libarchive: upgrade 3.7.4 -> 3.7.9

These is update with only bug and security releases. On top of previous CVE patches, also CVE-2024-48615 is handled. Also many security fixes without CVE assigment are included. Note that upgrade to 3.7.5 on master required fix of test in python3-libarchive-c, however that recipe does not yet have ptest in scarthgap and the fix was in test only, not in productive code, so it is not necessary in scarthgap. Also remove CVE_STATUS which was obsolete already before this upgrade. (From OE-Core rev: f20516a3ed8a39d7e4deddf11dd2acd871894048) Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
author: Peter Marko <peter.marko@siemens.com> 2025-04-15 18:10:45 +0200
committer: Steve Sakoman <steve@sakoman.com> 2025-04-19 14:42:10 -0700
commit: 06d60d3877ea268735215439b9253cd0e54ee93e (patch)
tree: 1babe3f377e3c8532d242638d379064e459b3b45
parent: 9ef34c9ce9f60077856d0145f66f734f696fa409 (diff)
download: poky-06d60d3877ea268735215439b9253cd0e54ee93e.tar.gz
6 files changed, 5 insertions, 285 deletions
diff --git a/meta/recipes-extended/libarchive/libarchive/CVE-2024-20696.patch b/meta/recipes-extended/libarchive/libarchive/CVE-2024-20696.patch
deleted file mode 100644
index e55d58d37b..0000000000
--- a/meta/recipes-extended/libarchive/libarchive/CVE-2024-20696.patch
+++ /dev/null
@@ -1,115 +0,0 @@
-From eac15e252010c1189a5c0f461364dbe2cd2a68b1 Mon Sep 17 00:00:00 2001
-From: "Dustin L. Howett" <dustin@howett.net>
-Date: Thu, 9 May 2024 18:59:17 -0500
-Subject: [PATCH] rar4 reader: protect copy_from_lzss_window_to_unp() (#2172)
-copy_from_lzss_window_to_unp unnecessarily took an `int` parameter where
-both of its callers were holding a `size_t`.
-A lzss opcode chain could be constructed that resulted in a negative
-copy length, which when passed into memcpy would result in a very, very
-large positive number.
-Switching copy_from_lzss_window_to_unp to take a `size_t` allows it to
-properly bounds-check length.
-In addition, this patch also ensures that `length` is not itself larger
-than the destination buffer.
-CVE: CVE-2024-20696
-Upstream-Status: Backport [https://github.com/libarchive/libarchive/commit/eac15e252010c1189a5c0f461364dbe2cd2a68b1]
-Signed-off-by: Nitin Wankhade <nitin.wankhade@kpit.com>
---
--- a/libarchive/archive_read_support_format_rar.c      2024-04-26 14:52:59.000000000 +0530
-+++ b/libarchive/archive_read_support_format_rar.c      2024-12-12 07:35:33.287412704 +0530
-@@ -432,7 +432,7 @@ static int make_table_recurse(struct arc
-                               struct huffman_table_entry *, int, int);
- static int expand(struct archive_read *, int64_t *);
- static int copy_from_lzss_window_to_unp(struct archive_read *, const void **,
-                                        int64_t, int);
-+                                        int64_t, size_t);
- static const void *rar_read_ahead(struct archive_read *, size_t, ssize_t *);
- static int parse_filter(struct archive_read *, const uint8_t *, uint16_t,
-                         uint8_t);
-@@ -2060,7 +2060,7 @@ read_data_compressed(struct archive_read
-         bs = rar->unp_buffer_size - rar->unp_offset;
-       else
-         bs = (size_t)rar->bytes_uncopied;
-      ret = copy_from_lzss_window_to_unp(a, buff, rar->offset, (int)bs);
-+      ret = copy_from_lzss_window_to_unp(a, buff, rar->offset, bs);
-       if (ret != ARCHIVE_OK)
-         return (ret);
-       rar->offset += bs;
-@@ -2213,7 +2213,7 @@ read_data_compressed(struct archive_read
-       bs = rar->unp_buffer_size - rar->unp_offset;
-     else
-       bs = (size_t)rar->bytes_uncopied;
-    ret = copy_from_lzss_window_to_unp(a, buff, rar->offset, (int)bs);
-+    ret = copy_from_lzss_window_to_unp(a, buff, rar->offset, bs);
