6 files changed, 5 insertions, 285 deletions
diff --git a/meta/recipes-extended/libarchive/libarchive/CVE-2024-20696.patch b/meta/recipes-extended/libarchive/libarchive/CVE-2024-20696.patch
deleted file mode 100644
index e55d58d37b..0000000000
--- a/meta/recipes-extended/libarchive/libarchive/CVE-2024-20696.patch
+++ /dev/null
@@ -1,115 +0,0 @@
-From eac15e252010c1189a5c0f461364dbe2cd2a68b1 Mon Sep 17 00:00:00 2001
-From: "Dustin L. Howett" <dustin@howett.net>
-Date: Thu, 9 May 2024 18:59:17 -0500
-Subject: [PATCH] rar4 reader: protect copy_from_lzss_window_to_unp() (#2172)
-copy_from_lzss_window_to_unp unnecessarily took an `int` parameter where
-both of its callers were holding a `size_t`.
-A lzss opcode chain could be constructed that resulted in a negative
-copy length, which when passed into memcpy would result in a very, very
-large positive number.
-Switching copy_from_lzss_window_to_unp to take a `size_t` allows it to
-properly bounds-check length.
-In addition, this patch also ensures that `length` is not itself larger
-than the destination buffer.
-CVE: CVE-2024-20696
-Upstream-Status: Backport [https://github.com/libarchive/libarchive/commit/eac15e252010c1189a5c0f461364dbe2cd2a68b1]
-Signed-off-by: Nitin Wankhade <nitin.wankhade@kpit.com>
---
--- a/libarchive/archive_read_support_format_rar.c      2024-04-26 14:52:59.000000000 +0530
-+++ b/libarchive/archive_read_support_format_rar.c      2024-12-12 07:35:33.287412704 +0530
-@@ -432,7 +432,7 @@ static int make_table_recurse(struct arc
-                               struct huffman_table_entry *, int, int);
- static int expand(struct archive_read *, int64_t *);
- static int copy_from_lzss_window_to_unp(struct archive_read *, const void **,
-                                        int64_t, int);
-+                                        int64_t, size_t);
- static const void *rar_read_ahead(struct archive_read *, size_t, ssize_t *);
- static int parse_filter(struct archive_read *, const uint8_t *, uint16_t,
-                         uint8_t);
-@@ -2060,7 +2060,7 @@ read_data_compressed(struct archive_read
-         bs = rar->unp_buffer_size - rar->unp_offset;
-       else
-         bs = (size_t)rar->bytes_uncopied;
-      ret = copy_from_lzss_window_to_unp(a, buff, rar->offset, (int)bs);
-+      ret = copy_from_lzss_window_to_unp(a, buff, rar->offset, bs);
-       if (ret != ARCHIVE_OK)
-         return (ret);
-       rar->offset += bs;
-@@ -2213,7 +2213,7 @@ read_data_compressed(struct archive_read
-       bs = rar->unp_buffer_size - rar->unp_offset;
-     else
-       bs = (size_t)rar->bytes_uncopied;
-    ret = copy_from_lzss_window_to_unp(a, buff, rar->offset, (int)bs);
-+    ret = copy_from_lzss_window_to_unp(a, buff, rar->offset, bs);
-     if (ret != ARCHIVE_OK)
-       return (ret);
-     rar->offset += bs;
-@@ -3094,11 +3094,16 @@ copy_from_lzss_window(struct archive_rea
- 
- static int
- copy_from_lzss_window_to_unp(struct archive_read *a, const void **buffer,
-                             int64_t startpos, int length)
-+                             int64_t startpos, size_t length)
- {
-   int windowoffs, firstpart;
-   struct rar *rar = (struct rar *)(a->format->data);
- 
-+  if (length > rar->unp_buffer_size)
-+  {
-+    goto fatal;
-+  }
-+
-   if (!rar->unp_buffer)
-   {
-     if ((rar->unp_buffer = malloc(rar->unp_buffer_size)) == NULL)
-@@ -3110,17 +3115,17 @@ copy_from_lzss_window_to_unp(struct arch
-   }
- 
-   windowoffs = lzss_offset_for_position(&rar->lzss, startpos);
-  if(windowoffs + length <= lzss_size(&rar->lzss)) {
-+  if(windowoffs + length <= (size_t)lzss_size(&rar->lzss)) {
