From ea8d25748caea42f87f12068148647f66b7c1656 Mon Sep 17 00:00:00 2001
From: zhangpan <zp1224248514@163.com>
Date: Fri, 3 Mar 2023 06:59:55 +0000
Subject: [PATCH] fix CVE-2021-36976 patch

(cherry picked from commit 8c20b91ab38536f5e806ae2b7d17e1f497db66b2)
---
 backport-0001-CVE-2021-36976.patch | 46 ++++++++++++++++++++
 backport-0002-CVE-2021-36976.patch | 67 ++++++++++++++++++++++++++++++
 backport-CVE-2021-36976.patch      | 57 -------------------------
 libarchive.spec                    | 22 ++++++----
 4 files changed, 126 insertions(+), 66 deletions(-)
 create mode 100644 backport-0001-CVE-2021-36976.patch
 create mode 100644 backport-0002-CVE-2021-36976.patch
 delete mode 100644 backport-CVE-2021-36976.patch

diff --git a/backport-0001-CVE-2021-36976.patch b/backport-0001-CVE-2021-36976.patch
new file mode 100644
index 0000000..efddc6a
--- /dev/null
+++ b/backport-0001-CVE-2021-36976.patch
@@ -0,0 +1,46 @@
+From 29fd0178a8861af36ab60407cd718b3f262dda15 Mon Sep 17 00:00:00 2001
+From: Emil Velikov <emil.l.velikov@gmail.com>
+Date: Sun, 21 Nov 2021 18:05:19 +0000
+Subject: [PATCH] tar: demote -xa from error to a warning
+
+It's fairly common for people to use caf and xaf on Linux. The former in
+itself being GNU tar specific - libarchive tar does not allow xa.
+
+While it makes little sense to use xaf with libarchive tar, that is
+implementation detail which gets in the way when trying to write trivial
+tooling/scripts.
+
+For the sake of compatibility, reduce the error to a warning and augment
+the message itself. Making it clear that the option makes little sense.
+
+Signed-off-by: Emil Velikov <emil.l.velikov@gmail.com>
+
+Reference:https://github.com/libarchive/libarchive/commit/56c920eab3352f7877ee0cf9e472c1ab376c7e3e
+Conflict:NA
+---
+ tar/bsdtar.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/tar/bsdtar.c b/tar/bsdtar.c
+index af41be5..f4f008b 100644
+--- a/tar/bsdtar.c
++++ b/tar/bsdtar.c
+@@ -796,8 +796,14 @@ main(int argc, char **argv)
+ 		    "Must specify one of -c, -r, -t, -u, -x");
+ 
+ 	/* Check boolean options only permitted in certain modes. */
+-	if (bsdtar->flags & OPTFLAG_AUTO_COMPRESS)
+-		only_mode(bsdtar, "-a", "c");
++	if (bsdtar->flags & OPTFLAG_AUTO_COMPRESS) {
++		only_mode(bsdtar, "-a", "cx");
++		if (bsdtar->mode == 'x') {
++			bsdtar->flags &= ~OPTFLAG_AUTO_COMPRESS;
++			lafe_warnc(0,
++			    "Ignoring option -a in mode -x");
++		}
++	}
+ 	if (bsdtar->readdisk_flags & ARCHIVE_READDISK_NO_TRAVERSE_MOUNTS)
+ 		only_mode(bsdtar, "--one-file-system", "cru");
+ 	if (bsdtar->flags & OPTFLAG_FAST_READ)
+-- 
+2.27.0
diff --git a/backport-0002-CVE-2021-36976.patch b/backport-0002-CVE-2021-36976.patch
new file mode 100644
index 0000000..f018de2
--- /dev/null
+++ b/backport-0002-CVE-2021-36976.patch
@@ -0,0 +1,67 @@
+From 17f4e83c0f0fc3bacf4b2bbacb01f987bb5aff5f Mon Sep 17 00:00:00 2001
+From: Grzegorz Antoniak <ga@anadoxin.org>
+Date: Fri, 12 Feb 2021 20:18:31 +0100
+Subject: [PATCH] RAR5 reader: fix invalid memory access in some files
+
+RAR5 reader uses several variables to manage the window buffer during
+extraction: the buffer itself (`window_buf`), the current size of the
+window buffer (`window_size`), and a helper variable (`window_mask`)
+that is used to constrain read and write offsets to the window buffer.
+
+Some specially crafted files can force the unpacker to update the
+`window_mask` variable to a value that is out of sync with current
+buffer size. If the `window_mask` will be bigger than the actual buffer
+size, then an invalid access operation can happen (SIGSEGV).
+
+This commit ensures that if the `window_size` and `window_mask` will be
+changed, the window buffer will be reallocated to the proper size, so no
+invalid memory operation should be possible.
+
+This commit contains a test file from OSSFuzz #30442.
+
+Reference:https://github.com/libarchive/libarchive/commit/17f4e83c0f0fc3bacf4b2bbacb01f987bb5aff5f
+Conflict:NA
+---
+ libarchive/archive_read_support_format_rar5.c | 27 ++++++++++++++-----
