libarchive: fix CVE-2025-5915

A vulnerability has been identified in the libarchive library. This flaw can lead to a heap b uffer over-read due to the size of a filter block potentially exceeding the Lempel-Ziv-Storer -Schieber (LZSS) window. This means the library may attempt to read beyond the allocated memo ry buffer, which can result in unpredictable program behavior, crashes (denial of service), o r the disclosure of sensitive information from adjacent memory regions. Reference: https://security-tracker.debian.org/tracker/CVE-2025-5915 Upstream-patches: https://github.com/libarchive/libarchive/commit/a612bf62f86a6faa47bd57c52b94849f0a404d8c (From OE-Core rev: 41e7be4aa28481530d5e259d0f25b238b86c012d) Signed-off-by: Divya Chellam <divya.chellam@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
author: Divya Chellam <divya.chellam@windriver.com> 2025-07-08 15:08:16 +0530
committer: Steve Sakoman <steve@sakoman.com> 2025-07-14 08:37:40 -0700
commit: 6cc6cd3f8d2a981280ec5f90da699411c4a1a6c7 (patch)
tree: 9346e506dbc456d67590cf47604cf784a8a157fa
parent: 022d6ec767487a52fc479e25ebad11012df01474 (diff)
download: poky-6cc6cd3f8d2a981280ec5f90da699411c4a1a6c7.tar.gz
2 files changed, 218 insertions, 0 deletions
diff --git a/meta/recipes-extended/libarchive/libarchive/CVE-2025-5915.patch b/meta/recipes-extended/libarchive/libarchive/CVE-2025-5915.patch
new file mode 100644
index 0000000000..c83f4f1abc
--- /dev/null
+++ b/meta/recipes-extended/libarchive/libarchive/CVE-2025-5915.patch
@@ -0,0 +1,217 @@
+From a612bf62f86a6faa47bd57c52b94849f0a404d8c Mon Sep 17 00:00:00 2001
+From: Tobias Stoeckmann <stoeckmann@users.noreply.github.com>
+Date: Sun, 11 May 2025 19:00:11 +0200
+Subject: [PATCH] rar: Fix heap-buffer-overflow (#2599)
+A filter block size must not be larger than the lzss window, which is
+defined
+by dictionary size, which in turn can be derived from unpacked file
+size.
+While at it, improve error messages and fix lzss window wrap around
+logic.
+Fixes https://github.com/libarchive/libarchive/issues/2565
+---------
+Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
+Co-authored-by: Tim Kientzle <kientzle@acm.org>
+CVE: CVE-2025-5915
+Upstream-Status: Backport [https://github.com/libarchive/libarchive/commit/a612bf62f86a6faa47bd57c52b94849f0a404d8c]
+Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
+---
+ Makefile.am                                   |  2 +
+ libarchive/archive_read_support_format_rar.c  | 17 ++++---
+ libarchive/test/CMakeLists.txt                |  1 +
+ .../test/test_read_format_rar_overflow.c      | 48 +++++++++++++++++++
+ .../test/test_read_format_rar_overflow.rar.uu | 11 +++++
+ 5 files changed, 72 insertions(+), 7 deletions(-)
+ create mode 100644 libarchive/test/test_read_format_rar_overflow.c
+ create mode 100644 libarchive/test/test_read_format_rar_overflow.rar.uu
+diff --git a/Makefile.am b/Makefile.am
+index 3fd2fdb..e486a8d 100644
+--- a/Makefile.am
+++ b/Makefile.am
+@@ -505,6 +505,7 @@ libarchive_test_SOURCES= \
+        libarchive/test/test_read_format_rar_encryption_header.c \
+        libarchive/test/test_read_format_rar_filter.c \
+        libarchive/test/test_read_format_rar_invalid1.c \
+       libarchive/test/test_read_format_rar_overflow.c \
+        libarchive/test/test_read_format_rar5.c \
+        libarchive/test/test_read_format_raw.c \
+        libarchive/test/test_read_format_tar.c \
+@@ -848,6 +849,7 @@ libarchive_test_EXTRA_DIST=\
+        libarchive/test/test_read_format_rar_multivolume.part0003.rar.uu \
+        libarchive/test/test_read_format_rar_multivolume.part0004.rar.uu \
+        libarchive/test/test_read_format_rar_noeof.rar.uu \
+       libarchive/test/test_read_format_rar_overflow.rar.uu \
