diff options
3 files changed, 197 insertions, 0 deletions
diff --git a/meta/recipes-extended/libarchive/libarchive/CVE-2021-31566-01.patch b/meta/recipes-extended/libarchive/libarchive/CVE-2021-31566-01.patch new file mode 100644 index 0000000000..c4a2fb612c --- /dev/null +++ b/meta/recipes-extended/libarchive/libarchive/CVE-2021-31566-01.patch | |||
@@ -0,0 +1,23 @@ | |||
1 | Description: Never follow symlinks when setting file flags on Linux | ||
2 | Published as CVE-2021-31566 | ||
3 | Origin: upstream, https://github.com/libarchive/libarchive/commit/e2ad1a2c3064fa9eba6274b3641c4c1beed25c0b | ||
4 | Bug-Debian: https://bugs.debian.org/1001990 | ||
5 | Author: Martin Matuska <martin@matuska.org> | ||
6 | Last-Update: 2021-12-20 | ||
7 | |||
8 | CVE: CVE-2021-31566 | ||
9 | Upstream-Status: Backport [http://deb.debian.org/debian/pool/main/liba/libarchive/libarchive_3.4.3-2+deb11u1.debian.tar.xz] | ||
10 | Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com> | ||
11 | |||
12 | --- a/libarchive/archive_write_disk_posix.c | ||
13 | +++ b/libarchive/archive_write_disk_posix.c | ||
14 | @@ -3927,7 +3927,8 @@ | ||
15 | |||
16 | /* If we weren't given an fd, open it ourselves. */ | ||
17 | if (myfd < 0) { | ||
18 | - myfd = open(name, O_RDONLY | O_NONBLOCK | O_BINARY | O_CLOEXEC); | ||
19 | + myfd = open(name, O_RDONLY | O_NONBLOCK | O_BINARY | | ||
20 | + O_CLOEXEC | O_NOFOLLOW); | ||
21 | __archive_ensure_cloexec_flag(myfd); | ||
22 | } | ||
23 | if (myfd < 0) | ||
diff --git a/meta/recipes-extended/libarchive/libarchive/CVE-2021-31566-02.patch b/meta/recipes-extended/libarchive/libarchive/CVE-2021-31566-02.patch new file mode 100644 index 0000000000..0dfcd1ac5c --- /dev/null +++ b/meta/recipes-extended/libarchive/libarchive/CVE-2021-31566-02.patch | |||
@@ -0,0 +1,172 @@ | |||
1 | Description: Do not follow symlinks when processing the fixup list | ||
2 | Published as CVE-2021-31566 | ||
3 | Origin: upstream, https://github.com/libarchive/libarchive/commit/b41daecb5ccb4c8e3b2c53fd6147109fc12c3043 | ||
4 | Bug-Debian: https://bugs.debian.org/1001990 | ||
5 | Author: Martin Matuska <martin@matuska.org> | ||
6 | Last-Update: 2021-12-20 | ||
7 | |||
8 | CVE: CVE-2021-31566 | ||
9 | Upstream-Status: Backport [http://deb.debian.org/debian/pool/main/liba/libarchive/libarchive_3.4.3-2+deb11u1.debian.tar.xz] | ||
10 | Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com> | ||
11 | |||
12 | --- a/Makefile.am | ||
13 | +++ b/Makefile.am | ||
14 | @@ -556,6 +556,7 @@ | ||
15 | libarchive/test/test_write_disk.c \ | ||
16 | libarchive/test/test_write_disk_appledouble.c \ | ||
17 | libarchive/test/test_write_disk_failures.c \ | ||
18 | + libarchive/test/test_write_disk_fixup.c \ | ||
19 | libarchive/test/test_write_disk_hardlink.c \ | ||
20 | libarchive/test/test_write_disk_hfs_compression.c \ | ||
21 | libarchive/test/test_write_disk_lookup.c \ | ||
22 | --- a/libarchive/archive_write_disk_posix.c | ||
23 | +++ b/libarchive/archive_write_disk_posix.c | ||
24 | @@ -2461,6 +2461,7 @@ | ||
25 | { | ||
26 | struct archive_write_disk *a = (struct archive_write_disk *)_a; | ||
27 | struct fixup_entry *next, *p; | ||
28 | + struct stat st; | ||
29 | int fd, ret; | ||
30 | |||