+ 1 files changed, 21 insertions(+), 6 deletions(-)
+
+diff --git a/libarchive/archive_read_support_format_rar5.c b/libarchive/archive_read_support_format_rar5.c
+index a91c73f8b..880ba6612 100644
+--- a/libarchive/archive_read_support_format_rar5.c
++++ b/libarchive/archive_read_support_format_rar5.c
+@@ -1772,14 +1772,29 @@ static int process_head_file(struct archive_read* a, struct rar5* rar,
+ 		}
+ 	}
+ 
+-	/* If we're currently switching volumes, ignore the new definition of
+-	 * window_size. */
+-	if(rar->cstate.switch_multivolume == 0) {
+-		/* Values up to 64M should fit into ssize_t on every
+-		 * architecture. */
+-		rar->cstate.window_size = (ssize_t) window_size;
++	if(rar->cstate.window_size < (ssize_t) window_size &&
++	    rar->cstate.window_buf)
++	{
++		/* If window_buf has been allocated before, reallocate it, so
++		 * that its size will match new window_size. */
++
++		uint8_t* new_window_buf =
++			realloc(rar->cstate.window_buf, window_size);
++
++		if(!new_window_buf) {
++			archive_set_error(&a->archive, ARCHIVE_ERRNO_PROGRAMMER,
++				"Not enough memory when trying to realloc the window "
++				"buffer.");
++			return ARCHIVE_FATAL;
++		}
++
++		rar->cstate.window_buf = new_window_buf;
+ 	}
+ 
++	/* Values up to 64M should fit into ssize_t on every
++	 * architecture. */
++	rar->cstate.window_size = (ssize_t) window_size;
++
+ 	if(rar->file.solid > 0 && rar->file.solid_window_size == 0) {
+ 		/* Solid files have to have the same window_size across
+ 		   whole archive. Remember the window_size parameter
diff --git a/backport-CVE-2021-36976.patch b/backport-CVE-2021-36976.patch
deleted file mode 100644
index d5ee964..0000000
--- a/backport-CVE-2021-36976.patch
+++ /dev/null
@@ -1,57 +0,0 @@
-From a7ce8a6aa7b710986ab918761c8d2ff1b0e9f537 Mon Sep 17 00:00:00 2001
-From: Samanta Navarro <ferivoz@riseup.net>
-Date: Sat, 28 Aug 2021 11:58:00 +0000
-Subject: [PATCH] Fix size_t cast in read_mac_metadata_blob
-
-The size_t data type on 32 bit systems is smaller than int64_t. Check
-the int64_t value before casting to size_t. If the value is too large
-then stop operation instead of continuing operation with truncated
-value.
----
- libarchive/archive_read_support_format_tar.c | 12 +++++++++---
- 1 file changed, 9 insertions(+), 3 deletions(-)
-
-diff --git a/libarchive/archive_read_support_format_tar.c b/libarchive/archive_read_support_format_tar.c
-index 96d8101..7290df0 100644
---- a/libarchive/archive_read_support_format_tar.c
-+++ b/libarchive/archive_read_support_format_tar.c
-@@ -1396,6 +1396,7 @@ read_mac_metadata_blob(struct archive_read *a, struct tar *tar,
-     struct archive_entry *entry, const void *h, size_t *unconsumed)
- {
- 	int64_t size;
-+	size_t msize;
- 	const void *data;
- 	const char *p, *name;
- 	const wchar_t *wp, *wname;
-@@ -1434,6 +1435,11 @@ read_mac_metadata_blob(struct archive_read *a, struct tar *tar,
- 
-  	/* Read the body as a Mac OS metadata blob. */
- 	size = archive_entry_size(entry);
-+	msize = (size_t)size;
-+	if (size < 0 || (uintmax_t)msize != (uintmax_t)size) {
-+		*unconsumed = 0;
-+		return (ARCHIVE_FATAL);
-+	}
- 
- 	/*
- 	 * TODO: Look beyond the body here to peek at the next header.
-@@ -1447,13 +1453,13 @@ read_mac_metadata_blob(struct archive_read *a, struct tar *tar,
- 	 * Q: Is the above idea really possible?  Even
- 	 * when there are GNU or pax extension entries?
- 	 */
--	data = __archive_read_ahead(a, (size_t)size, NULL);
-+	data = __archive_read_ahead(a, msize, NULL);
- 	if (data == NULL) {
- 		*unconsumed = 0;
- 		return (ARCHIVE_FATAL);
- 	}
--	archive_entry_copy_mac_metadata(entry, data, (size_t)size);
--	*unconsumed = (size_t)((size + 511) & ~ 511);
-+	archive_entry_copy_mac_metadata(entry, data, msize);
-+	*unconsumed = (msize + 511) & ~ 511;
- 	tar_flush_unconsumed(a, unconsumed);
- 	return (tar_read_header(a, tar, entry, unconsumed));
- }
--- 
-2.27.0
-
diff --git a/libarchive.spec b/libarchive.spec
index f3f8c06..a81a816 100644
--- a/libarchive.spec
+++ b/libarchive.spec
@@ -2,7 +2,7 @@
 