+        libarchive/test/test_read_format_rar_ppmd_lzss_conversion.rar.uu \
+        libarchive/test/test_read_format_rar_ppmd_use_after_free.rar.uu \
+        libarchive/test/test_read_format_rar_ppmd_use_after_free2.rar.uu \
+diff --git a/libarchive/archive_read_support_format_rar.c b/libarchive/archive_read_support_format_rar.c
+index 091a993..4d3b966 100644
+--- a/libarchive/archive_read_support_format_rar.c
+++ b/libarchive/archive_read_support_format_rar.c
+@@ -451,7 +451,7 @@ static int read_filter(struct archive_read *, int64_t *);
+ static int rar_decode_byte(struct archive_read*, uint8_t *);
+ static int execute_filter(struct archive_read*, struct rar_filter *,
+                           struct rar_virtual_machine *, size_t);
+-static int copy_from_lzss_window(struct archive_read *, void *, int64_t, int);
+static int copy_from_lzss_window(struct archive_read *, uint8_t *, int64_t, int);
+ static inline void vm_write_32(struct rar_virtual_machine*, size_t, uint32_t);
+ static inline uint32_t vm_read_32(struct rar_virtual_machine*, size_t);
+ 
+@@ -2899,7 +2899,7 @@ expand(struct archive_read *a, int64_t *end)
+     }
+ 
+     if ((symbol = read_next_symbol(a, &rar->maincode)) < 0)
+-      return (ARCHIVE_FATAL);
+      goto bad_data;
+ 
+     if (symbol < 256)
+     {
+@@ -2926,14 +2926,14 @@ expand(struct archive_read *a, int64_t *end)
+       else
+       {
+         if (parse_codes(a) != ARCHIVE_OK)
+-          return (ARCHIVE_FATAL);
+          goto bad_data;
+         continue;
+       }
+     }
+     else if(symbol==257)
+     {
+       if (!read_filter(a, end))
+-          return (ARCHIVE_FATAL);
+          goto bad_data;
+       continue;
+     }
+     else if(symbol==258)
+@@ -3018,7 +3018,7 @@ expand(struct archive_read *a, int64_t *end)
+           {
+             if ((lowoffsetsymbol =
+               read_next_symbol(a, &rar->lowoffsetcode)) < 0)
+-              return (ARCHIVE_FATAL);
+              goto bad_data;
+             if(lowoffsetsymbol == 16)
+             {
+               rar->numlowoffsetrepeats = 15;
+@@ -3066,7 +3066,7 @@ bad_data:
+ }
+ 
+ static int
+-copy_from_lzss_window(struct archive_read *a, void *buffer,
+copy_from_lzss_window(struct archive_read *a, uint8_t *buffer,
+                       int64_t startpos, int length)
+ {
+   int windowoffs, firstpart;
+@@ -3081,7 +3081,7 @@ copy_from_lzss_window(struct archive_read *a, void *buffer,
+   }
+   if (firstpart < length) {
+     memcpy(buffer, &rar->lzss.window[windowoffs], firstpart);
+-    memcpy(buffer, &rar->lzss.window[0], length - firstpart);
+    memcpy(buffer + firstpart, &rar->lzss.window[0], length - firstpart);
+   } else {
+     memcpy(buffer, &rar->lzss.window[windowoffs], length);
+   }
+@@ -3228,6 +3228,9 @@ parse_filter(struct archive_read *a, const uint8_t *bytes, uint16_t length, uint
+   else
+     blocklength = prog ? prog->oldfilterlength : 0;
+ 
+  if (blocklength > rar->dictionary_size)
+    return 0;
+
+   registers[3] = PROGRAM_SYSTEM_GLOBAL_ADDRESS;
+   registers[4] = blocklength;
+   registers[5] = prog ? prog->usagecount : 0;
+diff --git a/libarchive/test/CMakeLists.txt b/libarchive/test/CMakeLists.txt
+index bbbff22..05c6fd7 100644
+--- a/libarchive/test/CMakeLists.txt
+++ b/libarchive/test/CMakeLists.txt
+@@ -154,6 +154,7 @@ IF(ENABLE_TEST)
+     test_read_format_rar_encryption_partially.c
+     test_read_format_rar_invalid1.c
+     test_read_format_rar_filter.c
+    test_read_format_rar_overflow.c
+     test_read_format_rar5.c
+     test_read_format_raw.c
+     test_read_format_tar.c
+diff --git a/libarchive/test/test_read_format_rar_overflow.c b/libarchive/test/test_read_format_rar_overflow.c
+new file mode 100644