-     memcpy(&rar->unp_buffer[rar->unp_offset], &rar->lzss.window[windowoffs],
-            length);
-  } else if (length <= lzss_size(&rar->lzss)) {
-+  } else if (length <= (size_t)lzss_size(&rar->lzss)) {
-     firstpart = lzss_size(&rar->lzss) - windowoffs;
-     if (firstpart < 0) {
-       archive_set_error(&a->archive, ARCHIVE_ERRNO_FILE_FORMAT,
-                         "Bad RAR file data");
-       return (ARCHIVE_FATAL);
-     }
-    if (firstpart < length) {
-+    if ((size_t)firstpart < length) {
-       memcpy(&rar->unp_buffer[rar->unp_offset],
-              &rar->lzss.window[windowoffs], firstpart);
-       memcpy(&rar->unp_buffer[rar->unp_offset + firstpart],
-@@ -3130,9 +3135,7 @@ copy_from_lzss_window_to_unp(struct arch
-              &rar->lzss.window[windowoffs], length);
-     }
-   } else {
-      archive_set_error(&a->archive, ARCHIVE_ERRNO_FILE_FORMAT,
-                        "Bad RAR file data");
-      return (ARCHIVE_FATAL);
-+      goto fatal;
-   }
-   rar->unp_offset += length;
-   if (rar->unp_offset >= rar->unp_buffer_size)
-@@ -3140,6 +3143,11 @@ copy_from_lzss_window_to_unp(struct arch
-   else
-     *buffer = NULL;
-   return (ARCHIVE_OK);
-+
-+fatal:
-+  archive_set_error(&a->archive, ARCHIVE_ERRNO_FILE_FORMAT,
-+                    "Bad RAR file data");
-+  return (ARCHIVE_FATAL);
- }
- 
- static const void *
diff --git a/meta/recipes-extended/libarchive/libarchive/CVE-2024-48957.patch b/meta/recipes-extended/libarchive/libarchive/CVE-2024-48957.patch
deleted file mode 100644
index 98877cf72c..0000000000
--- a/meta/recipes-extended/libarchive/libarchive/CVE-2024-48957.patch
+++ /dev/null
@@ -1,36 +0,0 @@
-From 3006bc5d02ad3ae3c4f9274f60c1f9d2d834734b Mon Sep 17 00:00:00 2001
-From: Wei-Cheng Pan <legnaleurc@gmail.com>
-Date: Mon, 29 Apr 2024 06:53:19 +0900
-Subject: [PATCH] fix: OOB in rar audio filter (#2149)
-This patch ensures that `src` won't move ahead of `dst`, so `src` will
-not OOB. Similar situation like in a1cb648.
-Upstream-Status: Backport [https://github.com/libarchive/libarchive/commit/3006bc5d02ad3ae3c4f9274f60c1f9d2d834734b]
-CVE: CVE-2024-48957
-Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
---
- libarchive/archive_read_support_format_rar.c | 7 +++++++
- 1 file changed, 7 insertions(+)
-diff --git a/libarchive/archive_read_support_format_rar.c b/libarchive/archive_read_support_format_rar.c
-index 79669a8..95a91dc 100644
--- a/libarchive/archive_read_support_format_rar.c
-+++ b/libarchive/archive_read_support_format_rar.c
-@@ -3714,6 +3714,13 @@ execute_filter_audio(struct rar_filter *filter, struct rar_virtual_machine *vm)
-     memset(&state, 0, sizeof(state));
-     for (j = i; j < length; j += numchannels)
-     {
-+      /*
-+       * The src block should not overlap with the dst block.
-+       * If so it would be better to consider this archive is broken.
-+       */
-+      if (src >= dst)
-+        return 0;
-+
-       int8_t delta = (int8_t)*src++;
-       uint8_t predbyte, byte;
-       int prederror;
-- 
-2.25.1
diff --git a/meta/recipes-extended/libarchive/libarchive/CVE-2024-48958.patch b/meta/recipes-extended/libarchive/libarchive/CVE-2024-48958.patch
deleted file mode 100644
index de266e9d95..0000000000
--- a/meta/recipes-extended/libarchive/libarchive/CVE-2024-48958.patch
+++ /dev/null
@@ -1,40 +0,0 @@
-From a1cb648d52f5b6d3f31184d9b6a7cbca628459b7 Mon Sep 17 00:00:00 2001
-From: Wei-Cheng Pan <legnaleurc@gmail.com>
-Date: Mon, 29 Apr 2024 06:50:22 +0900
-Subject: [PATCH] fix: OOB in rar delta filter (#2148)
-Ensure that `src` won't move ahead of `dst`, so `src` will not OOB.
