diff --git a/SPECS/libarchive/CVE-2024-20696.patch b/SPECS/libarchive/CVE-2024-20696.patch new file mode 100644 index 00000000000..22b376887e7 --- /dev/null +++ b/SPECS/libarchive/CVE-2024-20696.patch @@ -0,0 +1,126 @@ +From 0d2efd8e6869b21dffdd956a50ba2f220f11e238 Mon Sep 17 00:00:00 2001 +From: Nan Liu +Date: Tue, 15 Oct 2024 18:31:23 +0000 +Subject: [PATCH] rar4 reader: protect copy_..._to_unp from too-big or + too-small length (CVE-2024-20696) + +--- +From 020c40df9e31ec727201a8e3ddf1f94093f8fc02 Mon Sep 17 00:00:00 2001 +From: "Dustin L. Howett" +Date: Mon, 15 Jan 2024 22:16:27 -0600 +Subject: [PATCH] rar4 reader: protect copy_..._to_unp from too-big or + too-small length + +copy_from_lzss_window_to_unp unnecessarily took an `int` parameter where +both of its callers were holding a `size_t`. + +A lzss opcode chain could be cosntructed that resulted in a negative +copy length, which when passed into memcpy would result in a very, very +large positive number. + +Switching copy_from_lzss_window_to_unp to take a `size_t` allows it to +properly bounds-check length. + +In addition, this patch also ensures that `length` is not itself larger +than the destination buffer. + +--- + libarchive/archive_read_support_format_rar.c | 28 +++++++++++++------- + 1 file changed, 18 insertions(+), 10 deletions(-) + +diff --git a/libarchive/archive_read_support_format_rar.c b/libarchive/archive_read_support_format_rar.c +index f9cbe2a..024711c 100644 +--- a/libarchive/archive_read_support_format_rar.c ++++ b/libarchive/archive_read_support_format_rar.c +@@ -432,7 +432,7 @@ static int make_table_recurse(struct archive_read *, struct huffman_code *, int, + struct huffman_table_entry *, int, int); + static int expand(struct archive_read *, int64_t *); + static int copy_from_lzss_window_to_unp(struct archive_read *, const void **, +- int64_t, int); ++ int64_t, size_t); + static const void *rar_read_ahead(struct archive_read *, size_t, ssize_t *); + static int parse_filter(struct archive_read *, const uint8_t *, uint16_t, + uint8_t); +@@ -2059,7 +2059,7 @@ read_data_compressed(struct archive_read *a, const void **buff, size_t *size, + bs = rar->unp_buffer_size - rar->unp_offset; + else + bs = (size_t)rar->bytes_uncopied; +- ret = copy_from_lzss_window_to_unp(a, buff, rar->offset, (int)bs); ++ ret = copy_from_lzss_window_to_unp(a, buff, rar->offset, bs); + if (ret != ARCHIVE_OK) + return (ret); + rar->offset += bs; +@@ -2199,7 +2199,7 @@ read_data_compressed(struct archive_read *a, const void **buff, size_t *size, + bs = rar->unp_buffer_size - rar->unp_offset; + else + bs = (size_t)rar->bytes_uncopied; +- ret = copy_from_lzss_window_to_unp(a, buff, rar->offset, (int)bs); ++ ret = copy_from_lzss_window_to_unp(a, buff, rar->offset, bs); + if (ret != ARCHIVE_OK) + return (ret); + rar->offset += bs; +@@ -3080,11 +3080,16 @@ copy_from_lzss_window(struct archive_read *a, void *buffer, + + static int + copy_from_lzss_window_to_unp(struct archive_read *a, const void **buffer, +- int64_t startpos, int length) ++ int64_t startpos, size_t length) + { + int windowoffs, firstpart; + struct rar *rar = (struct rar *)(a->format->data); + ++ if (length > rar->unp_buffer_size) ++ { ++ goto fatal; ++ } ++ + if (!rar->unp_buffer) + { + if ((rar->unp_buffer = malloc(rar->unp_buffer_size)) == NULL) +@@ -3096,17 +3101,17 @@ copy_from_lzss_window_to_unp(struct archive_read *a, const void **buffer, + } + + windowoffs = lzss_offset_for_position(&rar->lzss, startpos); +- if(windowoffs + length <= lzss_size(&rar->lzss)) { ++ if(windowoffs + length <= (size_t)lzss_size(&rar->lzss)) { + memcpy(&rar->unp_buffer[rar->unp_offset], &rar->lzss.window[windowoffs], + length); +- } else if (length <= lzss_size(&rar->lzss)) { ++ } else if (length <= (size_t)lzss_size(&rar->lzss)) { + firstpart = lzss_size(&rar->lzss) - windowoffs; + if (firstpart < 0) { + archive_set_error(&a->archive, ARCHIVE_ERRNO_FILE_FORMAT, + "Bad RAR file data"); + return (ARCHIVE_FATAL); + } +- if (firstpart < length) { ++ if ((size_t)firstpart < length) { + memcpy(&rar->unp_buffer[rar->unp_offset], + &rar->lzss.window[windowoffs], firstpart); + memcpy(&rar->unp_buffer[rar->unp_offset + firstpart], +@@ -3116,9 +3121,7 @@ copy_from_lzss_window_to_unp(struct archive_read *a, const void **buffer, + &rar->lzss.window[windowoffs], length); + } + } else { +- archive_set_error(&a->archive, ARCHIVE_ERRNO_FILE_FORMAT, +- "Bad RAR file data"); +- return (ARCHIVE_FATAL); ++ goto fatal; + } + rar->unp_offset += length; + if (rar->unp_offset >= rar->unp_buffer_size) +@@ -3126,6 +3129,11 @@ copy_from_lzss_window_to_unp(struct archive_read *a, const void **buffer, + else + *buffer = NULL; + return (ARCHIVE_OK); ++ ++fatal: ++ archive_set_error(&a->archive, ARCHIVE_ERRNO_FILE_FORMAT, ++ "Bad RAR file data"); ++ return (ARCHIVE_FATAL); + } + + static const void * +-- +2.34.1 + diff --git a/SPECS/libarchive/CVE-2024-48957.patch b/SPECS/libarchive/CVE-2024-48957.patch new file mode 100644 index 00000000000..9f24e86f8b5 --- /dev/null +++ b/SPECS/libarchive/CVE-2024-48957.patch @@ -0,0 +1,35 @@ +From 9a6a505a1da891df29909eb2aeb6f067fe46f7d3 Mon Sep 17 00:00:00 2001 +From: Nan Liu +Date: Tue, 15 Oct 2024 18:44:56 +0000 +Subject: [PATCH] fix: OOB in rar audio filter(CVE-2024-48957) + +--- +From 3ad7b9b6cc37d8a197a6c55af4634560df13771f Mon Sep 17 00:00:00 2001 +From: Wei-Cheng Pan +Date: Fri, 26 Apr 2024 16:35:06 +0900 +Subject: [PATCH] fix: OOB in rar audio filter + +--- + libarchive/archive_read_support_format_rar.