+index 0000000..b39ed6b
+--- /dev/null
+++ b/libarchive/test/test_read_format_rar_overflow.c
+@@ -0,0 +1,48 @@
+/*-
+ * Copyright (c) 2003-2025 Tim Kientzle
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR(S) ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR(S) BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+#include "test.h"
+
+DEFINE_TEST(test_read_format_rar_overflow)
+{
+    struct archive *a;
+    struct archive_entry *ae;
+    const char reffile[] = "test_read_format_rar_overflow.rar";
+    const void *buff;
+    size_t size;
+    int64_t offset;
+
+    extract_reference_file(reffile);
+    assert((a = archive_read_new()) != NULL);
+    assertEqualIntA(a, ARCHIVE_OK, archive_read_support_filter_all(a));
+    assertEqualIntA(a, ARCHIVE_OK, archive_read_support_format_all(a));
+    assertEqualIntA(a, ARCHIVE_OK, archive_read_open_filename(a, reffile, 1024));
+    assertEqualIntA(a, ARCHIVE_OK, archive_read_next_header(a, &ae));
+    assertEqualInt(48, archive_entry_size(ae));
+    /* The next call should reproduce Issue #2565 */
+    assertEqualIntA(a, ARCHIVE_FATAL, archive_read_data_block(a, &buff, &size, &offset));
+
+    assertEqualIntA(a, ARCHIVE_OK, archive_read_close(a));
+    assertEqualInt(ARCHIVE_OK, archive_read_free(a));
+}
+diff --git a/libarchive/test/test_read_format_rar_overflow.rar.uu b/libarchive/test/test_read_format_rar_overflow.rar.uu
+new file mode 100644
+index 0000000..48fd3fd
+--- /dev/null
+++ b/libarchive/test/test_read_format_rar_overflow.rar.uu
+@@ -0,0 +1,11 @@
+begin 644 test_read_format_rar_overflow.rar
+M4F%R(1H'`,($=```(0`@`0``,`````(````````````S`0``````,`"_B%_:
+MZ?^[:7``?S!!,`@P,KB@,T@RN33)MTEB@5Z3<`DP`K35`.0P63@P<,Q&0?#,
+MA##,,",S,(@P,#,@##`&,#":(3`!,#"(`9HPS,,S13`P,#`P,*`PHPS,,S1A
+M,!,!,#","9H@S12D#$PP!C`P`*'F03":,,T8H`@\,/DPJS!/,"30,#`3N%LP
+MCQ6:S3"!,#LP22<-,$5%B"5B$S!)(&*>G#+@!`E`%0ODC])62=DO,)BYJX'P
+M=/LPZ3!!008?%S`P,#`P,#`P,#`P,#`P,#`P,#`P2$PP,#`P03!(,#`P,#`&
+M,`7),#`P,#`P,#`P,#`P,#`P,#`P,#`P,#`P,#`P,#`P,#`P,#`P,#`P,#`P
+-,#`P,#`P,#`P,#`P,```
+`
+end
+-- 
+2.40.0
diff --git a/meta/recipes-extended/libarchive/libarchive_3.6.2.bb b/meta/recipes-extended/libarchive/libarchive_3.6.2.bb
index 4d0e3f7179..c612c1b7e0 100644
--- a/meta/recipes-extended/libarchive/libarchive_3.6.2.bb
+++ b/meta/recipes-extended/libarchive/libarchive_3.6.2.bb
@@ -36,6 +36,7 @@ SRC_URI = "http://libarchive.org/downloads/libarchive-${PV}.tar.gz \
           file://CVE-2024-20696.patch \
           file://CVE-2025-25724.patch \
           file://CVE-2025-5914.patch \
+           file://CVE-2025-5915.patch \
           "
 UPSTREAM_CHECK_URI = "http://libarchive.org/"
author	Divya Chellam <divya.chellam@windriver.com>	2025-07-08 15:08:16 +0530
committer	Steve Sakoman <steve@sakoman.com>	2025-07-14 08:37:40 -0700
commit	6cc6cd3f8d2a981280ec5f90da699411c4a1a6c7 (patch)
tree	9346e506dbc456d67590cf47604cf784a8a157fa
parent	022d6ec767487a52fc479e25ebad11012df01474 (diff)
download	poky-6cc6cd3f8d2a981280ec5f90da699411c4a1a6c7.tar.gz

diff --git a/meta/recipes-extended/libarchive/libarchive/CVE-2025-5915.patch b/meta/recipes-extended/libarchive/libarchive/CVE-2025-5915.patch new file mode 100644 index 0000000000..c83f4f1abc --- /dev/null +++ b/meta/recipes-extended/libarchive/libarchive/CVE-2025-5915.patch
@@ -0,0 +1,217 @@
		1	From a612bf62f86a6faa47bd57c52b94849f0a404d8c Mon Sep 17 00:00:00 2001
		2	From: Tobias Stoeckmann <stoeckmann@users.noreply.github.com>
		3	Date: Sun, 11 May 2025 19:00:11 +0200
		4	Subject: [PATCH] rar: Fix heap-buffer-overflow (#2599)
		5
		6	A filter block size must not be larger than the lzss window, which is
		7	defined
		8	by dictionary size, which in turn can be derived from unpacked file
		9	size.
