diff options
author | Ross Burton <ross.burton@intel.com> | 2019-07-29 07:20:56 +0800 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2019-07-29 23:50:43 +0100 |
commit | d0e65410f4f0d394614f338899ca19096afbd85a (patch) | |
tree | 06b69c01d700361b90caaa53e53a4ad0ac41148c /meta/recipes-extended/libarchive/libarchive/CVE-2018-1000877.patch | |
parent | acd46a34c4642c3aba1ea50700110a3902cdafe6 (diff) | |
download | poky-d0e65410f4f0d394614f338899ca19096afbd85a.tar.gz |
libarchive: integrate security fixes
Fix the following CVEs by backporting patches from upstream:
- CVE-2019-1000019
- CVE-2019-1000020
- CVE-2018-1000877
- CVE-2018-1000878
- CVE-2018-1000879
- CVE-2018-1000880
(From OE-Core rev: ea251020304b9c18f31c39de867a47311b1bb46c)
(From OE-Core rev: 6cba048de29dfea44e926b00e5ea91359e7cbebd)
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-extended/libarchive/libarchive/CVE-2018-1000877.patch')
-rw-r--r-- | meta/recipes-extended/libarchive/libarchive/CVE-2018-1000877.patch | 38 |
1 files changed, 38 insertions, 0 deletions
diff --git a/meta/recipes-extended/libarchive/libarchive/CVE-2018-1000877.patch b/meta/recipes-extended/libarchive/libarchive/CVE-2018-1000877.patch new file mode 100644 index 0000000000..ce638370bd --- /dev/null +++ b/meta/recipes-extended/libarchive/libarchive/CVE-2018-1000877.patch | |||
@@ -0,0 +1,38 @@ | |||
1 | CVE: CVE-2018-1000877 | ||
2 | Upstream-Status: Backport | ||
3 | Signed-off-by: Ross Burton <ross.burton@intel.com> | ||
4 | |||
5 | From 021efa522ad729ff0f5806c4ce53e4a6cc1daa31 Mon Sep 17 00:00:00 2001 | ||
6 | From: Daniel Axtens <dja@axtens.net> | ||
7 | Date: Tue, 20 Nov 2018 17:56:29 +1100 | ||
8 | Subject: [PATCH] Avoid a double-free when a window size of 0 is specified | ||
9 | |||
10 | new_size can be 0 with a malicious or corrupted RAR archive. | ||
11 | |||
12 | realloc(area, 0) is equivalent to free(area), so the region would | ||
13 | be free()d here and the free()d again in the cleanup function. | ||
14 | |||
15 | Found with a setup running AFL, afl-rb, and qsym. | ||
16 | --- | ||
17 | libarchive/archive_read_support_format_rar.c | 5 +++++ | ||
18 | 1 file changed, 5 insertions(+) | ||
19 | |||
20 | diff --git a/libarchive/archive_read_support_format_rar.c b/libarchive/archive_read_support_format_rar.c | ||
21 | index 23452222..6f419c27 100644 | ||
22 | --- a/libarchive/archive_read_support_format_rar.c | ||
23 | +++ b/libarchive/archive_read_support_format_rar.c | ||
24 | @@ -2300,6 +2300,11 @@ parse_codes(struct archive_read *a) | ||
25 | new_size = DICTIONARY_MAX_SIZE; | ||
26 | else | ||
27 | new_size = rar_fls((unsigned int)rar->unp_size) << 1; | ||
28 | + if (new_size == 0) { | ||
29 | + archive_set_error(&a->archive, ARCHIVE_ERRNO_FILE_FORMAT, | ||
30 | + "Zero window size is invalid."); | ||
31 | + return (ARCHIVE_FATAL); | ||
32 | + } | ||
33 | new_window = realloc(rar->lzss.window, new_size); | ||
34 | if (new_window == NULL) { | ||
35 | archive_set_error(&a->archive, ENOMEM, | ||
36 | -- | ||
37 | 2.20.0 | ||
38 | |||