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/libarchive/archive_read_support_format_rar.c b/libarchive/archive_read_support_format_rar.c +index dae2309..6510bcf 100644 +--- a/libarchive/archive_read_support_format_rar.c ++++ b/libarchive/archive_read_support_format_rar.c +@@ -3716,6 +3716,12 @@ execute_filter_audio(struct rar_filter *filter, struct rar_virtual_machine *vm) + memset(&state, 0, sizeof(state)); + for (j = i; j < length; j += numchannels) + { ++ /* ++ * The src block should not overlap with the dst block. ++ * If so it would be better to consider this archive is broken. ++ */ ++ if (src >= dst) ++ return 0; + int8_t delta = (int8_t)*src++; + uint8_t predbyte, byte; + int prederror; +-- +2.34.1 + diff --git a/SPECS/libarchive/CVE-2024-48958.patch b/SPECS/libarchive/CVE-2024-48958.patch new file mode 100644 index 00000000000..99f4f3edabd --- /dev/null +++ b/SPECS/libarchive/CVE-2024-48958.patch @@ -0,0 +1,38 @@ +From b76fa2148bed31bd38acd896c19ee8a9a420eeae Mon Sep 17 00:00:00 2001 +From: Nan Liu +Date: Tue, 15 Oct 2024 18:37:24 +0000 +Subject: [PATCH] fix: OOB in rar delta filter(CVE-2024-48958) + +--- +From 17d9d73ee92eeb1a08b0a56659d010d8120af33a Mon Sep 17 00:00:00 2001 +From: Wei-Cheng Pan +Date: Fri, 26 Apr 2024 13:58:34 +0900 +Subject: [PATCH] fix: OOB in rar delta filter + +--- + libarchive/archive_read_support_format_rar.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/libarchive/archive_read_support_format_rar.c b/libarchive/archive_read_support_format_rar.c +index 024711c..dae2309 100644 +--- a/libarchive/archive_read_support_format_rar.c ++++ b/libarchive/archive_read_support_format_rar.c +@@ -3606,7 +3606,15 @@ execute_filter_delta(struct rar_filter *filter, struct rar_virtual_machine *vm) + { + uint8_t lastbyte = 0; + for (idx = i; idx < length; idx += numchannels) ++ { ++ /* ++ * The src block should not overlap with the dst block. ++ * If so it would be better to consider this archive is broken. ++ */ ++ if (src >= dst) ++ return 0; + lastbyte = dst[idx] = lastbyte - *src++; ++ } + } + + filter->filteredblockaddress = length; +-- +2.34.1 + diff --git a/SPECS/libarchive/libarchive.spec b/SPECS/libarchive/libarchive.spec index 62114524033..20681c9a840 100644 --- a/SPECS/libarchive/libarchive.spec +++ b/SPECS/libarchive/libarchive.spec @@ -1,7 +1,7 @@ Summary: Multi-format archive and compression library Name: libarchive Version: 3.6.1 -Release: 3%{?dist} +Release: 4%{?dist} # Certain files have individual licenses. For more details see contents of "COPYING". License: BSD AND Public Domain AND (ASL 2.0 OR CC0 1.0 OR OpenSSL) Vendor: Microsoft Corporation @@ -10,6 +10,10 @@ URL: https://www.libarchive.org/ Source0: https://github.com/libarchive/libarchive/releases/download/v%{version}/%{name}-%{version}.tar.gz Patch0: CVE-2022-36227.patch Patch1: CVE-2024-26256.patch +# Please remove the following patches when upgrading to v3.7.5 and above +Patch2: CVE-2024-20696.patch +Patch3: CVE-2024-48958.patch +Patch4: CVE-2024-48957.patch Provides: bsdtar = %{version}-%{release} BuildRequires: xz-libs @@ -62,6 +66,9 @@ make %{?