diff --git a/0005-fix-OOB-in-rar-audio-filter-2149.patch b/0005-fix-OOB-in-rar-audio-filter-2149.patch new file mode 100644 index 0000000..7f31830 --- /dev/null +++ b/0005-fix-OOB-in-rar-audio-filter-2149.patch @@ -0,0 +1,32 @@ +From 3006bc5d02ad3ae3c4f9274f60c1f9d2d834734b Mon Sep 17 00:00:00 2001 +From: Wei-Cheng Pan +Date: Mon, 29 Apr 2024 06:53:19 +0900 +Subject: [PATCH] fix: OOB in rar audio filter (#2149) + +This patch ensures that `src` won't move ahead of `dst`, so `src` will +not OOB. Similar situation like in a1cb648. +--- + libarchive/archive_read_support_format_rar.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/libarchive/archive_read_support_format_rar.c b/libarchive/archive_read_support_format_rar.c +index 619ee81e..4fc6626c 100644 +--- a/libarchive/archive_read_support_format_rar.c ++++ b/libarchive/archive_read_support_format_rar.c +@@ -3722,6 +3722,13 @@ execute_filter_audio(struct rar_filter *filter, struct rar_virtual_machine *vm) + memset(&state, 0, sizeof(state)); + for (j = i; j < length; j += numchannels) + { ++ /* ++ * The src block should not overlap with the dst block. ++ * If so it would be better to consider this archive is broken. ++ */ ++ if (src >= dst) ++ return 0; ++ + int8_t delta = (int8_t)*src++; + uint8_t predbyte, byte; + int prederror; +-- +2.46.2 + diff --git a/0006-fix-OOB-in-rar-delta-filter-2148.patch b/0006-fix-OOB-in-rar-delta-filter-2148.patch new file mode 100644 index 0000000..a65a09d --- /dev/null +++ b/0006-fix-OOB-in-rar-delta-filter-2148.patch @@ -0,0 +1,36 @@ +From a1cb648d52f5b6d3f31184d9b6a7cbca628459b7 Mon Sep 17 00:00:00 2001 +From: Wei-Cheng Pan +Date: Mon, 29 Apr 2024 06:50:22 +0900 +Subject: [PATCH] fix: OOB in rar delta filter (#2148) + +Ensure that `src` won't move ahead of `dst`, so `src` will not OOB. +Since `dst` won't move in this function, and we are only increasing `src` +position, this check should be enough. It should be safe to early return +because this function does not allocate resources. +--- + libarchive/archive_read_support_format_rar.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/libarchive/archive_read_support_format_rar.c b/libarchive/archive_read_support_format_rar.c +index 79669a8f..619ee81e 100644 +--- a/libarchive/archive_read_support_format_rar.c ++++ b/libarchive/archive_read_support_format_rar.c +@@ -3612,7 +3612,15 @@ execute_filter_delta(struct rar_filter *filter, struct rar_virtual_machine *vm) + { + uint8_t lastbyte = 0; + for (idx = i; idx < length; idx += numchannels) ++ { ++ /* ++ * The src block should not overlap with the dst block. ++ * If so it would be better to consider this archive is broken. ++ */ ++ if (src >= dst) ++ return 0; + lastbyte = dst[idx] = lastbyte - *src++; ++ } + } + + filter->filteredblockaddress = length; +-- +2.46.2 + diff --git a/libarchive.spec b/libarchive.spec index 60b32f0..ec41097 100644 --- a/libarchive.spec +++ b/libarchive.spec @@ -2,7 +2,7 @@ Name: libarchive Version: 3.7.2 -Release: 7%{?dist} +Release: 8%{?dist} Summary: A library for handling streaming archive formats # Licenses: @@ -56,6 +56,13 @@ Patch0003: 0003-fix-OOB-in-rar-e8-filter.patch # Fixes CVE-2024-20696 Patch0004: 0004-rar4-reader-protect-copy_from_lzss_window_to_unp-217.patch +# Upstream patches: +# https://github.com/libarchive/libarchive/commit/3006bc5d02ad3ae3c4f9274f60c1f9d2d834734b +# https://github.com/libarchive/libarchive/commit/a1cb648d52f5b6d3f31184d9b6a7cbca628459b7 +# Fixes CVE-2024-48957 +Patch0005: 0005-fix-OOB-in-rar-audio-filter-2149.patch +Patch0006: 0006-fix-OOB-in-rar-delta-filter-2148.patch + %description Libarchive is a programming library that can create and read several different streaming archive formats, including most popular tar variants, several cpio @@ -253,6 +260,10 @@ run_testsuite %changelog +* Mon Oct 14 2024 Lukas Javorsky - 3.7.2-7 +- Fix CVE-2024-48957 +- Resolves: RHEL-62015 + * Mon Jun 24 2024 Troy Dawson - 3.7.2-7 - Bump release for June 2024 mass rebuild