-     if (ret != ARCHIVE_OK)
-       return (ret);
-     rar->offset += bs;
-@@ -3094,11 +3094,16 @@ copy_from_lzss_window(struct archive_rea
- 
- static int
- copy_from_lzss_window_to_unp(struct archive_read *a, const void **buffer,
-                             int64_t startpos, int length)
-+                             int64_t startpos, size_t length)
- {
-   int windowoffs, firstpart;
-   struct rar *rar = (struct rar *)(a->format->data);
- 
-+  if (length > rar->unp_buffer_size)
-+  {
-+    goto fatal;
-+  }
-+
-   if (!rar->unp_buffer)
-   {
-     if ((rar->unp_buffer = malloc(rar->unp_buffer_size)) == NULL)
-@@ -3110,17 +3115,17 @@ copy_from_lzss_window_to_unp(struct arch
-   }
- 
-   windowoffs = lzss_offset_for_position(&rar->lzss, startpos);
-  if(windowoffs + length <= lzss_size(&rar->lzss)) {
-+  if(windowoffs + length <= (size_t)lzss_size(&rar->lzss)) {
-     memcpy(&rar->unp_buffer[rar->unp_offset], &rar->lzss.window[windowoffs],
-            length);
-  } else if (length <= lzss_size(&rar->lzss)) {
-+  } else if (length <= (size_t)lzss_size(&rar->lzss)) {
-     firstpart = lzss_size(&rar->lzss) - windowoffs;
-     if (firstpart < 0) {
-       archive_set_error(&a->archive, ARCHIVE_ERRNO_FILE_FORMAT,
-                         "Bad RAR file data");
-       return (ARCHIVE_FATAL);
-     }
-    if (firstpart < length) {
-+    if ((size_t)firstpart < length) {
-       memcpy(&rar->unp_buffer[rar->unp_offset],
-              &rar->lzss.window[windowoffs], firstpart);
-       memcpy(&rar->unp_buffer[rar->unp_offset + firstpart],
-@@ -3130,9 +3135,7 @@ copy_from_lzss_window_to_unp(struct arch
-              &rar->lzss.window[windowoffs], length);
-     }
-   } else {
-      archive_set_error(&a->archive, ARCHIVE_ERRNO_FILE_FORMAT,
-                        "Bad RAR file data");
-      return (ARCHIVE_FATAL);
-+      goto fatal;
-   }
-   rar->unp_offset += length;
-   if (rar->unp_offset >= rar->unp_buffer_size)
-@@ -3140,6 +3143,11 @@ copy_from_lzss_window_to_unp(struct arch
-   else
-     *buffer = NULL;
-   return (ARCHIVE_OK);
-+
-+fatal:
-+  archive_set_error(&a->archive, ARCHIVE_ERRNO_FILE_FORMAT,
-+                    "Bad RAR file data");
-+  return (ARCHIVE_FATAL);
- }
- 
- static const void *
diff --git a/meta/recipes-extended/libarchive/libarchive/CVE-2024-48957.patch b/meta/recipes-extended/libarchive/libarchive/CVE-2024-48957.patch
deleted file mode 100644
index 98877cf72c..0000000000
--- a/meta/recipes-extended/libarchive/libarchive/CVE-2024-48957.patch
+++ /dev/null
@@ -1,36 +0,0 @@
-From 3006bc5d02ad3ae3c4f9274f60c1f9d2d834734b Mon Sep 17 00:00:00 2001
-From: Wei-Cheng Pan <legnaleurc@gmail.com>
-Date: Mon, 29 Apr 2024 06:53:19 +0900
-Subject: [PATCH] fix: OOB in rar audio filter (#2149)
-This patch ensures that `src` won't move ahead of `dst`, so `src` will
-not OOB. Similar situation like in a1cb648.
-Upstream-Status: Backport [https://github.com/libarchive/libarchive/commit/3006bc5d02ad3ae3c4f9274f60c1f9d2d834734b]
-CVE: CVE-2024-48957
-Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
---
- libarchive/archive_read_support_format_rar.c | 7 +++++++
- 1 file changed, 7 insertions(+)
-diff --git a/libarchive/archive_read_support_format_rar.c b/libarchive/archive_read_support_format_rar.c
-index 79669a8..95a91dc 100644
--- a/libarchive/archive_read_support_format_rar.c
-+++ b/libarchive/archive_read_support_format_rar.c
-@@ -3714,6 +3714,13 @@ execute_filter_audio(struct rar_filter *filter, struct rar_virtual_machine *vm)
-     memset(&state, 0, sizeof(state));
-     for (j = i; j < length; j += numchannels)
-     {
-+      /*
-+       * The src block should not overlap with the dst block.
-+       * If so it would be better to consider this archive is broken.
