2 files changed, 117 insertions, 1 deletions
diff --git a/meta/recipes-extended/libarchive/libarchive/CVE-2024-20696.patch b/meta/recipes-extended/libarchive/libarchive/CVE-2024-20696.patch
new file mode 100644
index 0000000000..e55d58d37b
--- /dev/null
+++ b/meta/recipes-extended/libarchive/libarchive/CVE-2024-20696.patch
@@ -0,0 +1,115 @@
+From eac15e252010c1189a5c0f461364dbe2cd2a68b1 Mon Sep 17 00:00:00 2001
+From: "Dustin L. Howett" <dustin@howett.net>
+Date: Thu, 9 May 2024 18:59:17 -0500
+Subject: [PATCH] rar4 reader: protect copy_from_lzss_window_to_unp() (#2172)
+copy_from_lzss_window_to_unp unnecessarily took an `int` parameter where
+both of its callers were holding a `size_t`.
+A lzss opcode chain could be constructed that resulted in a negative
+copy length, which when passed into memcpy would result in a very, very
+large positive number.
+Switching copy_from_lzss_window_to_unp to take a `size_t` allows it to
+properly bounds-check length.
+In addition, this patch also ensures that `length` is not itself larger
+than the destination buffer.
+CVE: CVE-2024-20696
+Upstream-Status: Backport [https://github.com/libarchive/libarchive/commit/eac15e252010c1189a5c0f461364dbe2cd2a68b1]
+Signed-off-by: Nitin Wankhade <nitin.wankhade@kpit.com>
+---
+--- a/libarchive/archive_read_support_format_rar.c      2024-04-26 14:52:59.000000000 +0530
+++ b/libarchive/archive_read_support_format_rar.c      2024-12-12 07:35:33.287412704 +0530
+@@ -432,7 +432,7 @@ static int make_table_recurse(struct arc
+                               struct huffman_table_entry *, int, int);
+ static int expand(struct archive_read *, int64_t *);
+ static int copy_from_lzss_window_to_unp(struct archive_read *, const void **,
+-                                        int64_t, int);
+                                        int64_t, size_t);
+ static const void *rar_read_ahead(struct archive_read *, size_t, ssize_t *);
+ static int parse_filter(struct archive_read *, const uint8_t *, uint16_t,
+                         uint8_t);
+@@ -2060,7 +2060,7 @@ read_data_compressed(struct archive_read
+         bs = rar->unp_buffer_size - rar->unp_offset;
+       else
+         bs = (size_t)rar->bytes_uncopied;
+-      ret = copy_from_lzss_window_to_unp(a, buff, rar->offset, (int)bs);
+      ret = copy_from_lzss_window_to_unp(a, buff, rar->offset, bs);
+       if (ret != ARCHIVE_OK)
+         return (ret);
+       rar->offset += bs;
+@@ -2213,7 +2213,7 @@ read_data_compressed(struct archive_read
+       bs = rar->unp_buffer_size - rar->unp_offset;
+     else
+       bs = (size_t)rar->bytes_uncopied;
+-    ret = copy_from_lzss_window_to_unp(a, buff, rar->offset, (int)bs);
+    ret = copy_from_lzss_window_to_unp(a, buff, rar->offset, bs);
+     if (ret != ARCHIVE_OK)
+       return (ret);
+     rar->offset += bs;
+@@ -3094,11 +3094,16 @@ copy_from_lzss_window(struct archive_rea
+ 
+ static int
+ copy_from_lzss_window_to_unp(struct archive_read *a, const void **buffer,
+-                             int64_t startpos, int length)
+                             int64_t startpos, size_t length)
+ {
+   int windowoffs, firstpart;
+   struct rar *rar = (struct rar *)(a->format->data);
+ 
+  if (length > rar->unp_buffer_size)
+  {
+    goto fatal;
+  }
+
+   if (!rar->unp_buffer)
+   {
+     if ((rar->unp_buffer = malloc(rar->unp_buffer_size)) == NULL)
+@@ -3110,17 +3115,17 @@ copy_from_lzss_window_to_unp(struct arch
+   }
+ 
+   windowoffs = lzss_offset_for_position(&rar->lzss, startpos);
+-  if(windowoffs + length <= lzss_size(&rar->lzss)) {
+  if(windowoffs + length <= (size_t)lzss_size(&rar->lzss)) {
+     memcpy(&rar->unp_buffer[rar->unp_offset], &rar->lzss.window[windowoffs],
+            length);
+-  } else if (length <= lzss_size(&rar->lzss)) {
+  } else if (length <= (size_t)lzss_size(&rar->lzss)) {
