1 files changed, 50 insertions, 0 deletions
diff --git a/meta/recipes-extended/libarchive/libarchive/CVE-2018-1000879.patch b/meta/recipes-extended/libarchive/libarchive/CVE-2018-1000879.patch
new file mode 100644
index 0000000000..9f25932a1a
--- /dev/null
+++ b/meta/recipes-extended/libarchive/libarchive/CVE-2018-1000879.patch
@@ -0,0 +1,50 @@
+CVE: CVE-2018-1000879
+Upstream-Status: Backport
+Signed-off-by: Ross Burton <ross.burton@intel.com>
+From 15bf44fd2c1ad0e3fd87048b3fcc90c4dcff1175 Mon Sep 17 00:00:00 2001
+From: Daniel Axtens <dja@axtens.net>
+Date: Tue, 4 Dec 2018 14:29:42 +1100
+Subject: [PATCH] Skip 0-length ACL fields
+Currently, it is possible to create an archive that crashes bsdtar
+with a malformed ACL:
+Program received signal SIGSEGV, Segmentation fault.
+archive_acl_from_text_l (acl=<optimised out>, text=0x7e2e92 "", want_type=<optimised out>, sc=<optimised out>) at libarchive/archive_acl.c:1726
+1726                            switch (*s) {
+(gdb) p n
+$1 = 1
+(gdb) p field[n]
+$2 = {start = 0x0, end = 0x0}
+Stop this by checking that the length is not zero before beginning
+the switch statement.
+I am pretty sure this is the bug mentioned in the qsym paper [1],
+and I was able to replicate it with a qsym + AFL + afl-rb setup.
+[1] https://www.usenix.org/conference/usenixsecurity18/presentation/yun
+---
+ libarchive/archive_acl.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+diff --git a/libarchive/archive_acl.c b/libarchive/archive_acl.c
+index 512beee1..7beeee86 100644
+--- a/libarchive/archive_acl.c
+++ b/libarchive/archive_acl.c
+@@ -1723,6 +1723,11 @@ archive_acl_from_text_l(struct archive_acl *acl, const char *text,
+                        st = field[n].start + 1;
+                        len = field[n].end - field[n].start;
+ 
+                       if (len == 0) {
+                               ret = ARCHIVE_WARN;
+                               continue;
+                       }
+
+                        switch (*s) {
+                        case 'u':
+                                if (len == 1 || (len == 4
+-- 
+2.20.0

diff --git a/meta/recipes-extended/libarchive/libarchive/CVE-2018-1000879.patch b/meta/recipes-extended/libarchive/libarchive/CVE-2018-1000879.patch new file mode 100644 index 0000000000..9f25932a1a --- /dev/null +++ b/meta/recipes-extended/libarchive/libarchive/CVE-2018-1000879.patch
@@ -0,0 +1,50 @@
	1	CVE: CVE-2018-1000879
	2	Upstream-Status: Backport
	3	Signed-off-by: Ross Burton <ross.burton@intel.com>
	4
	5	From 15bf44fd2c1ad0e3fd87048b3fcc90c4dcff1175 Mon Sep 17 00:00:00 2001
	6	From: Daniel Axtens <dja@axtens.net>
	7	Date: Tue, 4 Dec 2018 14:29:42 +1100
	8	Subject: [PATCH] Skip 0-length ACL fields
	9
	10	Currently, it is possible to create an archive that crashes bsdtar
	11	with a malformed ACL:
	12
	13	Program received signal SIGSEGV, Segmentation fault.
	14	archive_acl_from_text_l (acl=<optimised out>, text=0x7e2e92 "", want_type=<optimised out>, sc=<optimised out>) at libarchive/archive_acl.c:1726
	15	1726 switch (*s) {
	16	(gdb) p n
	17	$1 = 1
	18	(gdb) p field[n]
	19	$2 = {start = 0x0, end = 0x0}
	20
	21	Stop this by checking that the length is not zero before beginning
	22	the switch statement.
	23
	24	I am pretty sure this is the bug mentioned in the qsym paper [1],
	25	and I was able to replicate it with a qsym + AFL + afl-rb setup.
	26
	27	[1] https://www.usenix.org/conference/usenixsecurity18/presentation/yun
	28	---
	29	libarchive/archive_acl.c \| 5 +++++
	30	1 file changed, 5 insertions(+)
	31
	32	diff --git a/libarchive/archive_acl.c b/libarchive/archive_acl.c
	33	index 512beee1..7beeee86 100644
	34	--- a/libarchive/archive_acl.c
	35	+++ b/libarchive/archive_acl.c
	36	@@ -1723,6 +1723,11 @@ archive_acl_from_text_l(struct archive_acl acl, const char text,
	37	st = field[n].start + 1;
	38	len = field[n].end - field[n].start;
	39
	40	+ if (len == 0) {
	41	+ ret = ARCHIVE_WARN;
	42	+ continue;
	43	+ }
	44	+
	45	switch (*s) {
	46	case 'u':
	47	if (len == 1 \|\| (len == 4
	48	--
	49	2.20.0
	50