Projects
Mega:24.03:SP1:Everything
libarchive
_service:tar_scm:backport-CVE-2024-26256-CVE-20...
Sign Up
Log In
Username
Password
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File _service:tar_scm:backport-CVE-2024-26256-CVE-2024-43495.patch of Package libarchive
From b7b0c7c4379531206a53634a12a02a8d45b28a2f Mon Sep 17 00:00:00 2001 From: terrynini <terrynini38514@gmail.com> Date: Wed, 14 Aug 2024 16:01:21 +0800 Subject: [PATCH] Fix CVE-2024-26256 (#2269) Opening a manipulated RAR archive could lead to remote code execution Security: CVE-2024-26256 Co-authored-by: Timothy Lyanguzov <theta682@gmail.com> --- libarchive/archive_read_support_format_rar.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libarchive/archive_read_support_format_rar.c b/libarchive/archive_read_support_format_rar.c index fb7cfde7..f4dcb752 100644 --- a/libarchive/archive_read_support_format_rar.c +++ b/libarchive/archive_read_support_format_rar.c @@ -3428,6 +3428,12 @@ run_filters(struct archive_read *a) return 0; } + if (filter->blocklength > VM_MEMORY_SIZE) + { + archive_set_error(&a->archive, ARCHIVE_ERRNO_FILE_FORMAT, "Bad RAR file data"); + return 0; + } + ret = copy_from_lzss_window(a, filters->vm->memory, start, filter->blocklength); if (ret != ARCHIVE_OK) return 0; -- 2.33.0
Locations
Projects
Search
Status Monitor
Help
Open Build Service
OBS Manuals
API Documentation
OBS Portal
Reporting a Bug
Contact
Mailing List
Forums
Chat (IRC)
Twitter
Open Build Service (OBS)
is an
openSUSE project
.
浙ICP备2022010568号-2