[AUTO-CHERRYPICK] libarchive: Upgrade to 3.7.7 to fix CVE-2024-48957, C…

…VE-2024-48958, CVE-2024-20696 - branch 3.0-dev (#10773) Co-authored-by: Nan Liu <[email protected]>
microsoft · Oct 18, 2024 · 090bbf6 · 090bbf6
1 parent a12d27d
commit 090bbf6
Show file tree

Hide file tree

Showing 10 changed files with 21 additions and 258 deletions.
diff --git a/SPECS/libarchive/CVE-2024-26256.patch b/SPECS/libarchive/CVE-2024-26256.patch
diff --git a/SPECS/libarchive/CVE-2024-37407.patch b/SPECS/libarchive/CVE-2024-37407.patch
diff --git a/SPECS/libarchive/libarchive.signatures.json b/SPECS/libarchive/libarchive.signatures.json
@@ -1,5 +1,5 @@
 {
- "Signatures": {
- "libarchive-3.7.1.tar.gz": "5d24e40819768f74daf846b99837fc53a3a9dcdf3ce1c2003fe0596db850f0f0"
- }
+  "Signatures": {
+  "libarchive-3.7.7.tar.gz": "4cc540a3e9a1eebdefa1045d2e4184831100667e6d7d5b315bb1cbc951f8ddff"
+  }
 }
diff --git a/SPECS/libarchive/libarchive.spec b/SPECS/libarchive/libarchive.spec
@@ -1,18 +1,13 @@
 Summary: Multi-format archive and compression library
 Name: libarchive
-Version: 3.7.1
-Release: 2%{?dist}
+Version: 3.7.7
+Release: 1%{?dist}
 # Certain files have individual licenses. For more details see contents of "COPYING".
 License: BSD AND Public Domain AND (ASL 2.0 OR CC0 1.0 OR OpenSSL)
 Vendor: Microsoft Corporation
 Distribution: Azure Linux
 URL: https://www.libarchive.org/
 Source0: https:/libarchive/libarchive/releases/download/v%{version}/%{name}-%{version}.tar.gz
-Patch0: CVE-2024-26256.patch
-# https:/libarchive/libarchive/pull/2108 (needed to cleanly apply the ZIP OOB (CVE-2024-37407) patch)
-# Please remove when upgrading to v3.7.4 and above
-Patch1: update-appledouble-support-directories.patch
-Patch2: CVE-2024-37407.patch
 Provides: bsdtar = %{version}-%{release}
 
 BuildRequires: xz-libs
@@ -65,6 +60,10 @@ make %{?_smp_mflags} check
 %{_libdir}/pkgconfig/*.pc
 
 %changelog
+* Tue Oct 15 2024 Nan Liu <[email protected]> - 3.7.7-1
+- Upgrade to 3.7.7 - Fix CVE-2024-48957, CVE-2024-48958, CVE-2024-20696
+- Remove unused patches
+
 * Tue Jun 25 2024 Neha Agarwal <[email protected]> - 3.7.1-2
 - Patch CVE-2024-26256 and CVE-2024-37407
 

diff --git a/SPECS/libarchive/update-appledouble-support-directories.patch b/SPECS/libarchive/update-appledouble-support-directories.patch
diff --git a/cgmanifest.json b/cgmanifest.json
@@ -8601,8 +8601,8 @@
  "type": "other",
  "other": {
  "name": "libarchive",
- "version": "3.7.1",
- "downloadUrl": "https:/libarchive/libarchive/releases/download/v3.7.1/libarchive-3.7.1.tar.gz"
+ "version": "3.7.7",
+ "downloadUrl": "https:/libarchive/libarchive/releases/download/v3.7.7/libarchive-3.7.7.tar.gz"
  }
  }
  },

