packages/libarchive
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Compare commits

base: packages:4d0a2dbdec232ee80cb89e303e754e8c7fb2c630
Branches Tags
packages:main
..
compare: packages:e64e38d469ac01471082c86bcb7dc15eaa502b7e
Branches Tags
packages:main

No commits in common. "4d0a2dbdec232ee80cb89e303e754e8c7fb2c630" and "e64e38d469ac01471082c86bcb7dc15eaa502b7e" have entirely different histories.
4d0a2dbdec ... e64e38d469

8 changed files with 61 additions and 361 deletions
Show Stats Expand all files Collapse all files

46
backport-0001-CVE-2021-36976.patch
View File

@ -1,46 +0,0 @@
From 29fd0178a8861af36ab60407cd718b3f262dda15 Mon Sep 17 00:00:00 2001
From: Emil Velikov <emil.l.velikov@gmail.com>
Date: Sun, 21 Nov 2021 18:05:19 +0000
Subject: [PATCH] tar: demote -xa from error to a warning
It's fairly common for people to use caf and xaf on Linux. The former in
itself being GNU tar specific - libarchive tar does not allow xa.
While it makes little sense to use xaf with libarchive tar, that is
implementation detail which gets in the way when trying to write trivial
tooling/scripts.
For the sake of compatibility, reduce the error to a warning and augment
the message itself. Making it clear that the option makes little sense.
Signed-off-by: Emil Velikov <emil.l.velikov@gmail.com>
Reference:https://github.com/libarchive/libarchive/commit/56c920eab3352f7877ee0cf9e472c1ab376c7e3e
Conflict:NA
---
tar/bsdtar.c | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/tar/bsdtar.c b/tar/bsdtar.c
index af41be5..f4f008b 100644
--- a/tar/bsdtar.c
+++ b/tar/bsdtar.c
@@ -796,8 +796,14 @@ main(int argc, char **argv)
"Must specify one of -c, -r, -t, -u, -x");
/* Check boolean options only permitted in certain modes. */
- if (bsdtar->flags & OPTFLAG_AUTO_COMPRESS)
- only_mode(bsdtar, "-a", "c");
+ if (bsdtar->flags & OPTFLAG_AUTO_COMPRESS) {
+ only_mode(bsdtar, "-a", "cx");
+ if (bsdtar->mode == 'x') {
+ bsdtar->flags &= ~OPTFLAG_AUTO_COMPRESS;
+ lafe_warnc(0,
+ "Ignoring option -a in mode -x");
+ }
+ }
if (bsdtar->readdisk_flags & ARCHIVE_READDISK_NO_TRAVERSE_MOUNTS)
only_mode(bsdtar, "--one-file-system", "cru");
if (bsdtar->flags & OPTFLAG_FAST_READ)
--
2.27.0