+     firstpart = lzss_size(&rar->lzss) - windowoffs;
+     if (firstpart < 0) {
+       archive_set_error(&a->archive, ARCHIVE_ERRNO_FILE_FORMAT,
+                         "Bad RAR file data");
+       return (ARCHIVE_FATAL);
+     }
+-    if (firstpart < length) {
+    if ((size_t)firstpart < length) {
+       memcpy(&rar->unp_buffer[rar->unp_offset],
+              &rar->lzss.window[windowoffs], firstpart);
+       memcpy(&rar->unp_buffer[rar->unp_offset + firstpart],
+@@ -3130,9 +3135,7 @@ copy_from_lzss_window_to_unp(struct arch
+              &rar->lzss.window[windowoffs], length);
+     }
+   } else {
+-      archive_set_error(&a->archive, ARCHIVE_ERRNO_FILE_FORMAT,
+-                        "Bad RAR file data");
+-      return (ARCHIVE_FATAL);
+      goto fatal;
+   }
+   rar->unp_offset += length;
+   if (rar->unp_offset >= rar->unp_buffer_size)
+@@ -3140,6 +3143,11 @@ copy_from_lzss_window_to_unp(struct arch
+   else
+     *buffer = NULL;
+   return (ARCHIVE_OK);
+
+fatal:
+  archive_set_error(&a->archive, ARCHIVE_ERRNO_FILE_FORMAT,
+                    "Bad RAR file data");
+  return (ARCHIVE_FATAL);
+ }
+ 
+ static const void *
diff --git a/meta/recipes-extended/libarchive/libarchive_3.7.4.bb b/meta/recipes-extended/libarchive/libarchive_3.7.4.bb
index 6e406611f9..80b2e49eac 100644
--- a/meta/recipes-extended/libarchive/libarchive_3.7.4.bb
+++ b/meta/recipes-extended/libarchive/libarchive_3.7.4.bb
@@ -33,7 +33,8 @@ SRC_URI = "http://libarchive.org/downloads/libarchive-${PV}.tar.gz"
 SRC_URI += "file://configurehack.patch \
            file://CVE-2024-48957.patch \
            file://CVE-2024-48958.patch \
-        "
+            file://CVE-2024-20696.patch \
+           "
 UPSTREAM_CHECK_URI = "http://libarchive.org/"
 SRC_URI[sha256sum] = "7875d49596286055b52439ed42f044bd8ad426aa4cc5aabd96bfe7abb971d5e8"

diff --git a/meta/recipes-extended/libarchive/libarchive/CVE-2024-20696.patch b/meta/recipes-extended/libarchive/libarchive/CVE-2024-20696.patch new file mode 100644 index 0000000000..e55d58d37b --- /dev/null +++ b/meta/recipes-extended/libarchive/libarchive/CVE-2024-20696.patch
@@ -0,0 +1,115 @@
		1	From eac15e252010c1189a5c0f461364dbe2cd2a68b1 Mon Sep 17 00:00:00 2001
		2	From: "Dustin L. Howett" <dustin@howett.net>
		3	Date: Thu, 9 May 2024 18:59:17 -0500
		4	Subject: [PATCH] rar4 reader: protect copy_from_lzss_window_to_unp() (#2172)
		5
		6	copy_from_lzss_window_to_unp unnecessarily took an `int` parameter where
		7	both of its callers were holding a `size_t`.
		8
		9	A lzss opcode chain could be constructed that resulted in a negative
		10	copy length, which when passed into memcpy would result in a very, very
		11	large positive number.
		12
		13	Switching copy_from_lzss_window_to_unp to take a `size_t` allows it to
		14	properly bounds-check length.
		15
		16	In addition, this patch also ensures that `length` is not itself larger
		17	than the destination buffer.
		18
		19	CVE: CVE-2024-20696
		20	Upstream-Status: Backport [https://github.com/libarchive/libarchive/commit/eac15e252010c1189a5c0f461364dbe2cd2a68b1]
		21
		22	Signed-off-by: Nitin Wankhade <nitin.wankhade@kpit.com>
		23	---
		24
		25	--- a/libarchive/archive_read_support_format_rar.c 2024-04-26 14:52:59.000000000 +0530
		26	+++ b/libarchive/archive_read_support_format_rar.c 2024-12-12 07:35:33.287412704 +0530
		27	@@ -432,7 +432,7 @@ static int make_table_recurse(struct arc
		28	struct huffman_table_entry *, int, int);
		29	static int expand(struct archive_read , int64_t );
		30	static int copy_from_lzss_window_to_unp(struct archive_read , const void *,
		31	- int64_t, int);
		32	+ int64_t, size_t);
		33	static const void rar_read_ahead(struct archive_read , size_t, ssize_t *);
		34	static int parse_filter(struct archive_read , const uint8_t , uint16_t,
		35	uint8_t);
		36	@@ -2060,7 +2060,7 @@ read_data_compressed(struct archive_read
		37	bs = rar->unp_buffer_size - rar->unp_offset;
		38	else
		39	bs = (size_t)rar->bytes_uncopied;
		40	- ret = copy_from_lzss_window_to_unp(a, buff, rar->offset, (int)bs);
		41	+ ret = copy_from_lzss_window_to_unp(a, buff, rar->offset, bs);
		42	if (ret != ARCHIVE_OK)
		43	return (ret);
		44	rar->offset += bs;
		45	@@ -2213,7 +2213,7 @@ read_data_compressed(struct archive_read
		46	bs = rar->unp_buffer_size - rar->unp_offset;
		47	else
		48	bs = (size_t)rar->bytes_uncopied;
		49	- ret = copy_from_lzss_window_to_unp(a, buff, rar->offset, (int)bs);
		50	+ ret = copy_from_lzss_window_to_unp(a, buff, rar->offset, bs);
		51	if (ret != ARCHIVE_OK)
		52	return (ret);
		53	rar->offset += bs;
		54	@@ -3094,11 +3094,16 @@ copy_from_lzss_window(struct archive_rea
		55
		56	static int
		57	copy_from_lzss_window_to_unp(struct archive_read a, const void *buffer,
		58	- int64_t startpos, int length)
		59	+ int64_t startpos, size_t length)
		60	{
		61	int windowoffs, firstpart;
		62	struct rar rar = (struct rar )(a->format->data);
		63
		64	+ if (length > rar->unp_buffer_size)
		65	+ {
		66	+ goto fatal;
		67	+ }
		68	+
		69	if (!rar->unp_buffer)
		70	{
		71	if ((rar->unp_buffer = malloc(rar->unp_buffer_size)) == NULL)
		72	@@ -3110,17 +3115,17 @@ copy_from_lzss_window_to_unp(struct arch
		73	}
		74
		75	windowoffs = lzss_offset_for_position(&rar->lzss, startpos);
		76	- if(windowoffs + length <= lzss_size(&rar->lzss)) {
		77	+ if(windowoffs + length <= (size_t)lzss_size(&rar->lzss)) {
		78	memcpy(&rar->unp_buffer[rar->unp_offset], &rar->lzss.window[windowoffs],
		79	length);
		80	- } else if (length <= lzss_size(&rar->lzss)) {
		81	+ } else if (length <= (size_t)lzss_size(&rar->lzss)) {
		82	firstpart = lzss_size(&rar->lzss) - windowoffs;
		83	if (firstpart < 0) {
		84	archive_set_error(&a->archive, ARCHIVE_ERRNO_FILE_FORMAT,
		85	"Bad RAR file data");
		86	return (ARCHIVE_FATAL);
		87	}
		88	- if (firstpart < length) {
		89	+ if ((size_t)firstpart < length) {
		90	memcpy(&rar->unp_buffer[rar->unp_offset],
		91	&rar->lzss.window[windowoffs], firstpart);
		92	memcpy(&rar->unp_buffer[rar->unp_offset + firstpart],
		93	@@ -3130,9 +3135,7 @@ copy_from_lzss_window_to_unp(struct arch
		94	&rar->lzss.window[windowoffs], length);
		95	}
		96	} else {
		97	- archive_set_error(&a->archive, ARCHIVE_ERRNO_FILE_FORMAT,
		98	- "Bad RAR file data");
		99	- return (ARCHIVE_FATAL);
		100	+ goto fatal;
		101	}
		102	rar->unp_offset += length;
		103	if (rar->unp_offset >= rar->unp_buffer_size)
		104	@@ -3140,6 +3143,11 @@ copy_from_lzss_window_to_unp(struct arch
		105	else
		106	*buffer = NULL;
		107	return (ARCHIVE_OK);
		108	+
		109	+fatal:
		110	+ archive_set_error(&a->archive, ARCHIVE_ERRNO_FILE_FORMAT,
		111	+ "Bad RAR file data");
		112	+ return (ARCHIVE_FATAL);
		113	}
		114
		115	static const void *


diff --git a/meta/recipes-extended/libarchive/libarchive_3.7.4.bb b/meta/recipes-extended/libarchive/libarchive_3.7.4.bb index 6e406611f9..80b2e49eac 100644 --- a/meta/recipes-extended/libarchive/libarchive_3.7.4.bb +++ b/meta/recipes-extended/libarchive/libarchive_3.7.4.bb
@@ -33,7 +33,8 @@ SRC_URI = "http://libarchive.org/downloads/libarchive-${PV}.tar.gz"
33	SRC_URI += "file://configurehack.patch \	33	SRC_URI += "file://configurehack.patch \
34	file://CVE-2024-48957.patch \	34	file://CVE-2024-48957.patch \
35	file://CVE-2024-48958.patch \	35	file://CVE-2024-48958.patch \
36	"	36	file://CVE-2024-20696.patch \
		37	"
37	UPSTREAM_CHECK_URI = "http://libarchive.org/"	38	UPSTREAM_CHECK_URI = "http://libarchive.org/"
38		39
39	SRC_URI[sha256sum] = "7875d49596286055b52439ed42f044bd8ad426aa4cc5aabd96bfe7abb971d5e8"	40	SRC_URI[sha256sum] = "7875d49596286055b52439ed42f044bd8ad426aa4cc5aabd96bfe7abb971d5e8"