From a5364520b1aa1061155f1ad7ad0527c2a0055b47 Mon Sep 17 00:00:00 2001
From: Andrew Phelps
Date: Tue, 22 Oct 2024 12:05:25 -0700
Subject: [PATCH] =?UTF-8?q?Revert=20"libarchive:=20Upgrade=20to=203.7.7=20?= =?UTF-8?q?to=20fix=20CVE-2024-48957,=20CVE-2024-=E2=80=A6=20(#10807)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 SPECS/libarchive/CVE-2024-26256.patch | 23 +++
 SPECS/libarchive/CVE-2024-37407.patch | 24 +++
 SPECS/libarchive/libarchive.signatures.json | 6 +-
 SPECS/libarchive/libarchive.spec | 13 +-
 ...date-appledouble-support-directories.patch | 189 ++++++++++++++++++
 cgmanifest.json | 4 +-
 .../manifests/package/pkggen_core_aarch64.txt | 4 +-
 .../manifests/package/pkggen_core_x86_64.txt | 4 +-
 .../manifests/package/toolchain_aarch64.txt | 6 +-
 .../manifests/package/toolchain_x86_64.txt | 6 +-
 10 files changed, 258 insertions(+), 21 deletions(-)
 create mode 100644 SPECS/libarchive/CVE-2024-26256.patch
 create mode 100644 SPECS/libarchive/CVE-2024-37407.patch
 create mode 100644 SPECS/libarchive/update-appledouble-support-directories.patch
diff --git a/SPECS/libarchive/CVE-2024-26256.patch b/SPECS/libarchive/CVE-2024-26256.patch
new file mode 100644
index 00000000000..20c8e9ff2e9
--- /dev/null
+++ b/SPECS/libarchive/CVE-2024-26256.patch
@@ -0,0 +1,23 @@
+From eb7939b24a681a04648a59cdebd386b1e9dc9237 Mon Sep 17 00:00:00 2001
+From: Wei-Cheng Pan
+Date: Mon, 22 Apr 2024 01:55:41 +0900
+Subject: [PATCH] fix: OOB in rar e8 filter (#2135)
+
+This patch fixes an out-of-bound error in rar e8 filter.
+---
+ libarchive/archive_read_support_format_rar.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/libarchive/archive_read_support_format_rar.c b/libarchive/archive_read_support_format_rar.c
+index 99a11d1700..266d0ee995 100644
+--- a/libarchive/archive_read_support_format_rar.c
++++ b/libarchive/archive_read_support_format_rar.c
+@@ -3615,7 +3615,7 @@ execute_filter_e8(struct rar_filter *filter, struct rar_virtual_machine *vm, siz
+ uint32_t filesize = 0x1000000;
+ uint32_t i;
+
+- if (length > PROGRAM_WORK_SIZE || length < 4)
++ if (length > PROGRAM_WORK_SIZE || length <= 4)
+ return 0;
+
+ for (i = 0; i <= length - 5; i++)
diff --git a/SPECS/libarchive/CVE-2024-37407.patch b/SPECS/libarchive/CVE-2024-37407.patch
new file mode 100644
index 00000000000..43db7a1c548
--- /dev/null
+++ b/SPECS/libarchive/CVE-2024-37407.patch
@@ -0,0 +1,24 @@
+From b6a979481b7d77c12fa17bbed94576b63bbcb0c0 Mon Sep 17 00:00:00 2001
+From: Tobias Stoeckmann
+Date: Thu, 25 Apr 2024 09:18:30 +0000
+Subject: [PATCH] zip: Fix out of boundary access (#2145)
+
+If a ZIP file contains a file with an empty name and mac-ext option is
+set, then a check accesses memory out of bound of `name`.
+---
+ libarchive/archive_read_support_format_zip.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/libarchive/archive_read_support_format_zip.c b/libarchive/archive_read_support_format_zip.c
+index d7b6f082ee..7552a1a1a2 100644
+--- a/libarchive/archive_read_support_format_zip.c
++++ b/libarchive/archive_read_support_format_zip.c
+@@ -4089,7 +4089,7 @@ slurp_central_directory(struct archive_read *a, struct archive_entry* entry,
+ * as the actual resource fork doesn't end with '/'.
+ */
+ size_t tmp_length = filename_length;
+- if (name[tmp_length - 1] == '/') {
++ if (tmp_length > 0 && name[tmp_length - 1] == '/') {
+ tmp_length--;
+ r = rsrc_basename(name, tmp_length);
+ }
diff --git a/SPECS/libarchive/libarchive.signatures.json b/SPECS/libarchive/libarchive.signatures.json
index f32783f4e68..b4c15926c53 100644
--- a/SPECS/libarchive/libarchive.signatures.json
+++ b/SPECS/libarchive/libarchive.signatures.json
@@ -1,5 +1,5 @@
 {
- "Signatures": {
- "libarchive-3.7.7.tar.gz": "4cc540a3e9a1eebdefa1045d2e4184831100667e6d7d5b315bb1cbc951f8ddff"
- }
+ "Signatures": {
+ "libarchive-3.7.1.tar.gz": "5d24e40819768f74daf846b99837fc53a3a9dcdf3ce1c2003fe0596db850f0f0"
+ }
 }
diff --git a/SPECS/libarchive/libarchive.spec b/SPECS/libarchive/libarchive.spec
index 99ce351dcfe..25d8a39b371 100644
--- a/SPECS/libarchive/libarchive.spec
+++ b/SPECS/libarchive/libarchive.spec
@@ -1,13 +1,18 @@ Summary: Multi-format archive and compression library Name: libarchive -Version: 3.7.7 -Release: 1%{?dist} +Version: 3.7.1 +Release: 2%{?dist} # Certain files have individual licenses. For more details see contents of "COPYING". License: BSD AND Public Domain AND (ASL 2.0 OR CC0 1.0 OR OpenSSL) Vendor: Microsoft Corporation Distribution: Azure Linux URL: https://www.libarchive.org/ Source0: https://github.com/libarchive/libarchive/releases/download/v%{version}/%{name}-%{version}.tar.gz +Patch0: CVE-2024-26256.patch +# https://github.com/libarchive/libarchive/pull/2108 (needed to cleanly apply the ZIP OOB (CVE-2024-37407) patch) +# Please remove when upgrading to v3.7.4 and above +Patch1: update-appledouble-support-directories.patch +Patch2: CVE-2024-37407.patch Provides: bsdtar = %{version}-%{release} BuildRequires: xz-libs @@ -60,10 +65,6 @@ make %{?_smp_mflags} check %{_libdir}/pkgconfig/*.pc %changelog -* Tue Oct 15 2024 Nan Liu - 3.7.7-1 -- Upgrade to 3.7.7 - Fix CVE-2024-48957, CVE-2024-48958, CVE-2024-20696 -- Remove unused patches - * Tue Jun 25 2024 Neha Agarwal - 3.7.1-2 - Patch CVE-2024-26256 and CVE-2024-37407 diff --git a/SPECS/libarchive/update-appledouble-support-directories.patch b/SPECS/libarchive/update-appledouble-support-directories.patch new file mode 100644 index 00000000000..6e41ea4c6ce --- /dev/null +++ b/SPECS/libarchive/update-appledouble-support-directories.patch 
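Review bot: With `Version: 3.7.1` and only `Patch0`–`Patch2` in the patch list, the fixes that the removed `%changelog` entry attributes to 3.7.7 (CVE-2024-48957, CVE-2024-48958, CVE-2024-20696) are no longer carried, and neither the commit message nor the spec says why the upgrade was reverted or how those fixes will return. Whether each of these CVEs affects 3.7.1 is not visible here and should be confirmed; any that does needs its own backported `PatchN` or a recorded decision to accept the exposure. At minimum, add a comment beside the patch list such as `# 3.7.1 lacks the 3.7.7 fixes for CVE-2024-48957, CVE-2024-48958, CVE-2024-20696; backport or re-upgrade`, plus a dated `%changelog` entry for the revert, since the second hunk only deletes the 3.7.7-1 entry. The restored `Release: 2%{?dist}` also sorts below 3.7.7-1, so hosts that already installed the upgraded build would presumably stay on it unless explicitly downgraded, which is worth stating in the commit description.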
@@ -0,0 +1,189 @@ +From 91f27004a5c88589658e38d68e46d223da6b75ca Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Martin=20Matu=C5=A1ka?= +Date: Sun, 21 Apr 2024 05:23:22 +0200 +Subject: [PATCH] Update AppleDouble support for directories (#2108) + +This is a clone of the reverted pull request #2100. Due to the latest +circumstances we should require a more deep review of each new PR. + +--------- + +Co-authored-by: Justin Vreeland +--- + libarchive/archive_read_support_format_zip.c | 13 ++- + libarchive/archive_write_disk_posix.c | 3 +- + libarchive/test/test_write_disk_appledouble.c | 84 +++++++++++++++++++ + .../test_write_disk_appledouble_zip.zip.uu | 27 ++++++ + 4 files changed, 125 insertions(+), 2 deletions(-) + create mode 100644 libarchive/test/test_write_disk_appledouble_zip.zip.uu + +diff --git a/libarchive/archive_read_support_format_zip.c b/libarchive/archive_read_support_format_zip.c +index 212bfff9fa..d7b6f082ee 100644 +--- a/libarchive/archive_read_support_format_zip.c ++++ b/libarchive/archive_read_support_format_zip.c +@@ -4083,6 +4083,17 @@ slurp_central_directory(struct archive_read *a, struct archive_entry* entry, + } else { + /* Generate resource fork name to find its + * resource file at zip->tree_rsrc. */ ++ ++ /* If this is an entry ending with slash, ++ * make the resource for name slash-less ++ * as the actual resource fork doesn't end with '/'. ++ */ ++ size_t tmp_length = filename_length; ++ if (name[tmp_length - 1] == '/') { ++ tmp_length--; ++ r = rsrc_basename(name, tmp_length); ++ } ++ + archive_strcpy(&(zip_entry->rsrcname), + "__MACOSX/"); + archive_strncat(&(zip_entry->rsrcname), +@@ -4090,7 +4101,7 @@ slurp_central_directory(struct archive_read *a, struct archive_entry* entry, + archive_strcat(&(zip_entry->rsrcname), "._"); + archive_strncat(&(zip_entry->rsrcname), + name + (r - name), +- filename_length - (r - name)); ++ tmp_length - (r - name)); + /* Register an entry to RB tree to sort it by + * file offset. 
*/ + __archive_rb_tree_insert_node(&zip->tree, +diff --git a/libarchive/archive_write_disk_posix.c b/libarchive/archive_write_disk_posix.c +index 58265ee0dc..92db4ff05b 100644 +--- a/libarchive/archive_write_disk_posix.c ++++ b/libarchive/archive_write_disk_posix.c +@@ -4427,7 +4427,8 @@ fixup_appledouble(struct archive_write_disk *a, const char *pathname) + #else + la_stat(datafork.s, &st) == -1 || + #endif +- (st.st_mode & AE_IFMT) != AE_IFREG) ++ (((st.st_mode & AE_IFMT) != AE_IFREG) && ++ ((st.st_mode & AE_IFMT) != AE_IFDIR))) + goto skip_appledouble; + + /* +diff --git a/libarchive/test/test_write_disk_appledouble.c b/libarchive/test/test_write_disk_appledouble.c +index 3265a94d2f..8de6c8b504 100644 +--- a/libarchive/test/test_write_disk_appledouble.c ++++ b/libarchive/test/test_write_disk_appledouble.c +@@ -236,3 +236,87 @@ DEFINE_TEST(test_write_disk_appledouble) + assertEqualFile("hfscmp/file3", "nocmp/file3"); + #endif + } ++ ++/* Test writing apple doubles to disk from zip format */ ++DEFINE_TEST(test_write_disk_appledouble_zip) ++{ ++#if !defined(__APPLE__) || !defined(UF_COMPRESSED) || !defined(HAVE_SYS_XATTR_H)\ ++ || !defined(HAVE_ZLIB_H) ++ skipping("MacOS-specific AppleDouble test"); ++#else ++ const char *refname = "test_write_disk_appledouble_zip.zip"; ++ struct archive *ad, *a; ++ struct archive_entry *ae; ++ struct stat st; ++ ++ extract_reference_file(refname); ++ ++ /* ++ * Extract an archive to disk. 
++ */ ++ assert((ad = archive_write_disk_new()) != NULL); ++ assertEqualIntA(ad, ARCHIVE_OK, ++ archive_write_disk_set_standard_lookup(ad)); ++ assertEqualIntA(ad, ARCHIVE_OK, ++ archive_write_disk_set_options(ad, ++ ARCHIVE_EXTRACT_TIME | ++ ARCHIVE_EXTRACT_SECURE_SYMLINKS | ++ ARCHIVE_EXTRACT_SECURE_NODOTDOT)); ++ ++ assert((a = archive_read_new()) != NULL); ++ assertEqualIntA(a, ARCHIVE_OK, archive_read_support_filter_all(a)); ++ assertEqualIntA(a, ARCHIVE_OK, archive_read_support_format_all(a)); ++ assertEqualIntA(a, ARCHIVE_OK, archive_read_open_filename(a, ++ refname, 512 * 20)); ++ ++ /* Skip The top level directory */ ++ assertEqualIntA(a, ARCHIVE_OK, archive_read_next_header(a, &ae)); ++ assertEqualString("apple_double_dir/", archive_entry_pathname(ae)); ++ ++ /* Extract apple_double_test */ ++ assertEqualIntA(a, ARCHIVE_OK, archive_read_next_header(a, &ae)); ++ assertEqualString("apple_double_dir/apple_double_dir_test/", archive_entry_pathname(ae)); ++ assertEqualIntA(a, ARCHIVE_OK, archive_read_extract2(a, ae, ad)); ++ ++ /* Extract ._apple_double_dir_test which will be merged into apple_double_dir_test as metadata. */ ++ assertEqualIntA(a, ARCHIVE_OK, archive_read_next_header(a, &ae)); ++ assertEqualString("apple_double_dir/._apple_double_dir_test", archive_entry_pathname(ae)); ++ assertEqualIntA(a, ARCHIVE_OK, archive_read_extract2(a, ae, ad)); ++ ++ /* Extract test_file */ ++ assertEqualIntA(a, ARCHIVE_OK, archive_read_next_header(a, &ae)); ++ assertEqualString("apple_double_dir/test_file", archive_entry_pathname(ae)); ++ assertEqualIntA(a, ARCHIVE_OK, archive_read_extract2(a, ae, ad)); ++ ++ /* Extract ._test_file which will be merged into test_file as metadata. 
*/ ++ assertEqualIntA(a, ARCHIVE_OK, archive_read_next_header(a, &ae)); ++ assertEqualString("apple_double_dir/._test_file", archive_entry_pathname(ae)); ++ assertEqualIntA(a, ARCHIVE_OK, archive_read_extract2(a, ae, ad)); ++ ++ assertEqualIntA(a, ARCHIVE_EOF, archive_read_next_header(a, &ae)); ++ assertEqualIntA(a, ARCHIVE_OK, archive_read_close(a)); ++ assertEqualInt(ARCHIVE_OK, archive_read_free(a)); ++ assertEqualIntA(ad, ARCHIVE_OK, archive_write_free(ad)); ++ ++ /* Test test_file */ ++ assertEqualInt(0, stat("apple_double_dir/test_file", &st)); ++ assertFileSize("apple_double_dir/test_file", 5); ++ failure("'%s' should have Resource Fork", "test_file"); ++ assertEqualInt(1, has_xattr("apple_double_dir/test_file", "com.apple.ResourceFork")); ++ ++ /* Test apple_double_dir_test */ ++ failure("'%s' should have quarantine xattr", "apple_double_dir_test"); ++ assertEqualInt(1, has_xattr("apple_double_dir/apple_double_dir_test", "com.apple.quarantine")); ++ ++ /* Test ._test_file. */ ++ failure("'apple_double_dir/._test_file' should be merged and removed"); ++ assertFileNotExists("apple_double_dir/._test_file"); ++ ++ /* Test ._apple_double_dir_test */ ++ failure("'apple_double_dir/._._apple_double_dir_test' should be merged and removed"); ++ assertFileNotExists("apple_double_dir/._apple_double_dir_test"); ++ ++ assertChdir(".."); ++ ++#endif ++} +diff --git a/libarchive/test/test_write_disk_appledouble_zip.zip.uu b/libarchive/test/test_write_disk_appledouble_zip.zip.uu +new file mode 100644 +index 0000000000..5ab67533d5 +--- /dev/null ++++ b/libarchive/test/test_write_disk_appledouble_zip.zip.uu +@@ -0,0 +1,27 @@ ++begin 644 test_write_disk_appledouble_zip.zip ++M4$L#!`H```````MM?%@````````````````1`!``87!P;&5?9&]U8FQE7V1I ++M