diff mbox series

[scarthgap] libarchive: backport fix for CVE-2024-26256

Message ID 20240724191126.29999-1-asharma@mvista.com
State Rejected
Delegated to: Steve Sakoman
Series [scarthgap] libarchive: backport fix for CVE-2024-26256

Commit Message

Ashish Sharma July 24, 2024, 7:11 p.m. UTC
This patch fixes an out-of-bound error in rar e8 filter.

Upstream-Status: Backport [https://github.com/libarchive/libarchive/commit/eb7939b24a681a04648a59cdebd386b1e9dc9237]
Signed-off-by: Ashish Sharma <asharma@mvista.com>
---
 .../libarchive/CVE-2024-26256.patch           | 27 +++++++++++++++++++
 .../libarchive/libarchive_3.7.4.bb            |  4 ++-
 2 files changed, 30 insertions(+), 1 deletion(-)
 create mode 100644 meta/recipes-extended/libarchive/libarchive/CVE-2024-26256.patch

Comments

Steve Sakoman July 25, 2024, 1:38 p.m. UTC | #1
I'm getting the following error at build time:

ERROR: libarchive-native-3.7.4-r0 do_patch: Applying patch
'CVE-2024-26256.patch' on target directory
'/home/steve/builds/poky-contrib-scarthgap/build/tmp/work/x86_64-linux/libarchive-native/3.7.4/libarchive-3.7.4'
CmdError('quilt --quiltrc
/home/steve/builds/poky-contrib-scarthgap/build/tmp/work/x86_64-linux/libarchive-native/3.7.4/recipe-sysroot-native/etc/quiltrc
push', 0, 'stdout: Applying patch CVE-2024-26256.patch
patching file libarchive/archive_read_support_format_rar.c
Hunk #1 FAILED at 3615.
1 out of 1 hunk FAILED -- rejects in file
libarchive/archive_read_support_format_rar.c
Patch CVE-2024-26256.patch can be reverse-applied

Steve

On Wed, Jul 24, 2024 at 12:13 PM Ashish Sharma via
lists.openembedded.org <asharma=mvista.com@lists.openembedded.org>
wrote:
>
> This patch fixes an out-of-bound error in rar e8 filter.
>
> Upstream-Status: Backport [https://github.com/libarchive/libarchive/commit/eb7939b24a681a04648a59cdebd386b1e9dc9237]
> Signed-off-by: Ashish Sharma <asharma@mvista.com>
> ---
>  .../libarchive/CVE-2024-26256.patch           | 27 +++++++++++++++++++
>  .../libarchive/libarchive_3.7.4.bb            |  4 ++-
>  2 files changed, 30 insertions(+), 1 deletion(-)
>  create mode 100644 meta/recipes-extended/libarchive/libarchive/CVE-2024-26256.patch
>
> diff --git a/meta/recipes-extended/libarchive/libarchive/CVE-2024-26256.patch b/meta/recipes-extended/libarchive/libarchive/CVE-2024-26256.patch
> new file mode 100644
> index 00000000000..f9be4fe255d
> --- /dev/null
> +++ b/meta/recipes-extended/libarchive/libarchive/CVE-2024-26256.patch
> @@ -0,0 +1,27 @@
> +From eb7939b24a681a04648a59cdebd386b1e9dc9237 Mon Sep 17 00:00:00 2001
> +From: Wei-Cheng Pan <legnaleurc@gmail.com>
> +Date: Mon, 22 Apr 2024 01:55:41 +0900
> +Subject: [PATCH] fix: OOB in rar e8 filter (#2135)
> +
> +This patch fixes an out-of-bound error in rar e8 filter.
> +
> +Upstream-Status: Backport [https://github.com/libarchive/libarchive/commit/eb7939b24a681a04648a59cdebd386b1e9dc9237]
> +CVE: CVE-2024-26256
> +Signed-off-by: Ashish Sharma <asharma@mvista.com>
> +
> + libarchive/archive_read_support_format_rar.c | 2 +-
> + 1 file changed, 1 insertion(+), 1 deletion(-)
> +
> +diff --git a/libarchive/archive_read_support_format_rar.c b/libarchive/archive_read_support_format_rar.c
> +index 99a11d1700..266d0ee995 100644
> +--- a/libarchive/archive_read_support_format_rar.c
> ++++ b/libarchive/archive_read_support_format_rar.c
> +@@ -3615,7 +3615,7 @@ execute_filter_e8(struct rar_filter *filter, struct rar_virtual_machine *vm, siz
> +   uint32_t filesize = 0x1000000;
> +   uint32_t i;
> +
> +-  if (length > PROGRAM_WORK_SIZE || length < 4)
> ++  if (length > PROGRAM_WORK_SIZE || length <= 4)
> +     return 0;
> +
> +   for (i = 0; i <= length - 5; i++)
> diff --git a/meta/recipes-extended/libarchive/libarchive_3.7.4.bb b/meta/recipes-extended/libarchive/libarchive_3.7.4.bb
> index da857641168..22e398f5989 100644
> --- a/meta/recipes-extended/libarchive/libarchive_3.7.4.bb
> +++ b/meta/recipes-extended/libarchive/libarchive_3.7.4.bb
> @@ -30,7 +30,9 @@ PACKAGECONFIG[zstd] = "--with-zstd,--without-zstd,zstd,"
>  EXTRA_OECONF += "--enable-largefile --without-iconv"
>
>  SRC_URI = "http://libarchive.org/downloads/libarchive-${PV}.tar.gz"
> -SRC_URI += "file://configurehack.patch"
> +SRC_URI += "file://configurehack.patch \
> +            file://CVE-2024-26256.patch \
> +"
>  UPSTREAM_CHECK_URI = "http://libarchive.org/"
>
>  SRC_URI[sha256sum] = "7875d49596286055b52439ed42f044bd8ad426aa4cc5aabd96bfe7abb971d5e8"
> --
> 2.44.0
>
>

Patch

diff --git a/meta/recipes-extended/libarchive/libarchive/CVE-2024-26256.patch b/meta/recipes-extended/libarchive/libarchive/CVE-2024-26256.patch
new file mode 100644
index 00000000000..f9be4fe255d
--- /dev/null
+++ b/meta/recipes-extended/libarchive/libarchive/CVE-2024-26256.patch
@@ -0,0 +1,27 @@ 
+From eb7939b24a681a04648a59cdebd386b1e9dc9237 Mon Sep 17 00:00:00 2001
+From: Wei-Cheng Pan <legnaleurc@gmail.com>
+Date: Mon, 22 Apr 2024 01:55:41 +0900
+Subject: [PATCH] fix: OOB in rar e8 filter (#2135)
+
+This patch fixes an out-of-bound error in rar e8 filter.
+
+Upstream-Status: Backport [https://github.com/libarchive/libarchive/commit/eb7939b24a681a04648a59cdebd386b1e9dc9237]
+CVE: CVE-2024-26256
+Signed-off-by: Ashish Sharma <asharma@mvista.com>
+
+ libarchive/archive_read_support_format_rar.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/libarchive/archive_read_support_format_rar.c b/libarchive/archive_read_support_format_rar.c
+index 99a11d1700..266d0ee995 100644
+--- a/libarchive/archive_read_support_format_rar.c
++++ b/libarchive/archive_read_support_format_rar.c
+@@ -3615,7 +3615,7 @@ execute_filter_e8(struct rar_filter *filter, struct rar_virtual_machine *vm, siz
+   uint32_t filesize = 0x1000000;
+   uint32_t i;
+ 
+-  if (length > PROGRAM_WORK_SIZE || length < 4)
++  if (length > PROGRAM_WORK_SIZE || length <= 4)
+     return 0;
+ 
+   for (i = 0; i <= length - 5; i++)
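Review bot: the build log earlier in this thread ("Hunk #1 FAILED at 3615" followed by "Patch CVE-2024-26256.patch can be reverse-applied") indicates that the libarchive 3.7.4 tree already contains the `+` side of this hunk, i.e. `if (length > PROGRAM_WORK_SIZE || length <= 4)` is already in the shipped source, so this embedded patch cannot apply and should be dropped from the series rather than carried as a backport. The upstream change itself is the right shape: under the old `length < 4` guard a `length` of exactly 4 passes the check, and then `length - 5` in `for (i = 0; i <= length - 5; i++)` wraps around when `length` is unsigned, turning the loop bound into a huge value and letting the filter index past its buffer; rejecting `length <= 4` is what keeps `length - 5` from wrapping. Nothing in the patch header needs changing; the `CVE:` tag is the one cve-check consumes.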
diff --git a/meta/recipes-extended/libarchive/libarchive_3.7.4.bb b/meta/recipes-extended/libarchive/libarchive_3.7.4.bb
index da857641168..22e398f5989 100644
--- a/meta/recipes-extended/libarchive/libarchive_3.7.4.bb
+++ b/meta/recipes-extended/libarchive/libarchive_3.7.4.bb
@@ -30,7 +30,9 @@  PACKAGECONFIG[zstd] = "--with-zstd,--without-zstd,zstd,"
 EXTRA_OECONF += "--enable-largefile --without-iconv"
 
 SRC_URI = "http://libarchive.org/downloads/libarchive-${PV}.tar.gz"
-SRC_URI += "file://configurehack.patch"
+SRC_URI += "file://configurehack.patch \
+            file://CVE-2024-26256.patch \
+"
 UPSTREAM_CHECK_URI = "http://libarchive.org/"
 
 SRC_URI[sha256sum] = "7875d49596286055b52439ed42f044bd8ad426aa4cc5aabd96bfe7abb971d5e8"
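Review bot: adding `file://CVE-2024-26256.patch` to SRC_URI for libarchive 3.7.4 is not needed given the reverse-apply failure reported in this thread, which shows the fix is already part of this release; the SRC_URI addition should go together with the patch file. If cve-check still reports CVE-2024-26256 against 3.7.4 because of stale version ranges in the CVE feed, the recipe-level answer is a status annotation, e.g. `CVE_STATUS[CVE-2024-26256] = "fixed-version: the fix is included in libarchive 3.7.4"`, not a patch that cannot apply. The continuation style of the new SRC_URI block (one `file://` entry per line with a trailing `\` and the closing `"` on its own line) does match the existing oe-core convention, so that part would be fine if a patch were actually required.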