!81 [sync] PR-79: fix CVE-2024-48957 CVE-2024-48958

From: @openeuler-sync-bot 
Reviewed-by: @shenyangyang01 
Signed-off-by: @shenyangyang01

backport-CVE-2024-20696.patch

@@ -0,0 +1,116 @@
+From eac15e252010c1189a5c0f461364dbe2cd2a68b1 Mon Sep 17 00:00:00 2001
+From: "Dustin L. Howett" <dustin@howett.net>
+Date: Thu, 9 May 2024 18:59:17 -0500
+Subject: [PATCH] rar4 reader: protect copy_from_lzss_window_to_unp() (#2172)
+
+copy_from_lzss_window_to_unp unnecessarily took an `int` parameter where
+both of its callers were holding a `size_t`.
+
+A lzss opcode chain could be constructed that resulted in a negative
+copy length, which when passed into memcpy would result in a very, very
+large positive number.
+
+Switching copy_from_lzss_window_to_unp to take a `size_t` allows it to
+properly bounds-check length.
+
+In addition, this patch also ensures that `length` is not itself larger
+than the destination buffer.
+
+Security: CVE-2024-20696
+---
+ libarchive/archive_read_support_format_rar.c | 28 +++++++++++++-------
+ 1 file changed, 18 insertions(+), 10 deletions(-)
+
+diff --git a/libarchive/archive_read_support_format_rar.c b/libarchive/archive_read_support_format_rar.c
+index 4fc6626ca..5776df4bd 100644
+--- a/libarchive/archive_read_support_format_rar.c
++++ b/libarchive/archive_read_support_format_rar.c
+@@ -432,7 +432,7 @@ static int make_table_recurse(struct archive_read *, struct huffman_code *, int,
+                               struct huffman_table_entry *, int, int);
+ static int expand(struct archive_read *, int64_t *);
+ static int copy_from_lzss_window_to_unp(struct archive_read *, const void **,
+-                                        int64_t, int);
++                                        int64_t, size_t);
+ static const void *rar_read_ahead(struct archive_read *, size_t, ssize_t *);
+ static int parse_filter(struct archive_read *, const uint8_t *, uint16_t,
+                         uint8_t);
+@@ -2060,7 +2060,7 @@ read_data_compressed(struct archive_read *a, const void **buff, size_t *size,
+         bs = rar->unp_buffer_size - rar->unp_offset;
+       else
+         bs = (size_t)rar->bytes_uncopied;
+-      ret = copy_from_lzss_window_to_unp(a, buff, rar->offset, (int)bs);
++      ret = copy_from_lzss_window_to_unp(a, buff, rar->offset, bs);
+       if (ret != ARCHIVE_OK)
+         return (ret);
+       rar->offset += bs;
+@@ -2213,7 +2213,7 @@ read_data_compressed(struct archive_read *a, const void **buff, size_t *size,
+       bs = rar->unp_buffer_size - rar->unp_offset;
+     else
+       bs = (size_t)rar->bytes_uncopied;
+-    ret = copy_from_lzss_window_to_unp(a, buff, rar->offset, (int)bs);
++    ret = copy_from_lzss_window_to_unp(a, buff, rar->offset, bs);
+     if (ret != ARCHIVE_OK)
+       return (ret);
+     rar->offset += bs;
+@@ -3094,11 +3094,16 @@ copy_from_lzss_window(struct archive_read *a, void *buffer,
+ 
+ static int
+ copy_from_lzss_window_to_unp(struct archive_read *a, const void **buffer,
+-                             int64_t startpos, int length)
++                             int64_t startpos, size_t length)
+ {
+   int windowoffs, firstpart;
+   struct rar *rar = (struct rar *)(a->format->data);
+ 
++  if (length > rar->unp_buffer_size)
++  {
++    goto fatal;
++  }
++
+   if (!rar->unp_buffer)
+   {
+     if ((rar->unp_buffer = malloc(rar->unp_buffer_size)) == NULL)
+@@ -3110,17 +3115,17 @@ copy_from_lzss_window_to_unp(struct archive_read *a, const void **buffer,
+   }
+ 
+   windowoffs = lzss_offset_for_position(&rar->lzss, startpos);
+-  if(windowoffs + length <= lzss_size(&rar->lzss)) {
++  if(windowoffs + length <= (size_t)lzss_size(&rar->lzss)) {
+     memcpy(&rar->unp_buffer[rar->unp_offset], &rar->lzss.window[windowoffs],
+            length);
+-  } else if (length <= lzss_size(&rar->lzss)) {
++  } else if (length <= (size_t)lzss_size(&rar->lzss)) {
+     firstpart = lzss_size(&rar->lzss) - windowoffs;
+     if (firstpart < 0) {
+       archive_set_error(&a->archive, ARCHIVE_ERRNO_FILE_FORMAT,
+                         "Bad RAR file data");
+       return (ARCHIVE_FATAL);
+     }
+-    if (firstpart < length) {
++    if ((size_t)firstpart < length) {
+       memcpy(&rar->unp_buffer[rar->unp_offset],
+              &rar->lzss.window[windowoffs], firstpart);
+       memcpy(&rar->unp_buffer[rar->unp_offset + firstpart],
+@@ -3130,9 +3135,7 @@ copy_from_lzss_window_to_unp(struct archive_read *a, const void **buffer,
+              &rar->lzss.window[windowoffs], length);
+     }
+   } else {
+-      archive_set_error(&a->archive, ARCHIVE_ERRNO_FILE_FORMAT,
+-                        "Bad RAR file data");
+-      return (ARCHIVE_FATAL);
++      goto fatal;
+   }
+   rar->unp_offset += length;
+   if (rar->unp_offset >= rar->unp_buffer_size)
+@@ -3140,6 +3143,11 @@ copy_from_lzss_window_to_unp(struct archive_read *a, const void **buffer,
+   else
+     *buffer = NULL;
+   return (ARCHIVE_OK);
++
++fatal:
++  archive_set_error(&a->archive, ARCHIVE_ERRNO_FILE_FORMAT,
++                    "Bad RAR file data");
++  return (ARCHIVE_FATAL);
+ }
+ 
+ static const void *

