packages/libarchive
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Compare commits

base: packages:ca8878ff8883f243b680ad019743681e5462da34
Branches Tags
packages:main
..
compare: packages:3e09a03b547e03439cac5e8cfd35c75419cc006e
Branches Tags
packages:main

No commits in common. "ca8878ff8883f243b680ad019743681e5462da34" and "3e09a03b547e03439cac5e8cfd35c75419cc006e" have entirely different histories.
ca8878ff88 ... 3e09a03b54

8 changed files with 1 additions and 364 deletions
Show Stats Expand all files Collapse all files

116
backport-CVE-2024-20696.patch
View File

@ -1,116 +0,0 @@
From eac15e252010c1189a5c0f461364dbe2cd2a68b1 Mon Sep 17 00:00:00 2001
From: "Dustin L. Howett" <dustin@howett.net>
Date: Thu, 9 May 2024 18:59:17 -0500
Subject: [PATCH] rar4 reader: protect copy_from_lzss_window_to_unp() (#2172)
copy_from_lzss_window_to_unp unnecessarily took an `int` parameter where
both of its callers were holding a `size_t`.
A lzss opcode chain could be constructed that resulted in a negative
copy length, which when passed into memcpy would result in a very, very
large positive number.
Switching copy_from_lzss_window_to_unp to take a `size_t` allows it to
properly bounds-check length.
In addition, this patch also ensures that `length` is not itself larger
than the destination buffer.
Security: CVE-2024-20696
---
libarchive/archive_read_support_format_rar.c | 28 +++++++++++++-------
1 file changed, 18 insertions(+), 10 deletions(-)
diff --git a/libarchive/archive_read_support_format_rar.c b/libarchive/archive_read_support_format_rar.c
index 4fc6626ca..5776df4bd 100644
--- a/libarchive/archive_read_support_format_rar.c
+++ b/libarchive/archive_read_support_format_rar.c
@@ -432,7 +432,7 @@ static int make_table_recurse(struct archive_read *, struct huffman_code *, int,
struct huffman_table_entry *, int, int);
static int expand(struct archive_read *, int64_t *);
static int copy_from_lzss_window_to_unp(struct archive_read *, const void **,
- int64_t, int);
+ int64_t, size_t);
static const void *rar_read_ahead(struct archive_read *, size_t, ssize_t *);
static int parse_filter(struct archive_read *, const uint8_t *, uint16_t,
uint8_t);
@@ -2060,7 +2060,7 @@ read_data_compressed(struct archive_read *a, const void **buff, size_t *size,
bs = rar->unp_buffer_size - rar->unp_offset;
else
bs = (size_t)rar->bytes_uncopied;
- ret = copy_from_lzss_window_to_unp(a, buff, rar->offset, (int)bs);
+ ret = copy_from_lzss_window_to_unp(a, buff, rar->offset, bs);
if (ret != ARCHIVE_OK)
return (ret);
rar->offset += bs;
@@ -2213,7 +2213,7 @@ read_data_compressed(struct archive_read *a, const void **buff, size_t *size,
bs = rar->unp_buffer_size - rar->unp_offset;
else
bs = (size_t)rar->bytes_uncopied;
- ret = copy_from_lzss_window_to_unp(a, buff, rar->offset, (int)bs);
+ ret = copy_from_lzss_window_to_unp(a, buff, rar->offset, bs);
if (ret != ARCHIVE_OK)
return (ret);
rar->offset += bs;
@@ -3094,11 +3094,16 @@ copy_from_lzss_window(struct archive_read *a, void *buffer,
static int
copy_from_lzss_window_to_unp(struct archive_read *a, const void **buffer,
- int64_t startpos, int length)
+ int64_t startpos, size_t length)
{
int windowoffs, firstpart;
struct rar *rar = (struct rar *)(a->format->data);
+ if (length > rar->unp_buffer_size)
+ {
+ goto fatal;
+ }
+
if (!rar->unp_buffer)
{
if ((rar->unp_buffer = malloc(rar->unp_buffer_size)) == NULL)
@@ -3110,17 +3115,17 @@ copy_from_lzss_window_to_unp(struct archive_read *a, const void **buffer,
}
windowoffs = lzss_offset_for_position(&rar->lzss, startpos);
- if(windowoffs + length <= lzss_size(&rar->lzss)) {
+ if(windowoffs + length <= (size_t)lzss_size(&rar->lzss)) {
memcpy(&rar->unp_buffer[rar->unp_offset], &rar->lzss.window[windowoffs],
length);
- } else if (length <= lzss_size(&rar->lzss)) {
+ } else if (length <= (size_t)lzss_size(&rar->lzss)) {
firstpart = lzss_size(&rar->lzss) - windowoffs;
if (firstpart < 0) {
archive_set_error(&a->archive, ARCHIVE_ERRNO_FILE_FORMAT,
"Bad RAR file data");
return (ARCHIVE_FATAL);
}
- if (firstpart < length) {
+ if ((size_t)firstpart < length) {
memcpy(&rar->unp_buffer[rar->unp_offset],
&rar->lzss.window[windowoffs], firstpart);
memcpy(&rar->unp_buffer[rar->unp_offset + firstpart],
@@ -3130,9 +3135,7 @@ copy_from_lzss_window_to_unp(struct archive_read *a, const void **buffer,
&rar->lzss.window[windowoffs], length);
}
} else {
- archive_set_error(&a->archive, ARCHIVE_ERRNO_FILE_FORMAT,
- "Bad RAR file data");
- return (ARCHIVE_FATAL);
+ goto fatal;
}
rar->unp_offset += length;
if (rar->unp_offset >= rar->unp_buffer_size)
@@ -3140,6 +3143,11 @@ copy_from_lzss_window_to_unp(struct archive_read *a, const void **buffer,
else
*buffer = NULL;
return (ARCHIVE_OK);
+
+fatal:
+ archive_set_error(&a->archive, ARCHIVE_ERRNO_FILE_FORMAT,
+ "Bad RAR file data");
+ return (ARCHIVE_FATAL);
}
static const void *

