libarchive: fix CVE-2025-5916

A vulnerability has been identified in the libarchive library. This flaw involves an integer overflow that can be triggered when processing a Web Archive (WARC) file that claims to have more than INT64_MAX - 4 content bytes. An attacker could craft a malicious WARC archive to induce this overflow, potentially leading to unpredictable program behavior, memory corruption, or a denial-of-service condition within applications that process such archives using libarchive. Reference: https://security-tracker.debian.org/tracker/CVE-2025-5916 Upstream-patch: https://github.com/libarchive/libarchive/commit/ef093729521fcf73fa4007d5ae77adfe4df42403 (From OE-Core rev: 9c74d3a096fed68d173f8711b373a42f158d6cc7) Signed-off-by: Divya Chellam <divya.chellam@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
author: Divya Chellam <divya.chellam@windriver.com> 2025-07-02 12:21:32 +0530
committer: Steve Sakoman <steve@sakoman.com> 2025-07-09 08:43:32 -0700
commit: 0bccc5ec8559559167be0c2f772594b772112661 (patch)
tree: 6c7b24bc0a3ea257bee3fea003e93be862061fdf
parent: 0f2564b7c013ea7690ecfc997adc952d5cade5ea (diff)
download: poky-0bccc5ec8559559167be0c2f772594b772112661.tar.gz
2 files changed, 117 insertions, 0 deletions
diff --git a/meta/recipes-extended/libarchive/libarchive/CVE-2025-5916.patch b/meta/recipes-extended/libarchive/libarchive/CVE-2025-5916.patch
new file mode 100644
index 0000000000..a1dfc7b286
--- /dev/null
+++ b/meta/recipes-extended/libarchive/libarchive/CVE-2025-5916.patch
@@ -0,0 +1,116 @@
+From ef093729521fcf73fa4007d5ae77adfe4df42403 Mon Sep 17 00:00:00 2001
+From: Tobias Stoeckmann <stoeckmann@users.noreply.github.com>
+Date: Mon, 7 Apr 2025 00:24:13 +0200
+Subject: [PATCH] warc: Prevent signed integer overflow (#2568)
+If a warc archive claims to have more than INT64_MAX - 4 content bytes,
+the inevitable failure to skip all these bytes could lead to parsing
+data which should be ignored instead.
+The test case contains a conversation entry with that many bytes and if
+the entry is not properly skipped, the warc implementation would read
+the conversation data as a new file entry.
+Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
+CVE: CVE-2025-5916
+Upstream-Status: Backport [https://github.com/libarchive/libarchive/commit/ef093729521fcf73fa4007d5ae77adfe4df42403]
+Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
+---
+ Makefile.am                                   |  1 +
+ libarchive/archive_read_support_format_warc.c |  7 ++++--
+ libarchive/test/test_read_format_warc.c       | 24 +++++++++++++++++++
+ .../test_read_format_warc_incomplete.warc.uu  | 10 ++++++++
+ 4 files changed, 40 insertions(+), 2 deletions(-)
+ create mode 100644 libarchive/test/test_read_format_warc_incomplete.warc.uu
+diff --git a/Makefile.am b/Makefile.am
+index 9f3a6d1..7627ec5 100644
+--- a/Makefile.am
+++ b/Makefile.am
+@@ -964,6 +964,7 @@ libarchive_test_EXTRA_DIST=\
+        libarchive/test/test_read_format_ustar_filename_eucjp.tar.Z.uu \
+        libarchive/test/test_read_format_ustar_filename_koi8r.tar.Z.uu \
+        libarchive/test/test_read_format_warc.warc.uu \
+       libarchive/test/test_read_format_warc_incomplete.warc.uu \
+        libarchive/test/test_read_format_xar_doublelink.xar.uu \
+        libarchive/test/test_read_format_xar_duplicate_filename_node.xar.uu \
