author | Ross Burton <ross.burton@intel.com> | 2019-07-29 07:20:56 +0800 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2019-07-29 23:50:43 +0100 |
commit | d0e65410f4f0d394614f338899ca19096afbd85a (patch) | |
tree | 06b69c01d700361b90caaa53e53a4ad0ac41148c /meta/recipes-extended/libarchive/libarchive/CVE-2018-1000879.patch | |
parent | acd46a34c4642c3aba1ea50700110a3902cdafe6 (diff) | |
download | poky-d0e65410f4f0d394614f338899ca19096afbd85a.tar.gz |
libarchive: integrate security fixes
Fix the following CVEs by backporting patches from upstream:
- CVE-2019-1000019
- CVE-2019-1000020
- CVE-2018-1000877
- CVE-2018-1000878
- CVE-2018-1000879
- CVE-2018-1000880
(From OE-Core rev: ea251020304b9c18f31c39de867a47311b1bb46c)
(From OE-Core rev: 6cba048de29dfea44e926b00e5ea91359e7cbebd)
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-extended/libarchive/libarchive/CVE-2018-1000879.patch')
-rw-r--r-- | meta/recipes-extended/libarchive/libarchive/CVE-2018-1000879.patch | 50 |
1 files changed, 50 insertions, 0 deletions
diff --git a/meta/recipes-extended/libarchive/libarchive/CVE-2018-1000879.patch b/meta/recipes-extended/libarchive/libarchive/CVE-2018-1000879.patch new file mode 100644 index 0000000000..9f25932a1a --- /dev/null +++ b/meta/recipes-extended/libarchive/libarchive/CVE-2018-1000879.patch | |||
@@ -0,0 +1,50 @@ | |||
1 | CVE: CVE-2018-1000879 | ||
2 | Upstream-Status: Backport | ||
3 | Signed-off-by: Ross Burton <ross.burton@intel.com> | ||
4 | |||
5 | From 15bf44fd2c1ad0e3fd87048b3fcc90c4dcff1175 Mon Sep 17 00:00:00 2001 | ||
6 | From: Daniel Axtens <dja@axtens.net> | ||
7 | Date: Tue, 4 Dec 2018 14:29:42 +1100 | ||
8 | Subject: [PATCH] Skip 0-length ACL fields | ||
9 | |||
10 | Currently, it is possible to create an archive that crashes bsdtar | ||
11 | with a malformed ACL: | ||
12 | |||
13 | Program received signal SIGSEGV, Segmentation fault. | ||
14 | archive_acl_from_text_l (acl=<optimised out>, text=0x7e2e92 "", want_type=<optimised out>, sc=<optimised out>) at libarchive/archive_acl.c:1726 | ||
15 | 1726 switch (*s) { | ||
16 | (gdb) p n | ||
17 | $1 = 1 | ||
18 | (gdb) p field[n] | ||
19 | $2 = {start = 0x0, end = 0x0} | ||
20 | |||
21 | Stop this by checking that the length is not zero before beginning | ||
22 | the switch statement. | ||
23 | |||
24 | I am pretty sure this is the bug mentioned in the qsym paper [1], | ||
25 | and I was able to replicate it with a qsym + AFL + afl-rb setup. | ||
26 | |||
27 | [1] https://www.usenix.org/conference/usenixsecurity18/presentation/yun | ||
28 | --- | ||
29 | libarchive/archive_acl.c | 5 +++++ | ||
30 | 1 file changed, 5 insertions(+) | ||
31 | |||
32 | diff --git a/libarchive/archive_acl.c b/libarchive/archive_acl.c | ||
33 | index 512beee1..7beeee86 100644 | ||
34 | --- a/libarchive/archive_acl.c | ||
35 | +++ b/libarchive/archive_acl.c | ||
36 | @@ -1723,6 +1723,11 @@ archive_acl_from_text_l(struct archive_acl *acl, const char *text, | ||
37 | st = field[n].start + 1; | ||
38 | len = field[n].end - field[n].start; | ||
39 | |||
40 | + if (len == 0) { | ||
41 | + ret = ARCHIVE_WARN; | ||
42 | + continue; | ||
43 | + } | ||
44 | + | ||
45 | switch (*s) { | ||
46 | case 'u': | ||
47 | if (len == 1 || (len == 4 | ||
48 | -- | ||
49 | 2.20.0 | ||
50 | |||
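Review bot: in the archive_acl.c hunk the new `len == 0` guard comes after `st = field[n].start + 1`, and the gdb output in the commit message shows `field[n].start` is 0x0 in the crashing case, so that line still does pointer arithmetic on a null pointer before the guard runs. Computing `len` first and testing it before `st` is assigned (or testing `field[n].start` directly) would keep the whole block clear of the empty field. The guard sets `ret = ARCHIVE_WARN` and continues, so a caller only sees a warning for the dropped entry; a short comment above the `if` saying that zero-length fields are skipped on purpose would help the next reader. The inner diffstat lists only libarchive/archive_acl.c with 5 insertions, so no regression test with the malformed ACL comes with the fix. On the recipe side, the `Upstream-Status: Backport` line gives no upstream reference; the upstream commit hash is already in the `From` line below it and could be cited there.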