From e79a026fe5595cf692850f9a66d5071c7dee68a0 Mon Sep 17 00:00:00 2001 From: Lukas Javorsky Date: Wed, 25 May 2022 10:18:54 +0000 Subject: [PATCH] Fix for CVE-2022-26280 Resolves: #2086977 --- libarchive-3.5.3-Fix-CVE-2022-26280.patch | 14 ++++++++++++++ libarchive.spec | 7 ++++++- 2 files changed, 20 insertions(+), 1 deletion(-) create mode 100644 libarchive-3.5.3-Fix-CVE-2022-26280.patch diff --git a/libarchive-3.5.3-Fix-CVE-2022-26280.patch b/libarchive-3.5.3-Fix-CVE-2022-26280.patch new file mode 100644 index 0000000..1fd9431 --- /dev/null +++ b/libarchive-3.5.3-Fix-CVE-2022-26280.patch @@ -0,0 +1,14 @@ +# Patch sources from libarchive upstream +# Source: https://github.com/libarchive/libarchive/commit/cfaa28168a07ea4a53276b63068f94fce37d6aff + +--- libarchive-3.5.3/libarchive/archive_read_support_format_zip.c.old 2022-05-18 08:55:50.861574517 +0000 ++++ libarchive-3.5.3/libarchive/archive_read_support_format_zip.c 2022-05-18 08:57:03.049574517 +0000 +@@ -1657,7 +1657,7 @@ zipx_lzma_alone_init(struct archive_read + */ + + /* Read magic1,magic2,lzma_params from the ZIPX stream. */ +- if((p = __archive_read_ahead(a, 9, NULL)) == NULL) { ++ if(zip->entry_bytes_remaining < 9 || (p = __archive_read_ahead(a, 9, NULL)) == NULL) { + archive_set_error(&a->archive, ARCHIVE_ERRNO_FILE_FORMAT, + "Truncated lzma data"); + return (ARCHIVE_FATAL); diff --git a/libarchive.spec b/libarchive.spec index e79cd78..6623fa2 100644 --- a/libarchive.spec +++ b/libarchive.spec @@ -2,7 +2,7 @@ Name: libarchive Version: 3.5.3 -Release: 1%{?dist} +Release: 2%{?dist} Summary: A library for handling streaming archive formats License: BSD @@ -10,6 +10,8 @@ URL: https://www.libarchive.org/ Source0: https://libarchive.org/downloads/%{name}-%{version}.tar.gz Patch1: openssl3-rmd160failure.patch +# Source: https://github.com/libarchive/libarchive/commit/cfaa28168a07ea4a53276b63068f94fce37d6aff +Patch2: %{name}-3.5.3-Fix-CVE-2022-26280.patch BuildRequires: automake BuildRequires: bison @@ -213,6 +215,9 @@ run_testsuite %changelog +* Wed May 18 2022 Lukas Javorsky - 3.5.3-2 +- Resolves: CVE-2022-26280 + * Mon Feb 14 2022 Lukas Javorsky - 3.5.3-1 - Rebase to version 3.5.3