fix CVE-2024-20697 CVE-2024-26256

backport-CVE-2024-20697-CVE-2024-26256.patch

@@ -0,0 +1,23 @@
+From eb7939b24a681a04648a59cdebd386b1e9dc9237 Mon Sep 17 00:00:00 2001
+From: Wei-Cheng Pan <legnaleurc@gmail.com>
+Date: Mon, 22 Apr 2024 01:55:41 +0900
+Subject: [PATCH] fix: OOB in rar e8 filter (#2135)
+
+This patch fixes an out-of-bound error in rar e8 filter.
+---
+ libarchive/archive_read_support_format_rar.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/libarchive/archive_read_support_format_rar.c b/libarchive/archive_read_support_format_rar.c
+index 99a11d1700..266d0ee995 100644
+--- a/libarchive/archive_read_support_format_rar.c
++++ b/libarchive/archive_read_support_format_rar.c
+@@ -3615,7 +3615,7 @@ execute_filter_e8(struct rar_filter *filter, struct rar_virtual_machine *vm, siz
+   uint32_t filesize = 0x1000000;
+   uint32_t i;
+ 
+-  if (length > PROGRAM_WORK_SIZE || length < 4)
++  if (length > PROGRAM_WORK_SIZE || length <= 4)
+     return 0;
+ 
+   for (i = 0; i <= length - 5; i++)

libarchive.spec

@@ -2,12 +2,14 @@
 
 Name:           libarchive
 Version:        3.7.1
-Release:        1
+Release:        2
 Summary:        Multi-format archive and compression library
 License:        BSD
 URL:            https://www.libarchive.org/
 Source0:        https://libarchive.org/downloads/%{name}-%{version}.tar.gz
 
+Patch6000:      backport-CVE-2024-20697-CVE-2024-26256.patch
+
 BuildRequires:  gcc bison sharutils zlib-devel bzip2-devel xz-devel
 BuildRequires:  lzo-devel e2fsprogs-devel libacl-devel libattr-devel
 BuildRequires:  openssl-devel libxml2-devel lz4-devel automake libzstd-devel
@@ -198,6 +200,12 @@ run_testsuite
 %{_mandir}/*/bsdunzip*
 
 %changelog
+* Fri May 24 2024 lingsheng <lingsheng1@h-partners.com> - 3.7.1-2
+- Type:CVE
+- ID:CVE-2024-20697,CVE-2024-26256
+- SUG:NA
+- DESC:fix CVE-2024-20697 CVE-2024-26256
+
 * Thu Aug  3 2023 dillon chen<dillon.chen@gmail.com> - 3.7.1-1
 - Upgrade to 3.7.1
 - Add new bsdunzip subpackage