_smp_mflags} check %{_libdir}/pkgconfig/*.pc %changelog +* Tue Oct 15 2024 Nan Liu - 3.6.1-4 +- Patch CVE-2024-48957, CVE-2024-48958, CVE-2024-20696 + * Thu Jun 06 2024 Nan Liu - 3.6.1-3 - Patch CVE-2024-26256 diff --git a/toolkit/resources/manifests/package/pkggen_core_aarch64.txt b/toolkit/resources/manifests/package/pkggen_core_aarch64.txt index fe8367c6403..73bc8609fb0 100644 --- a/toolkit/resources/manifests/package/pkggen_core_aarch64.txt +++ b/toolkit/resources/manifests/package/pkggen_core_aarch64.txt @@ -173,8 +173,8 @@ openssl-static-1.1.1k-35.cm2.aarch64.rpm libcap-2.60-2.cm2.aarch64.rpm libcap-devel-2.60-2.cm2.aarch64.rpm debugedit-5.0-2.cm2.aarch64.rpm -libarchive-3.6.1-3.cm2.aarch64.rpm -libarchive-devel-3.6.1-3.cm2.aarch64.rpm +libarchive-3.6.1-4.cm2.aarch64.rpm +libarchive-devel-3.6.1-4.cm2.aarch64.rpm rpm-4.18.0-4.cm2.aarch64.rpm rpm-build-4.18.0-4.cm2.aarch64.rpm rpm-build-libs-4.18.0-4.cm2.aarch64.rpm diff --git a/toolkit/resources/manifests/package/pkggen_core_x86_64.txt b/toolkit/resources/manifests/package/pkggen_core_x86_64.txt index b4365a0e48e..c1b55e69d88 100644 --- a/toolkit/resources/manifests/package/pkggen_core_x86_64.txt +++ b/toolkit/resources/manifests/package/pkggen_core_x86_64.txt @@ -173,8 +173,8 @@ openssl-static-1.1.1k-35.cm2.x86_64.rpm libcap-2.60-2.cm2.x86_64.rpm libcap-devel-2.60-2.cm2.x86_64.rpm debugedit-5.0-2.cm2.x86_64.rpm -libarchive-3.6.1-3.cm2.x86_64.rpm -libarchive-devel-3.6.1-3.cm2.x86_64.rpm +libarchive-3.6.1-4.cm2.x86_64.rpm +libarchive-devel-3.6.1-4.cm2.x86_64.rpm rpm-4.18.0-4.cm2.x86_64.rpm rpm-build-4.18.0-4.cm2.x86_64.rpm rpm-build-libs-4.18.0-4.cm2.x86_64.rpm diff --git a/toolkit/resources/manifests/package/toolchain_aarch64.txt b/toolkit/resources/manifests/package/toolchain_aarch64.txt index 8fd395bd6b7..5b68f1b1e04 100644 --- a/toolkit/resources/manifests/package/toolchain_aarch64.txt +++ b/toolkit/resources/manifests/package/toolchain_aarch64.txt @@ -144,9 +144,9 @@ krb5-1.19.4-3.cm2.aarch64.rpm krb5-debuginfo-1.19.4-3.cm2.aarch64.rpm krb5-devel-1.19.4-3.cm2.aarch64.rpm krb5-lang-1.19.4-3.cm2.aarch64.rpm -libarchive-3.6.1-3.cm2.aarch64.rpm -libarchive-debuginfo-3.6.1-3.cm2.aarch64.rpm -libarchive-devel-3.6.1-3.cm2.aarch64.rpm +libarchive-3.6.1-4.cm2.aarch64.rpm +libarchive-debuginfo-3.6.1-4.cm2.aarch64.rpm +libarchive-devel-3.6.1-4.cm2.aarch64.rpm libassuan-2.5.5-2.cm2.aarch64.rpm libassuan-debuginfo-2.5.5-2.cm2.aarch64.rpm libassuan-devel-2.5.5-2.cm2.aarch64.rpm diff --git a/toolkit/resources/manifests/package/toolchain_x86_64.txt b/toolkit/resources/manifests/package/toolchain_x86_64.txt index ca2f99cec08..8ac34795b6e 100644 --- a/toolkit/resources/manifests/package/toolchain_x86_64.txt +++ b/toolkit/resources/manifests/package/toolchain_x86_64.txt @@ -150,9 +150,9 @@ krb5-1.19.4-3.cm2.x86_64.rpm krb5-debuginfo-1.19.4-3.cm2.x86_64.rpm krb5-devel-1.19.4-3.cm2.x86_64.rpm krb5-lang-1.19.4-3.cm2.x86_64.rpm -libarchive-3.6.1-3.cm2.x86_64.rpm -libarchive-debuginfo-3.6.1-3.cm2.x86_64.rpm -libarchive-devel-3.6.1-3.cm2.x86_64.rpm +libarchive-3.6.1-4.cm2.x86_64.rpm +libarchive-debuginfo-3.6.1-4.cm2.x86_64.rpm +libarchive-devel-3.6.1-4.cm2.x86_64.rpm libassuan-2.5.5-2.cm2.x86_64.rpm libassuan-debuginfo-2.5.5-2.cm2.x86_64.rpm libassuan-devel-2.5.5-2.cm2.x86_64.rpm