-+       */
-+      if (src >= dst)
-+        return 0;
-+
-       int8_t delta = (int8_t)*src++;
-       uint8_t predbyte, byte;
-       int prederror;
-- 
-2.25.1
diff --git a/meta/recipes-extended/libarchive/libarchive/CVE-2024-48958.patch b/meta/recipes-extended/libarchive/libarchive/CVE-2024-48958.patch
deleted file mode 100644
index de266e9d95..0000000000
--- a/meta/recipes-extended/libarchive/libarchive/CVE-2024-48958.patch
+++ /dev/null
@@ -1,40 +0,0 @@
-From a1cb648d52f5b6d3f31184d9b6a7cbca628459b7 Mon Sep 17 00:00:00 2001
-From: Wei-Cheng Pan <legnaleurc@gmail.com>
-Date: Mon, 29 Apr 2024 06:50:22 +0900
-Subject: [PATCH] fix: OOB in rar delta filter (#2148)
-Ensure that `src` won't move ahead of `dst`, so `src` will not OOB.
-Since `dst` won't move in this function, and we are only increasing `src`
-position, this check should be enough. It should be safe to early return
-because this function does not allocate resources.
-Upstream-Status: Backport [https://github.com/libarchive/libarchive/commit/a1cb648d52f5b6d3f31184d9b6a7cbca628459b7]
-CVE: CVE-2024-48958
-Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
---
- libarchive/archive_read_support_format_rar.c | 8 ++++++++
- 1 file changed, 8 insertions(+)
-diff --git a/libarchive/archive_read_support_format_rar.c b/libarchive/archive_read_support_format_rar.c
-index 95a91dc..4fc6626 100644
--- a/libarchive/archive_read_support_format_rar.c
-+++ b/libarchive/archive_read_support_format_rar.c
-@@ -3612,7 +3612,15 @@ execute_filter_delta(struct rar_filter *filter, struct rar_virtual_machine *vm)
-   {
-     uint8_t lastbyte = 0;
-     for (idx = i; idx < length; idx += numchannels)
-+    {
-+      /*
-+       * The src block should not overlap with the dst block.
-+       * If so it would be better to consider this archive is broken.
-+       */
-+      if (src >= dst)
-+        return 0;
-       lastbyte = dst[idx] = lastbyte - *src++;
-+    }
-   }
- 
-   filter->filteredblockaddress = length;
-- 
-2.25.1
diff --git a/meta/recipes-extended/libarchive/libarchive/CVE-2025-1632_CVE-2025-25724.patch b/meta/recipes-extended/libarchive/libarchive/CVE-2025-1632_CVE-2025-25724.patch
deleted file mode 100644
index 459b664180..0000000000
--- a/meta/recipes-extended/libarchive/libarchive/CVE-2025-1632_CVE-2025-25724.patch
+++ /dev/null
@@ -1,83 +0,0 @@
-From c9bc934e7e91d302e0feca6e713ccc38d6d01532 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Peter=20K=C3=A4stle?= <peter@piie.net>
-Date: Mon, 10 Mar 2025 16:43:04 +0100
-Subject: [PATCH] fix CVE-2025-1632 and CVE-2025-25724 (#2532)
-Hi,
-please find my approach to fix the CVE-2025-1632 and CVE-2025-25724
-vulnerabilities in this pr.
-As both error cases did trigger a NULL pointer deref (and triggered
-hopefully everywhere a coredump), we can safely replace the actual
-information by a predefined invalid string without breaking any
-functionality.