+        libarchive/test/test_read_format_zip.zip.uu \
+diff --git a/libarchive/archive_read_support_format_warc.c b/libarchive/archive_read_support_format_warc.c
+index fcec5bc..696f959 100644
+--- a/libarchive/archive_read_support_format_warc.c
+++ b/libarchive/archive_read_support_format_warc.c
+@@ -386,7 +386,8 @@ start_over:
+        case LAST_WT:
+        default:
+                /* consume the content and start over */
+-               _warc_skip(a);
+               if (_warc_skip(a) < 0)
+                       return (ARCHIVE_FATAL);
+                goto start_over;
+        }
+        return (ARCHIVE_OK);
+@@ -439,7 +440,9 @@ _warc_skip(struct archive_read *a)
+ {
+        struct warc_s *w = a->format->data;
+ 
+-       __archive_read_consume(a, w->cntlen + 4U/*\r\n\r\n separator*/);
+       if (__archive_read_consume(a, w->cntlen) < 0 ||
+           __archive_read_consume(a, 4U/*\r\n\r\n separator*/) < 0)
+               return (ARCHIVE_FATAL);
+        w->cntlen = 0U;
+        w->cntoff = 0U;
+        return (ARCHIVE_OK);
+diff --git a/libarchive/test/test_read_format_warc.c b/libarchive/test/test_read_format_warc.c
+index 91e6dc6..745aabf 100644
+--- a/libarchive/test/test_read_format_warc.c
+++ b/libarchive/test/test_read_format_warc.c
+@@ -78,3 +78,27 @@ DEFINE_TEST(test_read_format_warc)
+        assertEqualIntA(a, ARCHIVE_OK, archive_read_close(a));
+        assertEqualInt(ARCHIVE_OK, archive_read_free(a));
+ }
+
+DEFINE_TEST(test_read_format_warc_incomplete)
+{
+       const char reffile[] = "test_read_format_warc_incomplete.warc";
+       struct archive_entry *ae;
+       struct archive *a;
+
+       extract_reference_file(reffile);
+       assert((a = archive_read_new()) != NULL);
+       assertEqualIntA(a, ARCHIVE_OK, archive_read_support_filter_all(a));
+       assertEqualIntA(a, ARCHIVE_OK, archive_read_support_format_all(a));
+       assertEqualIntA(a, ARCHIVE_OK,
+           archive_read_open_filename(a, reffile, 10240));
+
+       /* Entry cannot be parsed */
+       assertEqualIntA(a, ARCHIVE_FATAL, archive_read_next_header(a, &ae));
+
+       /* Verify archive format. */
+       assertEqualIntA(a, ARCHIVE_FILTER_NONE, archive_filter_code(a, 0));
+
+       /* Verify closing and resource freeing */
+       assertEqualIntA(a, ARCHIVE_OK, archive_read_close(a));
+       assertEqualInt(ARCHIVE_OK, archive_read_free(a));
+}
+diff --git a/libarchive/test/test_read_format_warc_incomplete.warc.uu b/libarchive/test/test_read_format_warc_incomplete.warc.uu
+new file mode 100644
+index 0000000..b91b97e
+--- /dev/null
+++ b/libarchive/test/test_read_format_warc_incomplete.warc.uu
+@@ -0,0 +1,10 @@
+begin 644 test_read_format_warc_incomplete.warc
+M5T%20R\Q+C`-"E=!4D,M5'EP93H@8V]N=F5R<VEO;@T*5T%20RU$871E.B`R
+M,#(U+3`S+3,P5#$U.C`P.C0P6@T*0V]N=&5N="U,96YG=&@Z(#DR,C,S-S(P
+M,S8X-30W-S4X,#<-"@T*5T%20R\Q+C`-"E=!4D,M5'EP93H@<F5S;W5R8V4-
+M"E=!4D,M5&%R9V5T+55223H@9FEL93HO+W)E861M92YT>'0-"E=!4D,M1&%T
+M93H@,C`R-2TP,RTS,%0Q-3HP,#HT,%H-"D-O;G1E;G0M5'EP93H@=&5X="]P
+M;&%I;@T*0V]N=&5N="U,96YG=&@Z(#,X#0H-"E1H92!R96%D;64N='AT('-H
+4;W5L9"!N;W0@8F4@=FES:6)L90H`
+`
+end
+-- 
+2.40.0
diff --git a/meta/recipes-extended/libarchive/libarchive_3.7.9.bb b/meta/recipes-extended/libarchive/libarchive_3.7.9.bb
index 42c91e641e..250a3c016f 100644
--- a/meta/recipes-extended/libarchive/libarchive_3.7.9.bb
+++ b/meta/recipes-extended/libarchive/libarchive_3.7.9.bb
