libarchive: add patch to resolve CVE-2024-26256 (#9340)

Author: liunan-ms

SPECS/libarchive/CVE-2024-26256.patch

@@ -0,0 +1,22 @@
+From 2910a5736c3f238d2cde6cc757b01868d877ebcb Mon Sep 17 00:00:00 2001
+From: Wei-Cheng Pan <legnaleurc@gmail.com>
+Date: Sun, 21 Apr 2024 19:11:42 +0900
+Subject: [PATCH] fix: OOB in rar e8 filter
+
+---
+ libarchive/archive_read_support_format_rar.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/libarchive/archive_read_support_format_rar.c b/libarchive/archive_read_support_format_rar.c
+index 99a11d1700..266d0ee995 100644
+--- a/libarchive/archive_read_support_format_rar.c
++++ b/libarchive/archive_read_support_format_rar.c
+@@ -3615,7 +3615,7 @@ execute_filter_e8(struct rar_filter *filter, struct rar_virtual_machine *vm, siz
+   uint32_t filesize = 0x1000000;
+   uint32_t i;
+ 
+-  if (length > PROGRAM_WORK_SIZE || length < 4)
++  if (length > PROGRAM_WORK_SIZE || length <= 4)
+     return 0;
+ 
+   for (i = 0; i <= length - 5; i++)

SPECS/libarchive/libarchive.spec

@@ -1,14 +1,15 @@
 Summary:        Multi-format archive and compression library
 Name:           libarchive
 Version:        3.6.1
-Release:        2%{?dist}
+Release:        3%{?dist}
 # Certain files have individual licenses. For more details see contents of "COPYING".
 License:        BSD AND Public Domain AND (ASL 2.0 OR CC0 1.0 OR OpenSSL)
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
 URL:            https://www.libarchive.org/
 Source0:        https://github.com/libarchive/libarchive/releases/download/v%{version}/%{name}-%{version}.tar.gz
 Patch0:         CVE-2022-36227.patch
+Patch1:         CVE-2024-26256.patch
 Provides:       bsdtar = %{version}-%{release}
 
 BuildRequires:  xz-libs
@@ -61,6 +62,9 @@ make %{?_smp_mflags} check
 %{_libdir}/pkgconfig/*.pc
 
 %changelog
+* Thu Jun 06 2024 Nan Liu <liunan@microsoft.com> - 3.6.1-3
+- Patch CVE-2024-26256
+
 * Thu Dec 01 2022 Muhammad Falak <mwani@microsoft.com> - 3.6.1-2
 - Patch CVE-2022-36227
 

toolkit/resources/manifests/package/pkggen_core_aarch64.txt

@@ -173,8 +173,8 @@ openssl-static-1.1.1k-32.cm2.aarch64.rpm
 libcap-2.60-2.cm2.aarch64.rpm
 libcap-devel-2.60-2.cm2.aarch64.rpm
 debugedit-5.0-2.cm2.aarch64.rpm
-libarchive-3.6.1-2.cm2.aarch64.rpm
-libarchive-devel-3.6.1-2.cm2.aarch64.rpm
+libarchive-3.6.1-3.cm2.aarch64.rpm
+libarchive-devel-3.6.1-3.cm2.aarch64.rpm
 rpm-4.18.0-4.cm2.aarch64.rpm
 rpm-build-4.18.0-4.cm2.aarch64.rpm
 rpm-build-libs-4.18.0-4.cm2.aarch64.rpm

toolkit/resources/manifests/package/pkggen_core_x86_64.txt

@@ -173,8 +173,8 @@ openssl-static-1.1.1k-32.cm2.x86_64.rpm
 libcap-2.60-2.cm2.x86_64.rpm
 libcap-devel-2.60-2.cm2.x86_64.rpm
 debugedit-5.0-2.cm2.x86_64.rpm
-libarchive-3.6.1-2.cm2.x86_64.rpm
-libarchive-devel-3.6.1-2.cm2.x86_64.rpm
+libarchive-3.6.1-3.cm2.x86_64.rpm
+libarchive-devel-3.6.1-3.cm2.x86_64.rpm
 rpm-4.18.0-4.cm2.x86_64.rpm
 rpm-build-4.18.0-4.cm2.x86_64.rpm
 rpm-build-libs-4.18.0-4.cm2.x86_64.rpm

toolkit/resources/manifests/package/toolchain_aarch64.txt

@@ -144,9 +144,9 @@ krb5-1.19.4-2.cm2.aarch64.rpm
 krb5-debuginfo-1.19.4-2.cm2.aarch64.rpm
 krb5-devel-1.19.4-2.cm2.aarch64.rpm
 krb5-lang-1.19.4-2.cm2.aarch64.rpm
-libarchive-3.6.1-2.cm2.aarch64.rpm
-libarchive-debuginfo-3.6.1-2.cm2.aarch64.rpm
-libarchive-devel-3.6.1-2.cm2.aarch64.rpm
+libarchive-3.6.1-3.cm2.aarch64.rpm
+libarchive-debuginfo-3.6.1-3.cm2.aarch64.rpm
+libarchive-devel-3.6.1-3.cm2.aarch64.rpm
 libassuan-2.5.5-2.cm2.aarch64.rpm
 libassuan-debuginfo-2.5.5-2.cm2.aarch64.rpm
 libassuan-devel-2.5.5-2.cm2.aarch64.rpm

toolkit/resources/manifests/package/toolchain_x86_64.txt

@@ -150,9 +150,9 @@ krb5-1.19.4-2.cm2.x86_64.rpm
 krb5-debuginfo-1.19.4-2.cm2.x86_64.rpm
 krb5-devel-1.19.4-2.cm2.x86_64.rpm
 krb5-lang-1.19.4-2.cm2.x86_64.rpm
-libarchive-3.6.1-2.cm2.x86_64.rpm
-libarchive-debuginfo-3.6.1-2.cm2.x86_64.rpm
-libarchive-devel-3.6.1-2.cm2.x86_64.rpm
+libarchive-3.6.1-3.cm2.x86_64.rpm
+libarchive-debuginfo-3.6.1-3.cm2.x86_64.rpm
+libarchive-devel-3.6.1-3.cm2.x86_64.rpm
 libassuan-2.5.5-2.cm2.x86_64.rpm
 libassuan-debuginfo-2.5.5-2.cm2.x86_64.rpm
 libassuan-devel-2.5.5-2.cm2.x86_64.rpm