		10
		11	While at it, improve error messages and fix lzss window wrap around
		12	logic.
		13
		14	Fixes https://github.com/libarchive/libarchive/issues/2565
		15
		16	---------
		17
		18	Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
		19	Co-authored-by: Tim Kientzle <kientzle@acm.org>
		20
		21	CVE: CVE-2025-5915
		22
		23	Upstream-Status: Backport [https://github.com/libarchive/libarchive/commit/a612bf62f86a6faa47bd57c52b94849f0a404d8c]
		24
		25	Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
		26	---
		27	Makefile.am \| 2 +
		28	libarchive/archive_read_support_format_rar.c \| 17 ++++---
		29	libarchive/test/CMakeLists.txt \| 1 +
		30	.../test/test_read_format_rar_overflow.c \| 48 +++++++++++++++++++
		31	.../test/test_read_format_rar_overflow.rar.uu \| 11 +++++
		32	5 files changed, 72 insertions(+), 7 deletions(-)
		33	create mode 100644 libarchive/test/test_read_format_rar_overflow.c
		34	create mode 100644 libarchive/test/test_read_format_rar_overflow.rar.uu
		35
		36	diff --git a/Makefile.am b/Makefile.am
		37	index 3fd2fdb..e486a8d 100644
		38	--- a/Makefile.am
		39	+++ b/Makefile.am
		40	@@ -505,6 +505,7 @@ libarchive_test_SOURCES= \
		41	libarchive/test/test_read_format_rar_encryption_header.c \
		42	libarchive/test/test_read_format_rar_filter.c \
		43	libarchive/test/test_read_format_rar_invalid1.c \
		44	+ libarchive/test/test_read_format_rar_overflow.c \
		45	libarchive/test/test_read_format_rar5.c \
		46	libarchive/test/test_read_format_raw.c \
		47	libarchive/test/test_read_format_tar.c \
		48	@@ -848,6 +849,7 @@ libarchive_test_EXTRA_DIST=\
		49	libarchive/test/test_read_format_rar_multivolume.part0003.rar.uu \
		50	libarchive/test/test_read_format_rar_multivolume.part0004.rar.uu \
		51	libarchive/test/test_read_format_rar_noeof.rar.uu \
		52	+ libarchive/test/test_read_format_rar_overflow.rar.uu \
		53	libarchive/test/test_read_format_rar_ppmd_lzss_conversion.rar.uu \
		54	libarchive/test/test_read_format_rar_ppmd_use_after_free.rar.uu \
		55	libarchive/test/test_read_format_rar_ppmd_use_after_free2.rar.uu \
		56	diff --git a/libarchive/archive_read_support_format_rar.c b/libarchive/archive_read_support_format_rar.c
		57	index 091a993..4d3b966 100644
		58	--- a/libarchive/archive_read_support_format_rar.c
		59	+++ b/libarchive/archive_read_support_format_rar.c
		60	@@ -451,7 +451,7 @@ static int read_filter(struct archive_read , int64_t );
		61	static int rar_decode_byte(struct archive_read, uint8_t );
		62	static int execute_filter(struct archive_read, struct rar_filter ,
		63	struct rar_virtual_machine *, size_t);
		64	-static int copy_from_lzss_window(struct archive_read , void , int64_t, int);
		65	+static int copy_from_lzss_window(struct archive_read , uint8_t , int64_t, int);
		66	static inline void vm_write_32(struct rar_virtual_machine*, size_t, uint32_t);
		67	static inline uint32_t vm_read_32(struct rar_virtual_machine*, size_t);
		68
		69	@@ -2899,7 +2899,7 @@ expand(struct archive_read a, int64_t end)
		70	}
		71
		72	if ((symbol = read_next_symbol(a, &rar->maincode)) < 0)
		73	- return (ARCHIVE_FATAL);
		74	+ goto bad_data;
		75
		76	if (symbol < 256)
		77	{