@@ -33,6 +33,7 @@ SRC_URI = "http://libarchive.org/downloads/libarchive-${PV}.tar.gz \
           file://configurehack.patch \
           file://CVE-2025-5914.patch \
           file://CVE-2025-5915.patch \
+           file://CVE-2025-5916.patch \
           "
 UPSTREAM_CHECK_URI = "http://libarchive.org/"
author	Divya Chellam <divya.chellam@windriver.com>	2025-07-02 12:21:32 +0530
committer	Steve Sakoman <steve@sakoman.com>	2025-07-09 08:43:32 -0700
commit	0bccc5ec8559559167be0c2f772594b772112661 (patch)
tree	6c7b24bc0a3ea257bee3fea003e93be862061fdf
parent	0f2564b7c013ea7690ecfc997adc952d5cade5ea (diff)
download	poky-0bccc5ec8559559167be0c2f772594b772112661.tar.gz

diff --git a/meta/recipes-extended/libarchive/libarchive/CVE-2025-5916.patch b/meta/recipes-extended/libarchive/libarchive/CVE-2025-5916.patch new file mode 100644 index 0000000000..a1dfc7b286 --- /dev/null +++ b/meta/recipes-extended/libarchive/libarchive/CVE-2025-5916.patch
@@ -0,0 +1,116 @@
		1	From ef093729521fcf73fa4007d5ae77adfe4df42403 Mon Sep 17 00:00:00 2001
		2	From: Tobias Stoeckmann <stoeckmann@users.noreply.github.com>
		3	Date: Mon, 7 Apr 2025 00:24:13 +0200
		4	Subject: [PATCH] warc: Prevent signed integer overflow (#2568)
		5
		6	If a warc archive claims to have more than INT64_MAX - 4 content bytes,
		7	the inevitable failure to skip all these bytes could lead to parsing
		8	data which should be ignored instead.
		9
		10	The test case contains a conversation entry with that many bytes and if
		11	the entry is not properly skipped, the warc implementation would read
		12	the conversation data as a new file entry.
		13
		14	Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
		15
		16	CVE: CVE-2025-5916
		17
		18	Upstream-Status: Backport [https://github.com/libarchive/libarchive/commit/ef093729521fcf73fa4007d5ae77adfe4df42403]
		19
		20	Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
		21	---
		22	Makefile.am \| 1 +
		23	libarchive/archive_read_support_format_warc.c \| 7 ++++--
		24	libarchive/test/test_read_format_warc.c \| 24 +++++++++++++++++++
		25	.../test_read_format_warc_incomplete.warc.uu \| 10 ++++++++
		26	4 files changed, 40 insertions(+), 2 deletions(-)
		27	create mode 100644 libarchive/test/test_read_format_warc_incomplete.warc.uu
		28
		29	diff --git a/Makefile.am b/Makefile.am
		30	index 9f3a6d1..7627ec5 100644
		31	--- a/Makefile.am
		32	+++ b/Makefile.am
		33	@@ -964,6 +964,7 @@ libarchive_test_EXTRA_DIST=\
		34	libarchive/test/test_read_format_ustar_filename_eucjp.tar.Z.uu \
		35	libarchive/test/test_read_format_ustar_filename_koi8r.tar.Z.uu \
		36	libarchive/test/test_read_format_warc.warc.uu \
		37	+ libarchive/test/test_read_format_warc_incomplete.warc.uu \
		38	libarchive/test/test_read_format_xar_doublelink.xar.uu \
		39	libarchive/test/test_read_format_xar_duplicate_filename_node.xar.uu \
		40	libarchive/test/test_read_format_zip.zip.uu \
		41	diff --git a/libarchive/archive_read_support_format_warc.c b/libarchive/archive_read_support_format_warc.c
		42	index fcec5bc..696f959 100644
		43	--- a/libarchive/archive_read_support_format_warc.c
		44	+++ b/libarchive/archive_read_support_format_warc.c
		45	@@ -386,7 +386,8 @@ start_over:
		46	case LAST_WT:
		47	default:
		48	/* consume the content and start over */
		49	- _warc_skip(a);
		50	+ if (_warc_skip(a) < 0)
		51	+ return (ARCHIVE_FATAL);
