On Sat Apr 4, 2026 at 10:16 AM CEST, Vijay Anusuri wrote:
> Hi Yoann,
>
> This CVE fix is already included in libarchive version 3.8.6 on the master
> branch.
>
> https://github.com/libarchive/libarchive/releases/tag/v3.8.6 .

That's right, as per
https://github.com/libarchive/libarchive/commit/ec19fcbd20b18bd3b0fdcf2b3fb97789cd1bf575.
So, master is already sorted.


> I will cherry-pick libarchive-3.8.6 from master and submit the patch to
> the Whinlatter branch.

Yes, please.

Thanks!

> Thanks & Regards,
> Vijay
>
> On Sat, Apr 4, 2026 at 3:37 AM Yoann Congal <[email protected]> wrote:
>
>> On Thu Mar 26, 2026 at 8:58 AM CET, Vijay Anusuri via
>> lists.openembedded.org wrote:
>> > From: Vijay Anusuri <[email protected]>
>> >
>> > Pick patch according to [1]
>> >
>> > [1] https://security-tracker.debian.org/tracker/CVE-2026-4111
>> > [2] https://github.com/libarchive/libarchive/pull/2877
>> > [3] https://access.redhat.com/errata/RHSA-2026:5080
>> >
>> > Signed-off-by: Vijay Anusuri <[email protected]>
>> > ---
>>
>> Hello,
>>
>> As far as I can tell, this CVE applies to whinlatter and master.
>> Since this is the end of kirkstone soon, I'll take it into the reviews
>> series but can only merge it if there is a patch sent for this CVE in
>> those branches.
>>
>> Regards,
>>
>> >  .../libarchive/CVE-2026-4111-1.patch          |  32 ++
>> >  .../libarchive/CVE-2026-4111-2.patch          | 308 ++++++++++++++++++
>> >  .../libarchive/libarchive_3.6.2.bb            |   2 +
>> >  3 files changed, 342 insertions(+)
>> >  create mode 100644
>> meta/recipes-extended/libarchive/libarchive/CVE-2026-4111-1.patch
>> >  create mode 100644
>> meta/recipes-extended/libarchive/libarchive/CVE-2026-4111-2.patch
>> >
>> > diff --git
>> a/meta/recipes-extended/libarchive/libarchive/CVE-2026-4111-1.patch
>> b/meta/recipes-extended/libarchive/libarchive/CVE-2026-4111-1.patch
>> > new file mode 100644
>> > index 0000000000..1f065b1364
>> > --- /dev/null
>> > +++ b/meta/recipes-extended/libarchive/libarchive/CVE-2026-4111-1.patch
>> > @@ -0,0 +1,32 @@
>> > +From 7273d04803a1e5a482f26d8d0fbaf2b204a72168 Mon Sep 17 00:00:00 2001
>> > +From: Tim Kientzle <[email protected]>
>> > +Date: Sun, 1 Mar 2026 20:24:56 -0800
>> > +Subject: [PATCH] Reject filters when the block length is nonsensical
>> > +
>> > +Credit: Grzegorz Antoniak @antekone
>> > +
>> > +Upstream-Status: Backport [
>> https://github.com/libarchive/libarchive/commit/7273d04803a1e5a482f26d8d0fbaf2b204a72168
>> ]
>> > +CVE: CVE-2026-4111
>> > +Signed-off-by: Vijay Anusuri <[email protected]>
>> > +---
>> > + libarchive/archive_read_support_format_rar5.c | 4 +++-
>> > + 1 file changed, 3 insertions(+), 1 deletion(-)
>> > +
>> > +diff --git a/libarchive/archive_read_support_format_rar5.c
>> b/libarchive/archive_read_support_format_rar5.c
>> > +index 38979cb..867f0a8 100644
>> > +--- a/libarchive/archive_read_support_format_rar5.c
>> > ++++ b/libarchive/archive_read_support_format_rar5.c
>> > +@@ -2914,7 +2914,9 @@ static int parse_filter(struct archive_read* ar,
>> const uint8_t* p) {
>> > +     if(block_length < 4 ||
>> > +         block_length > 0x400000 ||
>> > +         filter_type > FILTER_ARM ||
>> > +-        !is_valid_filter_block_start(rar, block_start))
>> > ++        !is_valid_filter_block_start(rar, block_start) ||
>> > ++        (rar->cstate.window_size > 0 &&
>> > ++         (ssize_t)block_length > rar->cstate.window_size >> 1))
>> > +     {
>> > +             archive_set_error(&ar->archive, ARCHIVE_ERRNO_FILE_FORMAT,
>> > +                 "Invalid filter encountered");
>> > +--
>> > +2.25.1
>> > +
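Review bot: the new condition in the rar5 hunk, `(rar->cstate.window_size > 0 && (ssize_t)block_length > rar->cstate.window_size >> 1)`, rejects a filter whose block length exceeds half the dictionary window and is skipped while `window_size` is still 0; it parses as intended only because `>>` binds tighter than `>`, which is easy to misread. Since the hunk has to stay byte-identical to upstream commit 7273d04, the place to help a kirkstone reviewer is the patch header: one sentence above `Upstream-Status` saying what the check rejects and when it applies. Also confirm that `Upstream-Status: Backport [...]` is a single line in the committed .patch file; here it is split over three lines, most likely mail wrapping, but a real line break there would trip the patch-header QA check.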
>> > diff --git
>> a/meta/recipes-extended/libarchive/libarchive/CVE-2026-4111-2.patch
>> b/meta/recipes-extended/libarchive/libarchive/CVE-2026-4111-2.patch
>> > new file mode 100644
>> > index 0000000000..243a03a8e5
>> > --- /dev/null
>> > +++ b/meta/recipes-extended/libarchive/libarchive/CVE-2026-4111-2.patch
>> > @@ -0,0 +1,308 @@
>> > +From ef53e2023d75a205cf7cbddb5d01c4cc592e9ce4 Mon Sep 17 00:00:00 2001
>> > +From: Tim Kientzle <[email protected]>
>> > +Date: Sun, 1 Mar 2026 10:04:01 -0800
>> > +Subject: [PATCH] Infinite loop in Rar5 decompression
>> > +
>> > +Found by: Elhanan Haenel
>> > +
>> > +Upstream-Status: Backport [
>> https://github.com/libarchive/libarchive/commit/ef53e2023d75a205cf7cbddb5d01c4cc592e9ce4
>> ]
>> > +CVE: CVE-2026-4111
>> > +Signed-off-by: Vijay Anusuri <[email protected]>
>> > +---
>> > + Makefile.am                                   |   2 +
>> > + libarchive/test/CMakeLists.txt                |   1 +
>> > + .../test/test_read_format_rar5_loop_bug.c     |  53 +++++
>> > + .../test_read_format_rar5_loop_bug.rar.uu     | 189 ++++++++++++++++++
>> > + 4 files changed, 245 insertions(+)
>> > + create mode 100644 libarchive/test/test_read_format_rar5_loop_bug.c
>> > + create mode 100644
>> libarchive/test/test_read_format_rar5_loop_bug.rar.uu
>> > +
>> > +diff --git a/Makefile.am b/Makefile.am
>> > +index dd1620d..14edb2a 100644
>> > +--- a/Makefile.am
>> > ++++ b/Makefile.am
>> > +@@ -507,6 +507,7 @@ libarchive_test_SOURCES= \
>> > +     libarchive/test/test_read_format_rar_invalid1.c \
>> > +     libarchive/test/test_read_format_rar_overflow.c \
>> > +     libarchive/test/test_read_format_rar5.c \
>> > ++    libarchive/test/test_read_format_rar5_loop_bug.c \
>> > +     libarchive/test/test_read_format_raw.c \
>> > +     libarchive/test/test_read_format_tar.c \
>> > +     libarchive/test/test_read_format_tar_concatenated.c \
>> > +@@ -869,6 +870,7 @@ libarchive_test_EXTRA_DIST=\
>> > +
>>  libarchive/test/test_read_format_rar5_invalid_dict_reference.rar.uu \
>> > +     libarchive/test/test_read_format_rar5_leftshift1.rar.uu \
>> > +     libarchive/test/test_read_format_rar5_leftshift2.rar.uu \
>> > ++    libarchive/test/test_read_format_rar5_loop_bug.rar.uu \
>> > +     libarchive/test/test_read_format_rar5_multiarchive.part01.rar.uu \
>> > +     libarchive/test/test_read_format_rar5_multiarchive.part02.rar.uu \
>> > +     libarchive/test/test_read_format_rar5_multiarchive.part03.rar.uu \
>> > +diff --git a/libarchive/test/CMakeLists.txt
>> b/libarchive/test/CMakeLists.txt
>> > +index 05c6fd7..c8f2e90 100644
>> > +--- a/libarchive/test/CMakeLists.txt
>> > ++++ b/libarchive/test/CMakeLists.txt
>> > +@@ -156,6 +156,7 @@ IF(ENABLE_TEST)
>> > +     test_read_format_rar_filter.c
>> > +     test_read_format_rar_overflow.c
>> > +     test_read_format_rar5.c
>> > ++    test_read_format_rar5_loop_bug.c
>> > +     test_read_format_raw.c
>> > +     test_read_format_tar.c
>> > +     test_read_format_tar_concatenated.c
>> > +diff --git a/libarchive/test/test_read_format_rar5_loop_bug.c
>> b/libarchive/test/test_read_format_rar5_loop_bug.c
>> > +new file mode 100644
>> > +index 0000000..77dd78c
>> > +--- /dev/null
>> > ++++ b/libarchive/test/test_read_format_rar5_loop_bug.c
>> > +@@ -0,0 +1,53 @@
>> > ++/*-
>> > ++ * Copyright (c) 2026 Tim Kientzle
>> > ++ * All rights reserved.
>> > ++ *
>> > ++ * Redistribution and use in source and binary forms, with or without
>> > ++ * modification, are permitted provided that the following conditions
>> > ++ * are met:
>> > ++ * 1. Redistributions of source code must retain the above copyright
>> > ++ *    notice, this list of conditions and the following disclaimer.
>> > ++ * 2. Redistributions in binary form must reproduce the above copyright
>> > ++ *    notice, this list of conditions and the following disclaimer in
>> the
>> > ++ *    documentation and/or other materials provided with the
>> distribution.
>> > ++ *
>> > ++ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR(S) ``AS IS'' AND ANY
>> EXPRESS OR
>> > ++ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
>> WARRANTIES
>> > ++ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
>> DISCLAIMED.
>> > ++ * IN NO EVENT SHALL THE AUTHOR(S) BE LIABLE FOR ANY DIRECT, INDIRECT,
>> > ++ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
>> (INCLUDING, BUT
>> > ++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS
>> OF USE,
>> > ++ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
>> ANY
>> > ++ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
>> > ++ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
>> USE OF
>> > ++ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
>> > ++ */
>> > ++#include "test.h"
>> > ++
>> > ++DEFINE_TEST(test_read_format_rar5_loop_bug)
>> > ++{
>> > ++  const char *reffile = "test_read_format_rar5_loop_bug.rar";
>> > ++  struct archive_entry *ae;
>> > ++  struct archive *a;
>> > ++  const void *buf;
>> > ++  size_t size;
>> > ++  la_int64_t offset;
>> > ++
>> > ++  extract_reference_file(reffile);
>> > ++  assert((a = archive_read_new()) != NULL);
>> > ++  assertEqualIntA(a, ARCHIVE_OK, archive_read_support_filter_all(a));
>> > ++  assertEqualIntA(a, ARCHIVE_OK, archive_read_support_format_all(a));
>> > ++  assertEqualIntA(a, ARCHIVE_OK, archive_read_open_filename(a,
>> reffile, 10240));
>> > ++
>> > ++  // This has just one entry
>> > ++  assertEqualIntA(a, ARCHIVE_OK, archive_read_next_header(a, &ae));
>> > ++
>> > ++  // Read blocks until the end of the entry
>> > ++  while (ARCHIVE_OK == archive_read_data_block(a, &buf, &size,
>> &offset)) {
>> > ++  }
>> > ++
>> > ++  assertEqualIntA(a, ARCHIVE_EOF, archive_read_next_header(a, &ae));
>> > ++
>> > ++  assertEqualIntA(a, ARCHIVE_OK, archive_read_close(a));
>> > ++  assertEqualInt(ARCHIVE_OK, archive_free(a));
>> > ++}
>> > +diff --git a/libarchive/test/test_read_format_rar5_loop_bug.rar.uu
>> b/libarchive/test/test_read_format_rar5_loop_bug.rar.uu
>> > +new file mode 100644
>> > +index 0000000..3e47004
>> > +--- /dev/null
>> > ++++ b/libarchive/test/test_read_format_rar5_loop_bug.rar.uu
>> > +@@ -0,0 +1,189 @@
>> > ++begin 644 test_read_format_rar5_loop_bug.rar
>> > ++M4F%R(1H'`0#%&C,R`P$``)T-9%L.`@+P0`"`@`P`@`,``6'(WFP@`?\7_U/^
>> > ++M8@!.`B`H````````````````````````````````````````````````````
>> > ++M````````````````````````````````````````````````````````````
>> > ++M````````````````````````````````````````````````````````````
>> > ++M````````````````````````````````````````````````````````````
>> > ++M````````````````````````````````````````````````````````````
>> > ++M````````````````````````````````````````````````````````````
>> > ++M````````````````````````````````````````````````````````````
>> > ++M````````````````````````````````````````````````````````````
>> > ++M````````````````````````````````````````````````````````````
>> > ++M````````````````````````````````````````````````````````````
>> > ++M````````````````````````````````````````````````````````````
>> > ++M````````````````````````````````````````````````````````````
>> > ++M````````````````````````````````````````````````````````````
>> > ++M````````````````````````````````````````````````````````````
>> > ++M````````````````````````````````````````````````````````````
>> > ++M````````````````````````````````````````````````````````````
>> > ++M````````````````````````````````````````````````````````````
>> > ++M````````````````````````````````````````````````````````````
>> > ++M````````````````````````````````````````````````````````````
>> > ++M````````````````````````````````````````````````````````````
>> > ++M````````````````````````````````````````````````````````````
>> > ++M````````````````````````````````````````````````````````````
>> > ++M````````````````````````````````````````````````````````````
>> > ++M````````````````````````````````````````````````````````````
>> > ++M````````````````````````````````````````````````````````````
>> > ++M````````````````````````````````````````````````````````````
>> > ++M````````````````````````````````````````````````````````````
>> > ++M````````````````````````````````````````````````````````````
>> > ++M````````````````````````````````````````````````````````````
>> > ++M````````````````````````````````````````````````````````````
>> > ++M````````````````````````````````````````````````````````````
>> > ++M````````````````````````````````````````````````````````````
>> > ++M````````````````````````````````````````````````````````````
>> > ++M````````````````````````````````````````````````````````````
>> > ++M````````````````````````````````````````````````````````````
>> > ++M````````````````````````````````````````````````````````````
>> > ++M````````````````````````````````````````````````````````````
>> > ++M````````````````````````````````````````````````````````````
>> > ++M````````````````````````````````````````````````````````````
>> > ++M````````````````````````````````````````````````````````````
>> > ++M````````````````````````````````````````````````````````````
>> > ++M````````````````````````````````````````````````````````````
>> > ++M````````````````````````````````````````````````````````````
>> > ++M````````````````````````````````````````````````````````````
>> > ++M````````````````````````````````````````````````````````````
>> > ++M````````````````````````````````````````````````````````````
>> > ++M````````````````````````````````````````````````````````````
>> > ++M````````````````````````````````````````````````````````````
>> > ++M````````````````````````````````````````````````````````````
>> > ++M````````````````````````````````````````````````````````````
>> > ++M````````````````````````````````````````````````````````````
>> > ++M````````````````````````````````````````````````````````````
>> > ++M````````````````````````````````````````````````````````````
>> > ++M````````````````````````````````````````````````````````````
>> > ++M````````````````````````````````````````````````````````````
>> > ++M````````````````````````````````````````````````````````````
>> > ++M````````````````````````````````````````````````````````````
>> > ++M````````````````````````````````````````````````````````````
>> > ++M````````````````````````````````````````````````````````````
>> > ++M````````````````````````````````````````````````````````````
>> > ++M````````````````````````````````````````````````````````````
>> > ++M````````````````````````````````````````````````````````````
>> > ++M````````````````````````````````````````````````````````````
>> > ++M````````````````````````````````````````````````````````````
>> > ++M````````````````````````````````````````````````````````````
>> > ++M````````````````````````````````````````````````````````````
>> > ++M````````````````````````````````````````````````````````````
>> > ++M````````````````````````````````````````````````````````````
>> > ++M````````````````````````````````````````````````````````````
>> > ++M````````````````````````````````````````````````````````````
>> > ++M````````````````````````````````````````````````````````````
>> > ++M````````````````````````````````````````````````````````````
>> > ++M````````````````````````````````````````````````````````````
>> > ++M````````````````````````````````````````````````````````````
>> > ++M````````````````````````````````````````````````````````````
>> > ++M````````````````````````````````````````````````````````````
>> > ++M````````````````````````````````````````````````````````````
>> > ++M````````````````````````````````````````````````````````````
>> > ++M````````````````````````````````````````````````````````````
>> > ++M````````````````````````````````````````````````````````````
>> > ++M````````````````````````````````````````````````````````````
>> > ++M````````````````````````````````````````````````````````````
>> > ++M````````````````````````````````````````````````````````````
>> > ++M````````````````````````````````````````````````````````````
>> > ++M````````````````````````````````````````````````````````````
>> > ++M````````````````````````````````````````````````````````````
>> > ++M````````````````````````````````````````````````````````````
>> > ++M````````````````````````````````````````````````````````````
>> > ++M````````````````````````````````````````````````````````````
>> > ++M````````````````````````````````````````````````````````````
>> > ++M````````````````````````````````````````````````````````````
>> > ++M````````````````````````````````````````````````````````````
>> > ++M````````````````````````````````````````````````````````````
>> > ++M````````````````````````````````````````````````````````````
>> > ++M````````````````````````````````````````````````````````````
>> > ++M````````````````````````````````````````````````````````````
>> > ++M````````````````````````````````````````````````````````````
>> > ++M````````````````````````````````````````````````````````````
>> > ++M````````````````````````````````````````````````````````````
>> > ++M````````````````````````````````````````````````````````````
>> > ++M````````````````````````````````````````````````````````````
>> > ++M````````````````````````````````````````````````````````````
>> > ++M````````````````````````````````````````````````````````````
>> > ++M````````````````````````````````````````````````````````````
>> > ++M````````````````````````````````````````````````````````````
>> > ++M````````````````````````````````````````````````````````````
>> > ++M````````````````````````````````````````````````````````````
>> > ++M````````````````````````````````````````````````````````````
>> > ++M````````````````````````````````````````````````````````````
>> > ++M````````````````````````````````````````````````````````````
>> > ++M````````````````````````````````````````````````````````````
>> > ++M````````````````````````````````````````````````````````````
>> > ++M````````````````````````````````````````````````````````````
>> > ++M````````````````````````````````````````````````````````````
>> > ++M````````````````````````````````````````````````````````````
>> > ++M````````````````````````````````````````````````````````````
>> > ++M````````````````````````````````````````````````````````````
>> > ++M````````````````````````````````````````````````````````````
>> > ++M````````````````````````````````````````````````````````````
>> > ++M````````````````````````````````````````````````````````````
>> > ++M````````````````````````````````````````````````````````````
>> > ++M````````````````````````````````````````````````````````````
>> > ++M````````````````````````````````````````````````````````````
>> > ++M````````````````````````````````````````````````````````````
>> > ++M````````````````````````````````````````````````````````````
>> > ++M````````````````````````````````````````````````````````````
>> > ++M````````````````````````````````````````````````````````````
>> > ++M````````````````````````````````````````````````````````````
>> > ++M````````````````````````````````````````````````````````````
>> > ++M````````````````````````````````````````````````````````````
>> > ++M````````````````````````````````````````````````````````````
>> > ++M````````````````````````````````````````````````````````````
>> > ++M````````````````````````````````````````````````````````````
>> > ++M````````````````````````````````````````````````````````````
>> > ++M````````````````````````````````````````````````````````````
>> > ++M````````````````````````````````````````````````````````````
>> > ++M````````````````````````````````````````````````````````````
>> > ++M````````````````````````````````````````````````````````````
>> > ++M````````````````````````````````````````````````````````````
>> > ++M````````````````````````````````````````````````````````````
>> > ++M````````````````````````````````````````````````````````````
>> > ++M````````````````````````````````````````````````````````````
>> > ++M````````````````````````````````````````````````````````````
>> > ++M````````````````````````````````````````````````````````````
>> > ++M````````````````````````````````````````````````````````````
>> > ++M````````````````````````````````````````````````````````````
>> > ++M````````````````````````````````````````````````````````````
>> > ++M````````````````````````````````````````````````````````````
>> > ++M````````````````````````````````````````````````````````````
>> > ++M````````````````````````````````````````````````````````````
>> > ++M````````````````````````````````````````````````````````````
>> > ++M````````````````````````````````````````````````````````````
>> > ++M````````````````````````````````````````````````````````````
>> > ++M````````````````````````````````````````````````````````````
>> > ++M````````````````````````````````````````````````````````````
>> > ++M````````````````````````````````````````````````````````````
>> > ++M````````````````````````````````````````````````````````````
>> > ++M````````````````````````````````````````````````````````````
>> > ++M````````````````````````````````````````````````````````````
>> > ++M````````````````````````````````````````````````````````````
>> > ++M````````````````````````````````````````````````````````````
>> > ++M````````````````````````````````````````````````````````````
>> > ++M````````````````````````````````````````````````````````````
>> > ++M````````````````````````````````````````````````````````````
>> > ++M````````````````````````````````````````````````````````````
>> > ++M````````````````````````````````````````````````````````````
>> > ++M````````````````````````````````````````````````````````````
>> > ++M````````````````````````````````````````````````````````````
>> > ++M````````````````````````````````````````````````````````````
>> > ++M````````````````````````````````````````````````````````````
>> > ++M````````````````````````````````````````````````````````````
>> > ++M````````````````````````````````````````````````````````````
>> > ++M````````````````````````````````````````````````````````````
>> > ++M````````````````````````````````````````````````````````````
>> > ++M````````````````````````````````````````````````````````````
>> > ++M````````````````````````````````````````````````````````````
>> > ++M````````````````````````````````````````````````````````````
>> > ++M````````````````````````````````````````````````````````````
>> > ++M````````````````````````````````````````````````````````````
>> > ++M````````````````````````````````````````````````````````````
>> > ++M````````````````````````````````````````````````````````````
>> > ++M````````````````````````````````````````````````````````````
>> > ++M````````````````````````````````````````````````````````````
>> > ++M````````````````````````````````````````````````````````````
>> > ++5```````````````````Y^;*!`@4`
>> > ++`
>> > ++end
>> > +--
>> > +2.25.1
>> > +
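Review bot: this second backport changes no library source. Its diffstat lists only Makefile.am, libarchive/test/CMakeLists.txt, the new test_read_format_rar5_loop_bug.c and its .rar.uu fixture, so it is a regression test, and of the two patches only CVE-2026-4111-1.patch alters runtime behaviour. Please state that in the commit message so the CVE tag on a test-only patch does not mislead anyone auditing the branch, and check that do_configure picks up the Makefile.am edit (the autotools class reruns autoreconf, so it should). Note that the test drains the entry with a bare `while (ARCHIVE_OK == archive_read_data_block(a, &buf, &size, &offset)) {}`; given the subject "Infinite loop in Rar5 decompression", that loop is the one expected to terminate only once the first patch is applied, so the two patches should always travel together.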
>> > diff --git a/meta/recipes-extended/libarchive/libarchive_3.6.2.bb
>> b/meta/recipes-extended/libarchive/libarchive_3.6.2.bb
>> > index e74326b40f..85fe6e5baa 100644
>> > --- a/meta/recipes-extended/libarchive/libarchive_3.6.2.bb
>> > +++ b/meta/recipes-extended/libarchive/libarchive_3.6.2.bb
>> > @@ -50,6 +50,8 @@ SRC_URI = "
>> http://libarchive.org/downloads/libarchive-${PV}.tar.gz \
>> >
>>  file://0001-Merge-pull-request-2768-from-Commandoss-master.patch \
>> >             file://CVE-2025-60753-01.patch \
>> >             file://CVE-2025-60753-02.patch \
>> > +           file://CVE-2026-4111-1.patch \
>> > +           file://CVE-2026-4111-2.patch \
>> >             "
>> >  UPSTREAM_CHECK_URI = "http://libarchive.org/";
>> >
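Review bot: the recipe is libarchive 3.6.2, while the first backport's hunk header `@@ -2914,7 +2914,9 @@ static int parse_filter(struct archive_read* ar, const uint8_t* p)` and blob ids `38979cb..867f0a8` come from the upstream tree, so the commit message should record whether the hunk applied to 3.6.2 cleanly or with an offset; that saves the next rebase from re-deriving it. The two new `file://CVE-2026-4111-1.patch` and `file://CVE-2026-4111-2.patch` entries follow the existing CVE-2025-60753 lines in the expected order. As discussed in the thread, the kirkstone merge also waits on the matching whinlatter patch; master is already covered by the 3.8.6 commit.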
>>
>>
>> --
>> Yoann Congal
>> Smile ECS
>>
>>


-- 
Yoann Congal
Smile ECS

View/Reply Online (#234636): 
https://lists.openembedded.org/g/openembedded-core/message/234636