libarchive: fix bug929 and CVE-2017-14166

(From OE-Core rev: 9b248a17d60b70cb715f15c0401dc5ddc38eee98) Signed-off-by: Andrej Valek <andrej.valek@siemens.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Andrej Valek <andrej.valek@siemens.com> 2017-09-11 16:20:37 +0200
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2017-09-12 23:55:29 +0100
commit: fed25846aca85cc83db0a1cb9f05f4736b8b9287 (patch)
tree: 96932dd6c23dcd75298d0a53bc7ceabfc783ff71
parent: f44dfe63a49675e51a72ba271771c1c26650cb43 (diff)
download: poky-fed25846aca85cc83db0a1cb9f05f4736b8b9287.tar.gz
3 files changed, 77 insertions, 0 deletions
diff --git a/meta/recipes-extended/libarchive/libarchive/CVE-2017-14166.patch b/meta/recipes-extended/libarchive/libarchive/CVE-2017-14166.patch
new file mode 100644
index 0000000000..e85fec40aa
--- /dev/null
+++ b/meta/recipes-extended/libarchive/libarchive/CVE-2017-14166.patch
@@ -0,0 +1,37 @@
+libarchive-3.3.2: Fix CVE-2017-14166
+[No upstream tracking] -- https://github.com/libarchive/libarchive/pull/935
+archive_read_support_format_xar: heap-based buffer overflow in xml_data
+Upstream-Status: Backport [https://github.com/libarchive/libarchive/commit/fa7438a0ff4033e4741c807394a9af6207940d71]
+CVE: CVE-2017-14166
+Bug: 935
+Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
+diff --git a/libarchive/archive_read_support_format_xar.c b/libarchive/archive_read_support_format_xar.c
+index 7a22beb..93eeacc 100644
+--- a/libarchive/archive_read_support_format_xar.c
+++ b/libarchive/archive_read_support_format_xar.c
+@@ -1040,6 +1040,9 @@ atol10(const char *p, size_t char_cnt)
+        uint64_t l;
+        int digit;
+ 
+       if (char_cnt == 0)
+               return (0);
+
+        l = 0;
+        digit = *p - '0';
+        while (digit >= 0 && digit < 10  && char_cnt-- > 0) {
+@@ -1054,7 +1057,10 @@ atol8(const char *p, size_t char_cnt)
+ {
+        int64_t l;
+        int digit;
+-        
+
+       if (char_cnt == 0)
+               return (0);
+
+        l = 0;
+        while (char_cnt-- > 0) {
+                if (*p >= '0' && *p <= '7')
diff --git a/meta/recipes-extended/libarchive/libarchive/bug929.patch b/meta/recipes-extended/libarchive/libarchive/bug929.patch
new file mode 100644
index 0000000000..2f3254c8dc
--- /dev/null
+++ b/meta/recipes-extended/libarchive/libarchive/bug929.patch
@@ -0,0 +1,38 @@
+libarchive-3.3.2: Fix bug929
+[No upstream tracking] -- https://github.com/libarchive/libarchive/pull/929
+archive_read_support_format_cpio: header_newc(): Avoid overflow when reading corrupt
+cpio archive
+A cpio "newc" archive with a namelength of "FFFFFFFF", if read on a
+system with a 32-bit size_t, would result in namelength + name_pad
+overflowing 32 bits and libarchive attempting to copy 2^32-1 bytes
+from a 2-byte buffer, with appropriately hilarious results.
+Check for this overflow and fail; there's no legitimate reason for a
+cpio archive to contain a file with a name over 4 billion characters
+in length.
+Upstream-Status: Backport [https://github.com/libarchive/libarchive/commit/bac4659e0b970990e7e3f3a3d239294e96311630]
+Bug: 929
+Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
+diff --git a/libarchive/archive_read_support_format_cpio.c b/libarchive/archive_read_support_format_cpio.c
+index ad9f782..1faa64d 100644
+--- a/libarchive/archive_read_support_format_cpio.c
+++ b/libarchive/archive_read_support_format_cpio.c
+@@ -633,6 +633,13 @@ header_newc(struct archive_read *a, struct cpio *cpio,
+        /* Pad name to 2 more than a multiple of 4. */
+        *name_pad = (2 - *namelength) & 3;
+ 
+       /* Make sure that the padded name length fits into size_t. */
+       if ((size_t)(*namelength + *name_pad) < *namelength) {
+               archive_set_error(&a->archive, ARCHIVE_ERRNO_FILE_FORMAT,
+                   "cpio archive has invalid namelength");
+               return (ARCHIVE_FATAL);
+       }
+
+        /*
+         * Note: entry_bytes_remaining is at least 64 bits and
+         * therefore guaranteed to be big enough for a 33-bit file
diff --git a/meta/recipes-extended/libarchive/libarchive_3.3.2.bb b/meta/recipes-extended/libarchive/libarchive_3.3.2.bb
index 5c3895e547..9e4588fe77 100644
--- a/meta/recipes-extended/libarchive/libarchive_3.3.2.bb
+++ b/meta/recipes-extended/libarchive/libarchive_3.3.2.bb
@@ -32,6 +32,8 @@ PACKAGECONFIG[lz4] = "--with-lz4,--without-lz4,lz4,"
 EXTRA_OECONF += "--enable-largefile"
 SRC_URI = "http://libarchive.org/downloads/libarchive-${PV}.tar.gz \
+           file://bug929.patch \
+           file://CVE-2017-14166.patch \
          "
 SRC_URI[md5sum] = "4583bd6b2ebf7e0e8963d90879eb1b27"
author	Andrej Valek <andrej.valek@siemens.com>	2017-09-11 16:20:37 +0200
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2017-09-12 23:55:29 +0100
commit	fed25846aca85cc83db0a1cb9f05f4736b8b9287 (patch)
tree	96932dd6c23dcd75298d0a53bc7ceabfc783ff71
parent	f44dfe63a49675e51a72ba271771c1c26650cb43 (diff)
download	poky-fed25846aca85cc83db0a1cb9f05f4736b8b9287.tar.gz

diff --git a/meta/recipes-extended/libarchive/libarchive/CVE-2017-14166.patch b/meta/recipes-extended/libarchive/libarchive/CVE-2017-14166.patch new file mode 100644 index 0000000000..e85fec40aa --- /dev/null +++ b/meta/recipes-extended/libarchive/libarchive/CVE-2017-14166.patch
@@ -0,0 +1,37 @@
		1	libarchive-3.3.2: Fix CVE-2017-14166
		2
		3	[No upstream tracking] -- https://github.com/libarchive/libarchive/pull/935
		4
		5	archive_read_support_format_xar: heap-based buffer overflow in xml_data
		6
		7	Upstream-Status: Backport [https://github.com/libarchive/libarchive/commit/fa7438a0ff4033e4741c807394a9af6207940d71]
		8	CVE: CVE-2017-14166
		9	Bug: 935
		10	Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
		11
		12	diff --git a/libarchive/archive_read_support_format_xar.c b/libarchive/archive_read_support_format_xar.c
		13	index 7a22beb..93eeacc 100644
		14	--- a/libarchive/archive_read_support_format_xar.c
		15	+++ b/libarchive/archive_read_support_format_xar.c
		16	@@ -1040,6 +1040,9 @@ atol10(const char *p, size_t char_cnt)
		17	uint64_t l;
		18	int digit;
		19
		20	+ if (char_cnt == 0)
		21	+ return (0);
		22	+
		23	l = 0;
		24	digit = *p - '0';
		25	while (digit >= 0 && digit < 10 && char_cnt-- > 0) {
		26	@@ -1054,7 +1057,10 @@ atol8(const char *p, size_t char_cnt)
		27	{
		28	int64_t l;
		29	int digit;
		30	-
		31	+
		32	+ if (char_cnt == 0)
		33	+ return (0);
		34	+
		35	l = 0;
		36	while (char_cnt-- > 0) {
		37	if (p >= '0' && p <= '7')


diff --git a/meta/recipes-extended/libarchive/libarchive/bug929.patch b/meta/recipes-extended/libarchive/libarchive/bug929.patch new file mode 100644 index 0000000000..2f3254c8dc --- /dev/null +++ b/meta/recipes-extended/libarchive/libarchive/bug929.patch
@@ -0,0 +1,38 @@
		1	libarchive-3.3.2: Fix bug929
		2
		3	[No upstream tracking] -- https://github.com/libarchive/libarchive/pull/929
		4
		5	archive_read_support_format_cpio: header_newc(): Avoid overflow when reading corrupt
		6	cpio archive
		7
		8	A cpio "newc" archive with a namelength of "FFFFFFFF", if read on a
		9	system with a 32-bit size_t, would result in namelength + name_pad
		10	overflowing 32 bits and libarchive attempting to copy 2^32-1 bytes
		11	from a 2-byte buffer, with appropriately hilarious results.
		12
		13	Check for this overflow and fail; there's no legitimate reason for a
		14	cpio archive to contain a file with a name over 4 billion characters
		15	in length.
		16
		17	Upstream-Status: Backport [https://github.com/libarchive/libarchive/commit/bac4659e0b970990e7e3f3a3d239294e96311630]
		18	Bug: 929
		19	Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
		20
		21	diff --git a/libarchive/archive_read_support_format_cpio.c b/libarchive/archive_read_support_format_cpio.c
		22	index ad9f782..1faa64d 100644
		23	--- a/libarchive/archive_read_support_format_cpio.c
		24	+++ b/libarchive/archive_read_support_format_cpio.c
		25	@@ -633,6 +633,13 @@ header_newc(struct archive_read a, struct cpio cpio,
		26	/* Pad name to 2 more than a multiple of 4. */
		27	name_pad = (2 - namelength) & 3;
		28
		29	+ /* Make sure that the padded name length fits into size_t. */
		30	+ if ((size_t)(namelength + name_pad) < *namelength) {
		31	+ archive_set_error(&a->archive, ARCHIVE_ERRNO_FILE_FORMAT,
		32	+ "cpio archive has invalid namelength");
		33	+ return (ARCHIVE_FATAL);
		34	+ }
		35	+
		36	/*
		37	* Note: entry_bytes_remaining is at least 64 bits and
		38	* therefore guaranteed to be big enough for a 33-bit file


diff --git a/meta/recipes-extended/libarchive/libarchive_3.3.2.bb b/meta/recipes-extended/libarchive/libarchive_3.3.2.bb index 5c3895e547..9e4588fe77 100644 --- a/meta/recipes-extended/libarchive/libarchive_3.3.2.bb +++ b/meta/recipes-extended/libarchive/libarchive_3.3.2.bb
@@ -32,6 +32,8 @@ PACKAGECONFIG[lz4] = "--with-lz4,--without-lz4,lz4,"
32	EXTRA_OECONF += "--enable-largefile"	32	EXTRA_OECONF += "--enable-largefile"
33		33
34	SRC_URI = "http://libarchive.org/downloads/libarchive-${PV}.tar.gz \	34	SRC_URI = "http://libarchive.org/downloads/libarchive-${PV}.tar.gz \
		35	file://bug929.patch \
		36	file://CVE-2017-14166.patch \
35	"	37	"
36		38
37	SRC_URI[md5sum] = "4583bd6b2ebf7e0e8963d90879eb1b27"	39	SRC_URI[md5sum] = "4583bd6b2ebf7e0e8963d90879eb1b27"