Fix for CVE-2024-48957

Resolves: RHEL-62015
This commit is contained in:
Lukas Javorsky 2024-10-14 13:57:44 +00:00
parent d6e946d4e7
commit a274f6e5d2
3 changed files with 80 additions and 1 deletions

View File

@ -0,0 +1,32 @@
From 3006bc5d02ad3ae3c4f9274f60c1f9d2d834734b Mon Sep 17 00:00:00 2001
From: Wei-Cheng Pan <legnaleurc@gmail.com>
Date: Mon, 29 Apr 2024 06:53:19 +0900
Subject: [PATCH] fix: OOB in rar audio filter (#2149)
This patch ensures that `src` won't move ahead of `dst`, so `src` will
not OOB. Similar situation like in a1cb648.
---
libarchive/archive_read_support_format_rar.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/libarchive/archive_read_support_format_rar.c b/libarchive/archive_read_support_format_rar.c
index 619ee81e..4fc6626c 100644
--- a/libarchive/archive_read_support_format_rar.c
+++ b/libarchive/archive_read_support_format_rar.c
@@ -3722,6 +3722,13 @@ execute_filter_audio(struct rar_filter *filter, struct rar_virtual_machine *vm)
memset(&state, 0, sizeof(state));
for (j = i; j < length; j += numchannels)
{
+ /*
+ * The src block should not overlap with the dst block.
+ * If so it would be better to consider this archive is broken.
+ */
+ if (src >= dst)
+ return 0;
+
int8_t delta = (int8_t)*src++;
uint8_t predbyte, byte;
int prederror;
--
2.46.2

View File

@ -0,0 +1,36 @@
From a1cb648d52f5b6d3f31184d9b6a7cbca628459b7 Mon Sep 17 00:00:00 2001
From: Wei-Cheng Pan <legnaleurc@gmail.com>
Date: Mon, 29 Apr 2024 06:50:22 +0900
Subject: [PATCH] fix: OOB in rar delta filter (#2148)
Ensure that `src` won't move ahead of `dst`, so `src` will not OOB.
Since `dst` won't move in this function, and we are only increasing `src`
position, this check should be enough. It should be safe to early return
because this function does not allocate resources.
---
libarchive/archive_read_support_format_rar.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/libarchive/archive_read_support_format_rar.c b/libarchive/archive_read_support_format_rar.c
index 79669a8f..619ee81e 100644
--- a/libarchive/archive_read_support_format_rar.c
+++ b/libarchive/archive_read_support_format_rar.c
@@ -3612,7 +3612,15 @@ execute_filter_delta(struct rar_filter *filter, struct rar_virtual_machine *vm)
{
uint8_t lastbyte = 0;
for (idx = i; idx < length; idx += numchannels)
+ {
+ /*
+ * The src block should not overlap with the dst block.
+ * If so it would be better to consider this archive is broken.
+ */
+ if (src >= dst)
+ return 0;
lastbyte = dst[idx] = lastbyte - *src++;
+ }
}
filter->filteredblockaddress = length;
--
2.46.2

View File

@ -2,7 +2,7 @@
Name: libarchive
Version: 3.7.2
Release: 7%{?dist}
Release: 8%{?dist}
Summary: A library for handling streaming archive formats
# Licenses:
@ -56,6 +56,13 @@ Patch0003: 0003-fix-OOB-in-rar-e8-filter.patch
# Fixes CVE-2024-20696
Patch0004: 0004-rar4-reader-protect-copy_from_lzss_window_to_unp-217.patch
# Upstream patches:
# https://github.com/libarchive/libarchive/commit/3006bc5d02ad3ae3c4f9274f60c1f9d2d834734b
# https://github.com/libarchive/libarchive/commit/a1cb648d52f5b6d3f31184d9b6a7cbca628459b7
# Fixes CVE-2024-48957
Patch0005: 0005-fix-OOB-in-rar-audio-filter-2149.patch
Patch0006: 0006-fix-OOB-in-rar-delta-filter-2148.patch
%description
Libarchive is a programming library that can create and read several different
streaming archive formats, including most popular tar variants, several cpio
@ -253,6 +260,10 @@ run_testsuite
%changelog
* Mon Oct 14 2024 Lukas Javorsky <ljavorsk@redhat.com> - 3.7.2-7
- Fix CVE-2024-48957
- Resolves: RHEL-62015
* Mon Jun 24 2024 Troy Dawson <tdawson@redhat.com> - 3.7.2-7
- Bump release for June 2024 mass rebuild