-
Notifications
You must be signed in to change notification settings - Fork 540
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
…VE-2024-20696 - branch main (#10770) Co-authored-by: Nan Liu <[email protected]>
- Loading branch information
1 parent
054eed9
commit cdd7571
Showing
8 changed files
with
217 additions
and
11 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,126 @@ | ||
| From 0d2efd8e6869b21dffdd956a50ba2f220f11e238 Mon Sep 17 00:00:00 2001 | ||
| From: Nan Liu <[email protected]> | ||
| Date: Tue, 15 Oct 2024 18:31:23 +0000 | ||
| Subject: [PATCH] rar4 reader: protect copy_..._to_unp from too-big or | ||
| too-small length (CVE-2024-20696) | ||
|
|
||
| --- | ||
| From 020c40df9e31ec727201a8e3ddf1f94093f8fc02 Mon Sep 17 00:00:00 2001 | ||
| From: "Dustin L. Howett" <[email protected]> | ||
| Date: Mon, 15 Jan 2024 22:16:27 -0600 | ||
| Subject: [PATCH] rar4 reader: protect copy_..._to_unp from too-big or | ||
| too-small length | ||
|
|
||
| copy_from_lzss_window_to_unp unnecessarily took an `int` parameter where | ||
| both of its callers were holding a `size_t`. | ||
|
|
||
| A lzss opcode chain could be cosntructed that resulted in a negative | ||
| copy length, which when passed into memcpy would result in a very, very | ||
| large positive number. | ||
|
|
||
| Switching copy_from_lzss_window_to_unp to take a `size_t` allows it to | ||
| properly bounds-check length. | ||
|
|
||
| In addition, this patch also ensures that `length` is not itself larger | ||
| than the destination buffer. | ||
|
|
||
| --- | ||
| libarchive/archive_read_support_format_rar.c | 28 +++++++++++++------- | ||
| 1 file changed, 18 insertions(+), 10 deletions(-) | ||
|
|
||
| diff --git a/libarchive/archive_read_support_format_rar.c b/libarchive/archive_read_support_format_rar.c | ||
| index f9cbe2a..024711c 100644 | ||
| --- a/libarchive/archive_read_support_format_rar.c | ||
| +++ b/libarchive/archive_read_support_format_rar.c | ||
| @@ -432,7 +432,7 @@ static int make_table_recurse(struct archive_read *, struct huffman_code *, int, | ||
| struct huffman_table_entry *, int, int); | ||
| static int expand(struct archive_read *, int64_t *); | ||
| static int copy_from_lzss_window_to_unp(struct archive_read *, const void **, | ||
| - int64_t, int); | ||
| + int64_t, size_t); | ||
| static const void *rar_read_ahead(struct archive_read *, size_t, ssize_t *); | ||
| static int parse_filter(struct archive_read *, const uint8_t *, uint16_t, | ||
| uint8_t); | ||
| @@ -2059,7 +2059,7 @@ read_data_compressed(struct archive_read *a, const void **buff, size_t *size, | ||
| bs = rar->unp_buffer_size - rar->unp_offset; | ||
| else | ||
| bs = (size_t)rar->bytes_uncopied; | ||
| - ret = copy_from_lzss_window_to_unp(a, buff, rar->offset, (int)bs); | ||
| + ret = copy_from_lzss_window_to_unp(a, buff, rar->offset, bs); | ||
| if (ret != ARCHIVE_OK) | ||
| return (ret); | ||
| rar->offset += bs; | ||
| @@ -2199,7 +2199,7 @@ read_data_compressed(struct archive_read *a, const void **buff, size_t *size, | ||
| bs = rar->unp_buffer_size - rar->unp_offset; | ||
| else | ||
| bs = (size_t)rar->bytes_uncopied; | ||
| - ret = copy_from_lzss_window_to_unp(a, buff, rar->offset, (int)bs); | ||
| + ret = copy_from_lzss_window_to_unp(a, buff, rar->offset, bs); | ||
| if (ret != ARCHIVE_OK) | ||
| return (ret); | ||
