fix CVE-2021-36976 patch

(cherry picked from commit c947a84240d62b9022411f09b329d748eca81bbb)

backport-0001-CVE-2021-36976.patch

@@ -0,0 +1,46 @@
+From 29fd0178a8861af36ab60407cd718b3f262dda15 Mon Sep 17 00:00:00 2001
+From: Emil Velikov <emil.l.velikov@gmail.com>
+Date: Sun, 21 Nov 2021 18:05:19 +0000
+Subject: [PATCH] tar: demote -xa from error to a warning
+
+It's fairly common for people to use caf and xaf on Linux. The former in
+itself being GNU tar specific - libarchive tar does not allow xa.
+
+While it makes little sense to use xaf with libarchive tar, that is
+implementation detail which gets in the way when trying to write trivial
+tooling/scripts.
+
+For the sake of compatibility, reduce the error to a warning and augment
+the message itself. Making it clear that the option makes little sense.
+
+Signed-off-by: Emil Velikov <emil.l.velikov@gmail.com>
+
+Reference:https://github.com/libarchive/libarchive/commit/56c920eab3352f7877ee0cf9e472c1ab376c7e3e
+Conflict:NA
+---
+ tar/bsdtar.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/tar/bsdtar.c b/tar/bsdtar.c
+index af41be5..f4f008b 100644
+--- a/tar/bsdtar.c
++++ b/tar/bsdtar.c
+@@ -796,8 +796,14 @@ main(int argc, char **argv)
+ 		    "Must specify one of -c, -r, -t, -u, -x");
+ 
+ 	/* Check boolean options only permitted in certain modes. */
+-	if (bsdtar->flags & OPTFLAG_AUTO_COMPRESS)
+-		only_mode(bsdtar, "-a", "c");
++	if (bsdtar->flags & OPTFLAG_AUTO_COMPRESS) {
++		only_mode(bsdtar, "-a", "cx");
++		if (bsdtar->mode == 'x') {
++			bsdtar->flags &= ~OPTFLAG_AUTO_COMPRESS;
++			lafe_warnc(0,
++			    "Ignoring option -a in mode -x");
++		}
++	}
+ 	if (bsdtar->readdisk_flags & ARCHIVE_READDISK_NO_TRAVERSE_MOUNTS)
+ 		only_mode(bsdtar, "--one-file-system", "cru");
+ 	if (bsdtar->flags & OPTFLAG_FAST_READ)
+-- 
+2.27.0

backport-0002-CVE-2021-36976.patch

@@ -0,0 +1,67 @@
+From 17f4e83c0f0fc3bacf4b2bbacb01f987bb5aff5f Mon Sep 17 00:00:00 2001
+From: Grzegorz Antoniak <ga@anadoxin.org>
+Date: Fri, 12 Feb 2021 20:18:31 +0100
+Subject: [PATCH] RAR5 reader: fix invalid memory access in some files
+
+RAR5 reader uses several variables to manage the window buffer during
+extraction: the buffer itself (`window_buf`), the current size of the
+window buffer (`window_size`), and a helper variable (`window_mask`)
+that is used to constrain read and write offsets to the window buffer.
+
+Some specially crafted files can force the unpacker to update the
+`window_mask` variable to a value that is out of sync with current
+buffer size. If the `window_mask` will be bigger than the actual buffer
+size, then an invalid access operation can happen (SIGSEGV).
+
+This commit ensures that if the `window_size` and `window_mask` will be
+changed, the window buffer will be reallocated to the proper size, so no
+invalid memory operation should be possible.
+
+This commit contains a test file from OSSFuzz #30442.
+
+Reference:https://github.com/libarchive/libarchive/commit/17f4e83c0f0fc3bacf4b2bbacb01f987bb5aff5f
+Conflict:NA
+---
+ libarchive/archive_read_support_format_rar5.c | 27 ++++++++++++++-----
+ 1 files changed, 21 insertions(+), 6 deletions(-)
+
+diff --git a/libarchive/archive_read_support_format_rar5.c b/libarchive/archive_read_support_format_rar5.c
+index a91c73f8b..880ba6612 100644
+--- a/libarchive/archive_read_support_format_rar5.c
++++ b/libarchive/archive_read_support_format_rar5.c
+@@ -1772,14 +1772,29 @@ static int process_head_file(struct archive_read* a, struct rar5* rar,
+ 		}
+ 	}
+ 
+-	/* If we're currently switching volumes, ignore the new definition of
+-	 * window_size. */
+-	if(rar->cstate.switch_multivolume == 0) {
+-		/* Values up to 64M should fit into ssize_t on every
+-		 * architecture. */
+-		rar->cstate.window_size = (ssize_t) window_size;
++	if(rar->cstate.window_size < (ssize_t) window_size &&
++	    rar->cstate.window_buf)
++	{
++		/* If window_buf has been allocated before, reallocate it, so
++		 * that its size will match new window_size. */
++
++		uint8_t* new_window_buf =
++			realloc(rar->cstate.window_buf, window_size);
++
++		if(!new_window_buf) {
++			archive_set_error(&a->archive, ARCHIVE_ERRNO_PROGRAMMER,
++				"Not enough memory when trying to realloc the window "
++				"buffer.");
++			return ARCHIVE_FATAL;
++		}
++
++		rar->cstate.window_buf = new_window_buf;
+ 	}
+ 
++	/* Values up to 64M should fit into ssize_t on every
++	 * architecture. */
++	rar->cstate.window_size = (ssize_t) window_size;
++
+ 	if(rar->file.solid > 0 && rar->file.solid_window_size == 0) {
+ 		/* Solid files have to have the same window_size across
+ 		   whole archive. Remember the window_size parameter