-CVE: CVE-2025-1632
-CVE: CVE-2025-25724
-Upstream-Status: Backport [https://github.com/libarchive/libarchive/commit/c9bc934e7e91d302e0feca6e713ccc38d6d01532]
-Signed-off-by: Peter Marko <peter.marko@siemens.com>
---------
-Signed-off-by: Peter Kaestle <peter@piie.net>
---
- tar/util.c       |  5 ++++-
- unzip/bsdunzip.c | 10 +++++++---
- 2 files changed, 11 insertions(+), 4 deletions(-)
-diff --git a/tar/util.c b/tar/util.c
-index 3b099cb5..f3cbdf0b 100644
--- a/tar/util.c
-+++ b/tar/util.c
-@@ -748,7 +748,10 @@ list_item_verbose(struct bsdtar *bsdtar, FILE *out, struct archive_entry *entry)
- #else
-        ltime = localtime(&tim);
- #endif
-       strftime(tmp, sizeof(tmp), fmt, ltime);
-+       if (ltime)
-+               strftime(tmp, sizeof(tmp), fmt, ltime);
-+       else
-+               sprintf(tmp, "-- -- ----");
-        fprintf(out, " %s ", tmp);
-        safe_fprintf(out, "%s", archive_entry_pathname(entry));
- 
-diff --git a/unzip/bsdunzip.c b/unzip/bsdunzip.c
-index 7c8cafc3..4a9028b7 100644
--- a/unzip/bsdunzip.c
-+++ b/unzip/bsdunzip.c
-@@ -904,6 +904,7 @@ list(struct archive *a, struct archive_entry *e)
-        char buf[20];
-        time_t mtime;
-        struct tm *tm;
-+       const char *pathname;
- 
-        mtime = archive_entry_mtime(e);
-        tm = localtime(&mtime);
-@@ -912,22 +913,25 @@ list(struct archive *a, struct archive_entry *e)
-        else
-                strftime(buf, sizeof(buf), "%m-%d-%g %R", tm);
- 
-+       pathname = archive_entry_pathname(e);
-+       if (!pathname)
-+               pathname = "";
-        if (!zipinfo_mode) {
-                if (v_opt == 1) {
-                        printf(" %8ju  %s   %s\n",
-                            (uintmax_t)archive_entry_size(e),
-                           buf, archive_entry_pathname(e));
-+                           buf, pathname);
-                } else if (v_opt == 2) {
-                        printf("%8ju  Stored  %7ju   0%%  %s  %08x  %s\n",
-                            (uintmax_t)archive_entry_size(e),
-                            (uintmax_t)archive_entry_size(e),
-                            buf,
-                            0U,
-                           archive_entry_pathname(e));
-+                           pathname);
-                }
-        } else {
-                if (Z1_opt)
-                       printf("%s\n",archive_entry_pathname(e));
-+                       printf("%s\n", pathname);
-        }
-        ac(archive_read_data_skip(a));
- }
diff --git a/meta/recipes-extended/libarchive/libarchive/configurehack.patch b/meta/recipes-extended/libarchive/libarchive/configurehack.patch
index 44720fdd53..97e42591cb 100644
--- a/meta/recipes-extended/libarchive/libarchive/configurehack.patch
+++ b/meta/recipes-extended/libarchive/libarchive/configurehack.patch
@@ -10,7 +10,7 @@ diff --git a/configure.ac b/configure.ac
 index 5668d41..7e65e49 100644
 --- a/configure.ac
 +++ b/configure.ac
-@@ -414,6 +414,19 @@ if test "x$with_bz2lib" != "xno"; then
+@@ -435,6 +435,19 @@ if test "x$with_bz2lib" != "xno"; then
   esac
 fi
 
@@ -30,7 +30,7 @@ index 5668d41..7e65e49 100644
 AC_ARG_WITH([libb2],
   AS_HELP_STRING([--without-libb2], [Don't build support for BLAKE2 through libb2]))
 
-@@ -678,19 +691,6 @@ fi
+@@ -694,19 +707,6 @@ fi
 
 AC_SUBST(DEAD_CODE_REMOVAL)
 
diff --git a/meta/recipes-extended/libarchive/libarchive_3.7.4.bb b/meta/recipes-extended/libarchive/libarchive_3.7.9.bb
index 156a6bdaae..4dd6794bb1 100644
--- a/meta/recipes-extended/libarchive/libarchive_3.7.4.bb
+++ b/meta/recipes-extended/libarchive/libarchive_3.7.9.bb
@@ -29,18 +29,12 @@ PACKAGECONFIG[zstd] = "--with-zstd,--without-zstd,zstd,"
 EXTRA_OECONF += "--enable-largefile --without-iconv"
-SRC_URI = "http://libarchive.org/downloads/libarchive-${PV}.tar.gz"
+SRC_URI = "http://libarchive.org/downloads/libarchive-${PV}.tar.gz \
-SRC_URI += "file://configurehack.patch \
+           file://configurehack.patch \
-            file://CVE-2024-48957.patch \
-            file://CVE-2024-48958.patch \
-            file://CVE-2024-20696.patch \
-            file://CVE-2025-1632_CVE-2025-25724.patch \
           "
 UPSTREAM_CHECK_URI = "http://libarchive.org/"
-SRC_URI[sha256sum] = "7875d49596286055b52439ed42f044bd8ad426aa4cc5aabd96bfe7abb971d5e8"
+SRC_URI[sha256sum] = "aa90732c5a6bdda52fda2ad468ac98d75be981c15dde263d7b5cf6af66fd009f"
-CVE_STATUS[CVE-2023-30571] = "upstream-wontfix: upstream has documented that reported function is not thread-safe"
 inherit autotools update-alternatives pkgconfig
author	Peter Marko <peter.marko@siemens.com>	2025-04-15 18:10:45 +0200
committer	Steve Sakoman <steve@sakoman.com>	2025-04-19 14:42:10 -0700
commit	06d60d3877ea268735215439b9253cd0e54ee93e (patch)
tree	1babe3f377e3c8532d242638d379064e459b3b45
parent	9ef34c9ce9f60077856d0145f66f734f696fa409 (diff)
download	poky-06d60d3877ea268735215439b9253cd0e54ee93e.tar.gz

diff --git a/meta/recipes-extended/libarchive/libarchive/CVE-2024-20696.patch b/meta/recipes-extended/libarchive/libarchive/CVE-2024-20696.patch deleted file mode 100644 index e55d58d37b..0000000000 --- a/meta/recipes-extended/libarchive/libarchive/CVE-2024-20696.patch +++ /dev/null
@@ -1,115 +0,0 @@
1	From eac15e252010c1189a5c0f461364dbe2cd2a68b1 Mon Sep 17 00:00:00 2001
2	From: "Dustin L. Howett" <dustin@howett.net>
3	Date: Thu, 9 May 2024 18:59:17 -0500
4	Subject: [PATCH] rar4 reader: protect copy_from_lzss_window_to_unp() (#2172)
5
6	copy_from_lzss_window_to_unp unnecessarily took an `int` parameter where
7	both of its callers were holding a `size_t`.