31 | archive_check_magic(&a->archive, ARCHIVE_WRITE_DISK_MAGIC, | ||
32 | @@ -2478,6 +2479,20 @@ | ||
33 | (TODO_TIMES | TODO_MODE_BASE | TODO_ACLS | TODO_FFLAGS)) { | ||
34 | fd = open(p->name, | ||
35 | O_WRONLY | O_BINARY | O_NOFOLLOW | O_CLOEXEC); | ||
36 | + if (fd == -1) { | ||
37 | + /* If we cannot lstat, skip entry */ | ||
38 | + if (lstat(p->name, &st) != 0) | ||
39 | + goto skip_fixup_entry; | ||
40 | + /* | ||
41 | + * If we deal with a symbolic link, mark | ||
42 | + * it in the fixup mode to ensure no | ||
43 | + * modifications are made to its target. | ||
44 | + */ | ||
45 | + if (S_ISLNK(st.st_mode)) { | ||
46 | + p->mode &= ~S_IFMT; | ||
47 | + p->mode |= S_IFLNK; | ||
48 | + } | ||
49 | + } | ||
50 | } | ||
51 | if (p->fixup & TODO_TIMES) { | ||
52 | set_times(a, fd, p->mode, p->name, | ||
53 | @@ -2492,7 +2507,12 @@ | ||
54 | fchmod(fd, p->mode); | ||
55 | else | ||
56 | #endif | ||
57 | - chmod(p->name, p->mode); | ||
58 | +#ifdef HAVE_LCHMOD | ||
59 | + lchmod(p->name, p->mode); | ||
60 | +#else | ||
61 | + if (!S_ISLNK(p->mode)) | ||
62 | + chmod(p->name, p->mode); | ||
63 | +#endif | ||
64 | } | ||
65 | if (p->fixup & TODO_ACLS) | ||
66 | archive_write_disk_set_acls(&a->archive, fd, | ||
67 | @@ -2503,6 +2523,7 @@ | ||
68 | if (p->fixup & TODO_MAC_METADATA) | ||
69 | set_mac_metadata(a, p->name, p->mac_metadata, | ||
70 | p->mac_metadata_size); | ||
71 | +skip_fixup_entry: | ||
72 | next = p->next; | ||
73 | archive_acl_clear(&p->acl); | ||
74 | free(p->mac_metadata); | ||
75 | @@ -2643,6 +2664,7 @@ | ||
76 | fe->next = a->fixup_list; | ||
77 | a->fixup_list = fe; | ||
78 | fe->fixup = 0; | ||
79 | + fe->mode = 0; | ||
80 | fe->name = strdup(pathname); | ||
81 | return (fe); | ||
82 | } | ||
83 | --- a/libarchive/test/CMakeLists.txt | ||
84 | +++ b/libarchive/test/CMakeLists.txt | ||
85 | @@ -208,6 +208,7 @@ | ||
86 | test_write_disk.c | ||
87 | test_write_disk_appledouble.c | ||
88 | test_write_disk_failures.c | ||
89 | + test_write_disk_fixup.c | ||
90 | test_write_disk_hardlink.c | ||
91 | test_write_disk_hfs_compression.c | ||
92 | test_write_disk_lookup.c | ||
93 | --- /dev/null | ||
94 | +++ b/libarchive/test/test_write_disk_fixup.c | ||
95 | @@ -0,0 +1,77 @@ | ||
96 | +/*- | ||
97 | + * Copyright (c) 2021 Martin Matuska | ||
98 | + * All rights reserved. | ||
99 | + * | ||
100 | + * Redistribution and use in source and binary forms, with or without | ||
101 | + * modification, are permitted provided that the following conditions | ||
102 | + * are met: | ||
103 | + * 1. Redistributions of source code must retain the above copyright | ||
104 | + * notice, this list of conditions and the following disclaimer. | ||
105 | + * 2. Redistributions in binary form must reproduce the above copyright | ||
106 | + * notice, this list of conditions and the following disclaimer in the | ||
107 | + * documentation and/or other materials provided with the distribution. | ||
108 | + * | ||
109 | + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR(S) ``AS IS'' AND ANY EXPRESS OR | ||
110 | + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES | ||
111 | + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. | ||
112 | + * IN NO EVENT SHALL THE AUTHOR(S) BE LIABLE FOR ANY DIRECT, INDIRECT, | ||