diff --git a/toolkit/resources/manifests/package/pkggen_core_aarch64.txt b/toolkit/resources/manifests/package/pkggen_core_aarch64.txt
@@ -178,8 +178,8 @@ openssl-static-3.3.2-1.azl3.aarch64.rpm
 libcap-2.69-1.azl3.aarch64.rpm
 libcap-devel-2.69-1.azl3.aarch64.rpm
 debugedit-5.0-2.azl3.aarch64.rpm
-libarchive-3.7.1-2.azl3.aarch64.rpm
-libarchive-devel-3.7.1-2.azl3.aarch64.rpm
+libarchive-3.7.7-1.azl3.aarch64.rpm
+libarchive-devel-3.7.7-1.azl3.aarch64.rpm
 rpm-4.18.2-1.azl3.aarch64.rpm
 rpm-build-4.18.2-1.azl3.aarch64.rpm
 rpm-build-libs-4.18.2-1.azl3.aarch64.rpm

diff --git a/toolkit/resources/manifests/package/pkggen_core_x86_64.txt b/toolkit/resources/manifests/package/pkggen_core_x86_64.txt
@@ -178,8 +178,8 @@ openssl-static-3.3.2-1.azl3.x86_64.rpm
 libcap-2.69-1.azl3.x86_64.rpm
 libcap-devel-2.69-1.azl3.x86_64.rpm
 debugedit-5.0-2.azl3.x86_64.rpm
-libarchive-3.7.1-2.azl3.x86_64.rpm
-libarchive-devel-3.7.1-2.azl3.x86_64.rpm
+libarchive-3.7.7-1.azl3.x86_64.rpm
+libarchive-devel-3.7.7-1.azl3.x86_64.rpm
 rpm-4.18.2-1.azl3.x86_64.rpm
 rpm-build-4.18.2-1.azl3.x86_64.rpm
 rpm-build-libs-4.18.2-1.azl3.x86_64.rpm

diff --git a/toolkit/resources/manifests/package/toolchain_aarch64.txt b/toolkit/resources/manifests/package/toolchain_aarch64.txt
@@ -166,9 +166,9 @@ krb5-devel-1.21.3-2.azl3.aarch64.rpm
 krb5-lang-1.21.3-2.azl3.aarch64.rpm
 libacl-2.3.1-2.azl3.aarch64.rpm
 libacl-devel-2.3.1-2.azl3.aarch64.rpm
-libarchive-3.7.1-2.azl3.aarch64.rpm
-libarchive-debuginfo-3.7.1-2.azl3.aarch64.rpm
-libarchive-devel-3.7.1-2.azl3.aarch64.rpm
+libarchive-3.7.7-1.azl3.aarch64.rpm
+libarchive-debuginfo-3.7.7-1.azl3.aarch64.rpm
+libarchive-devel-3.7.7-1.azl3.aarch64.rpm
 libassuan-2.5.6-1.azl3.aarch64.rpm
 libassuan-debuginfo-2.5.6-1.azl3.aarch64.rpm
 libassuan-devel-2.5.6-1.azl3.aarch64.rpm

diff --git a/toolkit/resources/manifests/package/toolchain_x86_64.txt b/toolkit/resources/manifests/package/toolchain_x86_64.txt
@@ -172,9 +172,9 @@ krb5-devel-1.21.3-2.azl3.x86_64.rpm
 krb5-lang-1.21.3-2.azl3.x86_64.rpm
 libacl-2.3.1-2.azl3.x86_64.rpm
 libacl-devel-2.3.1-2.azl3.x86_64.rpm
-libarchive-3.7.1-2.azl3.x86_64.rpm
-libarchive-debuginfo-3.7.1-2.azl3.x86_64.rpm
-libarchive-devel-3.7.1-2.azl3.x86_64.rpm
+libarchive-3.7.7-1.azl3.x86_64.rpm
+libarchive-debuginfo-3.7.7-1.azl3.x86_64.rpm
+libarchive-devel-3.7.7-1.azl3.x86_64.rpm
 libassuan-2.5.6-1.azl3.x86_64.rpm
 libassuan-debuginfo-2.5.6-1.azl3.x86_64.rpm
 libassuan-devel-2.5.6-1.azl3.x86_64.rpm