libarchive: fix CVE-2024-48957 & CVE-2024-48958

Backport fixes for: * CVE-2024-48957 - Upstream-Status: Backport from https://github.com/libarchive/libarchive/commit/3006bc5d02ad3ae3c4f9274f60c1f9d2d834734b * CVE-2024-48958 - Upstream-Status: Backport from https://github.com/libarchive/libarchive/commit/a1cb648d52f5b6d3f31184d9b6a7cbca628459b7 (From OE-Core rev: 8b520c3cea136591128f6601718c23334afd7a55) Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
2026-06-02 01:19:52 +00:00 · 2024-10-11 10:53:08 +05:30
parent afbf467405
commit f88e92a7b3
3 changed files with 80 additions and 1 deletions
@@ -0,0 +1,36 @@
 From 3006bc5d02ad3ae3c4f9274f60c1f9d2d834734b Mon Sep 17 00:00:00 2001
 From: Wei-Cheng Pan <legnaleurc@gmail.com>
 Date: Mon, 29 Apr 2024 06:53:19 +0900
 Subject: [PATCH] fix: OOB in rar audio filter (#2149)
 This patch ensures that `src` won't move ahead of `dst`, so `src` will
 not OOB. Similar situation like in a1cb648.
 Upstream-Status: Backport [https://github.com/libarchive/libarchive/commit/3006bc5d02ad3ae3c4f9274f60c1f9d2d834734b]
 CVE: CVE-2024-48957
 Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
 ---
 libarchive/archive_read_support_format_rar.c | 7 +++++++
 1 file changed, 7 insertions(+)
 diff --git a/libarchive/archive_read_support_format_rar.c b/libarchive/archive_read_support_format_rar.c
 index 79669a8..95a91dc 100644
 --- a/libarchive/archive_read_support_format_rar.c
 +++ b/libarchive/archive_read_support_format_rar.c
@@ -3714,6 +3714,13 @@ execute_filter_audio(struct rar_filter *filter, struct rar_virtual_machine *vm)
     memset(&state, 0, sizeof(state));
     for (j = i; j < length; j += numchannels)
     {
 +      /*
 +       * The src block should not overlap with the dst block.
 +       * If so it would be better to consider this archive is broken.
 +       */
 +      if (src >= dst)
 +        return 0;
 +
       int8_t delta = (int8_t)*src++;
       uint8_t predbyte, byte;
       int prederror;
 -- 
 2.25.1
@@ -0,0 +1,40 @@
 From a1cb648d52f5b6d3f31184d9b6a7cbca628459b7 Mon Sep 17 00:00:00 2001
 From: Wei-Cheng Pan <legnaleurc@gmail.com>
 Date: Mon, 29 Apr 2024 06:50:22 +0900
 Subject: [PATCH] fix: OOB in rar delta filter (#2148)
 Ensure that `src` won't move ahead of `dst`, so `src` will not OOB.
 Since `dst` won't move in this function, and we are only increasing `src`
 position, this check should be enough. It should be safe to early return
 because this function does not allocate resources.
 Upstream-Status: Backport [https://github.com/libarchive/libarchive/commit/a1cb648d52f5b6d3f31184d9b6a7cbca628459b7]
 CVE: CVE-2024-48958
 Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
 ---
 libarchive/archive_read_support_format_rar.c | 8 ++++++++
 1 file changed, 8 insertions(+)
 diff --git a/libarchive/archive_read_support_format_rar.c b/libarchive/archive_read_support_format_rar.c
 index 95a91dc..4fc6626 100644
 --- a/libarchive/archive_read_support_format_rar.c
 +++ b/libarchive/archive_read_support_format_rar.c
@@ -3612,7 +3612,15 @@ execute_filter_delta(struct rar_filter *filter, struct rar_virtual_machine *vm)
   {
     uint8_t lastbyte = 0;
     for (idx = i; idx < length; idx += numchannels)
 +    {
 +      /*
 +       * The src block should not overlap with the dst block.
 +       * If so it would be better to consider this archive is broken.
 +       */
 +      if (src >= dst)
 +        return 0;
       lastbyte = dst[idx] = lastbyte - *src++;
 +    }
   }
   filter->filteredblockaddress = length;
 -- 
 2.25.1
@@ -30,7 +30,10 @@ PACKAGECONFIG[zstd] = "--with-zstd,--without-zstd,zstd,"
 EXTRA_OECONF += "--enable-largefile --without-iconv"
 SRC_URI = "http://libarchive.org/downloads/libarchive-${PV}.tar.gz"
-SRC_URI += "file://configurehack.patch"
+SRC_URI += "file://configurehack.patch \
            file://CVE-2024-48957.patch \
            file://CVE-2024-48958.patch \
 	"
 UPSTREAM_CHECK_URI = "http://libarchive.org/"
 SRC_URI[sha256sum] = "7875d49596286055b52439ed42f044bd8ad426aa4cc5aabd96bfe7abb971d5e8"