-Since `dst` won't move in this function, and we are only increasing `src`
-position, this check should be enough. It should be safe to early return
-because this function does not allocate resources.
-Upstream-Status: Backport [https://github.com/libarchive/libarchive/commit/a1cb648d52f5b6d3f31184d9b6a7cbca628459b7]
-CVE: CVE-2024-48958
-Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
---
- libarchive/archive_read_support_format_rar.c | 8 ++++++++
- 1 file changed, 8 insertions(+)
-diff --git a/libarchive/archive_read_support_format_rar.c b/libarchive/archive_read_support_format_rar.c
-index 95a91dc..4fc6626 100644
--- a/libarchive/archive_read_support_format_rar.c
-+++ b/libarchive/archive_read_support_format_rar.c
-@@ -3612,7 +3612,15 @@ execute_filter_delta(struct rar_filter *filter, struct rar_virtual_machine *vm)
-   {
-     uint8_t lastbyte = 0;
-     for (idx = i; idx < length; idx += numchannels)
-+    {
-+      /*
-+       * The src block should not overlap with the dst block.
-+       * If so it would be better to consider this archive is broken.
-+       */
-+      if (src >= dst)
-+        return 0;
-       lastbyte = dst[idx] = lastbyte - *src++;
-+    }
-   }
- 
-   filter->filteredblockaddress = length;
-- 
-2.25.1
diff --git a/meta/recipes-extended/libarchive/libarchive/CVE-2025-1632_CVE-2025-25724.patch b/meta/recipes-extended/libarchive/libarchive/CVE-2025-1632_CVE-2025-25724.patch
deleted file mode 100644
index 459b664180..0000000000
--- a/meta/recipes-extended/libarchive/libarchive/CVE-2025-1632_CVE-2025-25724.patch
+++ /dev/null
@@ -1,83 +0,0 @@
-From c9bc934e7e91d302e0feca6e713ccc38d6d01532 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Peter=20K=C3=A4stle?= <peter@piie.net>
-Date: Mon, 10 Mar 2025 16:43:04 +0100
-Subject: [PATCH] fix CVE-2025-1632 and CVE-2025-25724 (#2532)
-Hi,
-please find my approach to fix the CVE-2025-1632 and CVE-2025-25724
-vulnerabilities in this pr.
-As both error cases did trigger a NULL pointer deref (and triggered
-hopefully everywhere a coredump), we can safely replace the actual
-information by a predefined invalid string without breaking any
-functionality.
-CVE: CVE-2025-1632
-CVE: CVE-2025-25724
-Upstream-Status: Backport [https://github.com/libarchive/libarchive/commit/c9bc934e7e91d302e0feca6e713ccc38d6d01532]
-Signed-off-by: Peter Marko <peter.marko@siemens.com>
---------
-Signed-off-by: Peter Kaestle <peter@piie.net>
---
- tar/util.c       |  5 ++++-
- unzip/bsdunzip.c | 10 +++++++---
- 2 files changed, 11 insertions(+), 4 deletions(-)
-diff --git a/tar/util.c b/tar/util.c
-index 3b099cb5..f3cbdf0b 100644
--- a/tar/util.c
-+++ b/tar/util.c
-@@ -748,7 +748,10 @@ list_item_verbose(struct bsdtar *bsdtar, FILE *out, struct archive_entry *entry)
- #else
-        ltime = localtime(&tim);
- #endif
-       strftime(tmp, sizeof(tmp), fmt, ltime);
-+       if (ltime)
-+               strftime(tmp, sizeof(tmp), fmt, ltime);
-+       else
-+               sprintf(tmp, "-- -- ----");
-        fprintf(out, " %s ", tmp);
-        safe_fprintf(out, "%s", archive_entry_pathname(entry));
- 
-diff --git a/unzip/bsdunzip.c b/unzip/bsdunzip.c
-index 7c8cafc3..4a9028b7 100644
--- a/unzip/bsdunzip.c
-+++ b/unzip/bsdunzip.c
-@@ -904,6 +904,7 @@ list(struct archive *a, struct archive_entry *e)
-        char buf[20];
-        time_t mtime;
-        struct tm *tm;
-+       const char *pathname;
- 
-        mtime = archive_entry_mtime(e);
-        tm = localtime(&mtime);
-@@ -912,22 +913,25 @@ list(struct archive *a, struct archive_entry *e)
-        else
-                strftime(buf, sizeof(buf), "%m-%d-%g %R", tm);
- 
-+       pathname = archive_entry_pathname(e);