| rar->offset += bs; | ||
| @@ -3080,11 +3080,16 @@ copy_from_lzss_window(struct archive_read *a, void *buffer, | ||
|
|
||
| static int | ||
| copy_from_lzss_window_to_unp(struct archive_read *a, const void **buffer, | ||
| - int64_t startpos, int length) | ||
| + int64_t startpos, size_t length) | ||
| { | ||
| int windowoffs, firstpart; | ||
| struct rar *rar = (struct rar *)(a->format->data); | ||
|
|
||
| + if (length > rar->unp_buffer_size) | ||
| + { | ||
| + goto fatal; | ||
| + } | ||
| + | ||
| if (!rar->unp_buffer) | ||
| { | ||
| if ((rar->unp_buffer = malloc(rar->unp_buffer_size)) == NULL) | ||
| @@ -3096,17 +3101,17 @@ copy_from_lzss_window_to_unp(struct archive_read *a, const void **buffer, | ||
| } | ||
|
|
||
| windowoffs = lzss_offset_for_position(&rar->lzss, startpos); | ||
| - if(windowoffs + length <= lzss_size(&rar->lzss)) { | ||
| + if(windowoffs + length <= (size_t)lzss_size(&rar->lzss)) { | ||
| memcpy(&rar->unp_buffer[rar->unp_offset], &rar->lzss.window[windowoffs], | ||
| length); | ||
| - } else if (length <= lzss_size(&rar->lzss)) { | ||
| + } else if (length <= (size_t)lzss_size(&rar->lzss)) { | ||
| firstpart = lzss_size(&rar->lzss) - windowoffs; | ||
| if (firstpart < 0) { | ||
| archive_set_error(&a->archive, ARCHIVE_ERRNO_FILE_FORMAT, | ||
| "Bad RAR file data"); | ||
| return (ARCHIVE_FATAL); | ||
| } | ||
| - if (firstpart < length) { | ||
| + if ((size_t)firstpart < length) { | ||
| memcpy(&rar->unp_buffer[rar->unp_offset], | ||
| &rar->lzss.window[windowoffs], firstpart); | ||
| memcpy(&rar->unp_buffer[rar->unp_offset + firstpart], | ||
| @@ -3116,9 +3121,7 @@ copy_from_lzss_window_to_unp(struct archive_read *a, const void **buffer, | ||
| &rar->lzss.window[windowoffs], length); | ||
| } | ||
| } else { | ||
| - archive_set_error(&a->archive, ARCHIVE_ERRNO_FILE_FORMAT, | ||
| - "Bad RAR file data"); | ||
| - return (ARCHIVE_FATAL); | ||
| + goto fatal; | ||
| } | ||
| rar->unp_offset += length; | ||
| if (rar->unp_offset >= rar->unp_buffer_size) | ||
| @@ -3126,6 +3129,11 @@ copy_from_lzss_window_to_unp(struct archive_read *a, const void **buffer, | ||
| else | ||
| *buffer = NULL; | ||
| return (ARCHIVE_OK); | ||
| + | ||
| +fatal: | ||
| + archive_set_error(&a->archive, ARCHIVE_ERRNO_FILE_FORMAT, | ||
| + "Bad RAR file data"); | ||
| + return (ARCHIVE_FATAL); | ||
| } | ||
|
|
||
| static const void * | ||
| -- | ||
| 2.34.1 | ||
|
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,35 @@ | ||
| From 9a6a505a1da891df29909eb2aeb6f067fe46f7d3 Mon Sep 17 00:00:00 2001 | ||
| From: Nan Liu <[email protected]> | ||
| Date: Tue, 15 Oct 2024 18:44:56 +0000 | ||
| Subject: [PATCH] fix: OOB in rar audio filter(CVE-2024-48957) | ||
|
|
||
| --- | ||
| From 3ad7b9b6cc37d8a197a6c55af4634560df13771f Mon Sep 17 00:00:00 2001 | ||
| From: Wei-Cheng Pan <[email protected]> | ||
| Date: Fri, 26 Apr 2024 16:35:06 +0900 | ||
| Subject: [PATCH] fix: OOB in rar audio filter | ||
|
|
||
| --- | ||
| libarchive/archive_read_support_format_rar.c | 6 ++++++ | ||
| 1 file changed, 6 insertions(+) | ||
|
|
||
| diff --git a/libarchive/archive_read_support_format_rar.c b/libarchive/archive_read_support_format_rar.c | ||
| index dae2309..6510bcf 100644 | ||
| --- a/libarchive/archive_read_support_format_rar.c | ||
| +++ b/libarchive/archive_read_support_format_rar.c | ||