		52	goto start_over;
		53	}
		54	return (ARCHIVE_OK);
		55	@@ -439,7 +440,9 @@ _warc_skip(struct archive_read *a)
		56	{
		57	struct warc_s *w = a->format->data;
		58
		59	- __archive_read_consume(a, w->cntlen + 4U/\r\n\r\n separator/);
		60	+ if (__archive_read_consume(a, w->cntlen) < 0 \|\|
		61	+ __archive_read_consume(a, 4U/\r\n\r\n separator/) < 0)
		62	+ return (ARCHIVE_FATAL);
		63	w->cntlen = 0U;
		64	w->cntoff = 0U;
		65	return (ARCHIVE_OK);
		66	diff --git a/libarchive/test/test_read_format_warc.c b/libarchive/test/test_read_format_warc.c
		67	index 91e6dc6..745aabf 100644
		68	--- a/libarchive/test/test_read_format_warc.c
		69	+++ b/libarchive/test/test_read_format_warc.c
		70	@@ -78,3 +78,27 @@ DEFINE_TEST(test_read_format_warc)
		71	assertEqualIntA(a, ARCHIVE_OK, archive_read_close(a));
		72	assertEqualInt(ARCHIVE_OK, archive_read_free(a));
		73	}
		74	+
		75	+DEFINE_TEST(test_read_format_warc_incomplete)
		76	+{
		77	+ const char reffile[] = "test_read_format_warc_incomplete.warc";
		78	+ struct archive_entry *ae;
		79	+ struct archive *a;
		80	+
		81	+ extract_reference_file(reffile);
		82	+ assert((a = archive_read_new()) != NULL);
		83	+ assertEqualIntA(a, ARCHIVE_OK, archive_read_support_filter_all(a));
		84	+ assertEqualIntA(a, ARCHIVE_OK, archive_read_support_format_all(a));
		85	+ assertEqualIntA(a, ARCHIVE_OK,
		86	+ archive_read_open_filename(a, reffile, 10240));
		87	+
		88	+ /* Entry cannot be parsed */
		89	+ assertEqualIntA(a, ARCHIVE_FATAL, archive_read_next_header(a, &ae));
		90	+
		91	+ /* Verify archive format. */
		92	+ assertEqualIntA(a, ARCHIVE_FILTER_NONE, archive_filter_code(a, 0));
		93	+
		94	+ /* Verify closing and resource freeing */
		95	+ assertEqualIntA(a, ARCHIVE_OK, archive_read_close(a));
		96	+ assertEqualInt(ARCHIVE_OK, archive_read_free(a));
		97	+}
		98	diff --git a/libarchive/test/test_read_format_warc_incomplete.warc.uu b/libarchive/test/test_read_format_warc_incomplete.warc.uu
		99	new file mode 100644
		100	index 0000000..b91b97e
		101	--- /dev/null
		102	+++ b/libarchive/test/test_read_format_warc_incomplete.warc.uu
		103	@@ -0,0 +1,10 @@
		104	+begin 644 test_read_format_warc_incomplete.warc
		105	+M5T%20R\Q+C`-"E=!4D,M5'EP93H@8V]N=F5R<VEO;@T*5T%20RU$871E.B`R
		106	+M,#(U+3`S+3,P5#$U.C`P.C0P6@T*0V]N=&5N="U,96YG=&@Z(#DR,C,S-S(P
		107	+M,S8X-30W-S4X,#<-"@T*5T%20R\Q+C`-"E=!4D,M5'EP93H@<F5S;W5R8V4-
		108	+M"E=!4D,M5&%R9V5T+55223H@9FEL93HO+W)E861M92YT>'0-"E=!4D,M1&%T
		109	+M93H@,C`R-2TP,RTS,%0Q-3HP,#HT,%H-"D-O;G1E;G0M5'EP93H@=&5X="]P
		110	+M;&%I;@T*0V]N=&5N="U,96YG=&@Z(#,X#0H-"E1H92!R96%D;64N='AT('-H
		111	+4;W5L9"!N;W0@8F4@=FES:6)L90H`
		112	+`
		113	+end
		114	--
		115	2.40.0
		116


diff --git a/meta/recipes-extended/libarchive/libarchive_3.7.9.bb b/meta/recipes-extended/libarchive/libarchive_3.7.9.bb index 42c91e641e..250a3c016f 100644 --- a/meta/recipes-extended/libarchive/libarchive_3.7.9.bb +++ b/meta/recipes-extended/libarchive/libarchive_3.7.9.bb
@@ -33,6 +33,7 @@ SRC_URI = "http://libarchive.org/downloads/libarchive-${PV}.tar.gz \
33	file://configurehack.patch \	33	file://configurehack.patch \
34	file://CVE-2025-5914.patch \	34	file://CVE-2025-5914.patch \
35	file://CVE-2025-5915.patch \	35	file://CVE-2025-5915.patch \
		36	file://CVE-2025-5916.patch \
36	"	37	"
37	UPSTREAM_CHECK_URI = "http://libarchive.org/"	38	UPSTREAM_CHECK_URI = "http://libarchive.org/"
38		39