microsoft · jslobodzian · Oct 18, 2024 · Oct 17, 2024
@@ -0,0 +1,126 @@
+From 0d2efd8e6869b21dffdd956a50ba2f220f11e238 Mon Sep 17 00:00:00 2001
+From: Nan Liu <[email protected]>
+Date: Tue, 15 Oct 2024 18:31:23 +0000
+Subject: [PATCH] rar4 reader: protect copy_..._to_unp from too-big or
+ too-small length (CVE-2024-20696)
+
+---
+From 020c40df9e31ec727201a8e3ddf1f94093f8fc02 Mon Sep 17 00:00:00 2001
+From: "Dustin L. Howett" <[email protected]>
+Date: Mon, 15 Jan 2024 22:16:27 -0600
+Subject: [PATCH] rar4 reader: protect copy_..._to_unp from too-big or
+ too-small length
+
+copy_from_lzss_window_to_unp unnecessarily took an `int` parameter where
+both of its callers were holding a `size_t`.
+
+A lzss opcode chain could be cosntructed that resulted in a negative
+copy length, which when passed into memcpy would result in a very, very
+large positive number.
+
+Switching copy_from_lzss_window_to_unp to take a `size_t` allows it to
+properly bounds-check length.
+
+In addition, this patch also ensures that `length` is not itself larger
+than the destination buffer.
+
+---
+ libarchive/archive_read_support_format_rar.c | 28 +++++++++++++-------
+ 1 file changed, 18 insertions(+), 10 deletions(-)
+
+diff --git a/libarchive/archive_read_support_format_rar.c b/libarchive/archive_read_support_format_rar.c
+index f9cbe2a..024711c 100644
+--- a/libarchive/archive_read_support_format_rar.c
++++ b/libarchive/archive_read_support_format_rar.c
+@@ -432,7 +432,7 @@ static int make_table_recurse(struct archive_read *, struct huffman_code *, int,
+                               struct huffman_table_entry *, int, int);
+ static int expand(struct archive_read *, int64_t *);
+ static int copy_from_lzss_window_to_unp(struct archive_read *, const void **,
+-                                        int64_t, int);
++                                        int64_t, size_t);
+ static const void *rar_read_ahead(struct archive_read *, size_t, ssize_t *);
+ static int parse_filter(struct archive_read *, const uint8_t *, uint16_t,
+                         uint8_t);
+@@ -2059,7 +2059,7 @@ read_data_compressed(struct archive_read *a, const void **buff, size_t *size,
+         bs = rar->unp_buffer_size - rar->unp_offset;
+       else
+         bs = (size_t)rar->bytes_uncopied;
+-      ret = copy_from_lzss_window_to_unp(a, buff, rar->offset, (int)bs);
++      ret = copy_from_lzss_window_to_unp(a, buff, rar->offset, bs);
+       if (ret != ARCHIVE_OK)
+         return (ret);
+       rar->offset += bs;
+@@ -2199,7 +2199,7 @@ read_data_compressed(struct archive_read *a, const void **buff, size_t *size,
+       bs = rar->unp_buffer_size - rar->unp_offset;
+     else
+       bs = (size_t)rar->bytes_uncopied;
+-    ret = copy_from_lzss_window_to_unp(a, buff, rar->offset, (int)bs);
++    ret = copy_from_lzss_window_to_unp(a, buff, rar->offset, bs);
+     if (ret != ARCHIVE_OK)
+       return (ret);
+     rar->offset += bs;
+@@ -3080,11 +3080,16 @@ copy_from_lzss_window(struct archive_read *a, void *buffer,
+
+ static int
+ copy_from_lzss_window_to_unp(struct archive_read *a, const void **buffer,
+-                             int64_t startpos, int length)
++                             int64_t startpos, size_t length)
+ {
+   int windowoffs, firstpart;
+   struct rar *rar = (struct rar *)(a->format->data);
+
++  if (length > rar->unp_buffer_size)
++  {
++    goto fatal;
++  }
++
+   if (!rar->unp_buffer)
+   {
+     if ((rar->unp_buffer = malloc(rar->unp_buffer_size)) == NULL)
+@@ -3096,17 +3101,17 @@ copy_from_lzss_window_to_unp(struct archive_read *a, const void **buffer,
+   }
+
+   windowoffs = lzss_offset_for_position(&rar->lzss, startpos);
+-  if(windowoffs + length <= lzss_size(&rar->lzss)) {
++  if(windowoffs + length <= (size_t)lzss_size(&rar->lzss)) {
+     memcpy(&rar->unp_buffer[rar->unp_offset], &rar->lzss.window[windowoffs],
+            length);
+-  } else if (length <= lzss_size(&rar->lzss)) {
++  } else if (length <= (size_t)lzss_size(&rar->lzss)) {
+     firstpart = lzss_size(&rar->lzss) - windowoffs;
+     if (firstpart < 0) {
+       archive_set_error(&a->archive, ARCHIVE_ERRNO_FILE_FORMAT,
+                         "Bad RAR file data");
+       return (ARCHIVE_FATAL);
+     }
+-    if (firstpart < length) {
++    if ((size_t)firstpart < length) {
+       memcpy(&rar->unp_buffer[rar->unp_offset],