		78	@@ -2926,14 +2926,14 @@ expand(struct archive_read a, int64_t end)
		79	else
		80	{
		81	if (parse_codes(a) != ARCHIVE_OK)
		82	- return (ARCHIVE_FATAL);
		83	+ goto bad_data;
		84	continue;
		85	}
		86	}
		87	else if(symbol==257)
		88	{
		89	if (!read_filter(a, end))
		90	- return (ARCHIVE_FATAL);
		91	+ goto bad_data;
		92	continue;
		93	}
		94	else if(symbol==258)
		95	@@ -3018,7 +3018,7 @@ expand(struct archive_read a, int64_t end)
		96	{
		97	if ((lowoffsetsymbol =
		98	read_next_symbol(a, &rar->lowoffsetcode)) < 0)
		99	- return (ARCHIVE_FATAL);
		100	+ goto bad_data;
		101	if(lowoffsetsymbol == 16)
		102	{
		103	rar->numlowoffsetrepeats = 15;
		104	@@ -3066,7 +3066,7 @@ bad_data:
		105	}
		106
		107	static int
		108	-copy_from_lzss_window(struct archive_read a, void buffer,
		109	+copy_from_lzss_window(struct archive_read a, uint8_t buffer,
		110	int64_t startpos, int length)
		111	{
		112	int windowoffs, firstpart;
		113	@@ -3081,7 +3081,7 @@ copy_from_lzss_window(struct archive_read a, void buffer,
		114	}
		115	if (firstpart < length) {
		116	memcpy(buffer, &rar->lzss.window[windowoffs], firstpart);
		117	- memcpy(buffer, &rar->lzss.window[0], length - firstpart);
		118	+ memcpy(buffer + firstpart, &rar->lzss.window[0], length - firstpart);
		119	} else {
		120	memcpy(buffer, &rar->lzss.window[windowoffs], length);
		121	}
		122	@@ -3228,6 +3228,9 @@ parse_filter(struct archive_read a, const uint8_t bytes, uint16_t length, uint
		123	else
		124	blocklength = prog ? prog->oldfilterlength : 0;
		125
		126	+ if (blocklength > rar->dictionary_size)
		127	+ return 0;
		128	+
		129	registers[3] = PROGRAM_SYSTEM_GLOBAL_ADDRESS;
		130	registers[4] = blocklength;
		131	registers[5] = prog ? prog->usagecount : 0;
		132	diff --git a/libarchive/test/CMakeLists.txt b/libarchive/test/CMakeLists.txt
		133	index bbbff22..05c6fd7 100644
		134	--- a/libarchive/test/CMakeLists.txt
		135	+++ b/libarchive/test/CMakeLists.txt
		136	@@ -154,6 +154,7 @@ IF(ENABLE_TEST)
		137	test_read_format_rar_encryption_partially.c
		138	test_read_format_rar_invalid1.c
		139	test_read_format_rar_filter.c
		140	+ test_read_format_rar_overflow.c
		141	test_read_format_rar5.c
		142	test_read_format_raw.c
		143	test_read_format_tar.c
		144	diff --git a/libarchive/test/test_read_format_rar_overflow.c b/libarchive/test/test_read_format_rar_overflow.c
		145	new file mode 100644
		146	index 0000000..b39ed6b
		147	--- /dev/null
		148	+++ b/libarchive/test/test_read_format_rar_overflow.c
		149	@@ -0,0 +1,48 @@
		150	+/*-
		151	+ * Copyright (c) 2003-2025 Tim Kientzle
		152	+ * All rights reserved.
		153	+ *
		154	+ * Redistribution and use in source and binary forms, with or without
		155	+ * modification, are permitted provided that the following conditions
		156	+ * are met:
		157	+ * 1. Redistributions of source code must retain the above copyright
		158	+ * notice, this list of conditions and the following disclaimer.
		159	+ * 2. Redistributions in binary form must reproduce the above copyright
		160	+ * notice, this list of conditions and the following disclaimer in the
		161	+ * documentation and/or other materials provided with the distribution.
