From 6a5619d4df37f84ee1d4f59215171310d518773a Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Jun 28 2022 08:28:50 +0000 Subject: import libarchive-3.5.3-2.el9_0 --- diff --git a/SOURCES/libarchive-3.5.3-Fix-CVE-2022-26280.patch b/SOURCES/libarchive-3.5.3-Fix-CVE-2022-26280.patch new file mode 100644 index 0000000..1fd9431 --- /dev/null +++ b/SOURCES/libarchive-3.5.3-Fix-CVE-2022-26280.patch @@ -0,0 +1,14 @@ +# Patch sources from libarchive upstream +# Source: https://github.com/libarchive/libarchive/commit/cfaa28168a07ea4a53276b63068f94fce37d6aff + +--- libarchive-3.5.3/libarchive/archive_read_support_format_zip.c.old 2022-05-18 08:55:50.861574517 +0000 ++++ libarchive-3.5.3/libarchive/archive_read_support_format_zip.c 2022-05-18 08:57:03.049574517 +0000 +@@ -1657,7 +1657,7 @@ zipx_lzma_alone_init(struct archive_read + */ + + /* Read magic1,magic2,lzma_params from the ZIPX stream. */ +- if((p = __archive_read_ahead(a, 9, NULL)) == NULL) { ++ if(zip->entry_bytes_remaining < 9 || (p = __archive_read_ahead(a, 9, NULL)) == NULL) { + archive_set_error(&a->archive, ARCHIVE_ERRNO_FILE_FORMAT, + "Truncated lzma data"); + return (ARCHIVE_FATAL); diff --git a/SPECS/libarchive.spec b/SPECS/libarchive.spec index e79cd78..6623fa2 100644 --- a/SPECS/libarchive.spec +++ b/SPECS/libarchive.spec @@ -2,7 +2,7 @@ Name: libarchive Version: 3.5.3 -Release: 1%{?dist} +Release: 2%{?dist} Summary: A library for handling streaming archive formats License: BSD @@ -10,6 +10,8 @@ URL: https://www.libarchive.org/ Source0: https://libarchive.org/downloads/%{name}-%{version}.tar.gz Patch1: openssl3-rmd160failure.patch +# Source: https://github.com/libarchive/libarchive/commit/cfaa28168a07ea4a53276b63068f94fce37d6aff +Patch2: %{name}-3.5.3-Fix-CVE-2022-26280.patch BuildRequires: automake BuildRequires: bison @@ -213,6 +215,9 @@ run_testsuite %changelog +* Wed May 18 2022 Lukas Javorsky - 3.5.3-2 +- Resolves: CVE-2022-26280 + * Mon Feb 14 2022 Lukas Javorsky - 3.5.3-1 - Rebase to version 3.5.3