libarchive: integrate security fixes

Fix the following CVEs by backporting patches from upstream: - CVE-2019-1000019 - CVE-2019-1000020 - CVE-2018-1000877 - CVE-2018-1000878 - CVE-2018-1000879 - CVE-2018-1000880 (From OE-Core rev: ea251020304b9c18f31c39de867a47311b1bb46c) (From OE-Core rev: 6cba048de29dfea44e926b00e5ea91359e7cbebd) Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Ross Burton <ross.burton@intel.com> 2019-07-29 07:20:56 +0800
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2019-07-29 23:50:43 +0100
commit: d0e65410f4f0d394614f338899ca19096afbd85a (patch)
tree: 06b69c01d700361b90caaa53e53a4ad0ac41148c /meta/recipes-extended/libarchive/libarchive/CVE-2018-1000877.patch
parent: acd46a34c4642c3aba1ea50700110a3902cdafe6 (diff)
download: poky-d0e65410f4f0d394614f338899ca19096afbd85a.tar.gz
1 files changed, 38 insertions, 0 deletions
diff --git a/meta/recipes-extended/libarchive/libarchive/CVE-2018-1000877.patch b/meta/recipes-extended/libarchive/libarchive/CVE-2018-1000877.patch
new file mode 100644
index 0000000000..ce638370bd
--- /dev/null
+++ b/meta/recipes-extended/libarchive/libarchive/CVE-2018-1000877.patch
@@ -0,0 +1,38 @@
+CVE: CVE-2018-1000877
+Upstream-Status: Backport
+Signed-off-by: Ross Burton <ross.burton@intel.com>
+From 021efa522ad729ff0f5806c4ce53e4a6cc1daa31 Mon Sep 17 00:00:00 2001
+From: Daniel Axtens <dja@axtens.net>
+Date: Tue, 20 Nov 2018 17:56:29 +1100
+Subject: [PATCH] Avoid a double-free when a window size of 0 is specified
+new_size can be 0 with a malicious or corrupted RAR archive.
+realloc(area, 0) is equivalent to free(area), so the region would
+be free()d here and the free()d again in the cleanup function.
+Found with a setup running AFL, afl-rb, and qsym.
+---
+ libarchive/archive_read_support_format_rar.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+diff --git a/libarchive/archive_read_support_format_rar.c b/libarchive/archive_read_support_format_rar.c
+index 23452222..6f419c27 100644
+--- a/libarchive/archive_read_support_format_rar.c
+++ b/libarchive/archive_read_support_format_rar.c
+@@ -2300,6 +2300,11 @@ parse_codes(struct archive_read *a)
+       new_size = DICTIONARY_MAX_SIZE;
+     else
+       new_size = rar_fls((unsigned int)rar->unp_size) << 1;
+    if (new_size == 0) {
+      archive_set_error(&a->archive, ARCHIVE_ERRNO_FILE_FORMAT,
+                        "Zero window size is invalid.");
+      return (ARCHIVE_FATAL);
+    }
+     new_window = realloc(rar->lzss.window, new_size);
+     if (new_window == NULL) {
+       archive_set_error(&a->archive, ENOMEM,
+-- 
+2.20.0
author	Ross Burton <ross.burton@intel.com>	2019-07-29 07:20:56 +0800
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2019-07-29 23:50:43 +0100
commit	d0e65410f4f0d394614f338899ca19096afbd85a (patch)
tree	06b69c01d700361b90caaa53e53a4ad0ac41148c /meta/recipes-extended/libarchive/libarchive/CVE-2018-1000877.patch
parent	acd46a34c4642c3aba1ea50700110a3902cdafe6 (diff)
download	poky-d0e65410f4f0d394614f338899ca19096afbd85a.tar.gz

diff --git a/meta/recipes-extended/libarchive/libarchive/CVE-2018-1000877.patch b/meta/recipes-extended/libarchive/libarchive/CVE-2018-1000877.patch new file mode 100644 index 0000000000..ce638370bd --- /dev/null +++ b/meta/recipes-extended/libarchive/libarchive/CVE-2018-1000877.patch
@@ -0,0 +1,38 @@
	1	CVE: CVE-2018-1000877
	2	Upstream-Status: Backport
	3	Signed-off-by: Ross Burton <ross.burton@intel.com>
	4
	5	From 021efa522ad729ff0f5806c4ce53e4a6cc1daa31 Mon Sep 17 00:00:00 2001
	6	From: Daniel Axtens <dja@axtens.net>
	7	Date: Tue, 20 Nov 2018 17:56:29 +1100
	8	Subject: [PATCH] Avoid a double-free when a window size of 0 is specified
	9
	10	new_size can be 0 with a malicious or corrupted RAR archive.
	11
	12	realloc(area, 0) is equivalent to free(area), so the region would
	13	be free()d here and the free()d again in the cleanup function.
	14
	15	Found with a setup running AFL, afl-rb, and qsym.
	16	---
	17	libarchive/archive_read_support_format_rar.c \| 5 +++++
	18	1 file changed, 5 insertions(+)
	19
	20	diff --git a/libarchive/archive_read_support_format_rar.c b/libarchive/archive_read_support_format_rar.c
	21	index 23452222..6f419c27 100644
	22	--- a/libarchive/archive_read_support_format_rar.c
	23	+++ b/libarchive/archive_read_support_format_rar.c
	24	@@ -2300,6 +2300,11 @@ parse_codes(struct archive_read *a)
	25	new_size = DICTIONARY_MAX_SIZE;
	26	else
	27	new_size = rar_fls((unsigned int)rar->unp_size) << 1;
	28	+ if (new_size == 0) {
	29	+ archive_set_error(&a->archive, ARCHIVE_ERRNO_FILE_FORMAT,
	30	+ "Zero window size is invalid.");
	31	+ return (ARCHIVE_FATAL);
	32	+ }
	33	new_window = realloc(rar->lzss.window, new_size);
	34	if (new_window == NULL) {
	35	archive_set_error(&a->archive, ENOMEM,
	36	--
	37	2.20.0
	38