 Name:           libarchive
 Version:        3.4.3
-Release:        6
+Release:        7
 Summary:        Multi-format archive and compression library
 
 License:        BSD
@@ -20,14 +20,15 @@ Obsoletes:      bsdtar bsdcpio bsdcat
 Patch6001:      libarchive-uninitialized-value.patch
 Patch6002:      libarchive-3.4.3-lchmod-support-check.patch
 Patch6003:      libarchive-3.4.3-avoid-stack-overflow.patch
-Patch6004:      backport-CVE-2021-36976.patch
-Patch6005:      backport-CVE-2021-23177.patch
-Patch6006:      backport-0001-CVE-2021-31566.patch
-Patch6007:      backport-0002-CVE-2021-31566.patch
-Patch6008:      backport-0003-CVE-2021-31566.patch
-Patch6009:      backport-0004-CVE-2021-31566.patch
-Patch6010:      backport-CVE-2022-26280.patch
-Patch6011:      backport-CVE-2022-36227.patch
+Patch6004:      backport-0001-CVE-2021-36976.patch
+Patch6005:      backport-0002-CVE-2021-36976.patch
+Patch6006:      backport-CVE-2021-23177.patch
+Patch6007:      backport-0001-CVE-2021-31566.patch
+Patch6008:      backport-0002-CVE-2021-31566.patch
+Patch6009:      backport-0003-CVE-2021-31566.patch
+Patch6010:      backport-0004-CVE-2021-31566.patch
+Patch6011:      backport-CVE-2022-26280.patch
+Patch6012:      backport-CVE-2022-36227.patch
 
 %description
 %{name} is an open-source BSD-licensed C programming library that 
@@ -159,6 +160,9 @@ run_testsuite
 %{_mandir}/man5/*
 
 %changelog
+* Thu Mar 02 2023 zhangpan <zhangpan103@partners.com> - 3.4.3-7
+- fix CVE-2021-36976 patch
+
 * Fri Nov 25 2022 wangkeorng <wangkerong@partners.com> - 3.4.3-6
 - fix CVE-2022-36227
 
-- 
Gitee