backport-CVE-2024-20697-CVE-2024-26256.patch

@@ -0,0 +1,23 @@
+From eb7939b24a681a04648a59cdebd386b1e9dc9237 Mon Sep 17 00:00:00 2001
+From: Wei-Cheng Pan <legnaleurc@gmail.com>
+Date: Mon, 22 Apr 2024 01:55:41 +0900
+Subject: [PATCH] fix: OOB in rar e8 filter (#2135)
+
+This patch fixes an out-of-bound error in rar e8 filter.
+---
+ libarchive/archive_read_support_format_rar.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/libarchive/archive_read_support_format_rar.c b/libarchive/archive_read_support_format_rar.c
+index 99a11d1700..266d0ee995 100644
+--- a/libarchive/archive_read_support_format_rar.c
++++ b/libarchive/archive_read_support_format_rar.c
+@@ -3615,7 +3615,7 @@ execute_filter_e8(struct rar_filter *filter, struct rar_virtual_machine *vm, siz
+   uint32_t filesize = 0x1000000;
+   uint32_t i;
+ 
+-  if (length > PROGRAM_WORK_SIZE || length < 4)
++  if (length > PROGRAM_WORK_SIZE || length <= 4)
+     return 0;
+ 
+   for (i = 0; i <= length - 5; i++)

backport-CVE-2024-26256-CVE-2024-43495.patch

@@ -0,0 +1,33 @@
+From b7b0c7c4379531206a53634a12a02a8d45b28a2f Mon Sep 17 00:00:00 2001
+From: terrynini <terrynini38514@gmail.com>
+Date: Wed, 14 Aug 2024 16:01:21 +0800
+Subject: [PATCH] Fix CVE-2024-26256 (#2269)
+
+Opening a manipulated RAR archive could lead to remote code execution
+
+Security: CVE-2024-26256
+Co-authored-by: Timothy Lyanguzov <theta682@gmail.com>
+---
+ libarchive/archive_read_support_format_rar.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/libarchive/archive_read_support_format_rar.c b/libarchive/archive_read_support_format_rar.c
+index fb7cfde7..f4dcb752 100644
+--- a/libarchive/archive_read_support_format_rar.c
++++ b/libarchive/archive_read_support_format_rar.c
+@@ -3428,6 +3428,12 @@ run_filters(struct archive_read *a)
+       return 0;
+   }
+ 
++  if (filter->blocklength > VM_MEMORY_SIZE)
++  {
++    archive_set_error(&a->archive, ARCHIVE_ERRNO_FILE_FORMAT, "Bad RAR file data");
++    return 0;
++  }
++
+   ret = copy_from_lzss_window(a, filters->vm->memory, start, filter->blocklength);
+   if (ret != ARCHIVE_OK)
+     return 0;
+-- 
+2.33.0
+