-+       if (!pathname)
-+               pathname = "";
-        if (!zipinfo_mode) {
-                if (v_opt == 1) {
-                        printf(" %8ju  %s   %s\n",
-                            (uintmax_t)archive_entry_size(e),
-                           buf, archive_entry_pathname(e));
-+                           buf, pathname);
-                } else if (v_opt == 2) {
-                        printf("%8ju  Stored  %7ju   0%%  %s  %08x  %s\n",
-                            (uintmax_t)archive_entry_size(e),
-                            (uintmax_t)archive_entry_size(e),
-                            buf,
-                            0U,
-                           archive_entry_pathname(e));
-+                           pathname);
-                }
-        } else {
-                if (Z1_opt)
-                       printf("%s\n",archive_entry_pathname(e));
-+                       printf("%s\n", pathname);
-        }
-        ac(archive_read_data_skip(a));
- }
diff --git a/meta/recipes-extended/libarchive/libarchive/configurehack.patch b/meta/recipes-extended/libarchive/libarchive/configurehack.patch
index 44720fdd53..97e42591cb 100644
--- a/meta/recipes-extended/libarchive/libarchive/configurehack.patch
+++ b/meta/recipes-extended/libarchive/libarchive/configurehack.patch
@@ -10,7 +10,7 @@ diff --git a/configure.ac b/configure.ac
 index 5668d41..7e65e49 100644
 --- a/configure.ac
 +++ b/configure.ac
-@@ -414,6 +414,19 @@ if test "x$with_bz2lib" != "xno"; then
+@@ -435,6 +435,19 @@ if test "x$with_bz2lib" != "xno"; then
   esac
 fi
 
@@ -30,7 +30,7 @@ index 5668d41..7e65e49 100644
 AC_ARG_WITH([libb2],
   AS_HELP_STRING([--without-libb2], [Don't build support for BLAKE2 through libb2]))
 
-@@ -678,19 +691,6 @@ fi
+@@ -694,19 +707,6 @@ fi
 
 AC_SUBST(DEAD_CODE_REMOVAL)
 
diff --git a/meta/recipes-extended/libarchive/libarchive_3.7.4.bb b/meta/recipes-extended/libarchive/libarchive_3.7.9.bb
index 156a6bdaae..4dd6794bb1 100644
--- a/meta/recipes-extended/libarchive/libarchive_3.7.4.bb
+++ b/meta/recipes-extended/libarchive/libarchive_3.7.9.bb
@@ -29,18 +29,12 @@ PACKAGECONFIG[zstd] = "--with-zstd,--without-zstd,zstd,"
 EXTRA_OECONF += "--enable-largefile --without-iconv"
-SRC_URI = "http://libarchive.org/downloads/libarchive-${PV}.tar.gz"
+SRC_URI = "http://libarchive.org/downloads/libarchive-${PV}.tar.gz \
-SRC_URI += "file://configurehack.patch \
+           file://configurehack.patch \
-            file://CVE-2024-48957.patch \
-            file://CVE-2024-48958.patch \
-            file://CVE-2024-20696.patch \
-            file://CVE-2025-1632_CVE-2025-25724.patch \
           "
 UPSTREAM_CHECK_URI = "http://libarchive.org/"
-SRC_URI[sha256sum] = "7875d49596286055b52439ed42f044bd8ad426aa4cc5aabd96bfe7abb971d5e8"
+SRC_URI[sha256sum] = "aa90732c5a6bdda52fda2ad468ac98d75be981c15dde263d7b5cf6af66fd009f"
-CVE_STATUS[CVE-2023-30571] = "upstream-wontfix: upstream has documented that reported function is not thread-safe"
 inherit autotools update-alternatives pkgconfig

diff --git a/meta/recipes-extended/libarchive/libarchive/CVE-2024-20696.patch b/meta/recipes-extended/libarchive/libarchive/CVE-2024-20696.patch deleted file mode 100644 index e55d58d37b..0000000000 --- a/meta/recipes-extended/libarchive/libarchive/CVE-2024-20696.patch +++ /dev/null
@@ -1,115 +0,0 @@
1	From eac15e252010c1189a5c0f461364dbe2cd2a68b1 Mon Sep 17 00:00:00 2001
2	From: "Dustin L. Howett" <dustin@howett.net>
3	Date: Thu, 9 May 2024 18:59:17 -0500
4	Subject: [PATCH] rar4 reader: protect copy_from_lzss_window_to_unp() (#2172)
5
6	copy_from_lzss_window_to_unp unnecessarily took an `int` parameter where
7	both of its callers were holding a `size_t`.
