Skip to content

Commit

Permalink
Upgrade libarchive to 3.7.7 Fix CVE-2024-48957, CVE-2024-48958
Browse files Browse the repository at this point in the history
  • Loading branch information
@CBL-Mariner-Bot @liunan-ms
CBL-Mariner-Bot authored and liunan-ms committed Oct 16, 2024
1 parent 045fd51 commit 1f3f00e
Show file tree
Hide file tree
Showing 9 changed files with 20 additions and 66 deletions.
23 changes: 0 additions & 23 deletions SPECS/libarchive/CVE-2024-26256.patch
View file

This file was deleted.

24 changes: 0 additions & 24 deletions SPECS/libarchive/CVE-2024-37407.patch
View file

This file was deleted.

6 changes: 3 additions & 3 deletions SPECS/libarchive/libarchive.signatures.json
View file
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
{
"Signatures": {
"libarchive-3.7.1.tar.gz": "5d24e40819768f74daf846b99837fc53a3a9dcdf3ce1c2003fe0596db850f0f0"
}
"Signatures": {
"libarchive-3.7.7.tar.gz": "4cc540a3e9a1eebdefa1045d2e4184831100667e6d7d5b315bb1cbc951f8ddff"
}
}
9 changes: 5 additions & 4 deletions SPECS/libarchive/libarchive.spec
View file
Original file line number Diff line number Diff line change
@@ -1,18 +1,16 @@
Summary: Multi-format archive and compression library
Name: libarchive
Version: 3.7.1
Release: 2%{?dist}
Version: 3.7.7
Release: 1%{?dist}
# Certain files have individual licenses. For more details see contents of "COPYING".
License: BSD AND Public Domain AND (ASL 2.0 OR CC0 1.0 OR OpenSSL)
Vendor: Microsoft Corporation
Distribution: Azure Linux
URL: https://www.libarchive.org/
Source0: https://github.com/libarchive/libarchive/releases/download/v%{version}/%{name}-%{version}.tar.gz
Patch0: CVE-2024-26256.patch
# https://github.com/libarchive/libarchive/pull/2108 (needed to cleanly apply the ZIP OOB (CVE-2024-37407) patch)
# Please remove when upgrading to v3.7.4 and above
Patch1: update-appledouble-support-directories.patch
Patch2: CVE-2024-37407.patch
Provides: bsdtar = %{version}-%{release}

BuildRequires: xz-libs
Expand Down Expand Up @@ -65,6 +63,9 @@ make %{?_smp_mflags} check
%{_libdir}/pkgconfig/*.pc

%changelog
* Tue Oct 15 2024 CBL-Mariner Servicing Account <[email protected]> - 3.7.7-1
- Auto-upgrade to 3.7.7 - Fix CVE-2024-48957, CVE-2024-48958

* Tue Jun 25 2024 Neha Agarwal <[email protected]> - 3.7.1-2
- Patch CVE-2024-26256 and CVE-2024-37407

Expand Down
4 changes: 2 additions & 2 deletions cgmanifest.json
View file
Original file line number Diff line number Diff line change
Expand Up @@ -8601,8 +8601,8 @@
"type": "other",
"other": {
"name": "libarchive",
"version": "3.7.1",
"downloadUrl": "https://github.com/libarchive/libarchive/releases/download/v3.7.1/libarchive-3.7.1.tar.gz"
"version": "3.7.7",
"downloadUrl": "https://github.com/libarchive/libarchive/releases/download/v3.7.7/libarchive-3.7.7.tar.gz"
}
}
},
Expand Down
4 changes: 2 additions & 2 deletions toolkit/resources/manifests/package/pkggen_core_aarch64.txt
View file
Original file line number Diff line number Diff line change
Expand Up @@ -178,8 +178,8 @@ openssl-static-3.3.2-1.azl3.aarch64.rpm
libcap-2.69-1.azl3.aarch64.rpm
libcap-devel-2.69-1.azl3.aarch64.rpm
debugedit-5.0-2.azl3.aarch64.rpm
libarchive-3.7.1-2.azl3.aarch64.rpm
libarchive-devel-3.7.1-2.azl3.aarch64.rpm
libarchive-3.7.7-1.azl3.aarch64.rpm
libarchive-devel-3.7.7-1.azl3.aarch64.rpm
rpm-4.18.2-1.azl3.aarch64.rpm
rpm-build-4.18.2-1.azl3.aarch64.rpm
rpm-build-libs-4.18.2-1.azl3.aarch64.rpm
Expand Down
4 changes: 2 additions & 2 deletions toolkit/resources/manifests/package/pkggen_core_x86_64.txt
View file
Original file line number Diff line number Diff line change
Expand Up @@ -178,8 +178,8 @@ openssl-static-3.3.2-1.azl3.x86_64.rpm
libcap-2.69-1.azl3.x86_64.rpm
libcap-devel-2.69-1.azl3.x86_64.rpm
debugedit-5.0-2.azl3.x86_64.rpm
libarchive-3.7.1-2.azl3.x86_64.rpm
libarchive-devel-3.7.1-2.azl3.x86_64.rpm
libarchive-3.7.7-1.azl3.x86_64.rpm
libarchive-devel-3.7.7-1.azl3.x86_64.rpm
rpm-4.18.2-1.azl3.x86_64.rpm
rpm-build-4.18.2-1.azl3.x86_64.rpm
rpm-build-libs-4.18.2-1.azl3.x86_64.rpm
Expand Down
6 changes: 3 additions & 3 deletions toolkit/resources/manifests/package/toolchain_aarch64.txt
View file
Original file line number Diff line number Diff line change
Expand Up @@ -166,9 +166,9 @@ krb5-devel-1.21.3-2.azl3.aarch64.rpm
krb5-lang-1.21.3-2.azl3.aarch64.rpm
libacl-2.3.1-2.azl3.aarch64.rpm
libacl-devel-2.3.1-2.azl3.aarch64.rpm
libarchive-3.7.1-2.azl3.aarch64.rpm
libarchive-debuginfo-3.7.1-2.azl3.aarch64.rpm
libarchive-devel-3.7.1-2.azl3.aarch64.rpm
libarchive-3.7.7-1.azl3.aarch64.rpm
libarchive-debuginfo-3.7.7-1.azl3.aarch64.rpm
libarchive-devel-3.7.7-1.azl3.aarch64.rpm
libassuan-2.5.6-1.azl3.aarch64.rpm
libassuan-debuginfo-2.5.6-1.azl3.aarch64.rpm
libassuan-devel-2.5.6-1.azl3.aarch64.rpm
Expand Down
6 changes: 3 additions & 3 deletions toolkit/resources/manifests/package/toolchain_x86_64.txt
View file
Original file line number Diff line number Diff line change
Expand Up @@ -172,9 +172,9 @@ krb5-devel-1.21.3-2.azl3.x86_64.rpm
krb5-lang-1.21.3-2.azl3.x86_64.rpm
libacl-2.3.1-2.azl3.x86_64.rpm
libacl-devel-2.3.1-2.azl3.x86_64.rpm
libarchive-3.7.1-2.azl3.x86_64.rpm
libarchive-debuginfo-3.7.1-2.azl3.x86_64.rpm
libarchive-devel-3.7.1-2.azl3.x86_64.rpm
libarchive-3.7.7-1.azl3.x86_64.rpm
libarchive-debuginfo-3.7.7-1.azl3.x86_64.rpm
libarchive-devel-3.7.7-1.azl3.x86_64.rpm
libassuan-2.5.6-1.azl3.x86_64.rpm
libassuan-debuginfo-2.5.6-1.azl3.x86_64.rpm
libassuan-devel-2.5.6-1.azl3.x86_64.rpm
Expand Down

0 comments on commit 1f3f00e

Please sign in to comment.