backport-CVE-2024-48957.patch

@@ -0,0 +1,29 @@
+From 3006bc5d02ad3ae3c4f9274f60c1f9d2d834734b Mon Sep 17 00:00:00 2001
+From: Wei-Cheng Pan <legnaleurc@gmail.com>
+Date: Mon, 29 Apr 2024 06:53:19 +0900
+Subject: [PATCH] fix: OOB in rar audio filter (#2149)
+
+This patch ensures that `src` won't move ahead of `dst`, so `src` will
+not OOB. Similar situation like in a1cb648.
+---
+ libarchive/archive_read_support_format_rar.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/libarchive/archive_read_support_format_rar.c b/libarchive/archive_read_support_format_rar.c
+index 619ee81e2..4fc6626ca 100644
+--- a/libarchive/archive_read_support_format_rar.c
++++ b/libarchive/archive_read_support_format_rar.c
+@@ -3722,6 +3722,13 @@ execute_filter_audio(struct rar_filter *filter, struct rar_virtual_machine *vm)
+     memset(&state, 0, sizeof(state));
+     for (j = i; j < length; j += numchannels)
+     {
++      /*
++       * The src block should not overlap with the dst block.
++       * If so it would be better to consider this archive is broken.
++       */
++      if (src >= dst)
++        return 0;
++
+       int8_t delta = (int8_t)*src++;
+       uint8_t predbyte, byte;
+       int prederror;

backport-CVE-2024-48958.patch

@@ -0,0 +1,33 @@
+From a1cb648d52f5b6d3f31184d9b6a7cbca628459b7 Mon Sep 17 00:00:00 2001
+From: Wei-Cheng Pan <legnaleurc@gmail.com>
+Date: Mon, 29 Apr 2024 06:50:22 +0900
+Subject: [PATCH] fix: OOB in rar delta filter (#2148)
+
+Ensure that `src` won't move ahead of `dst`, so `src` will not OOB.
+Since `dst` won't move in this function, and we are only increasing `src`
+position, this check should be enough. It should be safe to early return
+because this function does not allocate resources.
+---
+ libarchive/archive_read_support_format_rar.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/libarchive/archive_read_support_format_rar.c b/libarchive/archive_read_support_format_rar.c
+index 79669a8f4..619ee81e2 100644
+--- a/libarchive/archive_read_support_format_rar.c
++++ b/libarchive/archive_read_support_format_rar.c
+@@ -3612,7 +3612,15 @@ execute_filter_delta(struct rar_filter *filter, struct rar_virtual_machine *vm)
+   {
+     uint8_t lastbyte = 0;
+     for (idx = i; idx < length; idx += numchannels)
++    {
++      /*
++       * The src block should not overlap with the dst block.
++       * If so it would be better to consider this archive is broken.
++       */
++      if (src >= dst)
++        return 0;
+       lastbyte = dst[idx] = lastbyte - *src++;
++    }
+   }
+ 
+   filter->filteredblockaddress = length;

backport-Only-add-iconv-to-the-.pc-file-if-needed-1825.patch

@@ -1,42 +0,0 @@
-From 1f35c466aaa9444335a1b854b0b7223b0d2346c2 Mon Sep 17 00:00:00 2001
-From: Peter Pentchev <roam@ringlet.net>
-Date: Thu, 29 Dec 2022 00:04:40 +0200
-Subject: [PATCH] Only add "iconv" to the .pc file if needed (#1825)
-
-Hi,
-
-Thanks for writing and maintaining libarchive!
-
-What do you think about this trivial change that does not add "iconv" to
-the pkg-config file's list of required packages unless it is actually
-needed? On at least Debian GNU/Linux systems, the iconv(3) function is
-part of the system C library and there is no Debian package that
-installs an iconv.pc file, so I had to make this change to the Debian
-package of libarchive.
-
-Thanks again, and keep up the great work!
-
-G'luck,
-Peter
----
- configure.ac | 4 +++-
- 1 file changed, 3 insertions(+), 1 deletion(-)
-
-diff --git a/configure.ac b/configure.ac
-index 99bff20d..e2715cfd 100644
---- a/configure.ac
-+++ b/configure.ac
-@@ -378,7 +378,9 @@ if test "x$with_iconv" != "xno"; then
-     AC_CHECK_HEADERS([localcharset.h])
-     am_save_LIBS="$LIBS"
-     LIBS="${LIBS} ${LIBICONV}"
--    LIBSREQUIRED="$LIBSREQUIRED${LIBSREQUIRED:+ }iconv"
-+    if test -n "$LIBICONV"; then
-+      LIBSREQUIRED="$LIBSREQUIRED${LIBSREQUIRED:+ }iconv"
-+    fi
-     AC_CHECK_FUNCS([locale_charset])
-     LIBS="${am_save_LIBS}"
-     if test "x$ac_cv_func_locale_charset" != "xyes"; then
--- 
-2.33.0
-

