diff --git a/SOURCES/libarchive-3.3.2-CVE-2019-18408.patch b/SOURCES/libarchive-3.3.2-CVE-2019-18408.patch
new file mode 100644
index 0000000..1811e77
--- /dev/null
+++ b/SOURCES/libarchive-3.3.2-CVE-2019-18408.patch
@@ -0,0 +1,31 @@
+From 1abcbf1af5209631ccf4fca4ddcab3c863294c85 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Patrik=20Novotn=C3=BD?= <panovotn@redhat.com>
+Date: Wed, 15 Jan 2020 16:10:04 +0100
+Subject: [PATCH] RAR reader: fix use after free
+
+If read_data_compressed() returns ARCHIVE_FAILED, the caller is allowed
+to continue with next archive headers. We need to set rar->start_new_table
+after the ppmd7_context got freed, otherwise it won't be allocated again.
+---
+ libarchive/archive_read_support_format_rar.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/libarchive/archive_read_support_format_rar.c b/libarchive/archive_read_support_format_rar.c
+index cbb14c32..9c26ef97 100644
+--- a/libarchive/archive_read_support_format_rar.c
++++ b/libarchive/archive_read_support_format_rar.c
+@@ -1037,8 +1037,10 @@ archive_read_format_rar_read_data(struct archive_read *a, const void **buff,
+ case COMPRESS_METHOD_GOOD:
+ case COMPRESS_METHOD_BEST:
+ ret = read_data_compressed(a, buff, size, offset);
+- if (ret != ARCHIVE_OK && ret != ARCHIVE_WARN)
++ if (ret != ARCHIVE_OK && ret != ARCHIVE_WARN) {
+ __archive_ppmd7_functions.Ppmd7_Free(&rar->ppmd7_context, &g_szalloc);
++ rar->start_new_table = 1;
++ }
+ break;
+
+ default:
+--
+2.24.1
+
diff --git a/SOURCES/libarchive-3.3.2-CVE-2019-19221.patch b/SOURCES/libarchive-3.3.2-CVE-2019-19221.patch
new file mode 100644
index 0000000..86279ad
--- /dev/null
+++ b/SOURCES/libarchive-3.3.2-CVE-2019-19221.patch
@@ -0,0 +1,98 @@
+From 72085b30bf30867360c4aa77bd43de5e1788d875 Mon Sep 17 00:00:00 2001
+From: Ondrej Dubaj <odubaj@redhat.com>
+Date: Tue, 24 Mar 2020 09:22:47 +0100
+Subject: [PATCH] Bugfix and optimize archive_wstring_append_from_mbs()
+
+The cal to mbrtowc() or mbtowc() should read up to mbs_length
+bytes and not wcs_length. This avoids out-of-bounds reads.
+
+mbrtowc() and mbtowc() return (size_t)-1 wit errno EILSEQ when
+they encounter an invalid multibyte character and (size_t)-2 when
+they they encounter an incomplete multibyte character. As we return
+failure and all our callers error out it makes no sense to continue
+parsing mbs.
+
+As we allocate `len` wchars at the beginning and each wchar has
+at least one byte, there will never be need to grow the buffer,
+so the code can be left out. On the other hand, we are always
+allocatng more memory than we need.
+
+As long as wcs_length == mbs_length == len we can omit wcs_length.
+We keep the old code commented if we decide to save memory and
+use autoexpanding wcs_length in the future.
+---
+ libarchive/archive_string.c | 28 +++++++++++++++++-----------
+ 1 file changed, 17 insertions(+), 11 deletions(-)
+
+diff --git a/libarchive/archive_string.c b/libarchive/archive_string.c
+index 5ae09b6..d7541dc 100644
+--- a/libarchive/archive_string.c
++++ b/libarchive/archive_string.c
+@@ -590,7 +590,7 @@ archive_wstring_append_from_mbs(struct archive_wstring *dest,
+ * No single byte will be more than one wide character,
+ * so this length estimate will always be big enough.