| @@ -3716,6 +3716,12 @@ execute_filter_audio(struct rar_filter *filter, struct rar_virtual_machine *vm) | ||
| memset(&state, 0, sizeof(state)); | ||
| for (j = i; j < length; j += numchannels) | ||
| { | ||
| + /* | ||
| + * The src block should not overlap with the dst block. | ||
| + * If so it would be better to consider this archive is broken. | ||
| + */ | ||
| + if (src >= dst) | ||
| + return 0; | ||
| int8_t delta = (int8_t)*src++; | ||
| uint8_t predbyte, byte; | ||
| int prederror; | ||
| -- | ||
| 2.34.1 | ||
|
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,38 @@ | ||
| From b76fa2148bed31bd38acd896c19ee8a9a420eeae Mon Sep 17 00:00:00 2001 | ||
| From: Nan Liu <[email protected]> | ||
| Date: Tue, 15 Oct 2024 18:37:24 +0000 | ||
| Subject: [PATCH] fix: OOB in rar delta filter(CVE-2024-48958) | ||
|
|
||
| --- | ||
| From 17d9d73ee92eeb1a08b0a56659d010d8120af33a Mon Sep 17 00:00:00 2001 | ||
| From: Wei-Cheng Pan <[email protected]> | ||
| Date: Fri, 26 Apr 2024 13:58:34 +0900 | ||
| Subject: [PATCH] fix: OOB in rar delta filter | ||
|
|
||
| --- | ||
| libarchive/archive_read_support_format_rar.c | 8 ++++++++ | ||
| 1 file changed, 8 insertions(+) | ||
|
|
||
| diff --git a/libarchive/archive_read_support_format_rar.c b/libarchive/archive_read_support_format_rar.c | ||
| index 024711c..dae2309 100644 | ||
| --- a/libarchive/archive_read_support_format_rar.c | ||
| +++ b/libarchive/archive_read_support_format_rar.c | ||
| @@ -3606,7 +3606,15 @@ execute_filter_delta(struct rar_filter *filter, struct rar_virtual_machine *vm) | ||
| { | ||
| uint8_t lastbyte = 0; | ||
| for (idx = i; idx < length; idx += numchannels) | ||
| + { | ||
| + /* | ||
| + * The src block should not overlap with the dst block. | ||
| + * If so it would be better to consider this archive is broken. | ||
| + */ | ||
| + if (src >= dst) | ||
| + return 0; | ||
| lastbyte = dst[idx] = lastbyte - *src++; | ||
| + } | ||
| } | ||
|
|
||
| filter->filteredblockaddress = length; | ||
| -- | ||
| 2.34.1 | ||
|
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,7 +1,7 @@ | ||
| Summary: Multi-format archive and compression library | ||
| Name: libarchive | ||
| Version: 3.6.1 | ||
| Release: 3%{?dist} | ||
| Release: 4%{?dist} | ||
| # Certain files have individual licenses. For more details see contents of "COPYING". | ||
| License: BSD AND Public Domain AND (ASL 2.0 OR CC0 1.0 OR OpenSSL) | ||
| Vendor: Microsoft Corporation | ||
|
|
@@ -10,6 +10,10 @@ URL: https://www.libarchive.org/ | |
| Source0: https:/libarchive/libarchive/releases/download/v%{version}/%{name}-%{version}.tar.gz | ||
| Patch0: CVE-2022-36227.patch | ||
| Patch1: CVE-2024-26256.patch | ||
| # Please remove the following patches when upgrading to v3.7.5 and above | ||
| Patch2: CVE-2024-20696.patch | ||
| Patch3: CVE-2024-48958.patch | ||
| Patch4: CVE-2024-48957.patch | ||
| Provides: bsdtar = %{version}-%{release} | ||
|
|
||
| BuildRequires: xz-libs | ||
|
|
@@ -62,6 +66,9 @@ make %{?_smp_mflags} check | |
| %{_libdir}/pkgconfig/*.pc | ||
|
|
||
| %changelog | ||
| * Tue Oct 15 2024 Nan Liu <[email protected]> - 3.6.1-4 | ||
| - Patch CVE-2024-48957, CVE-2024-48958, CVE-2024-20696 | ||
|
|
||
| * Thu Jun 06 2024 Nan Liu <[email protected]> - 3.6.1-3 | ||
| - Patch CVE-2024-26256 | ||
|
|
||
|
|
||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters