Hi Yoann,

This CVE fix is already included in libarchive version 3.8.6 on the master
branch.

https://github.com/libarchive/libarchive/releases/tag/v3.8.6

I will cherry-pick libarchive-3.8.6 from master and submit the patch to
the Whinlatter branch.

Thanks & Regards,
Vijay

On Sat, Apr 4, 2026 at 3:37 AM Yoann Congal <[email protected]> wrote:

> On Thu Mar 26, 2026 at 8:58 AM CET, Vijay Anusuri via
> lists.openembedded.org wrote:
> > From: Vijay Anusuri <[email protected]>
> >
> > Pick patch according to [1]
> >
> > [1] https://security-tracker.debian.org/tracker/CVE-2026-4111
> > [2] https://github.com/libarchive/libarchive/pull/2877
> > [3] https://access.redhat.com/errata/RHSA-2026:5080
> >
> > Signed-off-by: Vijay Anusuri <[email protected]>
> > ---
>
> Hello,
>
> As far as I can tell, this CVE applies to whinlatter and master.
> Since kirkstone is nearing its end, I'll take it into the review
> series but can only merge it if a patch for this CVE has been sent for
> those branches.
>
> Regards,
>
> >  .../libarchive/CVE-2026-4111-1.patch          |  32 ++
> >  .../libarchive/CVE-2026-4111-2.patch          | 308 ++++++++++++++++++
> >  .../libarchive/libarchive_3.6.2.bb            |   2 +
> >  3 files changed, 342 insertions(+)
> >  create mode 100644
> meta/recipes-extended/libarchive/libarchive/CVE-2026-4111-1.patch
> >  create mode 100644
> meta/recipes-extended/libarchive/libarchive/CVE-2026-4111-2.patch
> >
> > diff --git
> a/meta/recipes-extended/libarchive/libarchive/CVE-2026-4111-1.patch
> b/meta/recipes-extended/libarchive/libarchive/CVE-2026-4111-1.patch
> > new file mode 100644
> > index 0000000000..1f065b1364
> > --- /dev/null
> > +++ b/meta/recipes-extended/libarchive/libarchive/CVE-2026-4111-1.patch
> > @@ -0,0 +1,32 @@
> > +From 7273d04803a1e5a482f26d8d0fbaf2b204a72168 Mon Sep 17 00:00:00 2001
> > +From: Tim Kientzle <[email protected]>
> > +Date: Sun, 1 Mar 2026 20:24:56 -0800
> > +Subject: [PATCH] Reject filters when the block length is nonsensical
> > +
> > +Credit: Grzegorz Antoniak @antekone
> > +
> > +Upstream-Status: Backport [
> https://github.com/libarchive/libarchive/commit/7273d04803a1e5a482f26d8d0fbaf2b204a72168
> ]
> > +CVE: CVE-2026-4111
> > +Signed-off-by: Vijay Anusuri <[email protected]>
> > +---
> > + libarchive/archive_read_support_format_rar5.c | 4 +++-
> > + 1 file changed, 3 insertions(+), 1 deletion(-)
> > +
> > +diff --git a/libarchive/archive_read_support_format_rar5.c
> b/libarchive/archive_read_support_format_rar5.c
> > +index 38979cb..867f0a8 100644
> > +--- a/libarchive/archive_read_support_format_rar5.c
> > ++++ b/libarchive/archive_read_support_format_rar5.c
> > +@@ -2914,7 +2914,9 @@ static int parse_filter(struct archive_read* ar,
> const uint8_t* p) {
> > +     if(block_length < 4 ||
> > +         block_length > 0x400000 ||
> > +         filter_type > FILTER_ARM ||
> > +-        !is_valid_filter_block_start(rar, block_start))
> > ++        !is_valid_filter_block_start(rar, block_start) ||
> > ++        (rar->cstate.window_size > 0 &&
> > ++         (ssize_t)block_length > rar->cstate.window_size >> 1))
> > +     {
> > +             archive_set_error(&ar->archive, ARCHIVE_ERRNO_FILE_FORMAT,
> > +                 "Invalid filter encountered");
> > +--
> > +2.25.1
> > +
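Review bot: the new condition in parse_filter() relies on C precedence, `(ssize_t)block_length > rar->cstate.window_size >> 1` parsing as `block_length > (window_size >> 1)`; that is the intended "reject blocks larger than half the window" bound, but the shift should be parenthesised and given a one-line comment, and the `(ssize_t)` cast suggests `window_size` is signed, so a reader has to check that the comparison cannot go wrong for a `window_size` that is negative or not yet set. The guard is deliberately skipped while `window_size == 0`, so on that path only the existing `block_length > 0x400000` check bounds the value; worth saying so in the patch header. Separately, the `Upstream-Status: Backport [ ... ]` trailer has been wrapped over three lines by the mail client; confirm the .patch file in the series has it on a single line, or the oe-core patch-status checks will reject it.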
> > diff --git
> a/meta/recipes-extended/libarchive/libarchive/CVE-2026-4111-2.patch
> b/meta/recipes-extended/libarchive/libarchive/CVE-2026-4111-2.patch
> > new file mode 100644
> > index 0000000000..243a03a8e5
> > --- /dev/null
> > +++ b/meta/recipes-extended/libarchive/libarchive/CVE-2026-4111-2.patch
> > @@ -0,0 +1,308 @@
> > +From ef53e2023d75a205cf7cbddb5d01c4cc592e9ce4 Mon Sep 17 00:00:00 2001
> > +From: Tim Kientzle <[email protected]>
> > +Date: Sun, 1 Mar 2026 10:04:01 -0800
> > +Subject: [PATCH] Infinite loop in Rar5 decompression
> > +
> > +Found by: Elhanan Haenel
> > +
> > +Upstream-Status: Backport [
> https://github.com/libarchive/libarchive/commit/ef53e2023d75a205cf7cbddb5d01c4cc592e9ce4
> ]
> > +CVE: CVE-2026-4111
> > +Signed-off-by: Vijay Anusuri <[email protected]>
> > +---
> > + Makefile.am                                   |   2 +
> > + libarchive/test/CMakeLists.txt                |   1 +
> > + .../test/test_read_format_rar5_loop_bug.c     |  53 +++++
> > + .../test_read_format_rar5_loop_bug.rar.uu     | 189 ++++++++++++++++++
> > + 4 files changed, 245 insertions(+)
> > + create mode 100644 libarchive/test/test_read_format_rar5_loop_bug.c
> > + create mode 100644
> libarchive/test/test_read_format_rar5_loop_bug.rar.uu
> > +
> > +diff --git a/Makefile.am b/Makefile.am
> > +index dd1620d..14edb2a 100644
> > +--- a/Makefile.am
> > ++++ b/Makefile.am
> > +@@ -507,6 +507,7 @@ libarchive_test_SOURCES= \
> > +     libarchive/test/test_read_format_rar_invalid1.c \
> > +     libarchive/test/test_read_format_rar_overflow.c \
> > +     libarchive/test/test_read_format_rar5.c \
> > ++    libarchive/test/test_read_format_rar5_loop_bug.c \
> > +     libarchive/test/test_read_format_raw.c \
> > +     libarchive/test/test_read_format_tar.c \
> > +     libarchive/test/test_read_format_tar_concatenated.c \
> > +@@ -869,6 +870,7 @@ libarchive_test_EXTRA_DIST=\
> > +
>  libarchive/test/test_read_format_rar5_invalid_dict_reference.rar.uu \
> > +     libarchive/test/test_read_format_rar5_leftshift1.rar.uu \
> > +     libarchive/test/test_read_format_rar5_leftshift2.rar.uu \
> > ++    libarchive/test/test_read_format_rar5_loop_bug.rar.uu \
> > +     libarchive/test/test_read_format_rar5_multiarchive.part01.rar.uu \
> > +     libarchive/test/test_read_format_rar5_multiarchive.part02.rar.uu \
> > +     libarchive/test/test_read_format_rar5_multiarchive.part03.rar.uu \
> > +diff --git a/libarchive/test/CMakeLists.txt
> b/libarchive/test/CMakeLists.txt
> > +index 05c6fd7..c8f2e90 100644
> > +--- a/libarchive/test/CMakeLists.txt
> > ++++ b/libarchive/test/CMakeLists.txt
> > +@@ -156,6 +156,7 @@ IF(ENABLE_TEST)
> > +     test_read_format_rar_filter.c
> > +     test_read_format_rar_overflow.c
> > +     test_read_format_rar5.c
> > ++    test_read_format_rar5_loop_bug.c
> > +     test_read_format_raw.c
> > +     test_read_format_tar.c
> > +     test_read_format_tar_concatenated.c
> > +diff --git a/libarchive/test/test_read_format_rar5_loop_bug.c
> b/libarchive/test/test_read_format_rar5_loop_bug.c
> > +new file mode 100644
> > +index 0000000..77dd78c
> > +--- /dev/null
> > ++++ b/libarchive/test/test_read_format_rar5_loop_bug.c
> > +@@ -0,0 +1,53 @@
> > ++/*-
> > ++ * Copyright (c) 2026 Tim Kientzle
> > ++ * All rights reserved.
> > ++ *
> > ++ * Redistribution and use in source and binary forms, with or without
> > ++ * modification, are permitted provided that the following conditions
> > ++ * are met:
> > ++ * 1. Redistributions of source code must retain the above copyright
> > ++ *    notice, this list of conditions and the following disclaimer.
> > ++ * 2. Redistributions in binary form must reproduce the above copyright
> > ++ *    notice, this list of conditions and the following disclaimer in
> the
> > ++ *    documentation and/or other materials provided with the
> distribution.
> > ++ *
> > ++ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR(S) ``AS IS'' AND ANY
> EXPRESS OR
> > ++ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
> WARRANTIES
> > ++ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
> DISCLAIMED.
> > ++ * IN NO EVENT SHALL THE AUTHOR(S) BE LIABLE FOR ANY DIRECT, INDIRECT,
> > ++ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
> (INCLUDING, BUT
> > ++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS
> OF USE,
> > ++ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
> ANY
> > ++ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
> > ++ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
> USE OF
> > ++ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
> > ++ */
> > ++#include "test.h"
> > ++
> > ++DEFINE_TEST(test_read_format_rar5_loop_bug)
> > ++{
> > ++  const char *reffile = "test_read_format_rar5_loop_bug.rar";
> > ++  struct archive_entry *ae;
> > ++  struct archive *a;
> > ++  const void *buf;
> > ++  size_t size;
> > ++  la_int64_t offset;
> > ++
> > ++  extract_reference_file(reffile);
> > ++  assert((a = archive_read_new()) != NULL);
> > ++  assertEqualIntA(a, ARCHIVE_OK, archive_read_support_filter_all(a));
> > ++  assertEqualIntA(a, ARCHIVE_OK, archive_read_support_format_all(a));
> > ++  assertEqualIntA(a, ARCHIVE_OK, archive_read_open_filename(a,
> reffile, 10240));
> > ++
> > ++  // This has just one entry
> > ++  assertEqualIntA(a, ARCHIVE_OK, archive_read_next_header(a, &ae));
> > ++
> > ++  // Read blocks until the end of the entry
> > ++  while (ARCHIVE_OK == archive_read_data_block(a, &buf, &size,
> &offset)) {
> > ++  }
> > ++
> > ++  assertEqualIntA(a, ARCHIVE_EOF, archive_read_next_header(a, &ae));
> > ++
> > ++  assertEqualIntA(a, ARCHIVE_OK, archive_read_close(a));
> > ++  assertEqualInt(ARCHIVE_OK, archive_free(a));
> > ++}
> > +diff --git a/libarchive/test/test_read_format_rar5_loop_bug.rar.uu
> b/libarchive/test/test_read_format_rar5_loop_bug.rar.uu
> > +new file mode 100644
> > +index 0000000..3e47004
> > +--- /dev/null
> > ++++ b/libarchive/test/test_read_format_rar5_loop_bug.rar.uu
> > +@@ -0,0 +1,189 @@
> > ++begin 644 test_read_format_rar5_loop_bug.rar
> > ++end
> > +--
> > +2.25.1
> > +
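Review bot: this hunk carries only the regression test (Makefile.am, libarchive/test/CMakeLists.txt, test_read_format_rar5_loop_bug.c and the .rar.uu fixture) and does not touch archive_read_support_format_rar5.c, so the subject "Infinite loop in Rar5 decompression" is misleading on its own; the header should say that the fix is CVE-2026-4111-1.patch and that this patch is its test. Ordering matters: the test drains the entry with `while (ARCHIVE_OK == archive_read_data_block(a, &buf, &size, &offset)) {}` and no iteration bound, so on a tree without the first patch it would hang rather than fail. Several long lines have also been re-wrapped by the mail client (the `libarchive/test/test_read_format_rar5_invalid_dict_reference.rar.uu` context line in Makefile.am, the `archive_read_open_filename(a, reffile, 10240)` call, the license block), so the quoted copy will not apply as-is and review should be done against the git send-email version.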
> > diff --git a/meta/recipes-extended/libarchive/libarchive_3.6.2.bb
> b/meta/recipes-extended/libarchive/libarchive_3.6.2.bb
> > index e74326b40f..85fe6e5baa 100644
> > --- a/meta/recipes-extended/libarchive/libarchive_3.6.2.bb
> > +++ b/meta/recipes-extended/libarchive/libarchive_3.6.2.bb
> > @@ -50,6 +50,8 @@ SRC_URI = "
> http://libarchive.org/downloads/libarchive-${PV}.tar.gz \
> >
>  file://0001-Merge-pull-request-2768-from-Commandoss-master.patch \
> >             file://CVE-2025-60753-01.patch \
> >             file://CVE-2025-60753-02.patch \
> > +           file://CVE-2026-4111-1.patch \
> > +           file://CVE-2026-4111-2.patch \
> >             "
> >  UPSTREAM_CHECK_URI = "http://libarchive.org/";
> >
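Review bot: SRC_URI lists CVE-2026-4111-1.patch (the fix) before CVE-2026-4111-2.patch (the test), which is the correct order and should be kept, since the added test only terminates once the first patch is applied. The unchanged context line `UPSTREAM_CHECK_URI = "http://libarchive.org/";` shows a trailing `;` that is not valid BitBake syntax; it is most likely a mail or extraction artifact, but confirm the recipe line in the tree is unchanged.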
>
>
> --
> Yoann Congal
> Smile ECS
>
>