I'm getting the following error at build time:

ERROR: libarchive-native-3.7.4-r0 do_patch: Applying patch
'CVE-2024-26256.patch' on target directory
'/home/steve/builds/poky-contrib-scarthgap/build/tmp/work/x86_64-linux/libarchive-native/3.7.4/libarchive-3.7.4'
CmdError('quilt --quiltrc
/home/steve/builds/poky-contrib-scarthgap/build/tmp/work/x86_64-linux/libarchive-native/3.7.4/recipe-sysroot-native/etc/quiltrc
push', 0, 'stdout: Applying patch CVE-2024-26256.patch
patching file libarchive/archive_read_support_format_rar.c
Hunk #1 FAILED at 3615.
1 out of 1 hunk FAILED -- rejects in file
libarchive/archive_read_support_format_rar.c
Patch CVE-2024-26256.patch can be reverse-applied

Steve

On Wed, Jul 24, 2024 at 12:13 PM Ashish Sharma via
lists.openembedded.org <[email protected]>
wrote:
>
> This patch fixes an out-of-bound error in rar e8 filter.
>
> Upstream-Status: Backport 
> [https://github.com/libarchive/libarchive/commit/eb7939b24a681a04648a59cdebd386b1e9dc9237]
> Signed-off-by: Ashish Sharma <[email protected]>
> ---
>  .../libarchive/CVE-2024-26256.patch           | 27 +++++++++++++++++++
>  .../libarchive/libarchive_3.7.4.bb            |  4 ++-
>  2 files changed, 30 insertions(+), 1 deletion(-)
>  create mode 100644 
> meta/recipes-extended/libarchive/libarchive/CVE-2024-26256.patch
>
> diff --git a/meta/recipes-extended/libarchive/libarchive/CVE-2024-26256.patch 
> b/meta/recipes-extended/libarchive/libarchive/CVE-2024-26256.patch
> new file mode 100644
> index 00000000000..f9be4fe255d
> --- /dev/null
> +++ b/meta/recipes-extended/libarchive/libarchive/CVE-2024-26256.patch
> @@ -0,0 +1,27 @@
> +From eb7939b24a681a04648a59cdebd386b1e9dc9237 Mon Sep 17 00:00:00 2001
> +From: Wei-Cheng Pan <[email protected]>
> +Date: Mon, 22 Apr 2024 01:55:41 +0900
> +Subject: [PATCH] fix: OOB in rar e8 filter (#2135)
> +
> +This patch fixes an out-of-bound error in rar e8 filter.
> +
> +Upstream-Status: Backport 
> [https://github.com/libarchive/libarchive/commit/eb7939b24a681a04648a59cdebd386b1e9dc9237]
> +CVE: CVE-2024-26256
> +Signed-off-by: Ashish Sharma <[email protected]>
> +
> + libarchive/archive_read_support_format_rar.c | 2 +-
> + 1 file changed, 1 insertion(+), 1 deletion(-)
> +
> +diff --git a/libarchive/archive_read_support_format_rar.c 
> b/libarchive/archive_read_support_format_rar.c
> +index 99a11d1700..266d0ee995 100644
> +--- a/libarchive/archive_read_support_format_rar.c
> ++++ b/libarchive/archive_read_support_format_rar.c
> +@@ -3615,7 +3615,7 @@ execute_filter_e8(struct rar_filter *filter, struct 
> rar_virtual_machine *vm, siz
> +   uint32_t filesize = 0x1000000;
> +   uint32_t i;
> +
> +-  if (length > PROGRAM_WORK_SIZE || length < 4)
> ++  if (length > PROGRAM_WORK_SIZE || length <= 4)
> +     return 0;
> +
> +   for (i = 0; i <= length - 5; i++)
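Review bot: The guard change at line 3615 (`length < 4` to `length <= 4`) appears to be present already in the 3.7.4 source this recipe fetches. The build log in the reply shows Hunk #1 failing with "can be reverse-applied", which is what quilt reports when the tree already holds the post-patch content. Check the unpacked libarchive/archive_read_support_format_rar.c; if the guard already reads `length <= 4`, drop this file and record the CVE as fixed in this version (for example through CVE_STATUS in the recipe) rather than carrying a backport. On the fix itself, the boundary matters because the loop bound `length - 5` looks to be computed on an unsigned length (the parameter type is cut off in the hunk header), so a length of exactly 4 would wrap to a very large bound instead of skipping the loop.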
> diff --git a/meta/recipes-extended/libarchive/libarchive_3.7.4.bb 
> b/meta/recipes-extended/libarchive/libarchive_3.7.4.bb
> index da857641168..22e398f5989 100644
> --- a/meta/recipes-extended/libarchive/libarchive_3.7.4.bb
> +++ b/meta/recipes-extended/libarchive/libarchive_3.7.4.bb
> @@ -30,7 +30,9 @@ PACKAGECONFIG[zstd] = "--with-zstd,--without-zstd,zstd,"
>  EXTRA_OECONF += "--enable-largefile --without-iconv"
>
>  SRC_URI = "http://libarchive.org/downloads/libarchive-${PV}.tar.gz";
> -SRC_URI += "file://configurehack.patch"
> +SRC_URI += "file://configurehack.patch \
> +            file://CVE-2024-26256.patch \
> +"
>  UPSTREAM_CHECK_URI = "http://libarchive.org/";
>
>  SRC_URI[sha256sum] = 
> "7875d49596286055b52439ed42f044bd8ad426aa4cc5aabd96bfe7abb971d5e8"
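Review bot: The added `file://CVE-2024-26256.patch` entry in SRC_URI is applied by do_patch for every variant built from this recipe, and the reply shows it failing for libarchive-native, so this entry breaks the build as submitted. If the patch file is dropped, keep the original single-line `SRC_URI += "file://configurehack.patch"`; if it stays in some form, run do_patch for both the target and native variants against libarchive-${PV} before resending.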
> --
> 2.44.0
>
>
> 
>