Re: [OE-core][kirkstone][PATCH] libarchive: Fix CVE-2026-4111

public inbox for openembedded-core@lists.openembedded.org
 help / color / mirror / Atom feed

From: "Yoann Congal" <yoann.congal@smile.fr>
To: <vanusuri@mvista.com>, <openembedded-core@lists.openembedded.org>
Subject: Re: [OE-core][kirkstone][PATCH] libarchive: Fix CVE-2026-4111
Date: Sat, 04 Apr 2026 00:07:22 +0200	[thread overview]
Message-ID: <DHJV1CGLXDFY.1T23NFX2R5HE8@smile.fr> (raw)
In-Reply-To: <20260326075847.312211-1-vanusuri@mvista.com>

On Thu Mar 26, 2026 at 8:58 AM CET, Vijay Anusuri via lists.openembedded.org wrote:
> From: Vijay Anusuri <vanusuri@mvista.com>
>
> Pick patch according to [1]
>
> [1] https://security-tracker.debian.org/tracker/CVE-2026-4111
> [2] https://github.com/libarchive/libarchive/pull/2877
> [3] https://access.redhat.com/errata/RHSA-2026:5080
>
> Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
> ---

Hello,

As far as I can tell, this CVE applies to whinlatter and master.
Since this is the end of kirkstone soon, I'll take it into the reviews
series but can only merge it if there is a patch sent for this CVE in
those branches.

