diff --git a/SPECS/libarchive/CVE-2024-26256.patch b/SPECS/libarchive/CVE-2024-26256.patch
deleted file mode 100644
index 20c8e9ff2e9..00000000000
--- a/SPECS/libarchive/CVE-2024-26256.patch
+++ /dev/null
@@ -1,23 +0,0 @@
-From eb7939b24a681a04648a59cdebd386b1e9dc9237 Mon Sep 17 00:00:00 2001
-From: Wei-Cheng Pan
-Date: Mon, 22 Apr 2024 01:55:41 +0900
-Subject: [PATCH] fix: OOB in rar e8 filter (#2135)
-
-This patch fixes an out-of-bound error in rar e8 filter.
----
- libarchive/archive_read_support_format_rar.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/libarchive/archive_read_support_format_rar.c b/libarchive/archive_read_support_format_rar.c
-index 99a11d1700..266d0ee995 100644
---- a/libarchive/archive_read_support_format_rar.c
-+++ b/libarchive/archive_read_support_format_rar.c
-@@ -3615,7 +3615,7 @@ execute_filter_e8(struct rar_filter *filter, struct rar_virtual_machine *vm, siz
- uint32_t filesize = 0x1000000;
- uint32_t i;
-
-- if (length > PROGRAM_WORK_SIZE || length < 4)
-+ if (length > PROGRAM_WORK_SIZE || length <= 4)
- return 0;
-
- for (i = 0; i <= length - 5; i++)
diff --git a/SPECS/libarchive/CVE-2024-37407.patch b/SPECS/libarchive/CVE-2024-37407.patch
deleted file mode 100644
index 43db7a1c548..00000000000
--- a/SPECS/libarchive/CVE-2024-37407.patch
+++ /dev/null
@@ -1,24 +0,0 @@
-From b6a979481b7d77c12fa17bbed94576b63bbcb0c0 Mon Sep 17 00:00:00 2001
-From: Tobias Stoeckmann
-Date: Thu, 25 Apr 2024 09:18:30 +0000
-Subject: [PATCH] zip: Fix out of boundary access (#2145)
-
-If a ZIP file contains a file with an empty name and mac-ext option is
-set, then a check accesses memory out of bound of `name`.
----
- libarchive/archive_read_support_format_zip.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/libarchive/archive_read_support_format_zip.c b/libarchive/archive_read_support_format_zip.c
-index d7b6f082ee..7552a1a1a2 100644
---- a/libarchive/archive_read_support_format_zip.c
-+++ b/libarchive/archive_read_support_format_zip.c
-@@ -4089,7 +4089,7 @@ slurp_central_directory(struct archive_read *a, struct archive_entry* entry,
- * as the actual resource fork doesn't end with '/'.
- */
- size_t tmp_length = filename_length;
-- if (name[tmp_length - 1] == '/') {
-+ if (tmp_length > 0 && name[tmp_length - 1] == '/') {
- tmp_length--;
- r = rsrc_basename(name, tmp_length);
- }
diff --git a/SPECS/libarchive/libarchive.signatures.json b/SPECS/libarchive/libarchive.signatures.json
index b4c15926c53..f32783f4e68 100644
--- a/SPECS/libarchive/libarchive.signatures.json
+++ b/SPECS/libarchive/libarchive.signatures.json
@@ -1,5 +1,5 @@
 {
- "Signatures": {
- "libarchive-3.7.1.tar.gz": "5d24e40819768f74daf846b99837fc53a3a9dcdf3ce1c2003fe0596db850f0f0"
- }
+ "Signatures": {
+ "libarchive-3.7.7.tar.gz": "4cc540a3e9a1eebdefa1045d2e4184831100667e6d7d5b315bb1cbc951f8ddff"
+ }
 }
diff --git a/SPECS/libarchive/libarchive.spec b/SPECS/libarchive/libarchive.spec
index 25d8a39b371..99ce351dcfe 100644
--- a/SPECS/libarchive/libarchive.spec
+++ b/SPECS/libarchive/libarchive.spec
@@ -1,18 +1,13 @@
 Summary: Multi-format archive and compression library
 Name: libarchive
-Version: 3.7.1
-Release: 2%{?dist}
+Version: 3.7.7
+Release: 1%{?dist}
 # Certain files have individual licenses. For more details see contents of "COPYING".
 License: BSD AND Public Domain AND (ASL 2.0 OR CC0 1.0 OR OpenSSL)
 Vendor: Microsoft Corporation
 Distribution: Azure Linux
 URL: https://www.libarchive.org/
 Source0: https://github.com/libarchive/libarchive/releases/download/v%{version}/%{name}-%{version}.tar.gz
-Patch0: CVE-2024-26256.patch
-# https://github.com/libarchive/libarchive/pull/2108 (needed to cleanly apply the ZIP OOB (CVE-2024-37407) patch)
-# Please remove when upgrading to v3.7.4 and above
-Patch1: update-appledouble-support-directories.patch
-Patch2: CVE-2024-37407.patch
 Provides: bsdtar = %{version}-%{release}
 BuildRequires: xz-libs
@@ -65,6 +60,10 @@ make %{?_smp_mflags} check
 %{_libdir}/pkgconfig/*.pc
 %changelog
+* Tue Oct 15 2024 Nan Liu - 3.7.7-1
+- Upgrade to 3.7.7 - Fix CVE-2024-48957, CVE-2024-48958, CVE-2024-20696
+- Remove unused patches
+
 * Tue Jun 25 2024 Neha Agarwal - 3.7.1-2
 - Patch CVE-2024-26256 and CVE-2024-37407
diff --git a/SPECS/libarchive/update-appledouble-support-directories.patch b/SPECS/libarchive/update-appledouble-support-directories.patch
deleted file mode 100644
index 6e41ea4c6ce..00000000000
--- a/SPECS/libarchive/update-appledouble-support-directories.patch
+++ /dev/null
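Review bot: The `Patch0`/`Patch2` removals in the first libarchive.spec hunk drop the only in-tree markers for CVE-2024-26256 and CVE-2024-37407, and the new changelog entry in the second hunk records them only as `- Remove unused patches`. The deleted comment ties just the AppleDouble prerequisite to v3.7.4 and above, so nothing visible here shows that the 3.7.7 tarball carries upstream commits eb7939b24a68 (rar e8 filter length check) and b6a979481b7d (zip empty-name check); that should be confirmed against the new source before merge. Once confirmed, I would make the changelog explicit, for example `- Remove CVE-2024-26256 and CVE-2024-37407 patches, fixed upstream in 3.7.7`, so that CVE tracking keyed on patch names or changelog text does not read the removal as a regression.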
@@ -1,189 +0,0 @@ -From 91f27004a5c88589658e38d68e46d223da6b75ca Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Martin=20Matu=C5=A1ka?= -Date: Sun, 21 Apr 2024 05:23:22 +0200 -Subject: [PATCH] Update AppleDouble support for directories (#2108) - -This is a clone of the reverted pull request #2100. Due to the latest -circumstances we should require a more deep review of each new PR. - ---------- - -Co-authored-by: Justin Vreeland ---- - libarchive/archive_read_support_format_zip.c | 13 ++- - libarchive/archive_write_disk_posix.c | 3 +- - libarchive/test/test_write_disk_appledouble.c | 84 +++++++++++++++++++ - .../test_write_disk_appledouble_zip.zip.uu | 27 ++++++ - 4 files changed, 125 insertions(+), 2 deletions(-) - create mode 100644 libarchive/test/test_write_disk_appledouble_zip.zip.uu - -diff --git a/libarchive/archive_read_support_format_zip.c b/libarchive/archive_read_support_format_zip.c -index 212bfff9fa..d7b6f082ee 100644 ---- a/libarchive/archive_read_support_format_zip.c -+++ b/libarchive/archive_read_support_format_zip.c -@@ -4083,6 +4083,17 @@ slurp_central_directory(struct archive_read *a, struct archive_entry* entry, - } else { - /* Generate resource fork name to find its - * resource file at zip->tree_rsrc. */ -+ -+ /* If this is an entry ending with slash, -+ * make the resource for name slash-less -+ * as the actual resource fork doesn't end with '/'. -+ */ -+ size_t tmp_length = filename_length; -+ if (name[tmp_length - 1] == '/') { -+ tmp_length--; -+ r = rsrc_basename(name, tmp_length); -+ } -+ - archive_strcpy(&(zip_entry->rsrcname), - "__MACOSX/"); - archive_strncat(&(zip_entry->rsrcname), -@@ -4090,7 +4101,7 @@ slurp_central_directory(struct archive_read *a, struct archive_entry* entry, - archive_strcat(&(zip_entry->rsrcname), "._"); - archive_strncat(&(zip_entry->rsrcname), - name + (r - name), -- filename_length - (r - name)); -+ tmp_length - (r - name)); - /* Register an entry to RB tree to sort it by - * file offset. 
*/ - __archive_rb_tree_insert_node(&zip->tree, -diff --git a/libarchive/archive_write_disk_posix.c b/libarchive/archive_write_disk_posix.c -index 58265ee0dc..92db4ff05b 100644 ---- a/libarchive/archive_write_disk_posix.c -+++ b/libarchive/archive_write_disk_posix.c -@@ -4427,7 +4427,8 @@ fixup_appledouble(struct archive_write_disk *a, const char *pathname) - #else - la_stat(datafork.s, &st) == -1 || - #endif -- (st.st_mode & AE_IFMT) != AE_IFREG) -+ (((st.st_mode & AE_IFMT) != AE_IFREG) && -+ ((st.st_mode & AE_IFMT) != AE_IFDIR))) - goto skip_appledouble; - - /* -diff --git a/libarchive/test/test_write_disk_appledouble.c b/libarchive/test/test_write_disk_appledouble.c -index 3265a94d2f..8de6c8b504 100644 ---- a/libarchive/test/test_write_disk_appledouble.c -+++ b/libarchive/test/test_write_disk_appledouble.c -@@ -236,3 +236,87 @@ DEFINE_TEST(test_write_disk_appledouble) - assertEqualFile("hfscmp/file3", "nocmp/file3"); - #endif - } -+ -+/* Test writing apple doubles to disk from zip format */ -+DEFINE_TEST(test_write_disk_appledouble_zip) -+{ -+#if !defined(__APPLE__) || !defined(UF_COMPRESSED) || !defined(HAVE_SYS_XATTR_H)\ -+ || !defined(HAVE_ZLIB_H) -+ skipping("MacOS-specific AppleDouble test"); -+#else -+ const char *refname = "test_write_disk_appledouble_zip.zip"; -+ struct archive *ad, *a; -+ struct archive_entry *ae; -+ struct stat st; -+ -+ extract_reference_file(refname); -+ -+ /* -+ * Extract an archive to disk. 
-+ */ -+ assert((ad = archive_write_disk_new()) != NULL); -+ assertEqualIntA(ad, ARCHIVE_OK, -+ archive_write_disk_set_standard_lookup(ad)); -+ assertEqualIntA(ad, ARCHIVE_OK, -+ archive_write_disk_set_options(ad, -+ ARCHIVE_EXTRACT_TIME | -+ ARCHIVE_EXTRACT_SECURE_SYMLINKS | -+ ARCHIVE_EXTRACT_SECURE_NODOTDOT)); -+ -+ assert((a = archive_read_new()) != NULL); -+ assertEqualIntA(a, ARCHIVE_OK, archive_read_support_filter_all(a)); -+ assertEqualIntA(a, ARCHIVE_OK, archive_read_support_format_all(a)); -+ assertEqualIntA(a, ARCHIVE_OK, archive_read_open_filename(a, -+ refname, 512 * 20)); -+ -+ /* Skip The top level directory */ -+ assertEqualIntA(a, ARCHIVE_OK, archive_read_next_header(a, &ae)); -+ assertEqualString("apple_double_dir/", archive_entry_pathname(ae)); -+ -+ /* Extract apple_double_test */ -+ assertEqualIntA(a, ARCHIVE_OK, archive_read_next_header(a, &ae)); -+ assertEqualString("apple_double_dir/apple_double_dir_test/", archive_entry_pathname(ae)); -+ assertEqualIntA(a, ARCHIVE_OK, archive_read_extract2(a, ae, ad)); -+ -+ /* Extract ._apple_double_dir_test which will be merged into apple_double_dir_test as metadata. */ -+ assertEqualIntA(a, ARCHIVE_OK, archive_read_next_header(a, &ae)); -+ assertEqualString("apple_double_dir/._apple_double_dir_test", archive_entry_pathname(ae)); -+ assertEqualIntA(a, ARCHIVE_OK, archive_read_extract2(a, ae, ad)); -+ -+ /* Extract test_file */ -+ assertEqualIntA(a, ARCHIVE_OK, archive_read_next_header(a, &ae)); -+ assertEqualString("apple_double_dir/test_file", archive_entry_pathname(ae)); -+ assertEqualIntA(a, ARCHIVE_OK, archive_read_extract2(a, ae, ad)); -+ -+ /* Extract ._test_file which will be merged into test_file as metadata. 
*/ -+ assertEqualIntA(a, ARCHIVE_OK, archive_read_next_header(a, &ae)); -+ assertEqualString("apple_double_dir/._test_file", archive_entry_pathname(ae)); -+ assertEqualIntA(a, ARCHIVE_OK, archive_read_extract2(a, ae, ad)); -+ -+ assertEqualIntA(a, ARCHIVE_EOF, archive_read_next_header(a, &ae)); -+ assertEqualIntA(a, ARCHIVE_OK, archive_read_close(a)); -+ assertEqualInt(ARCHIVE_OK, archive_read_free(a)); -+ assertEqualIntA(ad, ARCHIVE_OK, archive_write_free(ad)); -+ -+ /* Test test_file */ -+ assertEqualInt(0, stat("apple_double_dir/test_file", &st)); -+ assertFileSize("apple_double_dir/test_file", 5); -+ failure("'%s' should have Resource Fork", "test_file"); -+ assertEqualInt(1, has_xattr("apple_double_dir/test_file", "com.apple.ResourceFork")); -+ -+ /* Test apple_double_dir_test */ -+ failure("'%s' should have quarantine xattr", "apple_double_dir_test"); -+ assertEqualInt(1, has_xattr("apple_double_dir/apple_double_dir_test", "com.apple.quarantine")); -+ -+ /* Test ._test_file. */ -+ failure("'apple_double_dir/._test_file' should be merged and removed"); -+ assertFileNotExists("apple_double_dir/._test_file"); -+ -+ /* Test ._apple_double_dir_test */ -+ failure("'apple_double_dir/._._apple_double_dir_test' should be merged and removed"); -+ assertFileNotExists("apple_double_dir/._apple_double_dir_test"); -+ -+ assertChdir(".."); -+ -+#endif -+} -diff --git a/libarchive/test/test_write_disk_appledouble_zip.zip.uu b/libarchive/test/test_write_disk_appledouble_zip.zip.uu -new file mode 100644 -index 0000000000..5ab67533d5 ---- /dev/null -+++ b/libarchive/test/test_write_disk_appledouble_zip.zip.uu -@@ -0,0 +1,27 @@ -+begin 644 test_write_disk_appledouble_zip.zip -+M4$L#!`H```````MM?%@````````````````1`!``87!P;&5?9&]U8FQE7V1I -+M +Date: Sun, 25 Aug 2024 21:33:03 +0200 +Subject: [PATCH] patch 9.1.0697: [security]: heap-buffer-overflow in + ins_typebuf + +Problem: heap-buffer-overflow in ins_typebuf + (SuyueGuo) +Solution: When flushing the typeahead buffer, validate 
that there
+ is enough space left
+
+Github Advisory:
+https://github.com/vim/vim/security/advisories/GHSA-4ghr-c62x-cqfh
+
+Signed-off-by: Christian Brabandt
+
+Removed binary test file and test only changes for security fix
+
+---
+ src/getchar.c | 15 ++++++++++++---
+ 1 files changed, 12 insertions(+), 3 deletions(-)
+ create mode 100644 src/testdir/crash/heap_overflow3
+
+diff --git a/src/getchar.c b/src/getchar.c
+index 29323fa328bd1..96e180f4ae1a9 100644
+--- a/src/getchar.c
++++ b/src/getchar.c
+@@ -446,9 +446,18 @@ flush_buffers(flush_buffers_T flush_typeahead)
+
+ if (flush_typeahead == FLUSH_MINIMAL)
+ {
+- // remove mapped characters at the start only
+- typebuf.tb_off += typebuf.tb_maplen;
+- typebuf.tb_len -= typebuf.tb_maplen;
++ // remove mapped characters at the start only,
++ // but only when enough space left in typebuf
++ if (typebuf.tb_off + typebuf.tb_maplen >= typebuf.tb_buflen)
++ {
++ typebuf.tb_off = MAXMAPLEN;
++ typebuf.tb_len = 0;
++ }
++ else
++ {
++ typebuf.tb_off += typebuf.tb_maplen;
++ typebuf.tb_len -= typebuf.tb_maplen;
++ }
+ #if defined(FEAT_CLIENTSERVER) || defined(FEAT_EVAL)
+ if (typebuf.tb_len == 0)
+ typebuf_was_filled = FALSE;
diff --git a/SPECS/vim/vim.spec b/SPECS/vim/vim.spec
index 726e7876622..21729fbac48 100644
--- a/SPECS/vim/vim.spec
+++ b/SPECS/vim/vim.spec
@@ -2,7 +2,7 @@
 Summary: Text editor
 Name: vim
 Version: 9.0.2190
-Release: 5%{?dist}
+Release: 6%{?dist}
 License: Vim
 Vendor: Microsoft Corporation
 Distribution: Azure Linux
@@ -14,7 +14,7 @@ Patch0: CVE-2024-41957.patch
 Patch1: fix_save_unnamed_buffer_correctly.patch
 Patch2: CVE-2024-41965.patch
 Patch3: CVE-2024-43374.patch
-
+Patch4: CVE-2024-43802.patch
 BuildRequires: ncurses-devel
 BuildRequires: python3-devel
 Requires(post): sed
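Review bot: `Patch4: CVE-2024-43802.patch` is added without a comment saying that it is a trimmed backport: the patch header names upstream patch 9.1.0697 and states that the binary test file and test-only changes were removed, while `Version:` stays at 9.0.2190. I would put a line above it such as `# Backport of upstream patch 9.1.0697 (GHSA-4ghr-c62x-cqfh), regression test not included; drop when rebasing past it`, and keep the blank line before `BuildRequires:` that this hunk deletes so the patch list stays visually separate. The patch header also still lists `create mode 100644 src/testdir/crash/heap_overflow3` for a file it no longer carries; removing that line keeps the header consistent with the stripped content.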
@@ -222,6 +222,9 @@ fi
 %{_rpmconfigdir}/macros.d/macros.vim
 %changelog
+* Tue Oct 08 2024 Sam Meluch - 9.0.2190-6
+- Add patch to resolve CVE-2024-43802
+
 * Tue Aug 20 2024 Brian Fjeldstad - 9.0.2190-5
 - Add patch to resolve CVE-2024-43374
diff --git a/cgmanifest.json b/cgmanifest.json
index 4cbae68d84d..ec1be667d18 100644
--- a/cgmanifest.json
+++ b/cgmanifest.json
@@ -8601,8 +8601,8 @@
 "type": "other",
 "other": {
 "name": "libarchive",
- "version": "3.7.1",
- "downloadUrl": "https://github.com/libarchive/libarchive/releases/download/v3.7.1/libarchive-3.7.1.tar.gz"
+ "version": "3.7.7",
+ "downloadUrl": "https://github.com/libarchive/libarchive/releases/download/v3.7.7/libarchive-3.7.7.tar.gz"
 }
 }
 },
diff --git a/toolkit/resources/manifests/package/pkggen_core_aarch64.txt b/toolkit/resources/manifests/package/pkggen_core_aarch64.txt
index 87169d839ef..e0dc8fcd6ca 100644
--- a/toolkit/resources/manifests/package/pkggen_core_aarch64.txt
+++ b/toolkit/resources/manifests/package/pkggen_core_aarch64.txt
@@ -178,8 +178,8 @@ openssl-static-3.3.2-1.azl3.aarch64.rpm
 libcap-2.69-1.azl3.aarch64.rpm
 libcap-devel-2.69-1.azl3.aarch64.rpm
 debugedit-5.0-2.azl3.aarch64.rpm
-libarchive-3.7.1-2.azl3.aarch64.rpm
-libarchive-devel-3.7.1-2.azl3.aarch64.rpm
+libarchive-3.7.7-1.azl3.aarch64.rpm
+libarchive-devel-3.7.7-1.azl3.aarch64.rpm
 rpm-4.18.2-1.azl3.aarch64.rpm
 rpm-build-4.18.2-1.azl3.aarch64.rpm
 rpm-build-libs-4.18.2-1.azl3.aarch64.rpm
diff --git a/toolkit/resources/manifests/package/pkggen_core_x86_64.txt b/toolkit/resources/manifests/package/pkggen_core_x86_64.txt
index 1f71b3cd6dd..1bbe5e8755c 100644
--- a/toolkit/resources/manifests/package/pkggen_core_x86_64.txt
+++ b/toolkit/resources/manifests/package/pkggen_core_x86_64.txt
@@ -178,8 +178,8 @@ openssl-static-3.3.2-1.azl3.x86_64.rpm
 libcap-2.69-1.azl3.x86_64.rpm
 libcap-devel-2.69-1.azl3.x86_64.rpm
 debugedit-5.0-2.azl3.x86_64.rpm
-libarchive-3.7.1-2.azl3.x86_64.rpm
-libarchive-devel-3.7.1-2.azl3.x86_64.rpm
+libarchive-3.7.7-1.azl3.x86_64.rpm
+libarchive-devel-3.7.7-1.azl3.x86_64.rpm
 rpm-4.18.2-1.azl3.x86_64.rpm
 rpm-build-4.18.2-1.azl3.x86_64.rpm
 rpm-build-libs-4.18.2-1.azl3.x86_64.rpm
diff --git a/toolkit/resources/manifests/package/toolchain_aarch64.txt b/toolkit/resources/manifests/package/toolchain_aarch64.txt
index 1f1819d759e..741afded59d 100644
--- a/toolkit/resources/manifests/package/toolchain_aarch64.txt
+++ b/toolkit/resources/manifests/package/toolchain_aarch64.txt
@@ -166,9 +166,9 @@ krb5-devel-1.21.3-2.azl3.aarch64.rpm
 krb5-lang-1.21.3-2.azl3.aarch64.rpm
 libacl-2.3.1-2.azl3.aarch64.rpm
 libacl-devel-2.3.1-2.azl3.aarch64.rpm
-libarchive-3.7.1-2.azl3.aarch64.rpm
-libarchive-debuginfo-3.7.1-2.azl3.aarch64.rpm
-libarchive-devel-3.7.1-2.azl3.aarch64.rpm
+libarchive-3.7.7-1.azl3.aarch64.rpm
+libarchive-debuginfo-3.7.7-1.azl3.aarch64.rpm
+libarchive-devel-3.7.7-1.azl3.aarch64.rpm
 libassuan-2.5.6-1.azl3.aarch64.rpm
 libassuan-debuginfo-2.5.6-1.azl3.aarch64.rpm
 libassuan-devel-2.5.6-1.azl3.aarch64.rpm
diff --git a/toolkit/resources/manifests/package/toolchain_x86_64.txt b/toolkit/resources/manifests/package/toolchain_x86_64.txt
index 1c3f8e3334d..ac42be01633 100644
--- a/toolkit/resources/manifests/package/toolchain_x86_64.txt
+++ b/toolkit/resources/manifests/package/toolchain_x86_64.txt
@@ -172,9 +172,9 @@ krb5-devel-1.21.3-2.azl3.x86_64.rpm
 krb5-lang-1.21.3-2.azl3.x86_64.rpm
 libacl-2.3.1-2.azl3.x86_64.rpm
 libacl-devel-2.3.1-2.azl3.x86_64.rpm
-libarchive-3.7.1-2.azl3.x86_64.rpm
-libarchive-debuginfo-3.7.1-2.azl3.x86_64.rpm
-libarchive-devel-3.7.1-2.azl3.x86_64.rpm
+libarchive-3.7.7-1.azl3.x86_64.rpm
+libarchive-debuginfo-3.7.7-1.azl3.x86_64.rpm
+libarchive-devel-3.7.7-1.azl3.x86_64.rpm
 libassuan-2.5.6-1.azl3.x86_64.rpm
 libassuan-debuginfo-2.5.6-1.azl3.x86_64.rpm
 libassuan-devel-2.5.6-1.azl3.x86_64.rpm