new file mode 100644

@@ -0,0 +1,31 @@

+From 021efa522ad729ff0f5806c4ce53e4a6cc1daa31 Mon Sep 17 00:00:00 2001

+From: Daniel Axtens <dja@axtens.net>

+Date: Tue, 20 Nov 2018 17:56:29 +1100

+Subject: [PATCH] Avoid a double-free when a window size of 0 is specified

+

+new_size can be 0 with a malicious or corrupted RAR archive.

+

+realloc(area, 0) is equivalent to free(area), so the region would

+be free()d here and the free()d again in the cleanup function.

+

+Found with a setup running AFL, afl-rb, and qsym.

+---

+ libarchive/archive_read_support_format_rar.c | 5 +++++

+ 1 file changed, 5 insertions(+)

+

+diff --git a/libarchive/archive_read_support_format_rar.c b/libarchive/archive_read_support_format_rar.c

+index 234522229..6f419c270 100644

+--- a/libarchive/archive_read_support_format_rar.c

+@@ -2300,6 +2300,11 @@ parse_codes(struct archive_read *a)

+       new_size = DICTIONARY_MAX_SIZE;

+     else

+       new_size = rar_fls((unsigned int)rar->unp_size) << 1;

++    if (new_size == 0) {

++      archive_set_error(&a->archive, ARCHIVE_ERRNO_FILE_FORMAT,

++                        "Zero window size is invalid.");

++      return (ARCHIVE_FATAL);

++    }

+     new_window = realloc(rar->lzss.window, new_size);

+     if (new_window == NULL) {

+       archive_set_error(&a->archive, ENOMEM,

new file mode 100644

@@ -0,0 +1,72 @@

+From bfcfe6f04ed20db2504db8a254d1f40a1d84eb28 Mon Sep 17 00:00:00 2001

+From: Daniel Axtens <dja@axtens.net>

+Date: Tue, 4 Dec 2018 00:55:22 +1100

+Subject: [PATCH] rar: file split across multi-part archives must match

+

+Fuzzing uncovered some UAF and memory overrun bugs where a file in a

+single file archive reported that it was split across multiple

+volumes. This was caused by ppmd7 operations calling

+rar_br_fillup. This would invoke rar_read_ahead, which would in some

+situations invoke archive_read_format_rar_read_header.  That would

+check the new file name against the old file name, and if they didn't

+match up it would free the ppmd7 buffer and allocate a new

+one. However, because the ppmd7 decoder wasn't actually done with the

+buffer, it would continue to used the freed buffer. Both reads and

+writes to the freed region can be observed.

+

+This is quite tricky to solve: once the buffer has been freed it is

+too late, as the ppmd7 decoder functions almost universally assume

+success - there's no way for ppmd_read to signal error, nor are there

+good ways for functions like Range_Normalise to propagate them. So we

+can't detect after the fact that we're in an invalid state - e.g. by

+checking rar->cursor, we have to prevent ourselves from ever ending up

+there. So, when we are in the dangerous part or rar_read_ahead that

+assumes a valid split, we set a flag force read_header to either go

+down the path for split files or bail. This means that the ppmd7

+decoder keeps a valid buffer and just runs out of data.

+

+Found with a combination of AFL, afl-rb and qsym.

+---

+ libarchive/archive_read_support_format_rar.c | 9 +++++++++

+ 1 file changed, 9 insertions(+)

+

+diff --git a/libarchive/archive_read_support_format_rar.c b/libarchive/archive_read_support_format_rar.c

+index 6f419c270..a8cc5c94d 100644

+--- a/libarchive/archive_read_support_format_rar.c

+@@ -258,6 +258,7 @@ struct rar

+   struct data_block_offsets *dbo;

+   unsigned int cursor;

+   unsigned int nodes;

++  char filename_must_match;

+ 

+   /* LZSS members */

+   struct huffman_code maincode;

+@@ -1560,6 +1561,12 @@ read_header(struct archive_read *a, struct archive_entry *entry,

+     }

+     return ret;

+   }

++  else if (rar->filename_must_match)

++  {

++    archive_set_error(&a->archive, ARCHIVE_ERRNO_FILE_FORMAT,

++      "Mismatch of file parts split across multi-volume archive");

++    return (ARCHIVE_FATAL);

++  }

+ 

+   rar->filename_save = (char*)realloc(rar->filename_save,

+                                       filename_size + 1);

+@@ -2933,12 +2940,14 @@ rar_read_ahead(struct archive_read *a, size_t min, ssize_t *avail)

+     else if (*avail == 0 && rar->main_flags & MHD_VOLUME &&

+       rar->file_flags & FHD_SPLIT_AFTER)

+     {

++      rar->filename_must_match = 1;

+       ret = archive_read_format_rar_read_header(a, a->entry);

+       if (ret == (ARCHIVE_EOF))

+       {

+         rar->has_endarc_header = 1;

+         ret = archive_read_format_rar_read_header(a, a->entry);

+       }

++      rar->filename_must_match = 0;

+       if (ret != (ARCHIVE_OK))

+         return NULL;

+       return rar_read_ahead(a, min, avail);

@@ -1,7 +1,7 @@

 Summary:    Multi-format archive and compression library

 Name:       libarchive

 Version:    3.3.1

-Release:    1%{?dist}

+Release:    2%{?dist}

 License:    BSD 2-Clause License

 URL:        http://www.libarchive.org/

 Group:      System Environment/Development

@@ -9,6 +9,8 @@ Vendor:     VMware, Inc.

 Distribution:   Photon

 Source0:    http://www.libarchive.org/downloads/%{name}-%{version}.tar.gz

 %define sha1 libarchive=d5616f81804aba92547629c08a3ccff86c2844ae

+Patch0:     libarchive-CVE-2018-1000877.patch

+Patch1:     libarchive-CVE-2018-1000878.patch

 %description

 Multi-format archive and compression library

@@ -21,6 +23,8 @@ It contains the libraries and header files to create applications

 %prep

 %setup -q

+%patch0 -p1

+%patch1 -p1

 %build

 export CFLAGS="%{optflags}"

@@ -50,6 +54,8 @@ find %{buildroot}%{_libdir} -name '*.la' -delete

 %{_libdir}/pkgconfig/*.pc

 %changelog

+*   Fri Mar 08 2019 Ankit Jain <ankitja@vmware.com> 3.3.1-2

+-   Fix for CVE-2018-1000877 and CVE-2018-1000878

 *   Thu Apr 06 2017 Divya Thaluru <dthaluru@vmware.com> 3.3.1-1

 -   Upgrade version to 3.3.1

 *   Thu Sep 22 2016 Anish Swaminathan <anishs@vmware.com> 3.1.2-7