+              &rar->lzss.window[windowoffs], firstpart);
+       memcpy(&rar->unp_buffer[rar->unp_offset + firstpart],
+@@ -3116,9 +3121,7 @@ copy_from_lzss_window_to_unp(struct archive_read *a, const void **buffer,
+              &rar->lzss.window[windowoffs], length);
+     }
+   } else {
+-      archive_set_error(&a->archive, ARCHIVE_ERRNO_FILE_FORMAT,
+-                        "Bad RAR file data");
+-      return (ARCHIVE_FATAL);
++      goto fatal;
+   }
+   rar->unp_offset += length;
+   if (rar->unp_offset >= rar->unp_buffer_size)
+@@ -3126,6 +3129,11 @@ copy_from_lzss_window_to_unp(struct archive_read *a, const void **buffer,
+   else
+     *buffer = NULL;
+   return (ARCHIVE_OK);
++
++fatal:
++  archive_set_error(&a->archive, ARCHIVE_ERRNO_FILE_FORMAT,
++                    "Bad RAR file data");
++  return (ARCHIVE_FATAL);
+ }
+
+ static const void *
+-- 
+2.34.1
+
@@ -0,0 +1,35 @@
+From 9a6a505a1da891df29909eb2aeb6f067fe46f7d3 Mon Sep 17 00:00:00 2001
+From: Nan Liu <[email protected]>
+Date: Tue, 15 Oct 2024 18:44:56 +0000
+Subject: [PATCH] fix: OOB in rar audio filter(CVE-2024-48957)
+
+---
+From 3ad7b9b6cc37d8a197a6c55af4634560df13771f Mon Sep 17 00:00:00 2001
+From: Wei-Cheng Pan <[email protected]>
+Date: Fri, 26 Apr 2024 16:35:06 +0900
+Subject: [PATCH] fix: OOB in rar audio filter
+
+---
+ libarchive/archive_read_support_format_rar.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/libarchive/archive_read_support_format_rar.c b/libarchive/archive_read_support_format_rar.c
+index dae2309..6510bcf 100644
+--- a/libarchive/archive_read_support_format_rar.c
++++ b/libarchive/archive_read_support_format_rar.c
+@@ -3716,6 +3716,12 @@ execute_filter_audio(struct rar_filter *filter, struct rar_virtual_machine *vm)
+     memset(&state, 0, sizeof(state));
+     for (j = i; j < length; j += numchannels)
+     {
++      /*
++       * The src block should not overlap with the dst block.
++       * If so it would be better to consider this archive is broken.
++       */
++      if (src >= dst)
++        return 0;
+       int8_t delta = (int8_t)*src++;
+       uint8_t predbyte, byte;
+       int prederror;
+-- 
+2.34.1
+
@@ -0,0 +1,38 @@
+From b76fa2148bed31bd38acd896c19ee8a9a420eeae Mon Sep 17 00:00:00 2001
+From: Nan Liu <[email protected]>
+Date: Tue, 15 Oct 2024 18:37:24 +0000
+Subject: [PATCH] fix: OOB in rar delta filter(CVE-2024-48958)
+
+---
+From 17d9d73ee92eeb1a08b0a56659d010d8120af33a Mon Sep 17 00:00:00 2001
+From: Wei-Cheng Pan <[email protected]>
+Date: Fri, 26 Apr 2024 13:58:34 +0900
+Subject: [PATCH] fix: OOB in rar delta filter
+
+---
+ libarchive/archive_read_support_format_rar.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/libarchive/archive_read_support_format_rar.c b/libarchive/archive_read_support_format_rar.c
+index 024711c..dae2309 100644
+--- a/libarchive/archive_read_support_format_rar.c
++++ b/libarchive/archive_read_support_format_rar.c
+@@ -3606,7 +3606,15 @@ execute_filter_delta(struct rar_filter *filter, struct rar_virtual_machine *vm)
+   {
+     uint8_t lastbyte = 0;
+     for (idx = i; idx < length; idx += numchannels)
++    {
++      /*
++       * The src block should not overlap with the dst block.
++       * If so it would be better to consider this archive is broken.
++       */
++      if (src >= dst)
++        return 0;
+       lastbyte = dst[idx] = lastbyte - *src++;
++    }
+   }
+
+   filter->filteredblockaddress = length;
+-- 
+2.34.1
+
@@ -1,7 +1,7 @@
 Summary:        Multi-format archive and compression library
 Name:           libarchive
 Version:        3.6.1
-Release:        3%{?dist}
+Release:        4%{?dist}
 # Certain files have individual licenses. For more details see contents of "COPYING".
 License:        BSD AND Public Domain AND (ASL 2.0 OR CC0 1.0 OR OpenSSL)
 Vendor:         Microsoft Corporation
@@ -10,6 +10,10 @@ URL:            https://www.libarchive.org/
 Source0:        https://github.com/libarchive/libarchive/releases/download/v%{version}/%{name}-%{version}.tar.gz
 Patch0:         CVE-2022-36227.patch
 Patch1:         CVE-2024-26256.patch
+# Please remove the following patches when upgrading to v3.7.5 and above
+Patch2:         CVE-2024-20696.patch
+Patch3:         CVE-2024-48958.patch
+Patch4:         CVE-2024-48957.patch
 Provides:       bsdtar = %{version}-%{release}
 
