From: Amaury Couderc <[email protected]> Backport patch to fix CVE-2026-5121. https://nvd.nist.gov/vuln/detail/CVE-2026-5121
Upstream fix: https://github.com/libarchive/libarchive/commit/071e2e1c5981372d40482995ba83c98c8b595418 Signed-off-by: Amaury Couderc <[email protected]> --- .../libarchive/CVE-2026-5121.patch | 46 ++++++++++++++++++++ .../libarchive/libarchive_3.7.9.bb | 1 + 2 files changed, 47 insertions(+) create mode 100644 meta/recipes-extended/libarchive/libarchive/CVE-2026-5121.patch diff --git a/meta/recipes-extended/libarchive/libarchive/CVE-2026-5121.patch b/meta/recipes-extended/libarchive/libarchive/CVE-2026-5121.patch new file mode 100644 index 0000000000..3f922d7864 --- /dev/null +++ b/meta/recipes-extended/libarchive/libarchive/CVE-2026-5121.patch @@ -0,0 +1,46 @@ +From 3d8e0f60c5a522ebfe0f967448bae7d1782edcae Mon Sep 17 00:00:00 2001 +From: Tim Kientzle <[email protected]> +Date: Sun, 12 Apr 2026 14:51:56 -0700 +Subject: [PATCH] Merge pull request #2897 from + ElhananHaenel/fix/iso_zisofs_undefined_behavior + +iso9660: validate pz_log2_bs in parse_rockridge_ZF1() + +CVE: CVE-2026-5121 +Upstream-Status: Backport [https://github.com/libarchive/libarchive/commit/071e2e1c5981372d40482995ba83c98c8b595418] + +Reviewed-by: Daniel Turull <[email protected]> +Signed-off-by: Amaury Couderc <[email protected]> +--- + .../archive_read_support_format_iso9660.c | 18 +++++++++++++----- + 1 file changed, 13 insertions(+), 5 deletions(-) + +diff --git a/libarchive/archive_read_support_format_iso9660.c b/libarchive/archive_read_support_format_iso9660.c +index 7d3655a9..630efba2 100644 +--- a/libarchive/archive_read_support_format_iso9660.c ++++ b/libarchive/archive_read_support_format_iso9660.c +@@ -2756,11 +2756,19 @@ parse_rockridge_ZF1(struct file_info *file, const unsigned char *data, + { + + if (data[0] == 0x70 && data[1] == 0x7a && data_length == 12) { +- /* paged zlib */ +- file->pz = 1; +- file->pz_log2_bs = data[3]; +- file->pz_uncompressed_size = archive_le32dec(&data[4]); +- } ++ /* paged zlib */ ++ file->pz = 1; ++ file->pz_log2_bs = data[3]; ++ if (file->pz_log2_bs < 15 || file->pz_log2_bs > 17) { ++ /* TODO: Return an error here instead of silently ++ * disabling zisofs. That requires propagating an ++ * error return through parse_rockridge() and its ++ * callers. */ ++ file->pz = 0; ++ return; ++ } ++ file->pz_uncompressed_size = archive_le32dec(&data[4]); ++ } + } + + static void diff --git a/meta/recipes-extended/libarchive/libarchive_3.7.9.bb b/meta/recipes-extended/libarchive/libarchive_3.7.9.bb index 9cc5f3d540..f2ad360a2e 100644 --- a/meta/recipes-extended/libarchive/libarchive_3.7.9.bb +++ b/meta/recipes-extended/libarchive/libarchive_3.7.9.bb @@ -47,6 +47,7 @@ SRC_URI = "http://libarchive.org/downloads/libarchive-${PV}.tar.gz \ file://CVE-2026-4424-2.patch \ file://CVE-2026-4424-3.patch \ file://CVE-2026-4424-4.patch \ + file://CVE-2026-5121.patch \ " UPSTREAM_CHECK_URI = "http://libarchive.org/"; -- 2.34.1
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#236948): https://lists.openembedded.org/g/openembedded-core/message/236948 Mute This Topic: https://lists.openembedded.org/mt/119293989/21656 Group Owner: [email protected] Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
