[gnome-continuous-yocto/gnomeostree-3.28-rocko: 7661/8267] libarchive: fix bug929 and CVE-2017-14166

From: Emmanuele Bassi <ebassi src gnome org>
To: commits-list gnome org
Cc:
Subject: [gnome-continuous-yocto/gnomeostree-3.28-rocko: 7661/8267] libarchive: fix bug929 and CVE-2017-14166
Date: Sun, 17 Dec 2017 06:33:41 +0000 (UTC)
commit fed25846aca85cc83db0a1cb9f05f4736b8b9287
Author: Andrej Valek <andrej valek siemens com>
Date:   Mon Sep 11 16:20:37 2017 +0200

    libarchive: fix bug929 and CVE-2017-14166
    
    (From OE-Core rev: 9b248a17d60b70cb715f15c0401dc5ddc38eee98)
    
    Signed-off-by: Andrej Valek <andrej valek siemens com>
    Signed-off-by: Richard Purdie <richard purdie linuxfoundation org>

 .../libarchive/libarchive/CVE-2017-14166.patch     |   37 +++++++++++++++++++
 .../libarchive/libarchive/bug929.patch             |   38 ++++++++++++++++++++
 .../libarchive/libarchive_3.3.2.bb                 |    2 +
 3 files changed, 77 insertions(+), 0 deletions(-)
---
diff --git a/meta/recipes-extended/libarchive/libarchive/CVE-2017-14166.patch 
b/meta/recipes-extended/libarchive/libarchive/CVE-2017-14166.patch
new file mode 100644
index 0000000..e85fec4
--- /dev/null
+++ b/meta/recipes-extended/libarchive/libarchive/CVE-2017-14166.patch
@@ -0,0 +1,37 @@
+libarchive-3.3.2: Fix CVE-2017-14166
+
+[No upstream tracking] -- https://github.com/libarchive/libarchive/pull/935
+
+archive_read_support_format_xar: heap-based buffer overflow in xml_data
+
+Upstream-Status: Backport 
[https://github.com/libarchive/libarchive/commit/fa7438a0ff4033e4741c807394a9af6207940d71]
+CVE: CVE-2017-14166
+Bug: 935
+Signed-off-by: Andrej Valek <andrej valek siemens com>
+
+diff --git a/libarchive/archive_read_support_format_xar.c b/libarchive/archive_read_support_format_xar.c
+index 7a22beb..93eeacc 100644
+--- a/libarchive/archive_read_support_format_xar.c
++++ b/libarchive/archive_read_support_format_xar.c
+@@ -1040,6 +1040,9 @@ atol10(const char *p, size_t char_cnt)
+       uint64_t l;
+       int digit;
+ 
++      if (char_cnt == 0)
++              return (0);
++
+       l = 0;
+       digit = *p - '0';
+       while (digit >= 0 && digit < 10  && char_cnt-- > 0) {
+@@ -1054,7 +1057,10 @@ atol8(const char *p, size_t char_cnt)
+ {
+       int64_t l;
+       int digit;
+-        
++
++      if (char_cnt == 0)
++              return (0);
++
+       l = 0;
+       while (char_cnt-- > 0) {
+               if (*p >= '0' && *p <= '7')
diff --git a/meta/recipes-extended/libarchive/libarchive/bug929.patch 
b/meta/recipes-extended/libarchive/libarchive/bug929.patch
new file mode 100644
index 0000000..2f3254c
--- /dev/null
+++ b/meta/recipes-extended/libarchive/libarchive/bug929.patch
@@ -0,0 +1,38 @@
+libarchive-3.3.2: Fix bug929
+
+[No upstream tracking] -- https://github.com/libarchive/libarchive/pull/929
+
+archive_read_support_format_cpio: header_newc(): Avoid overflow when reading corrupt
+cpio archive
+
+A cpio "newc" archive with a namelength of "FFFFFFFF", if read on a
+system with a 32-bit size_t, would result in namelength + name_pad
+overflowing 32 bits and libarchive attempting to copy 2^32-1 bytes
+from a 2-byte buffer, with appropriately hilarious results.
+
+Check for this overflow and fail; there's no legitimate reason for a
+cpio archive to contain a file with a name over 4 billion characters
+in length.
+
+Upstream-Status: Backport 
[https://github.com/libarchive/libarchive/commit/bac4659e0b970990e7e3f3a3d239294e96311630]
+Bug: 929
+Signed-off-by: Andrej Valek <andrej valek siemens com>
+
+diff --git a/libarchive/archive_read_support_format_cpio.c b/libarchive/archive_read_support_format_cpio.c
+index ad9f782..1faa64d 100644
+--- a/libarchive/archive_read_support_format_cpio.c
++++ b/libarchive/archive_read_support_format_cpio.c
+@@ -633,6 +633,13 @@ header_newc(struct archive_read *a, struct cpio *cpio,
+       /* Pad name to 2 more than a multiple of 4. */
+       *name_pad = (2 - *namelength) & 3;
+ 
++      /* Make sure that the padded name length fits into size_t. */
++      if ((size_t)(*namelength + *name_pad) < *namelength) {
++              archive_set_error(&a->archive, ARCHIVE_ERRNO_FILE_FORMAT,
++                  "cpio archive has invalid namelength");
++              return (ARCHIVE_FATAL);
++      }
++
+       /*
+        * Note: entry_bytes_remaining is at least 64 bits and
+        * therefore guaranteed to be big enough for a 33-bit file
diff --git a/meta/recipes-extended/libarchive/libarchive_3.3.2.bb 
b/meta/recipes-extended/libarchive/libarchive_3.3.2.bb
index 5c3895e..9e4588f 100644
--- a/meta/recipes-extended/libarchive/libarchive_3.3.2.bb
+++ b/meta/recipes-extended/libarchive/libarchive_3.3.2.bb
@@ -32,6 +32,8 @@ PACKAGECONFIG[lz4] = "--with-lz4,--without-lz4,lz4,"
 EXTRA_OECONF += "--enable-largefile"
 
 SRC_URI = "http://libarchive.org/downloads/libarchive-${PV}.tar.gz \
+           file://bug929.patch \
+           file://CVE-2017-14166.patch \
           "
 
 SRC_URI[md5sum] = "4583bd6b2ebf7e0e8963d90879eb1b27"
[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]