+ */
+- size_t wcs_length = len;
++ //size_t wcs_length = len;
+ size_t mbs_length = len;
+ const char *mbs = p;
+ wchar_t *wcs;
+@@ -599,7 +599,11 @@ archive_wstring_append_from_mbs(struct archive_wstring *dest,
+
+ memset(&shift_state, 0, sizeof(shift_state));
+ #endif
+- if (NULL == archive_wstring_ensure(dest, dest->length + wcs_length + 1))
++ /*
++ * As we decided to have wcs_length == mbs_length == len
++ * we can use len here instead of wcs_length
++ */
++ if (NULL == archive_wstring_ensure(dest, dest->length + len + 1))
+ return (-1);
+ wcs = dest->s + dest->length;
+ /*
+@@ -608,6 +612,12 @@ archive_wstring_append_from_mbs(struct archive_wstring *dest,
+ * multi bytes.
+ */
+ while (*mbs && mbs_length > 0) {
++ /*
++ * The buffer we allocated is always big enough.
++ * Keep this code path in a comment if we decide to choose
++ * smaller wcs_length in the future
++ */
++/*
+ if (wcs_length == 0) {
+ dest->length = wcs - dest->s;
+ dest->s[dest->length] = L'\0';
+@@ -617,24 +627,20 @@ archive_wstring_append_from_mbs(struct archive_wstring *dest,
+ return (-1);
+ wcs = dest->s + dest->length;
+ }
++*/
+ #if HAVE_MBRTOWC
+- r = mbrtowc(wcs, mbs, wcs_length, &shift_state);
++ r = mbrtowc(wcs, mbs, mbs_length, &shift_state);
+ #else
+- r = mbtowc(wcs, mbs, wcs_length);
++ r = mbtowc(wcs, mbs, mbs_length);
+ #endif
+ if (r == (size_t)-1 || r == (size_t)-2) {
+ ret_val = -1;
+- if (errno == EILSEQ) {
+- ++mbs;
+- --mbs_length;
+- continue;
+- } else
+- break;
++ break;
+ }
+ if (r == 0 || r > mbs_length)
+ break;
+ wcs++;
+- wcs_length--;
++ //wcs_length--;
+ mbs += r;
+ mbs_length -= r;
+ }
+--
+2.24.1
+
diff --git a/SPECS/libarchive.spec b/SPECS/libarchive.spec
index 977d6e2..8f58511 100644
--- a/SPECS/libarchive.spec
+++ b/SPECS/libarchive.spec
@@ -2,7 +2,7 @@
Name: libarchive
Version: 3.3.2
-Release: 7%{?dist}
+Release: 9%{?dist}
Summary: A library for handling streaming archive formats
License: BSD
@@ -16,6 +16,8 @@ Patch3: libarchive-3.3.2-CVE-2018-1000878.patch
Patch4: libarchive-3.3.2-CVE-2018-1000877.patch
Patch5: fix-use-after-free-in-delayed-newc.patch
Patch6: fix-few-obvious-resource-leaks-covscan.patch
+Patch7: libarchive-3.3.2-CVE-2019-18408.patch
+Patch8: libarchive-3.3.2-CVE-2019-19221.patch
BuildRequires: gcc
BuildRequires: bison
@@ -219,6 +221,12 @@ run_testsuite
%changelog
+* Tue Mar 24 2020 Ondrej Dubaj <odubaj@redhat.com> - 3.3.2-9
+- Fix out-of-bounds read (CVE-2019-19221) (#1803967)
+
+* Wed Jan 15 2020 Patrik Novotný <panovotn@redhat.com> - 3.3.2-8
+- Fix CVE-2019-18408: RAR use-after-free
+
* Mon May 27 2019 Ondrej Dubaj <odubaj@redhat.com> - 3.3.2-7
- fix use-after-free in delayed newc link processing (#1602575)
- fix a few obvious resource leaks and strcpy() misuses (#1602575)