67
backport-0002-CVE-2021-36976.patch
View File

@ -1,67 +0,0 @@
From 17f4e83c0f0fc3bacf4b2bbacb01f987bb5aff5f Mon Sep 17 00:00:00 2001
From: Grzegorz Antoniak <ga@anadoxin.org>
Date: Fri, 12 Feb 2021 20:18:31 +0100
Subject: [PATCH] RAR5 reader: fix invalid memory access in some files
RAR5 reader uses several variables to manage the window buffer during
extraction: the buffer itself (`window_buf`), the current size of the
window buffer (`window_size`), and a helper variable (`window_mask`)
that is used to constrain read and write offsets to the window buffer.
Some specially crafted files can force the unpacker to update the
`window_mask` variable to a value that is out of sync with current
buffer size. If the `window_mask` will be bigger than the actual buffer
size, then an invalid access operation can happen (SIGSEGV).
This commit ensures that if the `window_size` and `window_mask` will be
changed, the window buffer will be reallocated to the proper size, so no
invalid memory operation should be possible.
This commit contains a test file from OSSFuzz #30442.
Reference:https://github.com/libarchive/libarchive/commit/17f4e83c0f0fc3bacf4b2bbacb01f987bb5aff5f
Conflict:NA
---
libarchive/archive_read_support_format_rar5.c | 27 ++++++++++++++-----
1 files changed, 21 insertions(+), 6 deletions(-)
diff --git a/libarchive/archive_read_support_format_rar5.c b/libarchive/archive_read_support_format_rar5.c
index a91c73f8b..880ba6612 100644
--- a/libarchive/archive_read_support_format_rar5.c
+++ b/libarchive/archive_read_support_format_rar5.c
@@ -1772,14 +1772,29 @@ static int process_head_file(struct archive_read* a, struct rar5* rar,
}
}
- /* If we're currently switching volumes, ignore the new definition of
- * window_size. */
- if(rar->cstate.switch_multivolume == 0) {
- /* Values up to 64M should fit into ssize_t on every
- * architecture. */
- rar->cstate.window_size = (ssize_t) window_size;
+ if(rar->cstate.window_size < (ssize_t) window_size &&
+ rar->cstate.window_buf)
+ {
+ /* If window_buf has been allocated before, reallocate it, so
+ * that its size will match new window_size. */
+
+ uint8_t* new_window_buf =
+ realloc(rar->cstate.window_buf, window_size);
+
+ if(!new_window_buf) {
+ archive_set_error(&a->archive, ARCHIVE_ERRNO_PROGRAMMER,
+ "Not enough memory when trying to realloc the window "
+ "buffer.");
+ return ARCHIVE_FATAL;
+ }
+
+ rar->cstate.window_buf = new_window_buf;
}
+ /* Values up to 64M should fit into ssize_t on every
+ * architecture. */
+ rar->cstate.window_size = (ssize_t) window_size;
+
if(rar->file.solid > 0 && rar->file.solid_window_size == 0) {
/* Solid files have to have the same window_size across
whole archive. Remember the window_size parameter

58
backport-CVE-2021-36976.patch Normal file
View File

@ -0,0 +1,58 @@
From a7ce8a6aa7b710986ab918761c8d2ff1b0e9f537 Mon Sep 17 00:00:00 2001
From: Samanta Navarro <ferivoz@riseup.net>
Date: Sat, 28 Aug 2021 11:58:00 +0000
Subject: [PATCH] Fix size_t cast in read_mac_metadata_blob
The size_t data type on 32 bit systems is smaller than int64_t. Check
the int64_t value before casting to size_t. If the value is too large
then stop operation instead of continuing operation with truncated
value.
Conflict:NA
Reference:https://github.com/libarchive/libarchive/commit/a7ce8a6aa7b710986ab918761c8d2ff1b0e9f537
---
libarchive/archive_read_support_format_tar.c | 12 +++++++++---
1 file changed, 9 insertions(+), 3 deletions(-)
diff --git a/libarchive/archive_read_support_format_tar.c b/libarchive/archive_read_support_format_tar.c
index 7e8febacf..773796a5d 100644
--- a/libarchive/archive_read_support_format_tar.c
+++ b/libarchive/archive_read_support_format_tar.c
@@ -1396,6 +1396,7 @@ read_mac_metadata_blob(struct archive_read *a, struct tar *tar,
struct archive_entry *entry, const void *h, size_t *unconsumed)
{
int64_t size;
+ size_t msize;
const void *data;
const char *p, *name;
const wchar_t *wp, *wname;
@@ -1434,6 +1435,11 @@ read_mac_metadata_blob(struct archive_read *a, struct tar *tar,
/* Read the body as a Mac OS metadata blob. */
size = archive_entry_size(entry);
+ msize = (size_t)size;
+ if (size < 0 || (uintmax_t)msize != (uintmax_t)size) {
+ *unconsumed = 0;
+ return (ARCHIVE_FATAL);
+ }
/*
* TODO: Look beyond the body here to peek at the next header.
@@ -1447,13 +1453,13 @@ read_mac_metadata_blob(struct archive_read *a, struct tar *tar,
* Q: Is the above idea really possible? Even
* when there are GNU or pax extension entries?
*/
- data = __archive_read_ahead(a, (size_t)size, NULL);
+ data = __archive_read_ahead(a, msize, NULL);
if (data == NULL) {
*unconsumed = 0;
return (ARCHIVE_FATAL);
}
- archive_entry_copy_mac_metadata(entry, data, (size_t)size);
- *unconsumed = (size_t)((size + 511) & ~ 511);
+ archive_entry_copy_mac_metadata(entry, data, msize);
+ *unconsumed = (msize + 511) & ~ 511;
tar_flush_unconsumed(a, unconsumed);
return (tar_read_header(a, tar, entry, unconsumed));
}