8
9	A lzss opcode chain could be constructed that resulted in a negative
10	copy length, which when passed into memcpy would result in a very, very
11	large positive number.
12
13	Switching copy_from_lzss_window_to_unp to take a `size_t` allows it to
14	properly bounds-check length.
15
16	In addition, this patch also ensures that `length` is not itself larger
17	than the destination buffer.
18
19	CVE: CVE-2024-20696
20	Upstream-Status: Backport [https://github.com/libarchive/libarchive/commit/eac15e252010c1189a5c0f461364dbe2cd2a68b1]
21
22	Signed-off-by: Nitin Wankhade <nitin.wankhade@kpit.com>
23	---
24
25	--- a/libarchive/archive_read_support_format_rar.c 2024-04-26 14:52:59.000000000 +0530
26	+++ b/libarchive/archive_read_support_format_rar.c 2024-12-12 07:35:33.287412704 +0530
27	@@ -432,7 +432,7 @@ static int make_table_recurse(struct arc
28	struct huffman_table_entry *, int, int);
29	static int expand(struct archive_read , int64_t );
30	static int copy_from_lzss_window_to_unp(struct archive_read , const void *,
31	- int64_t, int);
32	+ int64_t, size_t);
33	static const void rar_read_ahead(struct archive_read , size_t, ssize_t *);
34	static int parse_filter(struct archive_read , const uint8_t , uint16_t,
35	uint8_t);
36	@@ -2060,7 +2060,7 @@ read_data_compressed(struct archive_read
37	bs = rar->unp_buffer_size - rar->unp_offset;
38	else
39	bs = (size_t)rar->bytes_uncopied;
40	- ret = copy_from_lzss_window_to_unp(a, buff, rar->offset, (int)bs);
41	+ ret = copy_from_lzss_window_to_unp(a, buff, rar->offset, bs);
42	if (ret != ARCHIVE_OK)
43	return (ret);
44	rar->offset += bs;
45	@@ -2213,7 +2213,7 @@ read_data_compressed(struct archive_read
46	bs = rar->unp_buffer_size - rar->unp_offset;
47	else
48	bs = (size_t)rar->bytes_uncopied;
49	- ret = copy_from_lzss_window_to_unp(a, buff, rar->offset, (int)bs);
50	+ ret = copy_from_lzss_window_to_unp(a, buff, rar->offset, bs);
51	if (ret != ARCHIVE_OK)
52	return (ret);
53	rar->offset += bs;
54	@@ -3094,11 +3094,16 @@ copy_from_lzss_window(struct archive_rea
55
56	static int
57	copy_from_lzss_window_to_unp(struct archive_read a, const void *buffer,
58	- int64_t startpos, int length)
59	+ int64_t startpos, size_t length)
60	{
61	int windowoffs, firstpart;
62	struct rar rar = (struct rar )(a->format->data);
63
64	+ if (length > rar->unp_buffer_size)
65	+ {
66	+ goto fatal;
67	+ }
68	+
69	if (!rar->unp_buffer)
70	{
71	if ((rar->unp_buffer = malloc(rar->unp_buffer_size)) == NULL)
72	@@ -3110,17 +3115,17 @@ copy_from_lzss_window_to_unp(struct arch
73	}
74
75	windowoffs = lzss_offset_for_position(&rar->lzss, startpos);
76	- if(windowoffs + length <= lzss_size(&rar->lzss)) {
77	+ if(windowoffs + length <= (size_t)lzss_size(&rar->lzss)) {
78	memcpy(&rar->unp_buffer[rar->unp_offset], &rar->lzss.window[windowoffs],
79	length);
80	- } else if (length <= lzss_size(&rar->lzss)) {
81	+ } else if (length <= (size_t)lzss_size(&rar->lzss)) {
82	firstpart = lzss_size(&rar->lzss) - windowoffs;
83	if (firstpart < 0) {
84	archive_set_error(&a->archive, ARCHIVE_ERRNO_FILE_FORMAT,
85	"Bad RAR file data");
86	return (ARCHIVE_FATAL);
87	}
88	- if (firstpart < length) {
89	+ if ((size_t)firstpart < length) {
90	memcpy(&rar->unp_buffer[rar->unp_offset],
