diff options
| author | Ross Burton <ross.burton@intel.com> | 2019-07-29 07:20:56 +0800 |
|---|---|---|
| committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2019-07-29 23:50:43 +0100 |
| commit | d0e65410f4f0d394614f338899ca19096afbd85a (patch) | |
| tree | 06b69c01d700361b90caaa53e53a4ad0ac41148c /meta/recipes-extended/libarchive/libarchive/CVE-2018-1000879.patch | |
| parent | acd46a34c4642c3aba1ea50700110a3902cdafe6 (diff) | |
| download | poky-d0e65410f4f0d394614f338899ca19096afbd85a.tar.gz | |
libarchive: integrate security fixes
Fix the following CVEs by backporting patches from upstream:
- CVE-2019-1000019
- CVE-2019-1000020
- CVE-2018-1000877
- CVE-2018-1000878
- CVE-2018-1000879
- CVE-2018-1000880
(From OE-Core rev: ea251020304b9c18f31c39de867a47311b1bb46c)
(From OE-Core rev: 6cba048de29dfea44e926b00e5ea91359e7cbebd)
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-extended/libarchive/libarchive/CVE-2018-1000879.patch')
| -rw-r--r-- | meta/recipes-extended/libarchive/libarchive/CVE-2018-1000879.patch | 50 |
1 files changed, 50 insertions, 0 deletions
diff --git a/meta/recipes-extended/libarchive/libarchive/CVE-2018-1000879.patch b/meta/recipes-extended/libarchive/libarchive/CVE-2018-1000879.patch new file mode 100644 index 0000000000..9f25932a1a --- /dev/null +++ b/meta/recipes-extended/libarchive/libarchive/CVE-2018-1000879.patch | |||
| @@ -0,0 +1,50 @@ | |||
| 1 | CVE: CVE-2018-1000879 | ||
| 2 | Upstream-Status: Backport | ||
| 3 | Signed-off-by: Ross Burton <ross.burton@intel.com> | ||
| 4 | |||
| 5 | From 15bf44fd2c1ad0e3fd87048b3fcc90c4dcff1175 Mon Sep 17 00:00:00 2001 | ||
| 6 | From: Daniel Axtens <dja@axtens.net> | ||
| 7 | Date: Tue, 4 Dec 2018 14:29:42 +1100 | ||
| 8 | Subject: [PATCH] Skip 0-length ACL fields | ||
| 9 | |||
| 10 | Currently, it is possible to create an archive that crashes bsdtar | ||
| 11 | with a malformed ACL: | ||
| 12 | |||
| 13 | Program received signal SIGSEGV, Segmentation fault. | ||
| 14 | archive_acl_from_text_l (acl=<optimised out>, text=0x7e2e92 "", want_type=<optimised out>, sc=<optimised out>) at libarchive/archive_acl.c:1726 | ||
| 15 | 1726 switch (*s) { | ||
| 16 | (gdb) p n | ||
| 17 | $1 = 1 | ||
| 18 | (gdb) p field[n] | ||
| 19 | $2 = {start = 0x0, end = 0x0} | ||
| 20 | |||
| 21 | Stop this by checking that the length is not zero before beginning | ||
| 22 | the switch statement. | ||
| 23 | |||
| 24 | I am pretty sure this is the bug mentioned in the qsym paper [1], | ||
| 25 | and I was able to replicate it with a qsym + AFL + afl-rb setup. | ||
| 26 | |||
| 27 | [1] https://www.usenix.org/conference/usenixsecurity18/presentation/yun | ||
| 28 | --- | ||
| 29 | libarchive/archive_acl.c | 5 +++++ | ||
| 30 | 1 file changed, 5 insertions(+) | ||
| 31 | |||
| 32 | diff --git a/libarchive/archive_acl.c b/libarchive/archive_acl.c | ||
| 33 | index 512beee1..7beeee86 100644 | ||
| 34 | --- a/libarchive/archive_acl.c | ||
| 35 | +++ b/libarchive/archive_acl.c | ||
| 36 | @@ -1723,6 +1723,11 @@ archive_acl_from_text_l(struct archive_acl *acl, const char *text, | ||
| 37 | st = field[n].start + 1; | ||
| 38 | len = field[n].end - field[n].start; | ||
| 39 | |||
| 40 | + if (len == 0) { | ||
| 41 | + ret = ARCHIVE_WARN; | ||
| 42 | + continue; | ||
| 43 | + } | ||
| 44 | + | ||
| 45 | switch (*s) { | ||
| 46 | case 'u': | ||
| 47 | if (len == 1 || (len == 4 | ||
| 48 | -- | ||
| 49 | 2.20.0 | ||
| 50 | |||