23
backport-CVE-2024-20697-CVE-2024-26256.patch
View File

@ -1,23 +0,0 @@
From eb7939b24a681a04648a59cdebd386b1e9dc9237 Mon Sep 17 00:00:00 2001
From: Wei-Cheng Pan <legnaleurc@gmail.com>
Date: Mon, 22 Apr 2024 01:55:41 +0900
Subject: [PATCH] fix: OOB in rar e8 filter (#2135)
This patch fixes an out-of-bound error in rar e8 filter.
---
libarchive/archive_read_support_format_rar.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libarchive/archive_read_support_format_rar.c b/libarchive/archive_read_support_format_rar.c
index 99a11d1700..266d0ee995 100644
--- a/libarchive/archive_read_support_format_rar.c
+++ b/libarchive/archive_read_support_format_rar.c
@@ -3615,7 +3615,7 @@ execute_filter_e8(struct rar_filter *filter, struct rar_virtual_machine *vm, siz
uint32_t filesize = 0x1000000;
uint32_t i;
- if (length > PROGRAM_WORK_SIZE || length < 4)
+ if (length > PROGRAM_WORK_SIZE || length <= 4)
return 0;
for (i = 0; i <= length - 5; i++)

33
backport-CVE-2024-26256-CVE-2024-43495.patch
View File

@ -1,33 +0,0 @@
From b7b0c7c4379531206a53634a12a02a8d45b28a2f Mon Sep 17 00:00:00 2001
From: terrynini <terrynini38514@gmail.com>
Date: Wed, 14 Aug 2024 16:01:21 +0800
Subject: [PATCH] Fix CVE-2024-26256 (#2269)
Opening a manipulated RAR archive could lead to remote code execution
Security: CVE-2024-26256
Co-authored-by: Timothy Lyanguzov <theta682@gmail.com>
---
libarchive/archive_read_support_format_rar.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/libarchive/archive_read_support_format_rar.c b/libarchive/archive_read_support_format_rar.c
index fb7cfde7..f4dcb752 100644
--- a/libarchive/archive_read_support_format_rar.c
+++ b/libarchive/archive_read_support_format_rar.c
@@ -3428,6 +3428,12 @@ run_filters(struct archive_read *a)
return 0;
}
+ if (filter->blocklength > VM_MEMORY_SIZE)
+ {
+ archive_set_error(&a->archive, ARCHIVE_ERRNO_FILE_FORMAT, "Bad RAR file data");
+ return 0;
+ }
+
ret = copy_from_lzss_window(a, filters->vm->memory, start, filter->blocklength);
if (ret != ARCHIVE_OK)
return 0;
--
2.33.0