91	&rar->lzss.window[windowoffs], firstpart);
92	memcpy(&rar->unp_buffer[rar->unp_offset + firstpart],
93	@@ -3130,9 +3135,7 @@ copy_from_lzss_window_to_unp(struct arch
94	&rar->lzss.window[windowoffs], length);
95	}
96	} else {
97	- archive_set_error(&a->archive, ARCHIVE_ERRNO_FILE_FORMAT,
98	- "Bad RAR file data");
99	- return (ARCHIVE_FATAL);
100	+ goto fatal;
101	}
102	rar->unp_offset += length;
103	if (rar->unp_offset >= rar->unp_buffer_size)
104	@@ -3140,6 +3143,11 @@ copy_from_lzss_window_to_unp(struct arch
105	else
106	*buffer = NULL;
107	return (ARCHIVE_OK);
108	+
109	+fatal:
110	+ archive_set_error(&a->archive, ARCHIVE_ERRNO_FILE_FORMAT,
111	+ "Bad RAR file data");
112	+ return (ARCHIVE_FATAL);
113	}
114
115	static const void *


diff --git a/meta/recipes-extended/libarchive/libarchive/CVE-2024-48957.patch b/meta/recipes-extended/libarchive/libarchive/CVE-2024-48957.patch deleted file mode 100644 index 98877cf72c..0000000000 --- a/meta/recipes-extended/libarchive/libarchive/CVE-2024-48957.patch +++ /dev/null
@@ -1,36 +0,0 @@
1	From 3006bc5d02ad3ae3c4f9274f60c1f9d2d834734b Mon Sep 17 00:00:00 2001
2	From: Wei-Cheng Pan <legnaleurc@gmail.com>
3	Date: Mon, 29 Apr 2024 06:53:19 +0900
4	Subject: [PATCH] fix: OOB in rar audio filter (#2149)
5
6	This patch ensures that `src` won't move ahead of `dst`, so `src` will
7	not OOB. Similar situation like in a1cb648.
8
9	Upstream-Status: Backport [https://github.com/libarchive/libarchive/commit/3006bc5d02ad3ae3c4f9274f60c1f9d2d834734b]
10	CVE: CVE-2024-48957
11	Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
12	---
13	libarchive/archive_read_support_format_rar.c \| 7 +++++++
14	1 file changed, 7 insertions(+)
15
16	diff --git a/libarchive/archive_read_support_format_rar.c b/libarchive/archive_read_support_format_rar.c
17	index 79669a8..95a91dc 100644
18	--- a/libarchive/archive_read_support_format_rar.c
19	+++ b/libarchive/archive_read_support_format_rar.c
20	@@ -3714,6 +3714,13 @@ execute_filter_audio(struct rar_filter filter, struct rar_virtual_machine vm)
21	memset(&state, 0, sizeof(state));
22	for (j = i; j < length; j += numchannels)
23	{
24	+ /*
25	+ * The src block should not overlap with the dst block.
26	+ * If so it would be better to consider this archive is broken.
27	+ */
28	+ if (src >= dst)
29	+ return 0;
30	+
31	int8_t delta = (int8_t)*src++;
32	uint8_t predbyte, byte;
33	int prederror;
34	--
35	2.25.1
36


diff --git a/meta/recipes-extended/libarchive/libarchive/CVE-2024-48958.patch b/meta/recipes-extended/libarchive/libarchive/CVE-2024-48958.patch deleted file mode 100644 index de266e9d95..0000000000 --- a/meta/recipes-extended/libarchive/libarchive/CVE-2024-48958.patch +++ /dev/null
@@ -1,40 +0,0 @@
1	From a1cb648d52f5b6d3f31184d9b6a7cbca628459b7 Mon Sep 17 00:00:00 2001
2	From: Wei-Cheng Pan <legnaleurc@gmail.com>
3	Date: Mon, 29 Apr 2024 06:50:22 +0900
4	Subject: [PATCH] fix: OOB in rar delta filter (#2148)
5
6	Ensure that `src` won't move ahead of `dst`, so `src` will not OOB.
7	Since `dst` won't move in this function, and we are only increasing `src`
8	position, this check should be enough. It should be safe to early return
9	because this function does not allocate resources.