libarchive.spec

@@ -1,14 +1,18 @@
 %bcond_without check
 
 Name:           libarchive
-Version:        3.6.2
-Release:        2
+Version:        3.7.1
+Release:        5
 Summary:        Multi-format archive and compression library
 License:        BSD
 URL:            https://www.libarchive.org/
 Source0:        https://libarchive.org/downloads/%{name}-%{version}.tar.gz
 
-Patch6000: backport-Only-add-iconv-to-the-.pc-file-if-needed-1825.patch
+Patch6000:      backport-CVE-2024-20697-CVE-2024-26256.patch
+Patch6001:      backport-CVE-2024-20696.patch
+Patch6002:      backport-CVE-2024-26256-CVE-2024-43495.patch
+Patch6003:      backport-CVE-2024-48957.patch
+Patch6004:      backport-CVE-2024-48958.patch
 
 BuildRequires:  gcc bison sharutils zlib-devel bzip2-devel xz-devel
 BuildRequires:  lzo-devel e2fsprogs-devel libacl-devel libattr-devel
@@ -40,7 +44,6 @@ Requires:       %{name}%{?_isa} = %{version}-%{release}
 The bsdtar package contains standalone bsdtar utility split off regular
 libarchive packages.
  
- 
 %package -n bsdcpio
 Summary:        Copy files to and from archives
 Requires:       %{name}%{?_isa} = %{version}-%{release}
@@ -49,7 +52,6 @@ Requires:       %{name}%{?_isa} = %{version}-%{release}
 The bsdcpio package contains standalone bsdcpio utility split off regular
 libarchive packages.
  
- 
 %package -n bsdcat
 Summary:        Expand files to standard output
 Requires:       %{name}%{?_isa} = %{version}-%{release}
@@ -59,6 +61,14 @@ The bsdcat program typically takes a filename as an argument or reads standard
 input when used in a pipe.  In both cases decompressed data it written to
 standard output.
 
+%package -n bsdunzip
+Summary:        Extract files from a ZIP archive
+Requires:       %{name}%{?_isa} = %{version}-%{release}
+
+%description -n bsdunzip
+The bsdunzip package contains standalone bsdunzip utility split off regular
+libarchive packages. It is designed to provide an interface compatible with Info-ZIP's
+
 %prep
 %autosetup -n %{name}-%{version} -p1
 
@@ -186,7 +196,42 @@ run_testsuite
 %doc NEWS README.md
 %{_bindir}/bsdcat
 
+%files -n bsdunzip
+%{!?_licensedir:%global license %%doc}
+%license COPYING
+%doc NEWS README.md
+%{_bindir}/bsdunzip
+%{_mandir}/*/bsdunzip*
+
 %changelog
+* Sat Oct 12 2024 lingsheng <lingsheng1@h-partners.com> - 3.7.1-5
+- Type:CVE
+- ID:CVE-2024-48957,CVE-2024-48958
+- SUG:NA
+- DESC:fix CVE-2024-48957 CVE-2024-48958
+
+* Thu Sep 19 2024 lingsheng <lingsheng1@h-partners.com> - 3.7.1-4
+- Type:CVE
+- ID:CVE-2024-26256,CVE-2024-43495
+- SUG:NA
+- DESC:fix CVE-2024-26256 CVE-2024-43495
+
+* Thu Jun 06 2024 lingsheng <lingsheng1@h-partners.com> - 3.7.1-3
+- Type:CVE
+- ID:CVE-2024-20696
+- SUG:NA
+- DESC:fix CVE-2024-20696
+
+* Fri May 24 2024 lingsheng <lingsheng1@h-partners.com> - 3.7.1-2
+- Type:CVE
+- ID:CVE-2024-20697,CVE-2024-26256
+- SUG:NA
+- DESC:fix CVE-2024-20697 CVE-2024-26256
+
+* Thu Aug  3 2023 dillon chen<dillon.chen@gmail.com> - 3.7.1-1
+- Upgrade to 3.7.1
+- Add new bsdunzip subpackage
+
 * Thu Jun 15 2023 renhongxun<renhongxun@h-partners.com> - 3.6.2-2
 - Only add iconv to the .pc file if needed