backport-CVE-2021-36976.patch

@@ -1,58 +0,0 @@
-From a7ce8a6aa7b710986ab918761c8d2ff1b0e9f537 Mon Sep 17 00:00:00 2001
-From: Samanta Navarro <ferivoz@riseup.net>
-Date: Sat, 28 Aug 2021 11:58:00 +0000
-Subject: [PATCH] Fix size_t cast in read_mac_metadata_blob
-
-The size_t data type on 32 bit systems is smaller than int64_t. Check
-the int64_t value before casting to size_t. If the value is too large
-then stop operation instead of continuing operation with truncated
-value.
-
-Conflict:NA
-Reference:https://github.com/libarchive/libarchive/commit/a7ce8a6aa7b710986ab918761c8d2ff1b0e9f537
----
- libarchive/archive_read_support_format_tar.c | 12 +++++++++---
- 1 file changed, 9 insertions(+), 3 deletions(-)
-
-diff --git a/libarchive/archive_read_support_format_tar.c b/libarchive/archive_read_support_format_tar.c
-index 7e8febacf..773796a5d 100644
---- a/libarchive/archive_read_support_format_tar.c
-+++ b/libarchive/archive_read_support_format_tar.c
-@@ -1396,6 +1396,7 @@ read_mac_metadata_blob(struct archive_read *a, struct tar *tar,
-     struct archive_entry *entry, const void *h, size_t *unconsumed)
- {
- 	int64_t size;
-+	size_t msize;
- 	const void *data;
- 	const char *p, *name;
- 	const wchar_t *wp, *wname;
-@@ -1434,6 +1435,11 @@ read_mac_metadata_blob(struct archive_read *a, struct tar *tar,
- 
-  	/* Read the body as a Mac OS metadata blob. */
- 	size = archive_entry_size(entry);
-+	msize = (size_t)size;
-+	if (size < 0 || (uintmax_t)msize != (uintmax_t)size) {
-+		*unconsumed = 0;
-+		return (ARCHIVE_FATAL);
-+	}
- 
- 	/*
- 	 * TODO: Look beyond the body here to peek at the next header.
-@@ -1447,13 +1453,13 @@ read_mac_metadata_blob(struct archive_read *a, struct tar *tar,
- 	 * Q: Is the above idea really possible?  Even
- 	 * when there are GNU or pax extension entries?
- 	 */
--	data = __archive_read_ahead(a, (size_t)size, NULL);
-+	data = __archive_read_ahead(a, msize, NULL);
- 	if (data == NULL) {
- 		*unconsumed = 0;
- 		return (ARCHIVE_FATAL);
- 	}
--	archive_entry_copy_mac_metadata(entry, data, (size_t)size);
--	*unconsumed = (size_t)((size + 511) & ~ 511);
-+	archive_entry_copy_mac_metadata(entry, data, msize);
-+	*unconsumed = (msize + 511) & ~ 511;
- 	tar_flush_unconsumed(a, unconsumed);
- 	return (tar_read_header(a, tar, entry, unconsumed));
- }
-

libarchive.spec

@@ -2,7 +2,7 @@
 
 Name:           libarchive
 Version:        3.5.2
-Release:        5
+Release:        6
 Summary:        Multi-format archive and compression library
 
 License:        BSD
@@ -14,10 +14,11 @@ BuildRequires:  lzo-devel e2fsprogs-devel libacl-devel libattr-devel
 BuildRequires:  openssl-devel libxml2-devel lz4-devel automake libzstd-devel
 
 Patch6000:      backport-libarchive-3.5.2-symlink-fix.patch
-Patch6001:	backport-CVE-2021-36976.patch
-Patch6002:	backport-CVE-2021-31566.patch
-Patch6003:	backport-CVE-2022-26280.patch
-Patch6004:	backport-CVE-2022-36227.patch
+Patch6001:	backport-0001-CVE-2021-36976.patch
+Patch6002:	backport-0002-CVE-2021-36976.patch
+Patch6003:	backport-CVE-2021-31566.patch
+Patch6004:	backport-CVE-2022-26280.patch
+Patch6005:	backport-CVE-2022-36227.patch
 
 Patch9000:	libarchive-uninitialized-value.patch
 
@@ -192,6 +193,9 @@ run_testsuite
 %{_bindir}/bsdcat
 
 %changelog
+* Thu Mar 02 2023 zhangpan <zhangpan103@h-paetners.com> - 3.5.2-6
+- fix CVE-2021-36976 patch
+
 * Fri Nov 25 2022 wangkerong <wangkerong@h-paetners.com> - 3.5.2-5
 - fix CVE-2022-36227