10
11	Upstream-Status: Backport [https://github.com/libarchive/libarchive/commit/a1cb648d52f5b6d3f31184d9b6a7cbca628459b7]
12	CVE: CVE-2024-48958
13	Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
14	---
15	libarchive/archive_read_support_format_rar.c \| 8 ++++++++
16	1 file changed, 8 insertions(+)
17
18	diff --git a/libarchive/archive_read_support_format_rar.c b/libarchive/archive_read_support_format_rar.c
19	index 95a91dc..4fc6626 100644
20	--- a/libarchive/archive_read_support_format_rar.c
21	+++ b/libarchive/archive_read_support_format_rar.c
22	@@ -3612,7 +3612,15 @@ execute_filter_delta(struct rar_filter filter, struct rar_virtual_machine vm)
23	{
24	uint8_t lastbyte = 0;
25	for (idx = i; idx < length; idx += numchannels)
26	+ {
27	+ /*
28	+ * The src block should not overlap with the dst block.
29	+ * If so it would be better to consider this archive is broken.
30	+ */
31	+ if (src >= dst)
32	+ return 0;
33	lastbyte = dst[idx] = lastbyte - *src++;
34	+ }
35	}
36
37	filter->filteredblockaddress = length;
38	--
39	2.25.1
40


diff --git a/meta/recipes-extended/libarchive/libarchive/CVE-2025-1632_CVE-2025-25724.patch b/meta/recipes-extended/libarchive/libarchive/CVE-2025-1632_CVE-2025-25724.patch deleted file mode 100644 index 459b664180..0000000000 --- a/meta/recipes-extended/libarchive/libarchive/CVE-2025-1632_CVE-2025-25724.patch +++ /dev/null
@@ -1,83 +0,0 @@
1	From c9bc934e7e91d302e0feca6e713ccc38d6d01532 Mon Sep 17 00:00:00 2001
2	From: =?UTF-8?q?Peter=20K=C3=A4stle?= <peter@piie.net>
3	Date: Mon, 10 Mar 2025 16:43:04 +0100
4	Subject: [PATCH] fix CVE-2025-1632 and CVE-2025-25724 (#2532)
5
6	Hi,
7
8	please find my approach to fix the CVE-2025-1632 and CVE-2025-25724
9	vulnerabilities in this pr.
10	As both error cases did trigger a NULL pointer deref (and triggered
11	hopefully everywhere a coredump), we can safely replace the actual
12	information by a predefined invalid string without breaking any
13	functionality.
14
15	CVE: CVE-2025-1632
16	CVE: CVE-2025-25724
17	Upstream-Status: Backport [https://github.com/libarchive/libarchive/commit/c9bc934e7e91d302e0feca6e713ccc38d6d01532]
18	Signed-off-by: Peter Marko <peter.marko@siemens.com>
19	---------
20
21	Signed-off-by: Peter Kaestle <peter@piie.net>
22	---
23	tar/util.c \| 5 ++++-
24	unzip/bsdunzip.c \| 10 +++++++---
25	2 files changed, 11 insertions(+), 4 deletions(-)
26
27	diff --git a/tar/util.c b/tar/util.c
28	index 3b099cb5..f3cbdf0b 100644
29	--- a/tar/util.c
30	+++ b/tar/util.c
31	@@ -748,7 +748,10 @@ list_item_verbose(struct bsdtar bsdtar, FILE out, struct archive_entry *entry)
32	#else
33	ltime = localtime(&tim);
34	#endif
35	- strftime(tmp, sizeof(tmp), fmt, ltime);
36	+ if (ltime)
37	+ strftime(tmp, sizeof(tmp), fmt, ltime);
38	+ else
39	+ sprintf(tmp, "-- -- ----");
40	fprintf(out, " %s ", tmp);
41	safe_fprintf(out, "%s", archive_entry_pathname(entry));
42
43	diff --git a/unzip/bsdunzip.c b/unzip/bsdunzip.c
44	index 7c8cafc3..4a9028b7 100644
45	--- a/unzip/bsdunzip.c
46	+++ b/unzip/bsdunzip.c
47	@@ -904,6 +904,7 @@ list(struct archive a, struct archive_entry e)
48	char buf[20];
49	time_t mtime;
50	struct tm *tm;
51	+ const char *pathname;
52
53	mtime = archive_entry_mtime(e);
54	tm = localtime(&mtime);
