From f0033151897f47daa0dd33f60c1fbb5a3f05438e Mon Sep 17 00:00:00 2001
From: AlmaLinux RelEng Bot
Date: Thu, 16 Apr 2026 12:19:52 -0400
Subject: [PATCH] import UBI libarchive-3.7.7-8.el10_1
---
 0006-Fix-CVE-2026-4424.patch | 31 +++++++++++++++++++++++++++++++
 libarchive.spec | 25 ++++++++++++++++++++++++-
 2 files changed, 55 insertions(+), 1 deletion(-)
 create mode 100644 0006-Fix-CVE-2026-4424.patch
diff --git a/0006-Fix-CVE-2026-4424.patch b/0006-Fix-CVE-2026-4424.patch
new file mode 100644
index 0000000..1c807ee
--- /dev/null
+++ b/0006-Fix-CVE-2026-4424.patch
@@ -0,0 +1,31 @@
+# This patch originally consisted of 3 hunks on the upstream:
+# https://github.com/libarchive/libarchive/pull/2898/changes/e1907c5832b6489c7b4198b0825f857c93a03c10
+# https://github.com/libarchive/libarchive/pull/2898/changes/d379dc0b2976b7207d1ad78f5ed3eb99a5b6d375
+# but only the first and third hunk needs to be backported since the
+# logic fix the second hunk provides does not need to be added
+# as the logic is still correct in the current version of libarchive (3.7.7)
+# thus the vulnerability in the code does not yet exist
+diff -Naur libarchive-3.7.7/libarchive/archive_read_support_format_rar.c libarchive-3.7.7_patched/libarchive/archive_read_support_format_rar.c
+--- libarchive-3.7.7/libarchive/archive_read_support_format_rar.c 2024-10-13 10:11:23.000000000 +0200
++++ libarchive-3.7.7_patched/libarchive/archive_read_support_format_rar.c 2026-04-08 12:50:20.721234057 +0200
+@@ -2503,7 +2503,8 @@
+ return (r);
+ }
+
+- if (!rar->dictionary_size || !rar->lzss.window)
++ if (!rar->dictionary_size || !rar->lzss.window ||
++ (unsigned int)(rar->lzss.mask + 1) < rar->dictionary_size
+ {
+ /* Seems as though dictionary sizes are not used. Even so, minimize
+ * memory usage as much as possible.
+@@ -3266,6 +3267,10 @@
+ else
+ blocklength = prog ? prog->oldfilterlength : 0;
+
++ if (blocklength > rar->dictionary_size ||
++ blocklength > (uint32_t)(rar->lzss.mask + 1))
++ return 0;
++
+ registers[3] = PROGRAM_SYSTEM_GLOBAL_ADDRESS;
+ registers[4] = blocklength;
+ registers[5] = prog ? prog->usagecount : 0;
diff --git a/libarchive.spec b/libarchive.spec
index 01f7c89..8b62a75 100644
--- a/libarchive.spec
+++ b/libarchive.spec
@@ -2,7 +2,7 @@
 Name: libarchive
 Version: 3.7.7
-Release: 5%{?dist}
+Release: 8%{?dist}
 Summary: A library for handling streaming archive formats
 # Licenses:
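Review bot: In the first inner hunk the added condition reads `++ (unsigned int)(rar->lzss.mask + 1) < rar->dictionary_size` with no closing `)` before the `{` on the following line, which would not compile if the patch file really contains it; most likely the paren was lost when this page was captured, but it is worth confirming against the file as built. The second inner hunk's new guard ends in a bare `return 0;` and nothing says why `dictionary_size` and `lzss.mask + 1` are the bounds, so a line such as `/* A filter block larger than the dictionary or the LZSS window cannot be valid. */` above the `if` would keep the CVE rationale next to the check. The same window size is spelled `(unsigned int)(rar->lzss.mask + 1)` in one hunk and `(uint32_t)(rar->lzss.mask + 1)` in the other; if that mirrors upstream it is best left alone, otherwise one spelling is preferable. The header comment drops the upstream's second hunk without saying where in archive_read_support_format_rar.c it would land, so naming that location would let a future rebase re-check the claim cheaply. Both enclosing functions start and end outside the hunk, and whether 0 is the failure value their callers expect cannot be confirmed from here.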
@@ -52,6 +52,9 @@ Patch0003: 0003-Fix-CVE-2025-25724.patch
 Patch0004: 0004-rar-Fix-double-free-with-over-4-billion-nodes-2598.patch
 # Source: https://github.com/mmatuska/libarchive/commit/ec19fcbd20b18bd3b0fdcf2b3fb97789cd1bf575
 Patch0005: 0005-Infinite-loop-in-Rar5-decompression.patch
+# Source: https://github.com/libarchive/libarchive/pull/2898/changes/d379dc0b2976b7207d1ad78f5ed3eb99a5b6d375
+# and: https://github.com/libarchive/libarchive/pull/2898/changes/e1907c5832b6489c7b4198b0825f857c93a03c10
+Patch0006: 0006-Fix-CVE-2026-4424.patch
 %description
 Libarchive is a programming library that can create and read several different
@@ -178,6 +181,17 @@ cat_logs ()
 run_testsuite ()
 {
 rc=0
+ # Workaround: libtool wrappers (e.g. ./bsdcpio) copy the real binary from
+ # .libs/bsdcpio to .libs/lt-bsdcpio and execute that, so argv[0] becomes
+ # "lt-bsdcpio". On filesystems with large inode numbers (e.g. ppc64le),
+ # cpio newc format tests emit truncation warnings containing the program
+ # name and fail because they expect "bsdcpio:" but get "lt-bsdcpio:".
+ # Fix by patching the wrapper scripts to not use the lt- prefix.
+ for f in bsdcpio bsdtar bsdcat bsdunzip; do
+ if [ -f "$f" ] && grep -q "lt-$f" "$f" 2>/dev/null; then
+ sed -i "s|lt-$f|$f|g" "$f"
+ fi
+ done
 %make_build check -j1 || {
 # error happened - try to extract in koji as much info as possible
 cat_logs
@@ -250,6 +264,15 @@ run_testsuite
 %changelog
+* Wed Apr 08 2026 Pavol Sloboda - 3.7.7-8
+- Resolves: CVE-2026-4424
+
+* Wed Mar 25 2026 Lukas Javorsky - 3.7.7-7
+- Release bump for typo in dist
+
+* Tue Mar 24 2026 Lukas Javorsky - 3.7.7-6
+- Release bump
+
 * Mon Mar 16 2026 Lukas Javorsky - 3.7.7-5
 - Resolves: CVE-2026-4111
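Review bot: The `sed -i "s|lt-$f|$f|g" "$f"` in the new loop of run_testsuite substitutes every occurrence of the `lt-` name in the libtool wrapper, not only the one that sets argv[0], so presumably any relink path the wrapper contains now also points at `.libs/$f` itself; if that is intended, say so in the comment, e.g. `# The substitution is global, so the wrapper's relink target is renamed too.` The comment names the symptom but neither the tests involved nor a condition for removing the workaround, so a line such as `# TODO: drop once <tracking bug id> is fixed upstream` (with the real reference filled in) would stop it outliving its purpose. The `grep ... 2>/dev/null` silences any error reading the wrapper and simply skips the patching, which then lets the test fail for the original reason; that is acceptable but should be the stated intent. `run_testsuite ()` continues past the end of the hunk.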