On Thu Mar 26, 2026 at 8:58 AM CET, Vijay Anusuri via lists.openembedded.org wrote:
> From: Vijay Anusuri <[email protected]>
>
> Pick patch according to [1]
>
> [1] https://security-tracker.debian.org/tracker/CVE-2026-4111
> [2] https://github.com/libarchive/libarchive/pull/2877
> [3] https://access.redhat.com/errata/RHSA-2026:5080
>
> Signed-off-by: Vijay Anusuri <[email protected]>
> ---

Hello,

As far as I can tell, this CVE applies to whinlatter and master.
Since this is the end of kirkstone soon, I'll take it into the reviews
series but can only merge it if there is a patch sent for this CVE in
those branches.

Regards,

>  .../libarchive/CVE-2026-4111-1.patch          |  32 ++
>  .../libarchive/CVE-2026-4111-2.patch          | 308 ++++++++++++++++++
>  .../libarchive/libarchive_3.6.2.bb            |   2 +
>  3 files changed, 342 insertions(+)
>  create mode 100644 
> meta/recipes-extended/libarchive/libarchive/CVE-2026-4111-1.patch
>  create mode 100644 
> meta/recipes-extended/libarchive/libarchive/CVE-2026-4111-2.patch
>
> diff --git 
> a/meta/recipes-extended/libarchive/libarchive/CVE-2026-4111-1.patch 
> b/meta/recipes-extended/libarchive/libarchive/CVE-2026-4111-1.patch
> new file mode 100644
> index 0000000000..1f065b1364
> --- /dev/null
> +++ b/meta/recipes-extended/libarchive/libarchive/CVE-2026-4111-1.patch
> @@ -0,0 +1,32 @@
> +From 7273d04803a1e5a482f26d8d0fbaf2b204a72168 Mon Sep 17 00:00:00 2001
> +From: Tim Kientzle <[email protected]>
> +Date: Sun, 1 Mar 2026 20:24:56 -0800
> +Subject: [PATCH] Reject filters when the block length is nonsensical
> +
> +Credit: Grzegorz Antoniak @antekone
> +
> +Upstream-Status: Backport 
> [https://github.com/libarchive/libarchive/commit/7273d04803a1e5a482f26d8d0fbaf2b204a72168]
> +CVE: CVE-2026-4111
> +Signed-off-by: Vijay Anusuri <[email protected]>
> +---
> + libarchive/archive_read_support_format_rar5.c | 4 +++-
> + 1 file changed, 3 insertions(+), 1 deletion(-)
> +
> +diff --git a/libarchive/archive_read_support_format_rar5.c 
> b/libarchive/archive_read_support_format_rar5.c
> +index 38979cb..867f0a8 100644
> +--- a/libarchive/archive_read_support_format_rar5.c
> ++++ b/libarchive/archive_read_support_format_rar5.c
> +@@ -2914,7 +2914,9 @@ static int parse_filter(struct archive_read* ar, const 
> uint8_t* p) {
> +     if(block_length < 4 ||
> +         block_length > 0x400000 ||
> +         filter_type > FILTER_ARM ||
> +-        !is_valid_filter_block_start(rar, block_start))
> ++        !is_valid_filter_block_start(rar, block_start) ||
> ++        (rar->cstate.window_size > 0 &&
> ++         (ssize_t)block_length > rar->cstate.window_size >> 1))
> +     {
> +             archive_set_error(&ar->archive, ARCHIVE_ERRNO_FILE_FORMAT,
> +                 "Invalid filter encountered");
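Review bot: the new sub-expression `(ssize_t)block_length > rar->cstate.window_size >> 1` is correct only because `>>` binds tighter than `>` in C; writing it as `(ssize_t)block_length > (rar->cstate.window_size >> 1)` would make the intent explicit and save the next reader from checking the precedence table. The cast is safe here because the earlier `block_length > 0x400000` test in the same `||` chain already rejects anything large before this operand is evaluated. Two things the hunk leaves undocumented and that deserve a one-line comment: why half the window is the bound, and whether a filter can legitimately be parsed while `window_size` is still 0 (the `window_size > 0` guard means such a filter bypasses the new check entirely).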
> +-- 
> +2.25.1
> +
> diff --git 
> a/meta/recipes-extended/libarchive/libarchive/CVE-2026-4111-2.patch 
> b/meta/recipes-extended/libarchive/libarchive/CVE-2026-4111-2.patch
> new file mode 100644
> index 0000000000..243a03a8e5
> --- /dev/null
> +++ b/meta/recipes-extended/libarchive/libarchive/CVE-2026-4111-2.patch
> @@ -0,0 +1,308 @@
> +From ef53e2023d75a205cf7cbddb5d01c4cc592e9ce4 Mon Sep 17 00:00:00 2001
> +From: Tim Kientzle <[email protected]>
> +Date: Sun, 1 Mar 2026 10:04:01 -0800
> +Subject: [PATCH] Infinite loop in Rar5 decompression
> +
> +Found by: Elhanan Haenel
> +
> +Upstream-Status: Backport 
> [https://github.com/libarchive/libarchive/commit/ef53e2023d75a205cf7cbddb5d01c4cc592e9ce4]
> +CVE: CVE-2026-4111
> +Signed-off-by: Vijay Anusuri <[email protected]>
> +---
> + Makefile.am                                   |   2 +
> + libarchive/test/CMakeLists.txt                |   1 +
> + .../test/test_read_format_rar5_loop_bug.c     |  53 +++++
> + .../test_read_format_rar5_loop_bug.rar.uu     | 189 ++++++++++++++++++
> + 4 files changed, 245 insertions(+)
> + create mode 100644 libarchive/test/test_read_format_rar5_loop_bug.c
> + create mode 100644 libarchive/test/test_read_format_rar5_loop_bug.rar.uu
> +
> +diff --git a/Makefile.am b/Makefile.am
> +index dd1620d..14edb2a 100644
> +--- a/Makefile.am
> ++++ b/Makefile.am
> +@@ -507,6 +507,7 @@ libarchive_test_SOURCES= \
> +     libarchive/test/test_read_format_rar_invalid1.c \
> +     libarchive/test/test_read_format_rar_overflow.c \
> +     libarchive/test/test_read_format_rar5.c \
> ++    libarchive/test/test_read_format_rar5_loop_bug.c \
> +     libarchive/test/test_read_format_raw.c \
> +     libarchive/test/test_read_format_tar.c \
> +     libarchive/test/test_read_format_tar_concatenated.c \
> +@@ -869,6 +870,7 @@ libarchive_test_EXTRA_DIST=\
> +     libarchive/test/test_read_format_rar5_invalid_dict_reference.rar.uu \
> +     libarchive/test/test_read_format_rar5_leftshift1.rar.uu \
> +     libarchive/test/test_read_format_rar5_leftshift2.rar.uu \
> ++    libarchive/test/test_read_format_rar5_loop_bug.rar.uu \
> +     libarchive/test/test_read_format_rar5_multiarchive.part01.rar.uu \
> +     libarchive/test/test_read_format_rar5_multiarchive.part02.rar.uu \
> +     libarchive/test/test_read_format_rar5_multiarchive.part03.rar.uu \
> +diff --git a/libarchive/test/CMakeLists.txt b/libarchive/test/CMakeLists.txt
> +index 05c6fd7..c8f2e90 100644
> +--- a/libarchive/test/CMakeLists.txt
> ++++ b/libarchive/test/CMakeLists.txt
> +@@ -156,6 +156,7 @@ IF(ENABLE_TEST)
> +     test_read_format_rar_filter.c
> +     test_read_format_rar_overflow.c
> +     test_read_format_rar5.c
> ++    test_read_format_rar5_loop_bug.c
> +     test_read_format_raw.c
> +     test_read_format_tar.c
> +     test_read_format_tar_concatenated.c
> +diff --git a/libarchive/test/test_read_format_rar5_loop_bug.c 
> b/libarchive/test/test_read_format_rar5_loop_bug.c
> +new file mode 100644
> +index 0000000..77dd78c
> +--- /dev/null
> ++++ b/libarchive/test/test_read_format_rar5_loop_bug.c
> +@@ -0,0 +1,53 @@
> ++/*-
> ++ * Copyright (c) 2026 Tim Kientzle
> ++ * All rights reserved.
> ++ *
> ++ * Redistribution and use in source and binary forms, with or without
> ++ * modification, are permitted provided that the following conditions
> ++ * are met:
> ++ * 1. Redistributions of source code must retain the above copyright
> ++ *    notice, this list of conditions and the following disclaimer.
> ++ * 2. Redistributions in binary form must reproduce the above copyright
> ++ *    notice, this list of conditions and the following disclaimer in the
> ++ *    documentation and/or other materials provided with the distribution.
> ++ *
> ++ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR(S) ``AS IS'' AND ANY EXPRESS OR
> ++ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
> ++ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
> ++ * IN NO EVENT SHALL THE AUTHOR(S) BE LIABLE FOR ANY DIRECT, INDIRECT,
> ++ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
> ++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
> ++ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
> ++ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
> ++ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
> ++ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
> ++ */
> ++#include "test.h"
> ++
> ++DEFINE_TEST(test_read_format_rar5_loop_bug)
> ++{
> ++  const char *reffile = "test_read_format_rar5_loop_bug.rar";
> ++  struct archive_entry *ae;
> ++  struct archive *a;
> ++  const void *buf;
> ++  size_t size;
> ++  la_int64_t offset;
> ++
> ++  extract_reference_file(reffile);
> ++  assert((a = archive_read_new()) != NULL);
> ++  assertEqualIntA(a, ARCHIVE_OK, archive_read_support_filter_all(a));
> ++  assertEqualIntA(a, ARCHIVE_OK, archive_read_support_format_all(a));
> ++  assertEqualIntA(a, ARCHIVE_OK, archive_read_open_filename(a, reffile, 
> 10240));
> ++
> ++  // This has just one entry
> ++  assertEqualIntA(a, ARCHIVE_OK, archive_read_next_header(a, &ae));
> ++
> ++  // Read blocks until the end of the entry
> ++  while (ARCHIVE_OK == archive_read_data_block(a, &buf, &size, &offset)) {
> ++  }
> ++
> ++  assertEqualIntA(a, ARCHIVE_EOF, archive_read_next_header(a, &ae));
> ++
> ++  assertEqualIntA(a, ARCHIVE_OK, archive_read_close(a));
> ++  assertEqualInt(ARCHIVE_OK, archive_free(a));
> ++}
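Review bot: the loop `while (ARCHIVE_OK == archive_read_data_block(a, &buf, &size, &offset)) {}` discards the terminating return code, so the test cannot distinguish the expected ARCHIVE_EOF from an early ARCHIVE_WARN or ARCHIVE_RETRY exit; capture it in an `int r` and follow the loop with `assertEqualIntA(a, ARCHIVE_EOF, r);`. Also worth noting for this backport: because the defect being covered is an infinite loop, a regression would hang the test binary rather than fail an assertion, so a bounded iteration count (fail after, say, a few thousand blocks) would turn a hang into a reported failure.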
> +diff --git a/libarchive/test/test_read_format_rar5_loop_bug.rar.uu 
> b/libarchive/test/test_read_format_rar5_loop_bug.rar.uu
> +new file mode 100644
> +index 0000000..3e47004
> +--- /dev/null
> ++++ b/libarchive/test/test_read_format_rar5_loop_bug.rar.uu
> +@@ -0,0 +1,189 @@
> ++begin 644 test_read_format_rar5_loop_bug.rar
> ++M4F%R(1H'`0#%&C,R`P$``)T-9%L.`@+P0`"`@`P`@`,``6'(WFP@`?\7_U/^
> ++M8@!.`B`H````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++M````````````````````````````````````````````````````````````
> ++5```````````````````Y^;*!`@4`
> ++`
> ++end
> +-- 
> +2.25.1
> +
> diff --git a/meta/recipes-extended/libarchive/libarchive_3.6.2.bb 
> b/meta/recipes-extended/libarchive/libarchive_3.6.2.bb
> index e74326b40f..85fe6e5baa 100644
> --- a/meta/recipes-extended/libarchive/libarchive_3.6.2.bb
> +++ b/meta/recipes-extended/libarchive/libarchive_3.6.2.bb
> @@ -50,6 +50,8 @@ SRC_URI = 
> "http://libarchive.org/downloads/libarchive-${PV}.tar.gz \
>             file://0001-Merge-pull-request-2768-from-Commandoss-master.patch \
>             file://CVE-2025-60753-01.patch \
>             file://CVE-2025-60753-02.patch \
> +           file://CVE-2026-4111-1.patch \
> +           file://CVE-2026-4111-2.patch \
>             "
>  UPSTREAM_CHECK_URI = "http://libarchive.org/";
>  
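Review bot: CVE-2026-4111-2.patch touches only Makefile.am, libarchive/test/CMakeLists.txt and the two new test files, so the functional fix for this CVE is entirely the one-condition change in CVE-2026-4111-1.patch; the commit message should say so, and should either reference [2] and [3] in its text or drop them, since at present only [1] is cited. Both patch files carry the `CVE: CVE-2026-4111` tag, which is what cve-check keys on, so the recipe change itself is fine.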


-- 
Yoann Congal
Smile ECS

View/Reply Online (#234603): https://lists.openembedded.org/g/openembedded-core/message/234603