		162	+ *
		163	+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR(S) ``AS IS'' AND ANY EXPRESS OR
		164	+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
		165	+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
		166	+ * IN NO EVENT SHALL THE AUTHOR(S) BE LIABLE FOR ANY DIRECT, INDIRECT,
		167	+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
		168	+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
		169	+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
		170	+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
		171	+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
		172	+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
		173	+ */
		174	+#include "test.h"
		175	+
		176	+DEFINE_TEST(test_read_format_rar_overflow)
		177	+{
		178	+ struct archive *a;
		179	+ struct archive_entry *ae;
		180	+ const char reffile[] = "test_read_format_rar_overflow.rar";
		181	+ const void *buff;
		182	+ size_t size;
		183	+ int64_t offset;
		184	+
		185	+ extract_reference_file(reffile);
		186	+ assert((a = archive_read_new()) != NULL);
		187	+ assertEqualIntA(a, ARCHIVE_OK, archive_read_support_filter_all(a));
		188	+ assertEqualIntA(a, ARCHIVE_OK, archive_read_support_format_all(a));
		189	+ assertEqualIntA(a, ARCHIVE_OK, archive_read_open_filename(a, reffile, 1024));
		190	+ assertEqualIntA(a, ARCHIVE_OK, archive_read_next_header(a, &ae));
		191	+ assertEqualInt(48, archive_entry_size(ae));
		192	+ /* The next call should reproduce Issue #2565 */
		193	+ assertEqualIntA(a, ARCHIVE_FATAL, archive_read_data_block(a, &buff, &size, &offset));
		194	+
		195	+ assertEqualIntA(a, ARCHIVE_OK, archive_read_close(a));
		196	+ assertEqualInt(ARCHIVE_OK, archive_read_free(a));
		197	+}
		198	diff --git a/libarchive/test/test_read_format_rar_overflow.rar.uu b/libarchive/test/test_read_format_rar_overflow.rar.uu
		199	new file mode 100644
		200	index 0000000..48fd3fd
		201	--- /dev/null
		202	+++ b/libarchive/test/test_read_format_rar_overflow.rar.uu
		203	@@ -0,0 +1,11 @@
		204	+begin 644 test_read_format_rar_overflow.rar
		205	+M4F%R(1H'`,($=```(0`@`0``,`````(````````````S`0``````,`"_B%_:
		206	+MZ?^[:7``?S!!,`@P,KB@,T@RN33)MTEB@5Z3<`DP`K35`.0P63@P<,Q&0?#,
		207	+MA##,,",S,(@P,#,@##`&,#":(3`!,#"(`9HPS,,S13`P,#`P,*`PHPS,,S1A
		208	+M,!,!,#","9H@S12D#$PP!C`P`*'F03":,,T8H`@\,/DPJS!/,"30,#`3N%LP
		209	+MCQ6:S3"!,#LP22<-,$5%B"5B$S!)(&*>G#+@!`E`%0ODC])62=DO,)BYJX'P
		210	+M=/LPZ3!!008?%S`P,#`P,#`P,#`P,#`P,#`P,#`P2$PP,#`P03!(,#`P,#`&
		211	+M,`7),#`P,#`P,#`P,#`P,#`P,#`P,#`P,#`P,#`P,#`P,#`P,#`P,#`P,#`P
		212	+-,#`P,#`P,#`P,#`P,```
		213	+`
		214	+end
		215	--
		216	2.40.0
		217


diff --git a/meta/recipes-extended/libarchive/libarchive_3.6.2.bb b/meta/recipes-extended/libarchive/libarchive_3.6.2.bb index 4d0e3f7179..c612c1b7e0 100644 --- a/meta/recipes-extended/libarchive/libarchive_3.6.2.bb +++ b/meta/recipes-extended/libarchive/libarchive_3.6.2.bb
@@ -36,6 +36,7 @@ SRC_URI = "http://libarchive.org/downloads/libarchive-${PV}.tar.gz \
36	file://CVE-2024-20696.patch \	36	file://CVE-2024-20696.patch \
37	file://CVE-2025-25724.patch \	37	file://CVE-2025-25724.patch \
38	file://CVE-2025-5914.patch \	38	file://CVE-2025-5914.patch \
		39	file://CVE-2025-5915.patch \
39	"	40	"
40	UPSTREAM_CHECK_URI = "http://libarchive.org/"	41	UPSTREAM_CHECK_URI = "http://libarchive.org/"
41		42