8
9	A lzss opcode chain could be constructed that resulted in a negative
10	copy length, which when passed into memcpy would result in a very, very
11	large positive number.
12
13	Switching copy_from_lzss_window_to_unp to take a `size_t` allows it to
14	properly bounds-check length.
15
16	In addition, this patch also ensures that `length` is not itself larger
17	than the destination buffer.
18
19	CVE: CVE-2024-20696
20	Upstream-Status: Backport [https://github.com/libarchive/libarchive/commit/eac15e252010c1189a5c0f461364dbe2cd2a68b1]
21
22	Signed-off-by: Nitin Wankhade <nitin.wankhade@kpit.com>
23	---
24
25	--- a/libarchive/archive_read_support_format_rar.c 2024-04-26 14:52:59.000000000 +0530
26	+++ b/libarchive/archive_read_support_format_rar.c 2024-12-12 07:35:33.287412704 +0530
27	@@ -432,7 +432,7 @@ static int make_table_recurse(struct arc
28	struct huffman_table_entry *, int, int);
29	static int expand(struct archive_read , int64_t );
30	static int copy_from_lzss_window_to_unp(struct archive_read , const void *,
31	- int64_t, int);
32	+ int64_t, size_t);
33	static const void rar_read_ahead(struct archive_read , size_t, ssize_t *);
34	static int parse_filter(struct archive_read , const uint8_t , uint16_t,
35	uint8_t);
36	@@ -2060,7 +2060,7 @@ read_data_compressed(struct archive_read
37	bs = rar->unp_buffer_size - rar->unp_offset;
38	else
39	bs = (size_t)rar->bytes_uncopied;
40	- ret = copy_from_lzss_window_to_unp(a, buff, rar->offset, (int)bs);
41	+ ret = copy_from_lzss_window_to_unp(a, buff, rar->offset, bs);
42	if (ret != ARCHIVE_OK)
43	return (ret);
44	rar->offset += bs;
45	@@ -2213,7 +2213,7 @@ read_data_compressed(struct archive_read
46	bs = rar->unp_buffer_size - rar->unp_offset;
47	else
48	bs = (size_t)rar->bytes_uncopied;
49	- ret = copy_from_lzss_window_to_unp(a, buff, rar->offset, (int)bs);
50	+ ret = copy_from_lzss_window_to_unp(a, buff, rar->offset, bs);
51	if (ret != ARCHIVE_OK)
52	return (ret);
53	rar->offset += bs;
54	@@ -3094,11 +3094,16 @@ copy_from_lzss_window(struct archive_rea
55
56	static int
57	copy_from_lzss_window_to_unp(struct archive_read a, const void *buffer,
58	- int64_t startpos, int length)
59	+ int64_t startpos, size_t length)
60	{
61	int windowoffs, firstpart;
62	struct rar rar = (struct rar )(a->format->data);
63
64	+ if (length > rar->unp_buffer_size)
65	+ {
66	+ goto fatal;
67	+ }
68	+
69	if (!rar->unp_buffer)
70	{
71	if ((rar->unp_buffer = malloc(rar->unp_buffer_size)) == NULL)
72	@@ -3110,17 +3115,17 @@ copy_from_lzss_window_to_unp(struct arch
73	}
74
75	windowoffs = lzss_offset_for_position(&rar->lzss, startpos);
76	- if(windowoffs + length <= lzss_size(&rar->lzss)) {
77	+ if(windowoffs + length <= (size_t)lzss_size(&rar->lzss)) {
78	memcpy(&rar->unp_buffer[rar->unp_offset], &rar->lzss.window[windowoffs],
79	length);
80	- } else if (length <= lzss_size(&rar->lzss)) {
81	+ } else if (length <= (size_t)lzss_size(&rar->lzss)) {
82	firstpart = lzss_size(&rar->lzss) - windowoffs;
83	if (firstpart < 0) {
84	archive_set_error(&a->archive, ARCHIVE_ERRNO_FILE_FORMAT,
85	"Bad RAR file data");
86	return (ARCHIVE_FATAL);
87	}
88	- if (firstpart < length) {
89	+ if ((size_t)firstpart < length) {
90	memcpy(&rar->unp_buffer[rar->unp_offset],