29
backport-CVE-2024-48957.patch
View File

@ -1,29 +0,0 @@
From 3006bc5d02ad3ae3c4f9274f60c1f9d2d834734b Mon Sep 17 00:00:00 2001
From: Wei-Cheng Pan <legnaleurc@gmail.com>
Date: Mon, 29 Apr 2024 06:53:19 +0900
Subject: [PATCH] fix: OOB in rar audio filter (#2149)
This patch ensures that `src` won't move ahead of `dst`, so `src` will
not OOB. Similar situation like in a1cb648.
---
libarchive/archive_read_support_format_rar.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/libarchive/archive_read_support_format_rar.c b/libarchive/archive_read_support_format_rar.c
index 619ee81e2..4fc6626ca 100644
--- a/libarchive/archive_read_support_format_rar.c
+++ b/libarchive/archive_read_support_format_rar.c
@@ -3722,6 +3722,13 @@ execute_filter_audio(struct rar_filter *filter, struct rar_virtual_machine *vm)
memset(&state, 0, sizeof(state));
for (j = i; j < length; j += numchannels)
{
+ /*
+ * The src block should not overlap with the dst block.
+ * If so it would be better to consider this archive is broken.
+ */
+ if (src >= dst)
+ return 0;
+
int8_t delta = (int8_t)*src++;
uint8_t predbyte, byte;
int prederror;

33
backport-CVE-2024-48958.patch
View File

@ -1,33 +0,0 @@
From a1cb648d52f5b6d3f31184d9b6a7cbca628459b7 Mon Sep 17 00:00:00 2001
From: Wei-Cheng Pan <legnaleurc@gmail.com>
Date: Mon, 29 Apr 2024 06:50:22 +0900
Subject: [PATCH] fix: OOB in rar delta filter (#2148)
Ensure that `src` won't move ahead of `dst`, so `src` will not OOB.
Since `dst` won't move in this function, and we are only increasing `src`
position, this check should be enough. It should be safe to early return
because this function does not allocate resources.
---
libarchive/archive_read_support_format_rar.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/libarchive/archive_read_support_format_rar.c b/libarchive/archive_read_support_format_rar.c
index 79669a8f4..619ee81e2 100644
--- a/libarchive/archive_read_support_format_rar.c
+++ b/libarchive/archive_read_support_format_rar.c
@@ -3612,7 +3612,15 @@ execute_filter_delta(struct rar_filter *filter, struct rar_virtual_machine *vm)
{
uint8_t lastbyte = 0;
for (idx = i; idx < length; idx += numchannels)
+ {
+ /*
+ * The src block should not overlap with the dst block.
+ * If so it would be better to consider this archive is broken.
+ */
+ if (src >= dst)
+ return 0;
lastbyte = dst[idx] = lastbyte - *src++;
+ }
}
filter->filteredblockaddress = length;

57
backport-CVE-2025-1632.patch
View File

@ -1,57 +0,0 @@
From 0a35ab97fae6fb9acecab46b570c14e3be1646e7 Mon Sep 17 00:00:00 2001
From: Peter Kaestle <peter@piie.net>
Date: Wed, 5 Mar 2025 15:34:44 +0100
Subject: [PATCH] unzip/bsdunzip.c: fix NULL ptr dereference issue inside
list()
Fix CVE-2025-1632 by detecting NULL return of archive_entry_pathname()
and replacing it by "INVALID PATH" string.
Error poc: https://github.com/Ekkosun/pocs/blob/main/bsdunzip-poc
Signed-off-by: Peter Kaestle <peter@piie.net>
---
unzip/bsdunzip.c | 10 +++++++---
1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/unzip/bsdunzip.c b/unzip/bsdunzip.c
index 7c8cafc3e..4a9028b79 100644
--- a/unzip/bsdunzip.c
+++ b/unzip/bsdunzip.c
@@ -876,6 +876,7 @@ list(struct archive *a, struct archive_entry *e)
char buf[20];
time_t mtime;
struct tm *tm;
+ const char *pathname;
mtime = archive_entry_mtime(e);
tm = localtime(&mtime);
@@ -884,22 +885,25 @@ list(struct archive *a, struct archive_entry *e)
else
strftime(buf, sizeof(buf), "%m-%d-%g %R", tm);
+ pathname = archive_entry_pathname(e);
+ if (!pathname)
+ pathname = "";
if (!zipinfo_mode) {
if (v_opt == 1) {
printf(" %8ju %s %s\n",
(uintmax_t)archive_entry_size(e),
- buf, archive_entry_pathname(e));
+ buf, pathname);
} else if (v_opt == 2) {
printf("%8ju Stored %7ju 0%% %s %08x %s\n",
(uintmax_t)archive_entry_size(e),
(uintmax_t)archive_entry_size(e),
buf,
0U,
- archive_entry_pathname(e));
+ pathname);
}
} else {
if (Z1_opt)
- printf("%s\n",archive_entry_pathname(e));
+ printf("%s\n", pathname);
}
ac(archive_read_data_skip(a));
}

