mirror of
https://git.yoctoproject.org/poky
synced 2026-07-15 15:37:03 +00:00
libarchive: Fix CVE-2026-4424
Pick patches from [1] and [2] as mentioned in Debian report in [3]. [1] https://github.com/libarchive/libarchive/commit/d379dc0b2976b7207d1ad78f5ed3eb99a5b6d375 [2] https://github.com/libarchive/libarchive/commit/e1907c5832b6489c7b4198b0825f857c93a03c10 [3] https://security-tracker.debian.org/tracker/CVE-2026-4424 (From OE-Core rev: 7fa280872275e194152cc2d355ad39c81a477d50) Signed-off-by: Hugo SIMELIERE (Schneider Electric) <hsimeliere.opensource@witekio.com> Reviewed-by: Bruno VERNAY <bruno.vernay@se.com> Signed-off-by: Yoann Congal <yoann.congal@smile.fr> Signed-off-by: Paul Barker <paul@pbarker.dev>
This commit is contained in:
committed by
Paul Barker
parent
0c7beb2bd7
commit
5bfb71633f
@@ -0,0 +1,61 @@
|
||||
From fa32110f851b121a3e1c19fda347e86396fde2bd Mon Sep 17 00:00:00 2001
|
||||
From: elhananhaenel <elhanan.haenel@mail.huji.ac.il>
|
||||
Date: Sat, 7 Mar 2026 22:32:09 +0200
|
||||
Subject: [PATCH 1/2] rar: fix LZSS window size mismatch after PPMd block
|
||||
|
||||
When a PPMd-compressed block updates dictionary_size, the LZSS window
|
||||
from a prior block is not reallocated. The allocation guard only checks
|
||||
if dictionary_size is zero or the window pointer is NULL, not whether
|
||||
the existing window is large enough. This allows copy_from_lzss_window()
|
||||
to read past the allocated buffer.
|
||||
|
||||
Fix the guard to also check whether the current window is undersized.
|
||||
Add bounds checks in copy_from_lzss_window() and parse_filter() as
|
||||
defense in depth.
|
||||
|
||||
CVE: CVE-2026-4424
|
||||
Upstream-Status: Backport [https://github.com/libarchive/libarchive/commit/d379dc0b2976b7207d1ad78f5ed3eb99a5b6d375]
|
||||
Signed-off-by: Hugo SIMELIERE (Schneider Electric) <hsimeliere.opensource@witekio.com>
|
||||
---
|
||||
libarchive/archive_read_support_format_rar.c | 11 +++++++++--
|
||||
1 file changed, 9 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/libarchive/archive_read_support_format_rar.c b/libarchive/archive_read_support_format_rar.c
|
||||
index 88eab627..b23be937 100644
|
||||
--- a/libarchive/archive_read_support_format_rar.c
|
||||
+++ b/libarchive/archive_read_support_format_rar.c
|
||||
@@ -2503,7 +2503,8 @@ parse_codes(struct archive_read *a)
|
||||
return (r);
|
||||
}
|
||||
|
||||
- if (!rar->dictionary_size || !rar->lzss.window)
|
||||
+ if (!rar->dictionary_size || !rar->lzss.window ||
|
||||
+ (rar->lzss.mask + 1) < rar->dictionary_size)
|
||||
{
|
||||
/* Seems as though dictionary sizes are not used. Even so, minimize
|
||||
* memory usage as much as possible.
|
||||
@@ -3104,6 +3105,11 @@ copy_from_lzss_window(struct archive_read *a, uint8_t *buffer,
|
||||
|
||||
windowoffs = lzss_offset_for_position(&rar->lzss, startpos);
|
||||
firstpart = lzss_size(&rar->lzss) - windowoffs;
|
||||
+ if (length > lzss_size(&rar->lzss)) {
|
||||
+ archive_set_error(&a->archive, ARCHIVE_ERRNO_FILE_FORMAT,
|
||||
+ "Bad RAR file data");
|
||||
+ return (ARCHIVE_FATAL);
|
||||
+ }
|
||||
if (firstpart < 0) {
|
||||
archive_set_error(&a->archive, ARCHIVE_ERRNO_FILE_FORMAT,
|
||||
"Bad RAR file data");
|
||||
@@ -3266,7 +3272,8 @@ parse_filter(struct archive_read *a, const uint8_t *bytes, uint16_t length, uint
|
||||
else
|
||||
blocklength = prog ? prog->oldfilterlength : 0;
|
||||
|
||||
- if (blocklength > rar->dictionary_size)
|
||||
+ if (blocklength > rar->dictionary_size ||
|
||||
+ blocklength > (uint32_t)(rar->lzss.mask + 1))
|
||||
return 0;
|
||||
|
||||
registers[3] = PROGRAM_SYSTEM_GLOBAL_ADDRESS;
|
||||
--
|
||||
2.43.0
|
||||
|
||||
@@ -0,0 +1,28 @@
|
||||
From d696008467844efca026bf198a8814a8647ec2d2 Mon Sep 17 00:00:00 2001
|
||||
From: elhananhaenel <elhanan.haenel@mail.huji.ac.il>
|
||||
Date: Sun, 8 Mar 2026 15:29:46 +0200
|
||||
Subject: [PATCH 2/2] Fix -Wsign-compare: cast mask+1 to unsigned int
|
||||
|
||||
CVE: CVE-2026-4424
|
||||
Upstream-Status: Backport [https://github.com/libarchive/libarchive/commit/e1907c5832b6489c7b4198b0825f857c93a03c10]
|
||||
Signed-off-by: Hugo SIMELIERE (Schneider Electric) <hsimeliere.opensource@witekio.com>
|
||||
---
|
||||
libarchive/archive_read_support_format_rar.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/libarchive/archive_read_support_format_rar.c b/libarchive/archive_read_support_format_rar.c
|
||||
index b23be937..a28a6cba 100644
|
||||
--- a/libarchive/archive_read_support_format_rar.c
|
||||
+++ b/libarchive/archive_read_support_format_rar.c
|
||||
@@ -2504,7 +2504,7 @@ parse_codes(struct archive_read *a)
|
||||
}
|
||||
|
||||
if (!rar->dictionary_size || !rar->lzss.window ||
|
||||
- (rar->lzss.mask + 1) < rar->dictionary_size)
|
||||
+ (unsigned int)(rar->lzss.mask + 1) < rar->dictionary_size)
|
||||
{
|
||||
/* Seems as though dictionary sizes are not used. Even so, minimize
|
||||
* memory usage as much as possible.
|
||||
--
|
||||
2.43.0
|
||||
|
||||
@@ -47,6 +47,8 @@ SRC_URI = "http://libarchive.org/downloads/libarchive-${PV}.tar.gz \
|
||||
file://CVE-2026-4111-1.patch \
|
||||
file://CVE-2026-4111-2.patch \
|
||||
file://CVE-2026-4426.patch \
|
||||
file://CVE-2026-4424-1.patch \
|
||||
file://CVE-2026-4424-2.patch \
|
||||
"
|
||||
UPSTREAM_CHECK_URI = "http://libarchive.org/"
|
||||
|
||||
|
||||
Reference in New Issue
Block a user