28
backport-CVE-2022-26280.patch
View File

@ -1,28 +0,0 @@
From cfaa28168a07ea4a53276b63068f94fce37d6aff Mon Sep 17 00:00:00 2001
From: Tim Kientzle <kientzle@acm.org>
Date: Thu, 24 Mar 2022 10:35:00 +0100
Subject: [PATCH] ZIP reader: fix possible out-of-bounds read in
zipx_lzma_alone_init()
Fixes #1672
Conflict:NA
Reference:https://github.com/libarchive/libarchive/commit/cfaa28168a07ea4a53276b63068f94fce37d6aff
---
libarchive/archive_read_support_format_zip.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libarchive/archive_read_support_format_zip.c b/libarchive/archive_read_support_format_zip.c
index 38ada70b5..9d6c900b2 100644
--- a/libarchive/archive_read_support_format_zip.c
+++ b/libarchive/archive_read_support_format_zip.c
@@ -1667,7 +1667,7 @@ zipx_lzma_alone_init(struct archive_read *a, struct zip *zip)
*/
/* Read magic1,magic2,lzma_params from the ZIPX stream. */
- if((p = __archive_read_ahead(a, 9, NULL)) == NULL) {
+ if(zip->entry_bytes_remaining < 9 || (p = __archive_read_ahead(a, 9, NULL)) == NULL) {
archive_set_error(&a->archive, ARCHIVE_ERRNO_FILE_FORMAT,
"Truncated lzma data");
return (ARCHIVE_FATAL);

38
backport-CVE-2022-36227.patch
View File

@ -1,38 +0,0 @@
From bff38efe8c110469c5080d387bec62a6ca15b1a5 Mon Sep 17 00:00:00 2001
From: obiwac <obiwac@gmail.com>
Date: Fri, 22 Jul 2022 22:41:10 +0200
Subject: [PATCH] libarchive: Handle a `calloc` returning NULL (fixes #1754)
Conflict:NA
Reference:https://github.com/libarchive/libarchive/commit/fd180c36036df7181a64931264732a10ad8cd024
---
libarchive/archive_write.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/libarchive/archive_write.c b/libarchive/archive_write.c
index 66592e826..27626b541 100644
--- a/libarchive/archive_write.c
+++ b/libarchive/archive_write.c
@@ -201,6 +201,10 @@ __archive_write_allocate_filter(struct archive *_a)
struct archive_write_filter *f;
f = calloc(1, sizeof(*f));
+
+ if (f == NULL)
+ return (NULL);
+
f->archive = _a;
f->state = ARCHIVE_WRITE_FILTER_STATE_NEW;
if (a->filter_first == NULL)
@@ -548,6 +552,10 @@ archive_write_open2(struct archive *_a, void *client_data,
a->client_data = client_data;
client_filter = __archive_write_allocate_filter(_a);
+
+ if (client_filter == NULL)
+ return (ARCHIVE_FATAL);
+
client_filter->open = archive_write_client_open;
client_filter->write = archive_write_client_write;
client_filter->close = archive_write_client_close;