 BuildRequires:  xz-libs
@@ -62,6 +66,9 @@ make %{?_smp_mflags} check
 %{_libdir}/pkgconfig/*.pc
 
 %changelog
+* Tue Oct 15 2024 Nan Liu <[email protected]> - 3.6.1-4
+- Patch CVE-2024-48957, CVE-2024-48958, CVE-2024-20696
+
 * Thu Jun 06 2024 Nan Liu <[email protected]> - 3.6.1-3
 - Patch CVE-2024-26256
 

@@ -173,8 +173,8 @@ openssl-static-1.1.1k-35.cm2.aarch64.rpm
 libcap-2.60-2.cm2.aarch64.rpm
 libcap-devel-2.60-2.cm2.aarch64.rpm
 debugedit-5.0-2.cm2.aarch64.rpm
-libarchive-3.6.1-3.cm2.aarch64.rpm
-libarchive-devel-3.6.1-3.cm2.aarch64.rpm
+libarchive-3.6.1-4.cm2.aarch64.rpm
+libarchive-devel-3.6.1-4.cm2.aarch64.rpm
 rpm-4.18.0-4.cm2.aarch64.rpm
 rpm-build-4.18.0-4.cm2.aarch64.rpm
 rpm-build-libs-4.18.0-4.cm2.aarch64.rpm

@@ -173,8 +173,8 @@ openssl-static-1.1.1k-35.cm2.x86_64.rpm
 libcap-2.60-2.cm2.x86_64.rpm
 libcap-devel-2.60-2.cm2.x86_64.rpm
 debugedit-5.0-2.cm2.x86_64.rpm
-libarchive-3.6.1-3.cm2.x86_64.rpm
-libarchive-devel-3.6.1-3.cm2.x86_64.rpm
+libarchive-3.6.1-4.cm2.x86_64.rpm
+libarchive-devel-3.6.1-4.cm2.x86_64.rpm
 rpm-4.18.0-4.cm2.x86_64.rpm
 rpm-build-4.18.0-4.cm2.x86_64.rpm
 rpm-build-libs-4.18.0-4.cm2.x86_64.rpm

@@ -144,9 +144,9 @@ krb5-1.19.4-3.cm2.aarch64.rpm
 krb5-debuginfo-1.19.4-3.cm2.aarch64.rpm
 krb5-devel-1.19.4-3.cm2.aarch64.rpm
 krb5-lang-1.19.4-3.cm2.aarch64.rpm
-libarchive-3.6.1-3.cm2.aarch64.rpm
-libarchive-debuginfo-3.6.1-3.cm2.aarch64.rpm
-libarchive-devel-3.6.1-3.cm2.aarch64.rpm
+libarchive-3.6.1-4.cm2.aarch64.rpm
+libarchive-debuginfo-3.6.1-4.cm2.aarch64.rpm
+libarchive-devel-3.6.1-4.cm2.aarch64.rpm
 libassuan-2.5.5-2.cm2.aarch64.rpm
 libassuan-debuginfo-2.5.5-2.cm2.aarch64.rpm
 libassuan-devel-2.5.5-2.cm2.aarch64.rpm

@@ -150,9 +150,9 @@ krb5-1.19.4-3.cm2.x86_64.rpm
 krb5-debuginfo-1.19.4-3.cm2.x86_64.rpm
 krb5-devel-1.19.4-3.cm2.x86_64.rpm
 krb5-lang-1.19.4-3.cm2.x86_64.rpm
-libarchive-3.6.1-3.cm2.x86_64.rpm
-libarchive-debuginfo-3.6.1-3.cm2.x86_64.rpm
-libarchive-devel-3.6.1-3.cm2.x86_64.rpm
+libarchive-3.6.1-4.cm2.x86_64.rpm
+libarchive-debuginfo-3.6.1-4.cm2.x86_64.rpm
+libarchive-devel-3.6.1-4.cm2.x86_64.rpm
 libassuan-2.5.5-2.cm2.x86_64.rpm
 libassuan-debuginfo-2.5.5-2.cm2.x86_64.rpm
 libassuan-devel-2.5.5-2.cm2.x86_64.rpm