From: "Hugo SIMELIERE (Schneider Electric)" <[email protected]>
Pick patches from [1] and [2] as mentioned in Debian report in [3].
[1] https://github.com/libarchive/libarchive/commit/d379dc0b2976b7207d1ad78f5ed3eb99a5b6d375
[2] https://github.com/libarchive/libarchive/commit/e1907c5832b6489c7b4198b0825f857c93a03c10
[3] https://security-tracker.debian.org/tracker/CVE-2026-4424
Signed-off-by: Hugo SIMELIERE (Schneider Electric) <[email protected]>
Reviewed-by: Bruno VERNAY <[email protected]>
---
 .../libarchive/CVE-2026-4424-1.patch | 61 +++++++++++++++++++
 .../libarchive/CVE-2026-4424-2.patch | 28 +++++++++
 .../libarchive/libarchive_3.7.9.bb | 2 +
 3 files changed, 91 insertions(+)
 create mode 100644 meta/recipes-extended/libarchive/libarchive/CVE-2026-4424-1.patch
 create mode 100644 meta/recipes-extended/libarchive/libarchive/CVE-2026-4424-2.patch
diff --git a/meta/recipes-extended/libarchive/libarchive/CVE-2026-4424-1.patch b/meta/recipes-extended/libarchive/libarchive/CVE-2026-4424-1.patch
new file mode 100644
index 0000000000..c805092746
--- /dev/null
+++ b/meta/recipes-extended/libarchive/libarchive/CVE-2026-4424-1.patch
@@ -0,0 +1,61 @@
+From fa32110f851b121a3e1c19fda347e86396fde2bd Mon Sep 17 00:00:00 2001
+From: elhananhaenel <[email protected]>
+Date: Sat, 7 Mar 2026 22:32:09 +0200
+Subject: [PATCH 1/2] rar: fix LZSS window size mismatch after PPMd block
+
+When a PPMd-compressed block updates dictionary_size, the LZSS window
+from a prior block is not reallocated. The allocation guard only checks
+if dictionary_size is zero or the window pointer is NULL, not whether
+the existing window is large enough. This allows copy_from_lzss_window()
+to read past the allocated buffer.
+
+Fix the guard to also check whether the current window is undersized.
+Add bounds checks in copy_from_lzss_window() and parse_filter() as
+defense in depth.
+
+CVE: CVE-2026-4424
+Upstream-Status: Backport [https://github.com/libarchive/libarchive/commit/d379dc0b2976b7207d1ad78f5ed3eb99a5b6d375]
+Signed-off-by: Hugo SIMELIERE (Schneider Electric) <[email protected]>
+---
+ libarchive/archive_read_support_format_rar.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/libarchive/archive_read_support_format_rar.c b/libarchive/archive_read_support_format_rar.c
+index 88eab627..b23be937 100644
+--- a/libarchive/archive_read_support_format_rar.c
++++ b/libarchive/archive_read_support_format_rar.c
+@@ -2503,7 +2503,8 @@ parse_codes(struct archive_read *a)
+ return (r);
+ }
+
+- if (!rar->dictionary_size || !rar->lzss.window)
++ if (!rar->dictionary_size || !rar->lzss.window ||
++ (rar->lzss.mask + 1) < rar->dictionary_size)
+ {
+ /* Seems as though dictionary sizes are not used. Even so, minimize
+ * memory usage as much as possible.
+@@ -3104,6 +3105,11 @@ copy_from_lzss_window(struct archive_read *a, uint8_t *buffer,
+
+ windowoffs = lzss_offset_for_position(&rar->lzss, startpos);
+ firstpart = lzss_size(&rar->lzss) - windowoffs;
++ if (length > lzss_size(&rar->lzss)) {
++ archive_set_error(&a->archive, ARCHIVE_ERRNO_FILE_FORMAT,
++ "Bad RAR file data");
++ return (ARCHIVE_FATAL);
++ }
+ if (firstpart < 0) {
+ archive_set_error(&a->archive, ARCHIVE_ERRNO_FILE_FORMAT,
+ "Bad RAR file data");
+@@ -3266,7 +3272,8 @@ parse_filter(struct archive_read *a, const uint8_t *bytes, uint16_t length, uint
+ else
+ blocklength = prog ? prog->oldfilterlength : 0;
+
+- if (blocklength > rar->dictionary_size)
++ if (blocklength > rar->dictionary_size ||
++ blocklength > (uint32_t)(rar->lzss.mask + 1))
+ return 0;
+
+ registers[3] = PROGRAM_SYSTEM_GLOBAL_ADDRESS;
+--
+2.43.0
+
diff --git a/meta/recipes-extended/libarchive/libarchive/CVE-2026-4424-2.patch b/meta/recipes-extended/libarchive/libarchive/CVE-2026-4424-2.patch
new file mode 100644
index 0000000000..a5c6ba2d2b
--- /dev/null
+++ b/meta/recipes-extended/libarchive/libarchive/CVE-2026-4424-2.patch
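Review bot: The new guard in copy_from_lzss_window, `if (length > lzss_size(&rar->lzss))`, rejects an oversized copy but not a negative one; the function's signature is cut off above the hunk, and if `length` is a signed int there, a negative value passes this check and reaches the wrap-around memcpy that follows. Worth confirming at the callers that length can never be negative, or tightening the guard to `if (length < 0 || length > lzss_size(&rar->lzss)) {`. The check also deserves a one-line why-comment, e.g. `/* A copy longer than the window would read past rar->lzss.window */`, since the surrounding firstpart arithmetic does not make the intent obvious. The bodies of parse_codes, copy_from_lzss_window and parse_filter all continue outside the hunk.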
@@ -0,0 +1,28 @@
+From d696008467844efca026bf198a8814a8647ec2d2 Mon Sep 17 00:00:00 2001
+From: elhananhaenel <[email protected]>
+Date: Sun, 8 Mar 2026 15:29:46 +0200
+Subject: [PATCH 2/2] Fix -Wsign-compare: cast mask+1 to unsigned int
+
+CVE: CVE-2026-4424
+Upstream-Status: Backport [https://github.com/libarchive/libarchive/commit/e1907c5832b6489c7b4198b0825f857c93a03c10]
+Signed-off-by: Hugo SIMELIERE (Schneider Electric) <[email protected]>
+---
+ libarchive/archive_read_support_format_rar.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/libarchive/archive_read_support_format_rar.c b/libarchive/archive_read_support_format_rar.c
+index b23be937..a28a6cba 100644
+--- a/libarchive/archive_read_support_format_rar.c
++++ b/libarchive/archive_read_support_format_rar.c
+@@ -2504,7 +2504,7 @@ parse_codes(struct archive_read *a)
+ }
+
+ if (!rar->dictionary_size || !rar->lzss.window ||
+- (rar->lzss.mask + 1) < rar->dictionary_size)
++ (unsigned int)(rar->lzss.mask + 1) < rar->dictionary_size)
+ {
+ /* Seems as though dictionary sizes are not used. Even so, minimize
+ * memory usage as much as possible.
+--
+2.43.0
+
diff --git a/meta/recipes-extended/libarchive/libarchive_3.7.9.bb b/meta/recipes-extended/libarchive/libarchive_3.7.9.bb
index de9682400a..c167b164b4 100644
--- a/meta/recipes-extended/libarchive/libarchive_3.7.9.bb
+++ b/meta/recipes-extended/libarchive/libarchive_3.7.9.bb
@@ -47,6 +47,8 @@ SRC_URI = "http://libarchive.org/downloads/libarchive-${PV}.tar.gz \
 file://CVE-2026-4111-1.patch \
 file://CVE-2026-4111-2.patch \
 file://CVE-2026-4426.patch \
+ file://CVE-2026-4424-1.patch \
+ file://CVE-2026-4424-2.patch \
 "
 
 UPSTREAM_CHECK_URI = "http://libarchive.org/"
-- 
2.43.0
