Control: tags 1072107 + patch Control: tags 1072107 + pending
Dear maintainer, I've prepared an NMU for libarchive (versioned as 3.7.2-2.1) and uploaded it to DELAYED/2. Please feel free to tell me if I should delay it longer. Regards, Salvatore
diff -Nru libarchive-3.7.2/debian/changelog libarchive-3.7.2/debian/changelog --- libarchive-3.7.2/debian/changelog 2024-03-30 19:11:06.000000000 +0100 +++ libarchive-3.7.2/debian/changelog 2024-06-01 15:50:51.000000000 +0200 @@ -1,3 +1,12 @@ +libarchive (3.7.2-2.1) unstable; urgency=medium + + * Non-maintainer upload. + * fix: OOB in rar e8 filter (CVE-2024-26256) (Closes: #1072107) + * fix: OOB in rar delta filter + * fix: OOB in rar audio filter + + -- Salvatore Bonaccorso <car...@debian.org> Sat, 01 Jun 2024 15:50:51 +0200 + libarchive (3.7.2-2) unstable; urgency=medium [ Luca Boccassi ] diff -Nru libarchive-3.7.2/debian/patches/fix-OOB-in-rar-audio-filter-2149.patch libarchive-3.7.2/debian/patches/fix-OOB-in-rar-audio-filter-2149.patch --- libarchive-3.7.2/debian/patches/fix-OOB-in-rar-audio-filter-2149.patch 1970-01-01 01:00:00.000000000 +0100 +++ libarchive-3.7.2/debian/patches/fix-OOB-in-rar-audio-filter-2149.patch 2024-06-01 15:50:09.000000000 +0200 @@ -0,0 +1,32 @@ +From: Wei-Cheng Pan <legnale...@gmail.com> +Date: Mon, 29 Apr 2024 06:53:19 +0900 +Subject: fix: OOB in rar audio filter (#2149) +Origin: https://github.com/libarchive/libarchive/commit/3006bc5d02ad3ae3c4f9274f60c1f9d2d834734b + +This patch ensures that `src` won't move ahead of `dst`, so `src` will +not OOB. Similar situation like in a1cb648. +--- + libarchive/archive_read_support_format_rar.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/libarchive/archive_read_support_format_rar.c b/libarchive/archive_read_support_format_rar.c +index 619ee81e2b59..4fc6626cacfd 100644 +--- a/libarchive/archive_read_support_format_rar.c ++++ b/libarchive/archive_read_support_format_rar.c +@@ -3722,6 +3722,13 @@ execute_filter_audio(struct rar_filter *filter, struct rar_virtual_machine *vm) + memset(&state, 0, sizeof(state)); + for (j = i; j < length; j += numchannels) + { ++ /* ++ * The src block should not overlap with the dst block. ++ * If so it would be better to consider this archive is broken. ++ */ ++ if (src >= dst) ++ return 0; ++ + int8_t delta = (int8_t)*src++; + uint8_t predbyte, byte; + int prederror; +-- +2.45.1 + diff -Nru libarchive-3.7.2/debian/patches/fix-OOB-in-rar-delta-filter-2148.patch libarchive-3.7.2/debian/patches/fix-OOB-in-rar-delta-filter-2148.patch --- libarchive-3.7.2/debian/patches/fix-OOB-in-rar-delta-filter-2148.patch 1970-01-01 01:00:00.000000000 +0100 +++ libarchive-3.7.2/debian/patches/fix-OOB-in-rar-delta-filter-2148.patch 2024-06-01 15:49:18.000000000 +0200 @@ -0,0 +1,36 @@ +From: Wei-Cheng Pan <legnale...@gmail.com> +Date: Mon, 29 Apr 2024 06:50:22 +0900 +Subject: fix: OOB in rar delta filter (#2148) +Origin: https://github.com/libarchive/libarchive/commit/a1cb648d52f5b6d3f31184d9b6a7cbca628459b7 + +Ensure that `src` won't move ahead of `dst`, so `src` will not OOB. +Since `dst` won't move in this function, and we are only increasing `src` +position, this check should be enough. It should be safe to early return +because this function does not allocate resources. +--- + libarchive/archive_read_support_format_rar.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/libarchive/archive_read_support_format_rar.c b/libarchive/archive_read_support_format_rar.c +index 79669a8f40f9..619ee81e2b59 100644 +--- a/libarchive/archive_read_support_format_rar.c ++++ b/libarchive/archive_read_support_format_rar.c +@@ -3612,7 +3612,15 @@ execute_filter_delta(struct rar_filter *filter, struct rar_virtual_machine *vm) + { + uint8_t lastbyte = 0; + for (idx = i; idx < length; idx += numchannels) ++ { ++ /* ++ * The src block should not overlap with the dst block. ++ * If so it would be better to consider this archive is broken. ++ */ ++ if (src >= dst) ++ return 0; + lastbyte = dst[idx] = lastbyte - *src++; ++ } + } + + filter->filteredblockaddress = length; +-- +2.45.1 + diff -Nru libarchive-3.7.2/debian/patches/fix-OOB-in-rar-e8-filter-2135.patch libarchive-3.7.2/debian/patches/fix-OOB-in-rar-e8-filter-2135.patch --- libarchive-3.7.2/debian/patches/fix-OOB-in-rar-e8-filter-2135.patch 1970-01-01 01:00:00.000000000 +0100 +++ libarchive-3.7.2/debian/patches/fix-OOB-in-rar-e8-filter-2135.patch 2024-06-01 09:42:15.000000000 +0200 @@ -0,0 +1,29 @@ +From: Wei-Cheng Pan <legnale...@gmail.com> +Date: Mon, 22 Apr 2024 01:55:41 +0900 +Subject: fix: OOB in rar e8 filter (#2135) +Origin: https://github.com/libarchive/libarchive/commit/eb7939b24a681a04648a59cdebd386b1e9dc9237 +Bug-Debian: https://bugs.debian.org/1072107 +Bug: https://github.com/libarchive/libarchive/pull/2135 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2024-26256 + +This patch fixes an out-of-bound error in rar e8 filter. +--- + libarchive/archive_read_support_format_rar.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/libarchive/archive_read_support_format_rar.c b/libarchive/archive_read_support_format_rar.c +index 99a11d170074..266d0ee9959a 100644 +--- a/libarchive/archive_read_support_format_rar.c ++++ b/libarchive/archive_read_support_format_rar.c +@@ -3615,7 +3615,7 @@ execute_filter_e8(struct rar_filter *filter, struct rar_virtual_machine *vm, siz + uint32_t filesize = 0x1000000; + uint32_t i; + +- if (length > PROGRAM_WORK_SIZE || length < 4) ++ if (length > PROGRAM_WORK_SIZE || length <= 4) + return 0; + + for (i = 0; i <= length - 5; i++) +-- +2.45.1 + diff -Nru libarchive-3.7.2/debian/patches/series libarchive-3.7.2/debian/patches/series --- libarchive-3.7.2/debian/patches/series 2024-03-30 19:11:06.000000000 +0100 +++ libarchive-3.7.2/debian/patches/series 2024-06-01 15:50:15.000000000 +0200 @@ -2,3 +2,6 @@ iso9660-hash.patch test-zstd-32bit.patch robust-error-reporting.patch +fix-OOB-in-rar-e8-filter-2135.patch +fix-OOB-in-rar-delta-filter-2148.patch +fix-OOB-in-rar-audio-filter-2149.patch
