Skip to content

[AutoPR- Security] Patch libarchive for CVE-2026-14164 [HIGH]#17906

Open
azurelinux-security wants to merge 1 commit into
microsoft:fasttrack/3.0from
azurelinux-security:azure-autosec/libarchive/3.0/1152352
Open

[AutoPR- Security] Patch libarchive for CVE-2026-14164 [HIGH]#17906
azurelinux-security wants to merge 1 commit into
microsoft:fasttrack/3.0from
azurelinux-security:azure-autosec/libarchive/3.0/1152352

Conversation

@azurelinux-security

@azurelinux-security azurelinux-security commented Jul 3, 2026

Copy link
Copy Markdown

Auto Patch libarchive for CVE-2026-14164.

Autosec pipeline run -> https://dev.azure.com/mariner-org/mariner/_build/results?buildId=1152352&view=results

Merge Checklist

All boxes should be checked before merging the PR (just tick any boxes which don't apply to this PR)

  • The toolchain has been rebuilt successfully (or no changes were made to it)
  • The toolchain/worker package manifests are up-to-date
  • Any updated packages successfully build (or no packages were changed)
  • Packages depending on static components modified in this PR (Golang, *-static subpackages, etc.) have had their Release tag incremented.
  • Package tests (%check section) have been verified with RUN_CHECK=y for existing SPEC files, or added to new SPEC files
  • All package sources are available
  • cgmanifest files are up-to-date and sorted (./cgmanifest.json, ./toolkit/scripts/toolchain/cgmanifest.json, .github/workflows/cgmanifest.json)
  • LICENSE-MAP files are up-to-date (./LICENSES-AND-NOTICES/SPECS/data/licenses.json, ./LICENSES-AND-NOTICES/SPECS/LICENSES-MAP.md, ./LICENSES-AND-NOTICES/SPECS/LICENSE-EXCEPTIONS.PHOTON)
  • All source files have up-to-date hashes in the *.signatures.json files
  • sudo make go-tidy-all and sudo make go-test-coverage pass
  • Documentation has been updated to match any changes to the build system
  • Ready to merge

Summary

What does the PR accomplish, why was it needed?

Change Log
Does this affect the toolchain?

YES/NO

Associated issues
  • N/A
Links to CVEs
Test Methodology

@azurelinux-security

Copy link
Copy Markdown
Author

🔒 CVE Patch Review: CVE-2026-14164

PR #17906 — [AutoPR- Security] Patch libarchive for CVE-2026-14164 [HIGH]
Package: libarchive | Branch: fasttrack/3.0


Spec File Validation

Check Status Detail
Release bump Release bumped 6 → 7
Patch entry Patch entries added: ['CVE-2026-14164.patch'] (covers ['CVE-2026-14164'])
Patch application %autosetup/%autopatch found in full spec — patches applied automatically
Changelog Changelog entry looks good
Signatures No source tarball changes — signatures N/A
Manifests Not a toolchain PR — manifests N/A

Build Verification

Build log analysis was skipped (no build ID available).


Patch Analysis

  • Match type: significant_differences
  • Risk assessment: high
  • Summary: The PR captures the intent of the upstream fix by nulling window_buf and filtered_buf immediately after free() and removing the else branch, but it is not functionally equivalent to the authoritative patch. Upstream changes init_unpack to return int and adds explicit allocation-failure checks returning ARCHIVE_FATAL after each calloc(). The PR applies only the pointer-nulling portion in an older codebase where init_unpack remains void and no allocation-failure handling is added, leaving a meaningful behavioral difference and potential incompleteness relative to upstream.
  • Missing hunks:
    • Upstream adds if (rar->cstate.window_buf == NULL) return ARCHIVE_FATAL; immediately after allocating window_buf.
    • Upstream adds if (rar->cstate.filtered_buf == NULL) return ARCHIVE_FATAL; immediately after allocating filtered_buf.
    • Upstream patch context shows init_unpack as static int init_unpack(struct rar5* rar), while the PR leaves it as static void init_unpack(struct rar5* rar) and therefore omits the associated error-propagation behavior.
Detailed analysis

Core fix comparison: both patches move rar->cstate.window_buf = NULL; and rar->cstate.filtered_buf = NULL; to immediately after the free() calls, which addresses the dangling-pointer/double-free condition described in the CVE. In that narrow sense, the central security hunk is aligned. However, the upstream patch as provided contains additional logic in the same function: after each calloc(), it checks for allocation failure and returns ARCHIVE_FATAL. The PR does not include those checks and is applied against an older function signature (static void init_unpack) where such returns are not possible without broader refactoring. That makes this more than a cosmetic or pure-context backport difference. The PR is effectively a partial backport of the upstream change to a codebase with different control flow and error handling. What was modified vs upstream: commit metadata differs as expected for a distro patch; file path differs because the PR adds a spec patch file; function location and signature differ due to the older source base; and the fatal-allocation handling hunks are absent. Missing hunks are not obviously justified as test-only or context-only omissions—they represent real behavioral changes omitted from the backport. Context-line differences themselves appear safe as normal backport drift, but the substantive omission means the fix may be incomplete relative to upstream. Regression risk from the applied hunk alone is low, since setting freed pointers to NULL is safe, but the overall security-equivalence risk is high because failed allocations will not be handled the way upstream intended, and downstream behavior after calloc() returning NULL may still be problematic elsewhere in the older code path.


Verdict

CHANGES REQUESTED — Please address the issues flagged above.

@akhila-guruju akhila-guruju force-pushed the azure-autosec/libarchive/3.0/1152352 branch from 44fcb39 to 862ef1a Compare July 7, 2026 11:45
@akhila-guruju

Copy link
Copy Markdown

Patch Analysis:
AI patch matches with the upstream patch.
Slight variation around patched lines (upstream code has extra if cond.) and void is the func return type in azl source, static void init_unpack()

image
  • Buddy Build
  • patch applied during the build (check rpm.log)
  • patch include an upstream reference
  • PR has security tag

⚠️ Yet to trigger Full build

My review: Patch LGTM. Waiting for the full build, since it's a toolchain package.

@Kanishk-Bansal Kanishk-Bansal marked this pull request as ready for review July 7, 2026 14:52
@Kanishk-Bansal Kanishk-Bansal requested a review from a team as a code owner July 7, 2026 14:52
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants