CVE-2026-4426.patch
From b02edc81ab3947b0b9fc18fd5a6b127a6e0f447c Mon Sep 17 00:00:00 2001
From: elhananhaenel <elhanan.haenel@mail.huji.ac.il>
Date: Sat, 7 Mar 2026 22:14:23 +0200
Subject: [PATCH 1/2] iso9660: validate pz_log2_bs in parse_rockridge_ZF1()
The zisofs block size exponent (pz_log2_bs) read from the Rock Ridge ZF
extension entry is used directly in shift expressions without validation.
The zisofs specification only permits values 15, 16, or 17 (corresponding
to 32K, 64K, and 128K block sizes).
When pz_log2_bs >= 64 on 64-bit systems (or >= 32 on 32-bit), the
expression (size_t)1UL << pz_log2_bs is undefined behavior per C11
6.5.7. On 32-bit systems, a large exponent also causes the block pointer
allocation size computation (ceil + 1) * 4 to overflow to zero, leading
to a heap buffer overflow write after malloc(0).
Fix: reject any pz_log2_bs outside the range [15, 17] by disabling
zisofs for the entry (file->pz = 0), which prevents the zisofs
decompression path from executing.
Found by fuzzing with ASAN/UBSAN.
---
libarchive/archive_read_support_format_iso9660.c | 15 ++++++++++-----
1 file changed, 10 insertions(+), 5 deletions(-)
diff --git a/libarchive/archive_read_support_format_iso9660.c b/libarchive/archive_read_support_format_iso9660.c
index baf265f..8dfeb88 100644
--- a/libarchive/archive_read_support_format_iso9660.c
+++ b/libarchive/archive_read_support_format_iso9660.c
@@ -2756,11 +2756,16 @@ parse_rockridge_ZF1(struct file_info *file, const unsigned char *data,
{
if (data[0] == 0x70 && data[1] == 0x7a && data_length == 12) {
- /* paged zlib */
- file->pz = 1;
- file->pz_log2_bs = data[3];
- file->pz_uncompressed_size = archive_le32dec(&data[4]);
- }
+ /* paged zlib */
+ file->pz = 1;
+ file->pz_log2_bs = data[3];
+ if (file->pz_log2_bs < 15 || file->pz_log2_bs > 17) {
+ /* Invalid block size exponent; disable zisofs. */
+ file->pz = 0;
+ return;
+ }
+ file->pz_uncompressed_size = archive_le32dec(&data[4]);
+ }
}
static void
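Review bot: the range check runs after `file->pz = 1;` and `file->pz_log2_bs = data[3];` have already been written, so a rejected entry leaves the out-of-range exponent stored in `file->pz_log2_bs` and only `pz` is reset. Checking `data[3]` before touching `file` (e.g. `if (data[3] < 15 || data[3] > 17) return;` ahead of the three assignments) keeps the rejected value out of the struct entirely and avoids the assign-then-undo pattern. The accepted range [15, 17] matches the zisofs block sizes the commit message cites (32K, 64K, 128K), and bounding the exponent is also what bounds the `(ceil + 1) * 4` pointer-table allocation on 32-bit targets.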
--
2.45.4
From f3299fa94765152bdc40ddfee4ec0052921ea0f9 Mon Sep 17 00:00:00 2001
From: elhananhaenel <elhanan.haenel@mail.huji.ac.il>
Date: Sun, 8 Mar 2026 15:33:50 +0200
Subject: [PATCH 2/2] Add TODO comment for future error propagation
Signed-off-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
Upstream-reference: https://github.com/libarchive/libarchive/commit/071e2e1c5981372d40482995ba83c98c8b595418.patch
---
libarchive/archive_read_support_format_iso9660.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/libarchive/archive_read_support_format_iso9660.c b/libarchive/archive_read_support_format_iso9660.c
index 8dfeb88..28d868b 100644
--- a/libarchive/archive_read_support_format_iso9660.c
+++ b/libarchive/archive_read_support_format_iso9660.c
@@ -2760,7 +2760,10 @@ parse_rockridge_ZF1(struct file_info *file, const unsigned char *data,
file->pz = 1;
file->pz_log2_bs = data[3];
if (file->pz_log2_bs < 15 || file->pz_log2_bs > 17) {
- /* Invalid block size exponent; disable zisofs. */
+ /* TODO: Return an error here instead of silently
+ * disabling zisofs. That requires propagating an
+ * error return through parse_rockridge() and its
+ * callers. */
file->pz = 0;
return;
}
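Review bot: the replacement comment drops the one sentence that said what this branch handles (an invalid block size exponent, with zisofs disabled in response) and leaves only the TODO, so a reader of the final code has to consult history to learn why `file->pz = 0` is set here. Keep the original sentence and append the TODO to it, e.g. `/* Invalid block size exponent; disable zisofs. TODO: return an error ... */`.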
--
2.45.4
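As an added illustration of the fix, not libarchive's code and not the patch author's: a stand-alone C parser for the 12-byte ZF payload that applies the same [15, 17] check before the exponent is stored or reaches any shift, and computes the `(ceil + 1) * 4` block pointer table size the commit message describes once the exponent is bounded. The struct and function names are assumptions; the field offsets follow the hunk.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Parsed zisofs ("paged zlib") fields; member names mirror the patched
 * file_info, but this struct is an assumption of the example. */
struct zf_info {
    int pz;                        /* 1 when the entry is accepted as zisofs */
    unsigned pz_log2_bs;           /* block size exponent, only 15..17 allowed */
    uint32_t pz_uncompressed_size; /* little-endian field at data[4] */
};

/* Little-endian 32-bit decode (same result as archive_le32dec()). */
static uint32_t le32dec(const unsigned char *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Parse a 12-byte ZF payload: "pz" signature, data[2] header size (unused
 * here, as in the patch), data[3] exponent, data[4..7] uncompressed size.
 * Returns 1 if zisofs is enabled for the entry, 0 if it is rejected. The
 * exponent is validated before it is stored or used in any shift. */
int parse_zf_payload(struct zf_info *f, const unsigned char *data, size_t len)
{
    memset(f, 0, sizeof(*f));
    if (len != 12 || data[0] != 0x70 || data[1] != 0x7a)
        return 0;
    if (data[3] < 15 || data[3] > 17)   /* zisofs permits 32K, 64K, 128K only */
        return 0;
    f->pz = 1;
    f->pz_log2_bs = data[3];
    f->pz_uncompressed_size = le32dec(&data[4]);
    return 1;
}

/* Bytes needed for the zisofs block pointer table, (ceil + 1) * 4, where
 * ceil is the block count. With the exponent bounded below by 15 and a
 * 32-bit size, ceil <= 2^17, so the product fits even a 32-bit size_t;
 * an unbounded exponent is what let this wrap to zero before the fix. */
size_t block_pointer_table_size(const struct zf_info *f)
{
    uint64_t bs, ceil;
    if (!f->pz)
        return 0;
    bs = (uint64_t)1 << f->pz_log2_bs;
    ceil = ((uint64_t)f->pz_uncompressed_size + bs - 1) / bs;
    return (size_t)((ceil + 1) * 4);
}
```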