diff options
author | Andrej Valek <andrej.valek@siemens.com> | 2017-09-11 16:20:37 +0200 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2017-09-12 23:55:29 +0100 |
commit | fed25846aca85cc83db0a1cb9f05f4736b8b9287 (patch) | |
tree | 96932dd6c23dcd75298d0a53bc7ceabfc783ff71 /meta/recipes-extended | |
parent | f44dfe63a49675e51a72ba271771c1c26650cb43 (diff) | |
download | poky-fed25846aca85cc83db0a1cb9f05f4736b8b9287.tar.gz |
libarchive: fix bug929 and CVE-2017-14166
(From OE-Core rev: 9b248a17d60b70cb715f15c0401dc5ddc38eee98)
Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-extended')
3 files changed, 77 insertions, 0 deletions
diff --git a/meta/recipes-extended/libarchive/libarchive/CVE-2017-14166.patch b/meta/recipes-extended/libarchive/libarchive/CVE-2017-14166.patch new file mode 100644 index 0000000000..e85fec40aa --- /dev/null +++ b/meta/recipes-extended/libarchive/libarchive/CVE-2017-14166.patch | |||
@@ -0,0 +1,37 @@ | |||
1 | libarchive-3.3.2: Fix CVE-2017-14166 | ||
2 | |||
3 | [No upstream tracking] -- https://github.com/libarchive/libarchive/pull/935 | ||
4 | |||
5 | archive_read_support_format_xar: heap-based buffer overflow in xml_data | ||
6 | |||
7 | Upstream-Status: Backport [https://github.com/libarchive/libarchive/commit/fa7438a0ff4033e4741c807394a9af6207940d71] | ||
8 | CVE: CVE-2017-14166 | ||
9 | Bug: 935 | ||
10 | Signed-off-by: Andrej Valek <andrej.valek@siemens.com> | ||
11 | |||
12 | diff --git a/libarchive/archive_read_support_format_xar.c b/libarchive/archive_read_support_format_xar.c | ||
13 | index 7a22beb..93eeacc 100644 | ||
14 | --- a/libarchive/archive_read_support_format_xar.c | ||
15 | +++ b/libarchive/archive_read_support_format_xar.c | ||
16 | @@ -1040,6 +1040,9 @@ atol10(const char *p, size_t char_cnt) | ||
17 | uint64_t l; | ||
18 | int digit; | ||
19 | |||
20 | + if (char_cnt == 0) | ||
21 | + return (0); | ||
22 | + | ||
23 | l = 0; | ||
24 | digit = *p - '0'; | ||
25 | while (digit >= 0 && digit < 10 && char_cnt-- > 0) { | ||
26 | @@ -1054,7 +1057,10 @@ atol8(const char *p, size_t char_cnt) | ||
27 | { | ||
28 | int64_t l; | ||
29 | int digit; | ||
30 | - | ||
31 | + | ||
32 | + if (char_cnt == 0) | ||
33 | + return (0); | ||
34 | + | ||
35 | l = 0; | ||
36 | while (char_cnt-- > 0) { | ||
37 | if (*p >= '0' && *p <= '7') | ||
diff --git a/meta/recipes-extended/libarchive/libarchive/bug929.patch b/meta/recipes-extended/libarchive/libarchive/bug929.patch new file mode 100644 index 0000000000..2f3254c8dc --- /dev/null +++ b/meta/recipes-extended/libarchive/libarchive/bug929.patch | |||
@@ -0,0 +1,38 @@ | |||
1 | libarchive-3.3.2: Fix bug929 | ||
2 | |||
3 | [No upstream tracking] -- https://github.com/libarchive/libarchive/pull/929 | ||
4 | |||
5 | archive_read_support_format_cpio: header_newc(): Avoid overflow when reading corrupt | ||
6 | cpio archive | ||
7 | |||
8 | A cpio "newc" archive with a namelength of "FFFFFFFF", if read on a | ||
9 | system with a 32-bit size_t, would result in namelength + name_pad | ||
10 | overflowing 32 bits and libarchive attempting to copy 2^32-1 bytes | ||
11 | from a 2-byte buffer, with appropriately hilarious results. | ||
12 | |||
13 | Check for this overflow and fail; there's no legitimate reason for a | ||
14 | cpio archive to contain a file with a name over 4 billion characters | ||
15 | in length. | ||
16 | |||
17 | Upstream-Status: Backport [https://github.com/libarchive/libarchive/commit/bac4659e0b970990e7e3f3a3d239294e96311630] | ||
18 | Bug: 929 | ||
19 | Signed-off-by: Andrej Valek <andrej.valek@siemens.com> | ||
20 | |||
21 | diff --git a/libarchive/archive_read_support_format_cpio.c b/libarchive/archive_read_support_format_cpio.c | ||
22 | index ad9f782..1faa64d 100644 | ||
23 | --- a/libarchive/archive_read_support_format_cpio.c | ||
24 | +++ b/libarchive/archive_read_support_format_cpio.c | ||
25 | @@ -633,6 +633,13 @@ header_newc(struct archive_read *a, struct cpio *cpio, | ||
26 | /* Pad name to 2 more than a multiple of 4. */ | ||
27 | *name_pad = (2 - *namelength) & 3; | ||
28 | |||
29 | + /* Make sure that the padded name length fits into size_t. */ | ||
30 | + if ((size_t)(*namelength + *name_pad) < *namelength) { | ||
31 | + archive_set_error(&a->archive, ARCHIVE_ERRNO_FILE_FORMAT, | ||
32 | + "cpio archive has invalid namelength"); | ||
33 | + return (ARCHIVE_FATAL); | ||
34 | + } | ||
35 | + | ||
36 | /* | ||
37 | * Note: entry_bytes_remaining is at least 64 bits and | ||
38 | * therefore guaranteed to be big enough for a 33-bit file | ||
diff --git a/meta/recipes-extended/libarchive/libarchive_3.3.2.bb b/meta/recipes-extended/libarchive/libarchive_3.3.2.bb index 5c3895e547..9e4588fe77 100644 --- a/meta/recipes-extended/libarchive/libarchive_3.3.2.bb +++ b/meta/recipes-extended/libarchive/libarchive_3.3.2.bb | |||
@@ -32,6 +32,8 @@ PACKAGECONFIG[lz4] = "--with-lz4,--without-lz4,lz4," | |||
32 | EXTRA_OECONF += "--enable-largefile" | 32 | EXTRA_OECONF += "--enable-largefile" |
33 | 33 | ||
34 | SRC_URI = "http://libarchive.org/downloads/libarchive-${PV}.tar.gz \ | 34 | SRC_URI = "http://libarchive.org/downloads/libarchive-${PV}.tar.gz \ |
35 | file://bug929.patch \ | ||
36 | file://CVE-2017-14166.patch \ | ||
35 | " | 37 | " |
36 | 38 | ||
37 | SRC_URI[md5sum] = "4583bd6b2ebf7e0e8963d90879eb1b27" | 39 | SRC_URI[md5sum] = "4583bd6b2ebf7e0e8963d90879eb1b27" |