diff options
Diffstat (limited to 'meta/recipes-extended/libarchive/libarchive/CVE-2019-1000019.patch')
-rw-r--r-- | meta/recipes-extended/libarchive/libarchive/CVE-2019-1000019.patch | 59 |
1 files changed, 59 insertions, 0 deletions
diff --git a/meta/recipes-extended/libarchive/libarchive/CVE-2019-1000019.patch b/meta/recipes-extended/libarchive/libarchive/CVE-2019-1000019.patch new file mode 100644 index 0000000000..f6f1add5e0 --- /dev/null +++ b/meta/recipes-extended/libarchive/libarchive/CVE-2019-1000019.patch | |||
@@ -0,0 +1,59 @@ | |||
1 | CVE: CVE-2018-1000019 | ||
2 | Upstream-Status: Backport | ||
3 | Signed-off-by: Ross Burton <ross.burton@intel.com> | ||
4 | |||
5 | From 65a23f5dbee4497064e9bb467f81138a62b0dae1 Mon Sep 17 00:00:00 2001 | ||
6 | From: Daniel Axtens <dja@axtens.net> | ||
7 | Date: Tue, 1 Jan 2019 16:01:40 +1100 | ||
8 | Subject: [PATCH 2/2] 7zip: fix crash when parsing certain archives | ||
9 | |||
10 | Fuzzing with CRCs disabled revealed that a call to get_uncompressed_data() | ||
11 | would sometimes fail to return at least 'minimum' bytes. This can cause | ||
12 | the crc32() invocation in header_bytes to read off into invalid memory. | ||
13 | |||
14 | A specially crafted archive can use this to cause a crash. | ||
15 | |||
16 | An ASAN trace is below, but ASAN is not required - an uninstrumented | ||
17 | binary will also crash. | ||
18 | |||
19 | ==7719==ERROR: AddressSanitizer: SEGV on unknown address 0x631000040000 (pc 0x7fbdb3b3ec1d bp 0x7ffe77a51310 sp 0x7ffe77a51150 T0) | ||
20 | ==7719==The signal is caused by a READ memory access. | ||
21 | #0 0x7fbdb3b3ec1c in crc32_z (/lib/x86_64-linux-gnu/libz.so.1+0x2c1c) | ||
22 | #1 0x84f5eb in header_bytes (/tmp/libarchive/bsdtar+0x84f5eb) | ||
23 | #2 0x856156 in read_Header (/tmp/libarchive/bsdtar+0x856156) | ||
24 | #3 0x84e134 in slurp_central_directory (/tmp/libarchive/bsdtar+0x84e134) | ||
25 | #4 0x849690 in archive_read_format_7zip_read_header (/tmp/libarchive/bsdtar+0x849690) | ||
26 | #5 0x5713b7 in _archive_read_next_header2 (/tmp/libarchive/bsdtar+0x5713b7) | ||
27 | #6 0x570e63 in _archive_read_next_header (/tmp/libarchive/bsdtar+0x570e63) | ||
28 | #7 0x6f08bd in archive_read_next_header (/tmp/libarchive/bsdtar+0x6f08bd) | ||
29 | #8 0x52373f in read_archive (/tmp/libarchive/bsdtar+0x52373f) | ||
30 | #9 0x5257be in tar_mode_x (/tmp/libarchive/bsdtar+0x5257be) | ||
31 | #10 0x51daeb in main (/tmp/libarchive/bsdtar+0x51daeb) | ||
32 | #11 0x7fbdb27cab96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310 | ||
33 | #12 0x41dd09 in _start (/tmp/libarchive/bsdtar+0x41dd09) | ||
34 | |||
35 | This was primarly done with afl and FairFuzz. Some early corpus entries | ||
36 | may have been generated by qsym. | ||
37 | --- | ||
38 | libarchive/archive_read_support_format_7zip.c | 8 +------- | ||
39 | 1 file changed, 1 insertion(+), 7 deletions(-) | ||
40 | |||
41 | diff --git a/libarchive/archive_read_support_format_7zip.c b/libarchive/archive_read_support_format_7zip.c | ||
42 | index bccbf8966..b6d1505d3 100644 | ||
43 | --- a/libarchive/archive_read_support_format_7zip.c | ||
44 | +++ b/libarchive/archive_read_support_format_7zip.c | ||
45 | @@ -2964,13 +2964,7 @@ get_uncompressed_data(struct archive_read *a, const void **buff, size_t size, | ||
46 | if (zip->codec == _7Z_COPY && zip->codec2 == (unsigned long)-1) { | ||
47 | /* Copy mode. */ | ||
48 | |||
49 | - /* | ||
50 | - * Note: '1' here is a performance optimization. | ||
51 | - * Recall that the decompression layer returns a count of | ||
52 | - * available bytes; asking for more than that forces the | ||
53 | - * decompressor to combine reads by copying data. | ||
54 | - */ | ||
55 | - *buff = __archive_read_ahead(a, 1, &bytes_avail); | ||
56 | + *buff = __archive_read_ahead(a, minimum, &bytes_avail); | ||
57 | if (bytes_avail <= 0) { | ||
58 | archive_set_error(&a->archive, | ||
59 | ARCHIVE_ERRNO_FILE_FORMAT, | ||