Regards,

>  .../libarchive/CVE-2026-4111-1.patch          |  32 ++
>  .../libarchive/CVE-2026-4111-2.patch          | 308 ++++++++++++++++++
>  .../libarchive/libarchive_3.6.2.bb            |   2 +
>  3 files changed, 342 insertions(+)
>  create mode 100644 meta/recipes-extended/libarchive/libarchive/CVE-2026-4111-1.patch
>  create mode 100644 meta/recipes-extended/libarchive/libarchive/CVE-2026-4111-2.patch
>
> diff --git a/meta/recipes-extended/libarchive/libarchive/CVE-2026-4111-1.patch b/meta/recipes-extended/libarchive/libarchive/CVE-2026-4111-1.patch
> new file mode 100644
> index 0000000000..1f065b1364
> --- /dev/null
> +++ b/meta/recipes-extended/libarchive/libarchive/CVE-2026-4111-1.patch
> @@ -0,0 +1,32 @@
> +From 7273d04803a1e5a482f26d8d0fbaf2b204a72168 Mon Sep 17 00:00:00 2001
> +From: Tim Kientzle <kientzle@acm.org>
> +Date: Sun, 1 Mar 2026 20:24:56 -0800
> +Subject: [PATCH] Reject filters when the block length is nonsensical
> +
> +Credit: Grzegorz Antoniak @antekone
> +
> +Upstream-Status: Backport [https://github.com/libarchive/libarchive/commit/7273d04803a1e5a482f26d8d0fbaf2b204a72168]
> +CVE: CVE-2026-4111
> +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
> +---
> + libarchive/archive_read_support_format_rar5.c | 4 +++-
> + 1 file changed, 3 insertions(+), 1 deletion(-)
> +
> +diff --git a/libarchive/archive_read_support_format_rar5.c b/libarchive/archive_read_support_format_rar5.c
> +index 38979cb..867f0a8 100644
> +--- a/libarchive/archive_read_support_format_rar5.c
> ++++ b/libarchive/archive_read_support_format_rar5.c
> +@@ -2914,7 +2914,9 @@ static int parse_filter(struct archive_read* ar, const uint8_t* p) {
> + 	if(block_length < 4 ||
> + 	    block_length > 0x400000 ||
> + 	    filter_type > FILTER_ARM ||
> +-	    !is_valid_filter_block_start(rar, block_start))
> ++	    !is_valid_filter_block_start(rar, block_start) ||
> ++	    (rar->cstate.window_size > 0 &&
> ++	     (ssize_t)block_length > rar->cstate.window_size >> 1))
> + 	{
> + 		archive_set_error(&ar->archive, ARCHIVE_ERRNO_FILE_FORMAT,
> + 		    "Invalid filter encountered");
> +-- 
> +2.25.1
> +
> diff --git a/meta/recipes-extended/libarchive/libarchive/CVE-2026-4111-2.patch b/meta/recipes-extended/libarchive/libarchive/CVE-2026-4111-2.patch
> new file mode 100644
> index 0000000000..243a03a8e5
> --- /dev/null
> +++ b/meta/recipes-extended/libarchive/libarchive/CVE-2026-4111-2.patch
> @@ -0,0 +1,308 @@
> +From ef53e2023d75a205cf7cbddb5d01c4cc592e9ce4 Mon Sep 17 00:00:00 2001
> +From: Tim Kientzle <kientzle@acm.org>
> +Date: Sun, 1 Mar 2026 10:04:01 -0800
> +Subject: [PATCH] Infinite loop in Rar5 decompression
> +
> +Found by: Elhanan Haenel
> +
> +Upstream-Status: Backport [https://github.com/libarchive/libarchive/commit/ef53e2023d75a205cf7cbddb5d01c4cc592e9ce4]
> +CVE: CVE-2026-4111
> +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
> +---
> + Makefile.am                                   |   2 +
> + libarchive/test/CMakeLists.txt                |   1 +
> + .../test/test_read_format_rar5_loop_bug.c     |  53 +++++
> + .../test_read_format_rar5_loop_bug.rar.uu     | 189 ++++++++++++++++++
> + 4 files changed, 245 insertions(+)
> + create mode 100644 libarchive/test/test_read_format_rar5_loop_bug.c
> + create mode 100644 libarchive/test/test_read_format_rar5_loop_bug.rar.uu
> +
> +diff --git a/Makefile.am b/Makefile.am
> +index dd1620d..14edb2a 100644
> +--- a/Makefile.am
> ++++ b/Makefile.am
> +@@ -507,6 +507,7 @@ libarchive_test_SOURCES= \
> + 	libarchive/test/test_read_format_rar_invalid1.c \
> + 	libarchive/test/test_read_format_rar_overflow.c \
> + 	libarchive/test/test_read_format_rar5.c \
> ++	libarchive/test/test_read_format_rar5_loop_bug.c \
> + 	libarchive/test/test_read_format_raw.c \
> + 	libarchive/test/test_read_format_tar.c \
> + 	libarchive/test/test_read_format_tar_concatenated.c \
> +@@ -869,6 +870,7 @@ libarchive_test_EXTRA_DIST=\
> + 	libarchive/test/test_read_format_rar5_invalid_dict_reference.rar.uu \
> + 	libarchive/test/test_read_format_rar5_leftshift1.rar.uu \
> + 	libarchive/test/test_read_format_rar5_leftshift2.rar.uu \
> ++	libarchive/test/test_read_format_rar5_loop_bug.rar.uu \
> + 	libarchive/test/test_read_format_rar5_multiarchive.part01.rar.uu \
> + 	libarchive/test/test_read_format_rar5_multiarchive.part02.rar.uu \
> + 	libarchive/test/test_read_format_rar5_multiarchive.part03.rar.uu \
> +diff --git a/libarchive/test/CMakeLists.txt b/libarchive/test/CMakeLists.txt
> +index 05c6fd7..c8f2e90 100644
> +--- a/libarchive/test/CMakeLists.txt
> ++++ b/libarchive/test/CMakeLists.txt
> +@@ -156,6 +156,7 @@ IF(ENABLE_TEST)
> +     test_read_format_rar_filter.c
