Diffstat (limited to 'meta/recipes-extended/libarchive/libarchive/CVE-2018-1000879.patch')
-rw-r--r-- | meta/recipes-extended/libarchive/libarchive/CVE-2018-1000879.patch | 50 |
1 files changed, 50 insertions, 0 deletions
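--- /dev/null
+++ b/meta/recipes-extended/libarchive/libarchive/CVE-2018-1000879.patch
@@ -0,0 +1,50 @@
+CVE: CVE-2018-1000879
+Upstream-Status: Backport
+Signed-off-by: Ross Burton <ross.burton@intel.com>
+
+From 15bf44fd2c1ad0e3fd87048b3fcc90c4dcff1175 Mon Sep 17 00:00:00 2001
+From: Daniel Axtens <dja@axtens.net>
+Date: Tue, 4 Dec 2018 14:29:42 +1100
+Subject: [PATCH] Skip 0-length ACL fields
+
+Currently, it is possible to create an archive that crashes bsdtar
+with a malformed ACL:
+
+Program received signal SIGSEGV, Segmentation fault.
+archive_acl_from_text_l (acl=<optimised out>, text=0x7e2e92 "", want_type=<optimised out>, sc=<optimised out>) at libarchive/archive_acl.c:1726
+1726			switch (*s) {
+(gdb) p n
+$1 = 1
+(gdb) p field[n]
+$2 = {start = 0x0, end = 0x0}
+
+Stop this by checking that the length is not zero before beginning
+the switch statement.
+
+I am pretty sure this is the bug mentioned in the qsym paper [1],
+and I was able to replicate it with a qsym + AFL + afl-rb setup.
+
+[1] https://www.usenix.org/conference/usenixsecurity18/presentation/yun
+---
+ libarchive/archive_acl.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/libarchive/archive_acl.c b/libarchive/archive_acl.c
+index 512beee1..7beeee86 100644
+--- a/libarchive/archive_acl.c
++++ b/libarchive/archive_acl.c
+@@ -1723,6 +1723,11 @@ archive_acl_from_text_l(struct archive_acl *acl, const char *text,
+ 		st = field[n].start + 1;
+ 		len = field[n].end - field[n].start;
+ 
++		if (len == 0) {
++			ret = ARCHIVE_WARN;
++			continue;
++		}
++
+ 		switch (*s) {
+ 		case 'u':
+ 			if (len == 1 || (len == 4
+-- 
+2.20.0
+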
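Review bot: The zero-length guard is placed after `st = field[n].start + 1;` and `len = field[n].end - field[n].start;`, yet the crash quoted in the description shows `field[n] = {start = 0x0, end = 0x0}`, so on exactly the input this patch targets the `st` line still does pointer arithmetic on NULL (and `len` is computed as a NULL-minus-NULL difference) before the check fires; that is undefined behavior in C even though it happens to yield the expected values on common toolchains. Computing `len` first and guarding before touching `start` avoids it: `len = field[n].end - field[n].start; if (len == 0) { ret = ARCHIVE_WARN; continue; } st = field[n].start + 1;`. The `s` that the `switch` dereferences is assigned outside the hunk, presumably from `field[n].start`; if a field can ever have a NULL `start` with a non-NULL `end`, the length test alone would not protect that dereference, so a reviewer should confirm the parser never produces such a field. Also worth a comment on the new block: returning `ARCHIVE_WARN` and `continue`-ing means a malformed ACL entry is dropped and parsing goes on, rather than the archive entry being rejected — e.g. `/* Empty field: malformed ACL entry; skip it and report a warning rather than a fatal error. */`. The enclosing function archive_acl_from_text_l starts and ends outside the hunk.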