91	&rar->lzss.window[windowoffs], firstpart);
92	memcpy(&rar->unp_buffer[rar->unp_offset + firstpart],
93	@@ -3130,9 +3135,7 @@ copy_from_lzss_window_to_unp(struct arch
94	&rar->lzss.window[windowoffs], length);
95	}
96	} else {
97	- archive_set_error(&a->archive, ARCHIVE_ERRNO_FILE_FORMAT,
98	- "Bad RAR file data");
99	- return (ARCHIVE_FATAL);
100	+ goto fatal;
101	}
102	rar->unp_offset += length;
103	if (rar->unp_offset >= rar->unp_buffer_size)
104	@@ -3140,6 +3143,11 @@ copy_from_lzss_window_to_unp(struct arch
105	else
106	*buffer = NULL;
107	return (ARCHIVE_OK);
108	+
109	+fatal:
110	+ archive_set_error(&a->archive, ARCHIVE_ERRNO_FILE_FORMAT,
111	+ "Bad RAR file data");
112	+ return (ARCHIVE_FATAL);
113	}
114
115	static const void *


diff --git a/meta/recipes-extended/libarchive/libarchive/CVE-2024-48957.patch b/meta/recipes-extended/libarchive/libarchive/CVE-2024-48957.patch deleted file mode 100644 index 98877cf72c..0000000000 --- a/meta/recipes-extended/libarchive/libarchive/CVE-2024-48957.patch +++ /dev/null
@@ -1,36 +0,0 @@
1	From 3006bc5d02ad3ae3c4f9274f60c1f9d2d834734b Mon Sep 17 00:00:00 2001
2	From: Wei-Cheng Pan <legnaleurc@gmail.com>
3	Date: Mon, 29 Apr 2024 06:53:19 +0900
4	Subject: [PATCH] fix: OOB in rar audio filter (#2149)
5
6	This patch ensures that `src` won't move ahead of `dst`, so `src` will
7	not OOB. Similar situation like in a1cb648.
8
9	Upstream-Status: Backport [https://github.com/libarchive/libarchive/commit/3006bc5d02ad3ae3c4f9274f60c1f9d2d834734b]
10	CVE: CVE-2024-48957
11	Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
12	---
13	libarchive/archive_read_support_format_rar.c \| 7 +++++++
14	1 file changed, 7 insertions(+)
15
16	diff --git a/libarchive/archive_read_support_format_rar.c b/libarchive/archive_read_support_format_rar.c
17	index 79669a8..95a91dc 100644
18	--- a/libarchive/archive_read_support_format_rar.c
19	+++ b/libarchive/archive_read_support_format_rar.c
20	@@ -3714,6 +3714,13 @@ execute_filter_audio(struct rar_filter filter, struct rar_virtual_machine vm)
21	memset(&state, 0, sizeof(state));
22	for (j = i; j < length; j += numchannels)
23	{
24	+ /*
25	+ * The src block should not overlap with the dst block.
26	+ * If so it would be better to consider this archive is broken.
27	+ */
28	+ if (src >= dst)
29	+ return 0;
30	+
31	int8_t delta = (int8_t)*src++;
32	uint8_t predbyte, byte;
33	int prederror;
34	--
35	2.25.1
36


diff --git a/meta/recipes-extended/libarchive/libarchive/CVE-2024-48958.patch b/meta/recipes-extended/libarchive/libarchive/CVE-2024-48958.patch deleted file mode 100644 index de266e9d95..0000000000 --- a/meta/recipes-extended/libarchive/libarchive/CVE-2024-48958.patch +++ /dev/null
@@ -1,40 +0,0 @@
1	From a1cb648d52f5b6d3f31184d9b6a7cbca628459b7 Mon Sep 17 00:00:00 2001
2	From: Wei-Cheng Pan <legnaleurc@gmail.com>
3	Date: Mon, 29 Apr 2024 06:50:22 +0900
4	Subject: [PATCH] fix: OOB in rar delta filter (#2148)
5
6	Ensure that `src` won't move ahead of `dst`, so `src` will not OOB.
7	Since `dst` won't move in this function, and we are only increasing `src`
8	position, this check should be enough. It should be safe to early return
9	because this function does not allocate resources.