55	@@ -912,22 +913,25 @@ list(struct archive a, struct archive_entry e)
56	else
57	strftime(buf, sizeof(buf), "%m-%d-%g %R", tm);
58
59	+ pathname = archive_entry_pathname(e);
60	+ if (!pathname)
61	+ pathname = "";
62	if (!zipinfo_mode) {
63	if (v_opt == 1) {
64	printf(" %8ju %s %s\n",
65	(uintmax_t)archive_entry_size(e),
66	- buf, archive_entry_pathname(e));
67	+ buf, pathname);
68	} else if (v_opt == 2) {
69	printf("%8ju Stored %7ju 0%% %s %08x %s\n",
70	(uintmax_t)archive_entry_size(e),
71	(uintmax_t)archive_entry_size(e),
72	buf,
73	0U,
74	- archive_entry_pathname(e));
75	+ pathname);
76	}
77	} else {
78	if (Z1_opt)
79	- printf("%s\n",archive_entry_pathname(e));
80	+ printf("%s\n", pathname);
81	}
82	ac(archive_read_data_skip(a));
83	}


diff --git a/meta/recipes-extended/libarchive/libarchive/configurehack.patch b/meta/recipes-extended/libarchive/libarchive/configurehack.patch index 44720fdd53..97e42591cb 100644 --- a/meta/recipes-extended/libarchive/libarchive/configurehack.patch +++ b/meta/recipes-extended/libarchive/libarchive/configurehack.patch
@@ -10,7 +10,7 @@ diff --git a/configure.ac b/configure.ac
10	index 5668d41..7e65e49 100644	10	index 5668d41..7e65e49 100644
11	--- a/configure.ac	11	--- a/configure.ac
12	+++ b/configure.ac	12	+++ b/configure.ac
13	@@ -414,6 +414,19 @@ if test "x$with_bz2lib" != "xno"; then	13	@@ -435,6 +435,19 @@ if test "x$with_bz2lib" != "xno"; then
14	esac	14	esac
15	fi	15	fi
16		16
@@ -30,7 +30,7 @@ index 5668d41..7e65e49 100644
30	AC_ARG_WITH([libb2],	30	AC_ARG_WITH([libb2],
31	AS_HELP_STRING([--without-libb2], [Don't build support for BLAKE2 through libb2]))	31	AS_HELP_STRING([--without-libb2], [Don't build support for BLAKE2 through libb2]))
32		32
33	@@ -678,19 +691,6 @@ fi	33	@@ -694,19 +707,6 @@ fi
34		34
35	AC_SUBST(DEAD_CODE_REMOVAL)	35	AC_SUBST(DEAD_CODE_REMOVAL)
36		36


diff --git a/meta/recipes-extended/libarchive/libarchive_3.7.4.bb b/meta/recipes-extended/libarchive/libarchive_3.7.9.bb index 156a6bdaae..4dd6794bb1 100644 --- a/meta/recipes-extended/libarchive/libarchive_3.7.4.bb +++ b/meta/recipes-extended/libarchive/libarchive_3.7.9.bb
@@ -29,18 +29,12 @@ PACKAGECONFIG[zstd] = "--with-zstd,--without-zstd,zstd,"
29		29
30	EXTRA_OECONF += "--enable-largefile --without-iconv"	30	EXTRA_OECONF += "--enable-largefile --without-iconv"
31		31
32	SRC_URI = "http://libarchive.org/downloads/libarchive-${PV}.tar.gz"	32	SRC_URI = "http://libarchive.org/downloads/libarchive-${PV}.tar.gz \
33	SRC_URI += "file://configurehack.patch \	33	file://configurehack.patch \
34	file://CVE-2024-48957.patch \
35	file://CVE-2024-48958.patch \
36	file://CVE-2024-20696.patch \
37	file://CVE-2025-1632_CVE-2025-25724.patch \
38	"	34	"
39	UPSTREAM_CHECK_URI = "http://libarchive.org/"	35	UPSTREAM_CHECK_URI = "http://libarchive.org/"
40		36
41	SRC_URI[sha256sum] = "7875d49596286055b52439ed42f044bd8ad426aa4cc5aabd96bfe7abb971d5e8"	37	SRC_URI[sha256sum] = "aa90732c5a6bdda52fda2ad468ac98d75be981c15dde263d7b5cf6af66fd009f"
42
43	CVE_STATUS[CVE-2023-30571] = "upstream-wontfix: upstream has documented that reported function is not thread-safe"
44		38
45	inherit autotools update-alternatives pkgconfig	39	inherit autotools update-alternatives pkgconfig
46		40