> +     test_read_format_rar_overflow.c
> +     test_read_format_rar5.c
> ++    test_read_format_rar5_loop_bug.c
> +     test_read_format_raw.c
> +     test_read_format_tar.c
> +     test_read_format_tar_concatenated.c
> +diff --git a/libarchive/test/test_read_format_rar5_loop_bug.c b/libarchive/test/test_read_format_rar5_loop_bug.c
> +new file mode 100644
> +index 0000000..77dd78c
> +--- /dev/null
> ++++ b/libarchive/test/test_read_format_rar5_loop_bug.c
> +@@ -0,0 +1,53 @@
> ++/*-
> ++ * Copyright (c) 2026 Tim Kientzle
> ++ * All rights reserved.
> ++ *
> ++ * Redistribution and use in source and binary forms, with or without
> ++ * modification, are permitted provided that the following conditions
> ++ * are met:
> ++ * 1. Redistributions of source code must retain the above copyright
> ++ *    notice, this list of conditions and the following disclaimer.
> ++ * 2. Redistributions in binary form must reproduce the above copyright
> ++ *    notice, this list of conditions and the following disclaimer in the
> ++ *    documentation and/or other materials provided with the distribution.
> ++ *
> ++ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR(S) ``AS IS'' AND ANY EXPRESS OR
> ++ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
> ++ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
> ++ * IN NO EVENT SHALL THE AUTHOR(S) BE LIABLE FOR ANY DIRECT, INDIRECT,
> ++ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
> ++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
> ++ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
> ++ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
> ++ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
> ++ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
> ++ */
> ++#include "test.h"
> ++
> ++DEFINE_TEST(test_read_format_rar5_loop_bug)
> ++{
> ++  const char *reffile = "test_read_format_rar5_loop_bug.rar";
> ++  struct archive_entry *ae;
> ++  struct archive *a;
> ++  const void *buf;
> ++  size_t size;
> ++  la_int64_t offset;
> ++
> ++  extract_reference_file(reffile);
> ++  assert((a = archive_read_new()) != NULL);
> ++  assertEqualIntA(a, ARCHIVE_OK, archive_read_support_filter_all(a));
> ++  assertEqualIntA(a, ARCHIVE_OK, archive_read_support_format_all(a));
> ++  assertEqualIntA(a, ARCHIVE_OK, archive_read_open_filename(a, reffile, 10240));
> ++
> ++  // This has just one entry
> ++  assertEqualIntA(a, ARCHIVE_OK, archive_read_next_header(a, &ae));
> ++
> ++  // Read blocks until the end of the entry
> ++  while (ARCHIVE_OK == archive_read_data_block(a, &buf, &size, &offset)) {
> ++  }
> ++
> ++  assertEqualIntA(a, ARCHIVE_EOF, archive_read_next_header(a, &ae));
> ++
> ++  assertEqualIntA(a, ARCHIVE_OK, archive_read_close(a));
> ++  assertEqualInt(ARCHIVE_OK, archive_free(a));
> ++}
> +diff --git a/libarchive/test/test_read_format_rar5_loop_bug.rar.uu b/libarchive/test/test_read_format_rar5_loop_bug.rar.uu
> +new file mode 100644
> +index 0000000..3e47004
> +--- /dev/null
> ++++ b/libarchive/test/test_read_format_rar5_loop_bug.rar.uu
> +@@ -0,0 +1,189 @@
> ++begin 644 test_read_format_rar5_loop_bug.rar
> ++M4F%R(1H'`0#%&C,R`P$``)T-9%L.`@+P0`"`@`P`@`,``6'(WFP@`?\7_U/^
> ++M8@!.`B`H````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++5```````````````````Y^;*!`@4`
> ++`
> ++end
> +-- 
> +2.25.1
> +
> diff --git a/meta/recipes-extended/libarchive/libarchive_3.6.2.bb b/meta/recipes-extended/libarchive/libarchive_3.6.2.bb
> index e74326b40f..85fe6e5baa 100644
> --- a/meta/recipes-extended/libarchive/libarchive_3.6.2.bb
> +++ b/meta/recipes-extended/libarchive/libarchive_3.6.2.bb
> @@ -50,6 +50,8 @@ SRC_URI = "http://libarchive.org/downloads/libarchive-${PV}.tar.gz \
>             file://0001-Merge-pull-request-2768-from-Commandoss-master.patch \
>             file://CVE-2025-60753-01.patch \
>             file://CVE-2025-60753-02.patch \
> +           file://CVE-2026-4111-1.patch \
> +           file://CVE-2026-4111-2.patch \
>             "
>  UPSTREAM_CHECK_URI = "http://libarchive.org/"
>  


-- 
Yoann Congal
Smile ECS

next prev parent reply	other threads:[~2026-04-03 22:07 UTC|newest]

Thread overview: 4+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-03-26  7:58 [OE-core][kirkstone][PATCH] libarchive: Fix CVE-2026-4111 vanusuri
2026-04-03 22:07 ` Yoann Congal [this message]
2026-04-04  8:16   ` Vijay Anusuri
2026-04-05 21:54     ` Yoann Congal

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=DHJV1CGLXDFY.1T23NFX2R5HE8@smile.fr \
    --to=yoann.congal@smile.fr \
    --cc=openembedded-core@lists.openembedded.org \
    --cc=vanusuri@mvista.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox