summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorAndrej Valek <andrej.valek@siemens.com>2017-09-11 16:20:37 +0200
committerRichard Purdie <richard.purdie@linuxfoundation.org>2017-09-12 23:55:29 +0100
commitfed25846aca85cc83db0a1cb9f05f4736b8b9287 (patch)
tree96932dd6c23dcd75298d0a53bc7ceabfc783ff71
parentf44dfe63a49675e51a72ba271771c1c26650cb43 (diff)
downloadpoky-fed25846aca85cc83db0a1cb9f05f4736b8b9287.tar.gz
libarchive: fix bug929 and CVE-2017-14166
(From OE-Core rev: 9b248a17d60b70cb715f15c0401dc5ddc38eee98) Signed-off-by: Andrej Valek <andrej.valek@siemens.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r--meta/recipes-extended/libarchive/libarchive/CVE-2017-14166.patch37
-rw-r--r--meta/recipes-extended/libarchive/libarchive/bug929.patch38
-rw-r--r--meta/recipes-extended/libarchive/libarchive_3.3.2.bb2
3 files changed, 77 insertions, 0 deletions
diff --git a/meta/recipes-extended/libarchive/libarchive/CVE-2017-14166.patch b/meta/recipes-extended/libarchive/libarchive/CVE-2017-14166.patch
new file mode 100644
index 0000000000..e85fec40aa
--- /dev/null
+++ b/meta/recipes-extended/libarchive/libarchive/CVE-2017-14166.patch
@@ -0,0 +1,37 @@
1libarchive-3.3.2: Fix CVE-2017-14166
2
3[No upstream tracking] -- https://github.com/libarchive/libarchive/pull/935
4
5archive_read_support_format_xar: heap-based buffer overflow in xml_data
6
7Upstream-Status: Backport [https://github.com/libarchive/libarchive/commit/fa7438a0ff4033e4741c807394a9af6207940d71]
8CVE: CVE-2017-14166
9Bug: 935
10Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
11
12diff --git a/libarchive/archive_read_support_format_xar.c b/libarchive/archive_read_support_format_xar.c
13index 7a22beb..93eeacc 100644
14--- a/libarchive/archive_read_support_format_xar.c
15+++ b/libarchive/archive_read_support_format_xar.c
16@@ -1040,6 +1040,9 @@ atol10(const char *p, size_t char_cnt)
17 uint64_t l;
18 int digit;
19
20+ if (char_cnt == 0)
21+ return (0);
22+
23 l = 0;
24 digit = *p - '0';
25 while (digit >= 0 && digit < 10 && char_cnt-- > 0) {
26@@ -1054,7 +1057,10 @@ atol8(const char *p, size_t char_cnt)
27 {
28 int64_t l;
29 int digit;
30-
31+
32+ if (char_cnt == 0)
33+ return (0);
34+
35 l = 0;
36 while (char_cnt-- > 0) {
37 if (*p >= '0' && *p <= '7')
diff --git a/meta/recipes-extended/libarchive/libarchive/bug929.patch b/meta/recipes-extended/libarchive/libarchive/bug929.patch
new file mode 100644
index 0000000000..2f3254c8dc
--- /dev/null
+++ b/meta/recipes-extended/libarchive/libarchive/bug929.patch
@@ -0,0 +1,38 @@
1libarchive-3.3.2: Fix bug929
2
3[No upstream tracking] -- https://github.com/libarchive/libarchive/pull/929
4
5archive_read_support_format_cpio: header_newc(): Avoid overflow when reading corrupt
6cpio archive
7
8A cpio "newc" archive with a namelength of "FFFFFFFF", if read on a
9system with a 32-bit size_t, would result in namelength + name_pad
10overflowing 32 bits and libarchive attempting to copy 2^32-1 bytes
11from a 2-byte buffer, with appropriately hilarious results.
12
13Check for this overflow and fail; there's no legitimate reason for a
14cpio archive to contain a file with a name over 4 billion characters
15in length.
16
17Upstream-Status: Backport [https://github.com/libarchive/libarchive/commit/bac4659e0b970990e7e3f3a3d239294e96311630]
18Bug: 929
19Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
20
21diff --git a/libarchive/archive_read_support_format_cpio.c b/libarchive/archive_read_support_format_cpio.c
22index ad9f782..1faa64d 100644
23--- a/libarchive/archive_read_support_format_cpio.c
24+++ b/libarchive/archive_read_support_format_cpio.c
25@@ -633,6 +633,13 @@ header_newc(struct archive_read *a, struct cpio *cpio,
26 /* Pad name to 2 more than a multiple of 4. */
27 *name_pad = (2 - *namelength) & 3;
28
29+ /* Make sure that the padded name length fits into size_t. */
30+ if ((size_t)(*namelength + *name_pad) < *namelength) {
31+ archive_set_error(&a->archive, ARCHIVE_ERRNO_FILE_FORMAT,
32+ "cpio archive has invalid namelength");
33+ return (ARCHIVE_FATAL);
34+ }
35+
36 /*
37 * Note: entry_bytes_remaining is at least 64 bits and
38 * therefore guaranteed to be big enough for a 33-bit file
diff --git a/meta/recipes-extended/libarchive/libarchive_3.3.2.bb b/meta/recipes-extended/libarchive/libarchive_3.3.2.bb
index 5c3895e547..9e4588fe77 100644
--- a/meta/recipes-extended/libarchive/libarchive_3.3.2.bb
+++ b/meta/recipes-extended/libarchive/libarchive_3.3.2.bb
@@ -32,6 +32,8 @@ PACKAGECONFIG[lz4] = "--with-lz4,--without-lz4,lz4,"
32EXTRA_OECONF += "--enable-largefile" 32EXTRA_OECONF += "--enable-largefile"
33 33
34SRC_URI = "http://libarchive.org/downloads/libarchive-${PV}.tar.gz \ 34SRC_URI = "http://libarchive.org/downloads/libarchive-${PV}.tar.gz \
35 file://bug929.patch \
36 file://CVE-2017-14166.patch \
35 " 37 "
36 38
37SRC_URI[md5sum] = "4583bd6b2ebf7e0e8963d90879eb1b27" 39SRC_URI[md5sum] = "4583bd6b2ebf7e0e8963d90879eb1b27"