34
backport-CVE-2025-25724.patch
View File

@ -1,34 +0,0 @@
From 6636f89f5fe08a20de3b2d034712c781d3a67985 Mon Sep 17 00:00:00 2001
From: Peter Kaestle <peter@piie.net>
Date: Wed, 5 Mar 2025 15:01:14 +0100
Subject: [PATCH] tar/util.c: fix NULL pointer dereference issue on strftime
Fix CVE-2025-25724 by detecting NULL return of localtime_r(&tim, &tmbuf),
which could happen in case tim is incredible big.
In case this error is triggered, put an "INVALID DATE" string into the
outbuf.
Error poc: https://github.com/Ekkosun/pocs/blob/main/bsdtarbug
Signed-off-by: Peter Kaestle <peter@piie.net>
---
tar/util.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/tar/util.c b/tar/util.c
index 3b099cb5f..f3cbdf0bb 100644
--- a/tar/util.c
+++ b/tar/util.c
@@ -749,7 +749,10 @@ list_item_verbose(struct bsdtar *bsdtar, FILE *out, struct archive_entry *entry)
#else
ltime = localtime(&tim);
#endif
- strftime(tmp, sizeof(tmp), fmt, ltime);
+ if (ltime)
+ strftime(tmp, sizeof(tmp), fmt, ltime);
+ else
+ sprintf(tmp, "-- -- ----");
fprintf(out, " %s ", tmp);
safe_fprintf(out, "%s", archive_entry_pathname(entry));

40
libarchive.spec
View File

@ -2,20 +2,12 @@
Name: libarchive
Version: 3.7.1
Release: 6
Release: 1
Summary: Multi-format archive and compression library
License: BSD
URL: https://www.libarchive.org/
Source0: https://libarchive.org/downloads/%{name}-%{version}.tar.gz
Patch6000: backport-CVE-2024-20697-CVE-2024-26256.patch
Patch6001: backport-CVE-2024-20696.patch
Patch6002: backport-CVE-2024-26256-CVE-2024-43495.patch
Patch6003: backport-CVE-2024-48957.patch
Patch6004: backport-CVE-2024-48958.patch
Patch6005: backport-CVE-2025-1632.patch
Patch6006: backport-CVE-2025-25724.patch
BuildRequires: gcc bison sharutils zlib-devel bzip2-devel xz-devel
BuildRequires: lzo-devel e2fsprogs-devel libacl-devel libattr-devel
BuildRequires: openssl-devel libxml2-devel lz4-devel automake libzstd-devel
@ -206,36 +198,6 @@ run_testsuite
%{_mandir}/*/bsdunzip*
%changelog
* Tue Mar 11 2025 lingsheng <lingsheng1@h-partners.com> - 3.7.1-6
- Type:CVE
- ID:CVE-2025-1632,CVE-2025-25724
- SUG:NA
- DESC:fix CVE-2025-1632 CVE-2025-25724
* Sat Oct 12 2024 lingsheng <lingsheng1@h-partners.com> - 3.7.1-5
- Type:CVE
- ID:CVE-2024-48957,CVE-2024-48958
- SUG:NA
- DESC:fix CVE-2024-48957 CVE-2024-48958
* Thu Sep 19 2024 lingsheng <lingsheng1@h-partners.com> - 3.7.1-4
- Type:CVE
- ID:CVE-2024-26256,CVE-2024-43495
- SUG:NA
- DESC:fix CVE-2024-26256 CVE-2024-43495
* Thu Jun 06 2024 lingsheng <lingsheng1@h-partners.com> - 3.7.1-3
- Type:CVE
- ID:CVE-2024-20696
- SUG:NA
- DESC:fix CVE-2024-20696
* Fri May 24 2024 lingsheng <lingsheng1@h-partners.com> - 3.7.1-2
- Type:CVE
- ID:CVE-2024-20697,CVE-2024-26256
- SUG:NA
- DESC:fix CVE-2024-20697 CVE-2024-26256
* Thu Aug 3 2023 dillon chen<dillon.chen@gmail.com> - 3.7.1-1
- Upgrade to 3.7.1
- Add new bsdunzip subpackage