update to release 4

Signed-off-by: Toshaan Bharvani <toshaan@powerel.org>

SOURCES/libarchive-3.5.3-Fix-CVE-2022-26280.patch

@@ -0,0 +1,14 @@
+# Patch sources from libarchive upstream
+# Source: https://github.com/libarchive/libarchive/commit/cfaa28168a07ea4a53276b63068f94fce37d6aff
+
+--- libarchive-3.5.3/libarchive/archive_read_support_format_zip.c.old	2022-05-18 08:55:50.861574517 +0000
++++ libarchive-3.5.3/libarchive/archive_read_support_format_zip.c	2022-05-18 08:57:03.049574517 +0000
+@@ -1657,7 +1657,7 @@ zipx_lzma_alone_init(struct archive_read
+ 	 */
+ 
+ 	/* Read magic1,magic2,lzma_params from the ZIPX stream. */
+-	if((p = __archive_read_ahead(a, 9, NULL)) == NULL) {
++	if(zip->entry_bytes_remaining < 9 || (p = __archive_read_ahead(a, 9, NULL)) == NULL) {
+ 		archive_set_error(&a->archive, ARCHIVE_ERRNO_FILE_FORMAT,
+ 		    "Truncated lzma data");
+ 		return (ARCHIVE_FATAL);

SOURCES/libarchive-3.5.3-Fix-CVE-2022-36227.patch

@@ -0,0 +1,38 @@
+From bff38efe8c110469c5080d387bec62a6ca15b1a5 Mon Sep 17 00:00:00 2001
+From: obiwac <obiwac@gmail.com>
+Date: Fri, 22 Jul 2022 22:41:10 +0200
+Subject: [PATCH] libarchive: Handle a `calloc` returning NULL (fixes #1754)
+
+---
+ libarchive/archive_write.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/libarchive/archive_write.c b/libarchive/archive_write.c
+index 66592e82..27626b54 100644
+--- a/libarchive/archive_write.c
++++ b/libarchive/archive_write.c
+@@ -201,6 +201,10 @@ __archive_write_allocate_filter(struct archive *_a)
+ 	struct archive_write_filter *f;
+ 
+ 	f = calloc(1, sizeof(*f));
++
++	if (f == NULL)
++		return (NULL);
++
+ 	f->archive = _a;
+ 	f->state = ARCHIVE_WRITE_FILTER_STATE_NEW;
+ 	if (a->filter_first == NULL)
+@@ -548,6 +552,10 @@ archive_write_open2(struct archive *_a, void *client_data,
+ 	a->client_data = client_data;
+ 
+ 	client_filter = __archive_write_allocate_filter(_a);
++
++	if (client_filter == NULL)
++		return (ARCHIVE_FATAL);
++
+ 	client_filter->open = archive_write_client_open;
+ 	client_filter->write = archive_write_client_write;
+ 	client_filter->close = archive_write_client_close;
+-- 
+2.37.3
+

SOURCES/libarchive-3.5.3-Fix-size-filed-in-pax-header.patch

@@ -0,0 +1,41 @@
+From afef3d7fc131df0dac09a46b8673898860a193db Mon Sep 17 00:00:00 2001
+From: Zdenek Zambersky <zzambers@redhat.com>
+Date: Tue, 11 Jan 2022 14:43:27 +0100
+Subject: [PATCH] Fixed size filed in pax header
+
+---
+ libarchive/archive_write_set_format_pax.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/libarchive/archive_write_set_format_pax.c b/libarchive/archive_write_set_format_pax.c
+index a2b27107..52911491 100644
+--- a/libarchive/archive_write_set_format_pax.c
++++ b/libarchive/archive_write_set_format_pax.c
+@@ -1028,10 +1028,8 @@ archive_write_pax_header(struct archive_write *a,
+ 	archive_string_init(&entry_name);
+ 	archive_strcpy(&entry_name, archive_entry_pathname(entry_main));
+ 
+-	/* If file size is too large, add 'size' to pax extended attrs. */
++	/* If file size is too large, we need pax extended attrs. */
+ 	if (archive_entry_size(entry_main) >= (((int64_t)1) << 33)) {
+-		add_pax_attr_int(&(pax->pax_header), "size",
+-		    archive_entry_size(entry_main));
+ 		need_extension = 1;
+ 	}
+ 
+@@ -1347,6 +1345,12 @@ archive_write_pax_header(struct archive_write *a,
+ 		    mapsize + pax->sparse_map_padding + sparse_total);
+ 	}
+ 
++	/* If file size is too large, add 'size' to pax extended attrs. */
++	if (archive_entry_size(entry_main) >= (((int64_t)1) << 33)) {
++		add_pax_attr_int(&(pax->pax_header), "size",
++		    archive_entry_size(entry_main));
++	}
++
+ 	/* Format 'ustar' header for main entry.
+ 	 *
+ 	 * The trouble with file size: If the reader can't understand
+-- 
+2.34.3
+

SPECS/libarchive.spec

@@ -2,7 +2,7 @@
 
 Name:           libarchive
 Version:        3.5.3
-Release:        1%{?dist}
+Release:        4%{?dist}
 Summary:        A library for handling streaming archive formats
 
 License:        BSD
@@ -10,6 +10,12 @@ URL:            https://www.libarchive.org/
 Source0:        https://libarchive.org/downloads/%{name}-%{version}.tar.gz
 
 Patch1:         openssl3-rmd160failure.patch
+# Source: https://github.com/libarchive/libarchive/commit/cfaa28168a07ea4a53276b63068f94fce37d6aff
+Patch2: 	%{name}-3.5.3-Fix-CVE-2022-26280.patch
+# Source: https://github.com/libarchive/libarchive/commit/b1b501161013296d19dfe9acb84a341c8a1755b9
+Patch3: 	%{name}-3.5.3-Fix-size-filed-in-pax-header.patch
+# Source: https://github.com/libarchive/libarchive/commit/fd180c36036df7181a64931264732a10ad8cd024
+Patch4:		%{name}-3.5.3-Fix-CVE-2022-36227.patch
 
 BuildRequires:  automake
 BuildRequires:  bison
@@ -213,6 +219,15 @@ run_testsuite
 
 
 %changelog
+* Wed Nov 23 2022 Lukas Javorsky <ljavorsk@redhat.com> - 3.5.3-4
+- Resolves: CVE-2022-36227
+
+* Tue Jul 12 2022 Lukas Javorsky <ljavorsk@redhat.com> - 3.5.3-3
+- Resolves: #2106651
+
+* Wed May 18 2022 Lukas Javorsky <ljavorsk@redhat.com> - 3.5.3-2
+- Resolves: CVE-2022-26280
+
 * Mon Feb 14 2022 Lukas Javorsky <ljavorsk@redhat.com> - 3.5.3-1
 - Rebase to version 3.5.3