10
11	Upstream-Status: Backport [https://github.com/libarchive/libarchive/commit/a1cb648d52f5b6d3f31184d9b6a7cbca628459b7]
12	CVE: CVE-2024-48958
13	Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
14	---
15	libarchive/archive_read_support_format_rar.c \| 8 ++++++++
16	1 file changed, 8 insertions(+)
17
18	diff --git a/libarchive/archive_read_support_format_rar.c b/libarchive/archive_read_support_format_rar.c
19	index 95a91dc..4fc6626 100644
20	--- a/libarchive/archive_read_support_format_rar.c
21	+++ b/libarchive/archive_read_support_format_rar.c
22	@@ -3612,7 +3612,15 @@ execute_filter_delta(struct rar_filter filter, struct rar_virtual_machine vm)
23	{
24	uint8_t lastbyte = 0;
25	for (idx = i; idx < length; idx += numchannels)
26	+ {
27	+ /*
28	+ * The src block should not overlap with the dst block.
29	+ * If so it would be better to consider this archive is broken.
30	+ */
31	+ if (src >= dst)
32	+ return 0;
33	lastbyte = dst[idx] = lastbyte - *src++;
34	+ }
35	}
36
37	filter->filteredblockaddress = length;
38	--
39	2.25.1
40


diff --git a/meta/recipes-extended/libarchive/libarchive/CVE-2025-1632_CVE-2025-25724.patch b/meta/recipes-extended/libarchive/libarchive/CVE-2025-1632_CVE-2025-25724.patch deleted file mode 100644 index 459b664180..0000000000 --- a/meta/recipes-extended/libarchive/libarchive/CVE-2025-1632_CVE-2025-25724.patch +++ /dev/null
@@ -1,83 +0,0 @@
1	From c9bc934e7e91d302e0feca6e713ccc38d6d01532 Mon Sep 17 00:00:00 2001
2	From: =?UTF-8?q?Peter=20K=C3=A4stle?= <peter@piie.net>
3	Date: Mon, 10 Mar 2025 16:43:04 +0100
4	Subject: [PATCH] fix CVE-2025-1632 and CVE-2025-25724 (#2532)
5
6	Hi,
7
8	please find my approach to fix the CVE-2025-1632 and CVE-2025-25724
9	vulnerabilities in this pr.
10	As both error cases did trigger a NULL pointer deref (and triggered
11	hopefully everywhere a coredump), we can safely replace the actual
12	information by a predefined invalid string without breaking any
13	functionality.
14
15	CVE: CVE-2025-1632
16	CVE: CVE-2025-25724
17	Upstream-Status: Backport [https://github.com/libarchive/libarchive/commit/c9bc934e7e91d302e0feca6e713ccc38d6d01532]
18	Signed-off-by: Peter Marko <peter.marko@siemens.com>
19	---------
20
21	Signed-off-by: Peter Kaestle <peter@piie.net>
22	---
23	tar/util.c \| 5 ++++-
24	unzip/bsdunzip.c \| 10 +++++++---
25	2 files changed, 11 insertions(+), 4 deletions(-)
26
27	diff --git a/tar/util.c b/tar/util.c
28	index 3b099cb5..f3cbdf0b 100644
29	--- a/tar/util.c
30	+++ b/tar/util.c
31	@@ -748,7 +748,10 @@ list_item_verbose(struct bsdtar bsdtar, FILE out, struct archive_entry *entry)
32	#else
33	ltime = localtime(&tim);
34	#endif
35	- strftime(tmp, sizeof(tmp), fmt, ltime);
36	+ if (ltime)
37	+ strftime(tmp, sizeof(tmp), fmt, ltime);
38	+ else
39	+ sprintf(tmp, "-- -- ----");
40	fprintf(out, " %s ", tmp);
41	safe_fprintf(out, "%s", archive_entry_pathname(entry));
42
43	diff --git a/unzip/bsdunzip.c b/unzip/bsdunzip.c
44	index 7c8cafc3..4a9028b7 100644
45	--- a/unzip/bsdunzip.c
46	+++ b/unzip/bsdunzip.c
47	@@ -904,6 +904,7 @@ list(struct archive a, struct archive_entry e)
48	char buf[20];
49	time_t mtime;
50	struct tm *tm;
51	+ const char *pathname;
52
53	mtime = archive_entry_mtime(e);
54	tm = localtime(&mtime);
55	@@ -912,22 +913,25 @@ list(struct archive a, struct archive_entry e)
56	else
57	strftime(buf, sizeof(buf), "%m-%d-%g %R", tm);
58
59	+ pathname = archive_entry_pathname(e);
60	+ if (!pathname)
61	+ pathname = "";
62	if (!zipinfo_mode) {
63	if (v_opt == 1) {
64	printf(" %8ju %s %s\n",
65	(uintmax_t)archive_entry_size(e),
66	- buf, archive_entry_pathname(e));
67	+ buf, pathname);
68	} else if (v_opt == 2) {
69	printf("%8ju Stored %7ju 0%% %s %08x %s\n",
70	(uintmax_t)archive_entry_size(e),
71	(uintmax_t)archive_entry_size(e),
72	buf,
73	0U,
74	- archive_entry_pathname(e));
75	+ pathname);
76	}
77	} else {
78	if (Z1_opt)
79	- printf("%s\n",archive_entry_pathname(e));
80	+ printf("%s\n", pathname);
81	}
82	ac(archive_read_data_skip(a));
83	}


diff --git a/meta/recipes-extended/libarchive/libarchive/configurehack.patch b/meta/recipes-extended/libarchive/libarchive/configurehack.patch index 44720fdd53..97e42591cb 100644 --- a/meta/recipes-extended/libarchive/libarchive/configurehack.patch +++ b/meta/recipes-extended/libarchive/libarchive/configurehack.patch
@@ -10,7 +10,7 @@ diff --git a/configure.ac b/configure.ac
10	index 5668d41..7e65e49 100644	10	index 5668d41..7e65e49 100644
11	--- a/configure.ac	11	--- a/configure.ac
12	+++ b/configure.ac	12	+++ b/configure.ac
13	@@ -414,6 +414,19 @@ if test "x$with_bz2lib" != "xno"; then	13	@@ -435,6 +435,19 @@ if test "x$with_bz2lib" != "xno"; then
14	esac	14	esac
15	fi	15	fi
16		16
@@ -30,7 +30,7 @@ index 5668d41..7e65e49 100644
30	AC_ARG_WITH([libb2],	30	AC_ARG_WITH([libb2],
31	AS_HELP_STRING([--without-libb2], [Don't build support for BLAKE2 through libb2]))	31	AS_HELP_STRING([--without-libb2], [Don't build support for BLAKE2 through libb2]))
32		32
33	@@ -678,19 +691,6 @@ fi	33	@@ -694,19 +707,6 @@ fi
34		34
35	AC_SUBST(DEAD_CODE_REMOVAL)	35	AC_SUBST(DEAD_CODE_REMOVAL)
36		36


diff --git a/meta/recipes-extended/libarchive/libarchive_3.7.4.bb b/meta/recipes-extended/libarchive/libarchive_3.7.9.bb index 156a6bdaae..4dd6794bb1 100644 --- a/meta/recipes-extended/libarchive/libarchive_3.7.4.bb +++ b/meta/recipes-extended/libarchive/libarchive_3.7.9.bb
@@ -29,18 +29,12 @@ PACKAGECONFIG[zstd] = "--with-zstd,--without-zstd,zstd,"
29		29
30	EXTRA_OECONF += "--enable-largefile --without-iconv"	30	EXTRA_OECONF += "--enable-largefile --without-iconv"
31		31
32	SRC_URI = "http://libarchive.org/downloads/libarchive-${PV}.tar.gz"	32	SRC_URI = "http://libarchive.org/downloads/libarchive-${PV}.tar.gz \
33	SRC_URI += "file://configurehack.patch \	33	file://configurehack.patch \
34	file://CVE-2024-48957.patch \
35	file://CVE-2024-48958.patch \
36	file://CVE-2024-20696.patch \
37	file://CVE-2025-1632_CVE-2025-25724.patch \
38	"	34	"
39	UPSTREAM_CHECK_URI = "http://libarchive.org/"	35	UPSTREAM_CHECK_URI = "http://libarchive.org/"
40		36
41	SRC_URI[sha256sum] = "7875d49596286055b52439ed42f044bd8ad426aa4cc5aabd96bfe7abb971d5e8"	37	SRC_URI[sha256sum] = "aa90732c5a6bdda52fda2ad468ac98d75be981c15dde263d7b5cf6af66fd009f"
42
43	CVE_STATUS[CVE-2023-30571] = "upstream-wontfix: upstream has documented that reported function is not thread-safe"
44		38
45	inherit autotools update-alternatives pkgconfig	39	inherit autotools update-alternatives pkgconfig
46		40