From 3a704b176426aa9c9f2ae0015df0600405f69ab1 Mon Sep 17 00:00:00 2001
From: Pavol Sloboda <psloboda@redhat.com>
Date: Wed, 8 Apr 2026 13:49:55 +0200
Subject: [PATCH] Fix for CVE-2026-4424

Resolves: RHEL-157397
---
 0006-Fix-CVE-2026-4424.patch | 31 +++++++++++++++++++++++++++++++
 libarchive.spec              |  3 +++
 2 files changed, 34 insertions(+)
 create mode 100644 0006-Fix-CVE-2026-4424.patch

diff --git a/0006-Fix-CVE-2026-4424.patch b/0006-Fix-CVE-2026-4424.patch
new file mode 100644
index 0000000..1c807ee
--- /dev/null
+++ b/0006-Fix-CVE-2026-4424.patch
@@ -0,0 +1,31 @@
+# This patch originally consisted of 3 hunks on the upstream:
+# https://github.com/libarchive/libarchive/pull/2898/changes/e1907c5832b6489c7b4198b0825f857c93a03c10
+# https://github.com/libarchive/libarchive/pull/2898/changes/d379dc0b2976b7207d1ad78f5ed3eb99a5b6d375
+# but only the first and third hunk needs to be backported since the
+# logic fix the second hunk provides does not need to be added
+# as the logic is still correct in the current version of libarchive (3.7.7)
+# thus the vulnerability in the code does not yet exist
+diff -Naur libarchive-3.7.7/libarchive/archive_read_support_format_rar.c libarchive-3.7.7_patched/libarchive/archive_read_support_format_rar.c
+--- libarchive-3.7.7/libarchive/archive_read_support_format_rar.c	2024-10-13 10:11:23.000000000 +0200
++++ libarchive-3.7.7_patched/libarchive/archive_read_support_format_rar.c	2026-04-08 12:50:20.721234057 +0200
+@@ -2503,7 +2503,8 @@
+       return (r);
+   }
+ 
+-  if (!rar->dictionary_size || !rar->lzss.window)
++  if (!rar->dictionary_size || !rar->lzss.window ||
++      (unsigned int)(rar->lzss.mask + 1) < rar->dictionary_size)
+   {
+     /* Seems as though dictionary sizes are not used. Even so, minimize
+      * memory usage as much as possible.
+@@ -3266,6 +3267,10 @@
+   else
+     blocklength = prog ? prog->oldfilterlength : 0;
+ 
++  if (blocklength > rar->dictionary_size ||
++      blocklength > (uint32_t)(rar->lzss.mask + 1))
++    return 0;
++
+   registers[3] = PROGRAM_SYSTEM_GLOBAL_ADDRESS;
+   registers[4] = blocklength;
+   registers[5] = prog ? prog->usagecount : 0;
diff --git a/libarchive.spec b/libarchive.spec
index 5f46135..22ddd40 100644
--- a/libarchive.spec
+++ b/libarchive.spec
@@ -52,6 +52,9 @@ Patch0003: 0003-Fix-CVE-2025-25724.patch
 Patch0004: 0004-rar-Fix-double-free-with-over-4-billion-nodes-2598.patch
 # Source: https://github.com/mmatuska/libarchive/commit/ec19fcbd20b18bd3b0fdcf2b3fb97789cd1bf575
 Patch0005: 0005-Infinite-loop-in-Rar5-decompression.patch
+# Source: https://github.com/libarchive/libarchive/pull/2898/changes/d379dc0b2976b7207d1ad78f5ed3eb99a5b6d375
+# and: https://github.com/libarchive/libarchive/pull/2898/changes/e1907c5832b6489c7b4198b0825f857c93a03c10
+Patch0006: 0006-Fix-CVE-2026-4424.patch
 
 %description
 Libarchive is a programming library that can create and read several different