113 | + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT | ||
114 | + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, | ||
115 | + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY | ||
116 | + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT | ||
117 | + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF | ||
118 | + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | ||
119 | + */ | ||
120 | +#include "test.h" | ||
121 | + | ||
122 | +/* | ||
123 | + * Test fixup entries don't follow symlinks | ||
124 | + */ | ||
125 | +DEFINE_TEST(test_write_disk_fixup) | ||
126 | +{ | ||
127 | + struct archive *ad; | ||
128 | + struct archive_entry *ae; | ||
129 | + int r; | ||
130 | + | ||
131 | + if (!canSymlink()) { | ||
132 | + skipping("Symlinks not supported"); | ||
133 | + return; | ||
134 | + } | ||
135 | + | ||
136 | + /* Write entries to disk. */ | ||
137 | + assert((ad = archive_write_disk_new()) != NULL); | ||
138 | + | ||
139 | + /* | ||
140 | + * Create a file | ||
141 | + */ | ||
142 | + assertMakeFile("victim", 0600, "a"); | ||
143 | + | ||
144 | + /* | ||
145 | + * Create a directory and a symlink with the same name | ||
146 | + */ | ||
147 | + | ||
148 | + /* Directory: dir */ | ||
149 | + assert((ae = archive_entry_new()) != NULL); | ||
150 | + archive_entry_copy_pathname(ae, "dir"); | ||
151 | + archive_entry_set_mode(ae, AE_IFDIR | 0606); | ||
152 | + assertEqualIntA(ad, 0, archive_write_header(ad, ae)); | ||
153 | + assertEqualIntA(ad, 0, archive_write_finish_entry(ad)); | ||
154 | + archive_entry_free(ae); | ||
155 | + | ||
156 | + /* Symbolic Link: dir -> foo */ | ||
157 | + assert((ae = archive_entry_new()) != NULL); | ||
158 | + archive_entry_copy_pathname(ae, "dir"); | ||
159 | + archive_entry_set_mode(ae, AE_IFLNK | 0777); | ||
160 | + archive_entry_set_size(ae, 0); | ||
161 | + archive_entry_copy_symlink(ae, "victim"); | ||
162 | + assertEqualIntA(ad, 0, r = archive_write_header(ad, ae)); | ||
163 | + if (r >= ARCHIVE_WARN) | ||
164 | + assertEqualIntA(ad, 0, archive_write_finish_entry(ad)); | ||
165 | + archive_entry_free(ae); | ||
166 | + | ||
167 | + assertEqualInt(ARCHIVE_OK, archive_write_free(ad)); | ||
168 | + | ||
169 | + /* Test the entries on disk. */ | ||
170 | + assertIsSymlink("dir", "victim", 0); | ||
171 | + assertFileMode("victim", 0600); | ||
172 | +} | ||
diff --git a/meta/recipes-extended/libarchive/libarchive_3.4.2.bb b/meta/recipes-extended/libarchive/libarchive_3.4.2.bb index d8ed80686b..7d2e7b711b 100644 --- a/meta/recipes-extended/libarchive/libarchive_3.4.2.bb +++ b/meta/recipes-extended/libarchive/libarchive_3.4.2.bb | |||
@@ -37,6 +37,8 @@ SRC_URI = "http://libarchive.org/downloads/libarchive-${PV}.tar.gz \ | |||
37 | file://CVE-2021-36976-2.patch \ | 37 | file://CVE-2021-36976-2.patch \ |
38 | file://CVE-2021-36976-3.patch \ | 38 | file://CVE-2021-36976-3.patch \ |
39 | file://CVE-2021-23177.patch \ | 39 | file://CVE-2021-23177.patch \ |
40 | file://CVE-2021-31566-01.patch \ | ||
41 | file://CVE-2021-31566-02.patch \ | ||
40 | " | 42 | " |
41 | 43 | ||
42 | SRC_URI[md5sum] = "d953ed6b47694dadf0e6042f8f9ff451" | 44 | SRC_URI[md5sum] = "d953ed6b47694dadf0e6042f8f9ff451" |