mirror of
https://git.yoctoproject.org/poky
synced 2026-05-31 00:39:46 +00:00
libarchive: fix CVE-2024-26256
libarchive Remote Code Execution Vulnerability References: https://nvd.nist.gov/vuln/detail/CVE-2024-26256 https://bugzilla.suse.com/show_bug.cgi?id=CVE-2024-26256 (From OE-Core rev: 1ee5ba41cab2ce490fa0ddf67b83f57af1206c35) Signed-off-by: Yogita Urade <yogita.urade@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
This commit is contained in:
Yogita Urade
committed by
Steve Sakoman
Steve Sakoman
parent
2af7a635be
commit
6d2a4fcdba
@@ -0,0 +1,29 @@
|
|||||||
|
From eb7939b24a681a04648a59cdebd386b1e9dc9237 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Wei-Cheng Pan <legnaleurc@gmail.com>
|
||||||
|
Date: Tue, 14 May 2024 08:50:44 +0000
|
||||||
|
Subject: [PATCH] fix: OOB in rar e8 filter (#2135) This patch fixes an
|
||||||
|
out-of-bound error in rar e8 filter.
|
||||||
|
|
||||||
|
CVE: CVE-2024-26256
|
||||||
|
Upstream-Status: Backport [https://github.com/libarchive/libarchive/commit/eb7939b24a681a04648a59cdebd386b1e9dc9237]
|
||||||
|
|
||||||
|
Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
|
||||||
|
---
|
||||||
|
libarchive/archive_read_support_format_rar.c | 2 +-
|
||||||
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/libarchive/archive_read_support_format_rar.c b/libarchive/archive_read_support_format_rar.c
|
||||||
|
index 793e8e9..b8397d0 100644
|
||||||
|
--- a/libarchive/archive_read_support_format_rar.c
|
||||||
|
+++ b/libarchive/archive_read_support_format_rar.c
|
||||||
|
@@ -3624,7 +3624,7 @@ execute_filter_e8(struct rar_filter *filter, struct rar_virtual_machine *vm, siz
|
||||||
|
uint32_t filesize = 0x1000000;
|
||||||
|
uint32_t i;
|
||||||
|
|
||||||
|
- if (length > PROGRAM_WORK_SIZE || length < 4)
|
||||||
|
+ if (length > PROGRAM_WORK_SIZE || length <= 4)
|
||||||
|
return 0;
|
||||||
|
|
||||||
|
for (i = 0; i <= length - 5; i++)
|
||||||
|
--
|
||||||
|
2.40.0
|
||||||
@@ -29,8 +29,9 @@ PACKAGECONFIG[zstd] = "--with-zstd,--without-zstd,zstd,"
|
|||||||
EXTRA_OECONF += "--enable-largefile --without-iconv"
|
EXTRA_OECONF += "--enable-largefile --without-iconv"
|
||||||
|
|
||||||
SRC_URI = "http://libarchive.org/downloads/libarchive-${PV}.tar.gz \
|
SRC_URI = "http://libarchive.org/downloads/libarchive-${PV}.tar.gz \
|
||||||
file://0001-pax-writer-fix-multiple-security-vulnerabilities.patch \
|
file://0001-pax-writer-fix-multiple-security-vulnerabilities.patch \
|
||||||
"
|
file://CVE-2024-26256.patch \
|
||||||
|
"
|
||||||
UPSTREAM_CHECK_URI = "http://libarchive.org/"
|
UPSTREAM_CHECK_URI = "http://libarchive.org/"
|
||||||
|
|
||||||
SRC_URI[sha256sum] = "ba6d02f15ba04aba9c23fd5f236bb234eab9d5209e95d1c4df85c44d5f19b9b3"
|
SRC_URI[sha256sum] = "ba6d02f15ba04aba9c23fd5f236bb234eab9d5209e95d1c4df85c44d5f19b9b3"
|
||||||
|
|||||||
Reference in New Issue
Block a user