_format_rar5.c
	41	+++ libarchive-3.4.2/libarchive/archive_read_support_format_rar5.c
	42	@@ -3637,6 +3637,16 @@ static int do_uncompress_file(struct arc
	43	rar->cstate.initialized = 1;
	44	}
	45
	46	+ /* Don't allow extraction if window_size is invalid. */
	47	+ if(rar->cstate.window_size == 0) {
	48	+ archive_set_error(&a->archive,
	49	+ ARCHIVE_ERRNO_FILE_FORMAT,
	50	+ "Invalid window size declaration in this file");
	51	+
	52	+ /* This should never happen in valid files. */
	53	+ return ARCHIVE_FATAL;
	54	+ }
	55	+
	56	if(rar->cstate.all_filters_applied == 1) {
	57	/* We use while(1) here, but standard case allows for just 1
	58	* iteration. The loop will iterate if process_block() didn't
	59	--- libarchive-3.4.2.orig/libarchive/test/test_read_format_rar5.c
	60	+++ libarchive-3.4.2/libarchive/test/test_read_format_rar5.c
	61	@@ -1305,3 +1305,22 @@ DEFINE_TEST(test_read_format_rar5_decode
	62
	63	EPILOGUE();
	64	}
	65	+
	66	+DEFINE_TEST(test_read_format_rar5_bad_window_size_in_multiarchive_file)
	67	+{
	68	+ /* oss fuzz 30459 */
	69	+
	70	+ char buf[4096];
	71	+ PROLOGUE("test_read_format_rar5_bad_window_sz_in_mltarc_file.rar");
	72	+
	73	+ /* This file is damaged, so those functions should return failure.
	74	+ * Additionally, SIGSEGV shouldn't be raised during execution
	75	+ * of those functions. */
	76	+
	77	+ (void) archive_read_next_header(a, &ae);
	78	+ while(0 < archive_read_data(a, buf, sizeof(buf))) {}
	79	+ (void) archive_read_next_header(a, &ae);
	80	+ while(0 < archive_read_data(a, buf, sizeof(buf))) {}
	81	+
	82	+ EPILOGUE();
	83	+}
	84	--- /dev/null
	85	+++ libarchive-3.4.2/libarchive/test/test_read_format_rar5_bad_window_sz_in_mltarc_file.rar.uu
	86	@@ -0,0 +1,7 @@
	87	+begin 644 test_read_format_rar5_bad_window_size_in_multiarchive_file.rar
	88	+M4F%R(1H'`0`]/-[E`@$`_R`@1#[Z5P("`PL`("`@@"(`"?\@("#___\@("`@
	89	+M("`@("`@("`@4X`J]`,"YR(#$($@("`@``$@("`@@<L0("`@("`@("`@("`@
	90	+M("`@(""LCTJA`P$%`B`@`2!3@"KT`P+G(@,@("`@_P,!!B`@(/___R`@(('+
	91	+5$"`OX2`@[.SL[.S_("`@("`@("`@
	92	+`
	93	+end