summaryrefslogtreecommitdiffstats
path: root/meta/recipes-extended/libarchive
diff options
context:
space:
mode:
authorAnuj Mittal <anuj.mittal@intel.com>2019-11-27 11:29:50 +0800
committerRichard Purdie <richard.purdie@linuxfoundation.org>2019-11-29 17:43:40 +0000
commitc534b4640a026a6036e17e7543f3b1d8fe2ffc5e (patch)
treee77332f5a65c323073402a9446be91c30dd3dedb /meta/recipes-extended/libarchive
parent591856a8909279961c6c3db6f69e9144e42eccec (diff)
downloadpoky-c534b4640a026a6036e17e7543f3b1d8fe2ffc5e.tar.gz
libarchive: fix CVE-2019-19221
Also see: https://github.com/libarchive/libarchive/issues/1276 (From OE-Core rev: 422bef7a205b9b5d48d5b0e0b2b14ac65484607a) Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-extended/libarchive')
-rw-r--r--meta/recipes-extended/libarchive/libarchive/CVE-2019-19221.patch101
-rw-r--r--meta/recipes-extended/libarchive/libarchive_3.4.0.bb1
2 files changed, 102 insertions, 0 deletions
diff --git a/meta/recipes-extended/libarchive/libarchive/CVE-2019-19221.patch b/meta/recipes-extended/libarchive/libarchive/CVE-2019-19221.patch
new file mode 100644
index 0000000000..b57e87874f
--- /dev/null
+++ b/meta/recipes-extended/libarchive/libarchive/CVE-2019-19221.patch
@@ -0,0 +1,101 @@
1From 22b1db9d46654afc6f0c28f90af8cdc84a199f41 Mon Sep 17 00:00:00 2001
2From: Martin Matuska <martin@matuska.org>
3Date: Thu, 21 Nov 2019 03:08:40 +0100
4Subject: [PATCH] Bugfix and optimize archive_wstring_append_from_mbs()
5
6The cal to mbrtowc() or mbtowc() should read up to mbs_length
7bytes and not wcs_length. This avoids out-of-bounds reads.
8
9mbrtowc() and mbtowc() return (size_t)-1 wit errno EILSEQ when
10they encounter an invalid multibyte character and (size_t)-2 when
11they they encounter an incomplete multibyte character. As we return
12failure and all our callers error out it makes no sense to continue
13parsing mbs.
14
15As we allocate `len` wchars at the beginning and each wchar has
16at least one byte, there will never be need to grow the buffer,
17so the code can be left out. On the other hand, we are always
18allocatng more memory than we need.
19
20As long as wcs_length == mbs_length == len we can omit wcs_length.
21We keep the old code commented if we decide to save memory and
22use autoexpanding wcs_length in the future.
23
24Fixes #1276
25
26Upstream-Status: Backport [https://github.com/libarchive/libarchive/commit/22b1db9d46654afc6f0c28f90af8cdc84a199f41]
27CVE: CVE-2019-19221
28Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
29---
30 libarchive/archive_string.c | 28 +++++++++++++++++-----------
31 1 file changed, 17 insertions(+), 11 deletions(-)
32
33diff --git a/libarchive/archive_string.c b/libarchive/archive_string.c
34index 979a418b6..bd39c96f1 100644
35--- a/libarchive/archive_string.c
36+++ b/libarchive/archive_string.c
37@@ -591,7 +591,7 @@ archive_wstring_append_from_mbs(struct archive_wstring *dest,
38 * No single byte will be more than one wide character,
39 * so this length estimate will always be big enough.
40 */
41- size_t wcs_length = len;
42+ // size_t wcs_length = len;
43 size_t mbs_length = len;
44 const char *mbs = p;
45 wchar_t *wcs;
46@@ -600,7 +600,11 @@ archive_wstring_append_from_mbs(struct archive_wstring *dest,
47
48 memset(&shift_state, 0, sizeof(shift_state));
49 #endif
50- if (NULL == archive_wstring_ensure(dest, dest->length + wcs_length + 1))
51+ /*
52+ * As we decided to have wcs_length == mbs_length == len
53+ * we can use len here instead of wcs_length
54+ */
55+ if (NULL == archive_wstring_ensure(dest, dest->length + len + 1))
56 return (-1);
57 wcs = dest->s + dest->length;
58 /*
59@@ -609,6 +613,12 @@ archive_wstring_append_from_mbs(struct archive_wstring *dest,
60 * multi bytes.
61 */
62 while (*mbs && mbs_length > 0) {
63+ /*
64+ * The buffer we allocated is always big enough.
65+ * Keep this code path in a comment if we decide to choose
66+ * smaller wcs_length in the future
67+ */
68+/*
69 if (wcs_length == 0) {
70 dest->length = wcs - dest->s;
71 dest->s[dest->length] = L'\0';
72@@ -618,24 +628,20 @@ archive_wstring_append_from_mbs(struct archive_wstring *dest,
73 return (-1);
74 wcs = dest->s + dest->length;
75 }
76+*/
77 #if HAVE_MBRTOWC
78- r = mbrtowc(wcs, mbs, wcs_length, &shift_state);
79+ r = mbrtowc(wcs, mbs, mbs_length, &shift_state);
80 #else
81- r = mbtowc(wcs, mbs, wcs_length);
82+ r = mbtowc(wcs, mbs, mbs_length);
83 #endif
84 if (r == (size_t)-1 || r == (size_t)-2) {
85 ret_val = -1;
86- if (errno == EILSEQ) {
87- ++mbs;
88- --mbs_length;
89- continue;
90- } else
91- break;
92+ break;
93 }
94 if (r == 0 || r > mbs_length)
95 break;
96 wcs++;
97- wcs_length--;
98+ // wcs_length--;
99 mbs += r;
100 mbs_length -= r;
101 }
diff --git a/meta/recipes-extended/libarchive/libarchive_3.4.0.bb b/meta/recipes-extended/libarchive/libarchive_3.4.0.bb
index 9c0d5e26ec..755a9c7fa4 100644
--- a/meta/recipes-extended/libarchive/libarchive_3.4.0.bb
+++ b/meta/recipes-extended/libarchive/libarchive_3.4.0.bb
@@ -32,6 +32,7 @@ PACKAGECONFIG[lz4] = "--with-lz4,--without-lz4,lz4,"
32EXTRA_OECONF += "--enable-largefile" 32EXTRA_OECONF += "--enable-largefile"
33 33
34SRC_URI = "http://libarchive.org/downloads/libarchive-${PV}.tar.gz \ 34SRC_URI = "http://libarchive.org/downloads/libarchive-${PV}.tar.gz \
35 file://CVE-2019-19221.patch \
35" 36"
36 37
37SRC_URI[md5sum] = "6046396255bd7cf6d0f6603a9bda39ac" 38SRC_URI[md5sum] = "6046396255bd7cf6d0f6603a9bda39ac"