119
backport-CVE-2024-20696.patch
View File

@ -1,119 +0,0 @@
From eac15e252010c1189a5c0f461364dbe2cd2a68b1 Mon Sep 17 00:00:00 2001
From: "Dustin L. Howett" <dustin@howett.net>
Date: Thu, 9 May 2024 18:59:17 -0500
Subject: [PATCH] rar4 reader: protect copy_from_lzss_window_to_unp() (#2172)
copy_from_lzss_window_to_unp unnecessarily took an `int` parameter where
both of its callers were holding a `size_t`.
A lzss opcode chain could be constructed that resulted in a negative
copy length, which when passed into memcpy would result in a very, very
large positive number.
Switching copy_from_lzss_window_to_unp to take a `size_t` allows it to
properly bounds-check length.
In addition, this patch also ensures that `length` is not itself larger
than the destination buffer.
Security: CVE-2024-20696
Reference:https://github.com/libarchive/libarchive/commit/eac15e252010c1189a5c0f461364dbe2cd2a68b1
Conflict:copy_from_lzss_window_to_unp() -> copy_from_lzss_window();adapt context
---
libarchive/archive_read_support_format_rar.c | 28 +++++++++++++-------
1 file changed, 18 insertions(+), 10 deletions(-)
diff --git a/libarchive/archive_read_support_format_rar.c b/libarchive/archive_read_support_format_rar.c
index c2666b2..512f5a6 100644
--- a/libarchive/archive_read_support_format_rar.c
+++ b/libarchive/archive_read_support_format_rar.c
@@ -358,7 +358,7 @@ static int make_table_recurse(struct archive_read *, struct huffman_code *, int,
struct huffman_table_entry *, int, int);
static int64_t expand(struct archive_read *, int64_t);
static int copy_from_lzss_window(struct archive_read *, const void **,
- int64_t, int);
+ int64_t, size_t);
static const void *rar_read_ahead(struct archive_read *, size_t, ssize_t *);
/*
@@ -1936,7 +1936,7 @@ read_data_compressed(struct archive_read *a, const void **buff, size_t *size,
bs = rar->unp_buffer_size - rar->unp_offset;
else
bs = (size_t)rar->bytes_uncopied;
- ret = copy_from_lzss_window(a, buff, rar->offset, (int)bs);
+ ret = copy_from_lzss_window(a, buff, rar->offset, bs);
if (ret != ARCHIVE_OK)
return (ret);
rar->offset += bs;
@@ -2065,7 +2065,7 @@ read_data_compressed(struct archive_read *a, const void **buff, size_t *size,
bs = rar->unp_buffer_size - rar->unp_offset;
else
bs = (size_t)rar->bytes_uncopied;
- ret = copy_from_lzss_window(a, buff, rar->offset, (int)bs);
+ ret = copy_from_lzss_window(a, buff, rar->offset, bs);
if (ret != ARCHIVE_OK)
return (ret);
rar->offset += bs;
@@ -2923,11 +2923,16 @@ bad_data:
static int
copy_from_lzss_window(struct archive_read *a, const void **buffer,
- int64_t startpos, int length)
+ int64_t startpos, size_t length)
{
int windowoffs, firstpart;
struct rar *rar = (struct rar *)(a->format->data);
+ if (length > rar->unp_buffer_size)
+ {
+ goto fatal;
+ }
+
if (!rar->unp_buffer)
{
if ((rar->unp_buffer = malloc(rar->unp_buffer_size)) == NULL)
@@ -2939,17 +2944,17 @@ copy_from_lzss_window(struct archive_read *a, const void **buffer,
}
windowoffs = lzss_offset_for_position(&rar->lzss, startpos);
- if(windowoffs + length <= lzss_size(&rar->lzss)) {
+ if(windowoffs + length <= (size_t)lzss_size(&rar->lzss)) {
memcpy(&rar->unp_buffer[rar->unp_offset], &rar->lzss.window[windowoffs],
length);
- } else if (length <= lzss_size(&rar->lzss)) {
+ } else if (length <= (size_t)lzss_size(&rar->lzss)) {
firstpart = lzss_size(&rar->lzss) - windowoffs;
if (firstpart < 0) {
archive_set_error(&a->archive, ARCHIVE_ERRNO_FILE_FORMAT,
"Bad RAR file data");
return (ARCHIVE_FATAL);
}
- if (firstpart < length) {
+ if ((size_t)firstpart < length) {
memcpy(&rar->unp_buffer[rar->unp_offset],
&rar->lzss.window[windowoffs], firstpart);
memcpy(&rar->unp_buffer[rar->unp_offset + firstpart],
@@ -2959,9 +2964,7 @@ copy_from_lzss_window(struct archive_read *a, const void **buffer,
&rar->lzss.window[windowoffs], length);
}
} else {
- archive_set_error(&a->archive, ARCHIVE_ERRNO_FILE_FORMAT,
- "Bad RAR file data");
- return (ARCHIVE_FATAL);
+ goto fatal;
}
rar->unp_offset += length;
if (rar->unp_offset >= rar->unp_buffer_size)
@@ -2969,6 +2972,11 @@ copy_from_lzss_window(struct archive_read *a, const void **buffer,
else
*buffer = NULL;
return (ARCHIVE_OK);
+
+fatal:
+ archive_set_error(&a->archive, ARCHIVE_ERRNO_FILE_FORMAT,
+ "Bad RAR file data");
+ return (ARCHIVE_FATAL);
}
static const void *

34
backport-CVE-2025-25724.patch
View File

@ -1,34 +0,0 @@
From 6636f89f5fe08a20de3b2d034712c781d3a67985 Mon Sep 17 00:00:00 2001
From: Peter Kaestle <peter@piie.net>
Date: Wed, 5 Mar 2025 15:01:14 +0100
Subject: [PATCH] tar/util.c: fix NULL pointer dereference issue on strftime
Fix CVE-2025-25724 by detecting NULL return of localtime_r(&tim, &tmbuf),
which could happen in case tim is incredible big.
In case this error is triggered, put an "INVALID DATE" string into the
outbuf.
Error poc: https://github.com/Ekkosun/pocs/blob/main/bsdtarbug
Signed-off-by: Peter Kaestle <peter@piie.net>
---
tar/util.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/tar/util.c b/tar/util.c
index 3b099cb5f..f3cbdf0bb 100644
--- a/tar/util.c
+++ b/tar/util.c
@@ -749,7 +749,10 @@ list_item_verbose(struct bsdtar *bsdtar, FILE *out, struct archive_entry *entry)
#else
ltime = localtime(&tim);
#endif
- strftime(tmp, sizeof(tmp), fmt, ltime);
+ if (ltime)
+ strftime(tmp, sizeof(tmp), fmt, ltime);
+ else
+ sprintf(tmp, "-- -- ----");
fprintf(out, " %s ", tmp);
safe_fprintf(out, "%s", archive_entry_pathname(entry));

32
libarchive.spec
View File

@ -2,7 +2,7 @@
Name: libarchive Name: libarchive
Version: 3.5.2 Version: 3.5.2
Release: 8 Release: 3
Summary: Multi-format archive and compression library Summary: Multi-format archive and compression library
License: BSD License: BSD
@ -14,13 +14,8 @@ BuildRequires: lzo-devel e2fsprogs-devel libacl-devel libattr-devel
BuildRequires: openssl-devel libxml2-devel lz4-devel automake libzstd-devel BuildRequires: openssl-devel libxml2-devel lz4-devel automake libzstd-devel
Patch6000: backport-libarchive-3.5.2-symlink-fix.patch Patch6000: backport-libarchive-3.5.2-symlink-fix.patch
Patch6001: backport-0001-CVE-2021-36976.patch Patch6001: backport-CVE-2021-36976.patch
Patch6002: backport-0002-CVE-2021-36976.patch Patch6002: backport-CVE-2021-31566.patch
Patch6003: backport-CVE-2021-31566.patch
Patch6004: backport-CVE-2022-26280.patch
Patch6005: backport-CVE-2022-36227.patch
Patch6006: backport-CVE-2024-20696.patch
Patch6007: backport-CVE-2025-25724.patch
Patch9000: libarchive-uninitialized-value.patch Patch9000: libarchive-uninitialized-value.patch
@ -195,27 +190,6 @@ run_testsuite
%{_bindir}/bsdcat %{_bindir}/bsdcat
%changelog %changelog
* Tue Mar 11 2025 lingsheng <lingsheng1@h-partners.com> - 3.5.2-8
- Type:CVE
- ID:CVE-2025-25724
- SUG:NA
- DESC:fix CVE-2025-25724
* Thu Jun 06 2024 lingsheng <lingsheng1@h-partners.com> - 3.5.2-7
- Type:CVE
- ID:CVE-2024-20696
- SUG:NA
- DESC:fix CVE-2024-20696
* Thu Mar 02 2023 zhangpan <zhangpan103@h-paetners.com> - 3.5.2-6
- fix CVE-2021-36976 patch
* Fri Nov 25 2022 wangkerong <wangkerong@h-paetners.com> - 3.5.2-5
- fix CVE-2022-36227
* Mon Jul 04 2022 wangkerong <wangkerong@h-paetners.com> - 3.5.2-4
- fix CVE-2022-26280
* Sat Apr 09 2022 wangkerong <wangkerong@h-paetners.com> - 3.5.2-3 * Sat Apr 09 2022 wangkerong <wangkerong@h-paetners.com> - 3.5.2-3
- fix CVE-2021-36976,CVE-2021-31566,fix fuzz test - fix CVE-2021-36976,CVE-2021-31566,fix fuzz test