1 files changed, 172 insertions, 0 deletions
diff --git a/meta/recipes-extended/libarchive/libarchive/CVE-2021-31566-02.patch b/meta/recipes-extended/libarchive/libarchive/CVE-2021-31566-02.patch
new file mode 100644
index 0000000000..0dfcd1ac5c
--- /dev/null
+++ b/meta/recipes-extended/libarchive/libarchive/CVE-2021-31566-02.patch
@@ -0,0 +1,172 @@
+Description: Do not follow symlinks when processing the fixup list
+ Published as CVE-2021-31566
+Origin: upstream, https://github.com/libarchive/libarchive/commit/b41daecb5ccb4c8e3b2c53fd6147109fc12c3043
+Bug-Debian: https://bugs.debian.org/1001990
+Author: Martin Matuska <martin@matuska.org>
+Last-Update: 2021-12-20
+CVE: CVE-2021-31566
+Upstream-Status: Backport [http://deb.debian.org/debian/pool/main/liba/libarchive/libarchive_3.4.3-2+deb11u1.debian.tar.xz]
+Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
+--- a/Makefile.am
+++ b/Makefile.am
+@@ -556,6 +556,7 @@
+        libarchive/test/test_write_disk.c \
+        libarchive/test/test_write_disk_appledouble.c \
+        libarchive/test/test_write_disk_failures.c \
+       libarchive/test/test_write_disk_fixup.c \
+        libarchive/test/test_write_disk_hardlink.c \
+        libarchive/test/test_write_disk_hfs_compression.c \
+        libarchive/test/test_write_disk_lookup.c \
+--- a/libarchive/archive_write_disk_posix.c
+++ b/libarchive/archive_write_disk_posix.c
+@@ -2461,6 +2461,7 @@
+ {
+        struct archive_write_disk *a = (struct archive_write_disk *)_a;
+        struct fixup_entry *next, *p;
+       struct stat st;
+        int fd, ret;
+ 
+        archive_check_magic(&a->archive, ARCHIVE_WRITE_DISK_MAGIC,
+@@ -2478,6 +2479,20 @@
+                    (TODO_TIMES | TODO_MODE_BASE | TODO_ACLS | TODO_FFLAGS)) {
+                        fd = open(p->name,
+                            O_WRONLY | O_BINARY | O_NOFOLLOW | O_CLOEXEC);
+                       if (fd == -1) {
+                               /* If we cannot lstat, skip entry */
+                               if (lstat(p->name, &st) != 0)
+                                       goto skip_fixup_entry;
+                               /*
+                                * If we deal with a symbolic link, mark
+                                * it in the fixup mode to ensure no
+                                * modifications are made to its target.
+                                */
+                               if (S_ISLNK(st.st_mode)) {
+                                       p->mode &= ~S_IFMT;
+                                       p->mode |= S_IFLNK;
+                               }
+                       }
+                }
+                if (p->fixup & TODO_TIMES) {
+                        set_times(a, fd, p->mode, p->name,
+@@ -2492,7 +2507,12 @@
+                                fchmod(fd, p->mode);
+                        else
+ #endif
+-                       chmod(p->name, p->mode);
+#ifdef HAVE_LCHMOD
+                       lchmod(p->name, p->mode);
+#else
+                       if (!S_ISLNK(p->mode))
+                               chmod(p->name, p->mode);
+#endif
+                }
+                if (p->fixup & TODO_ACLS)
+                        archive_write_disk_set_acls(&a->archive, fd,
+@@ -2503,6 +2523,7 @@
+                if (p->fixup & TODO_MAC_METADATA)
+                        set_mac_metadata(a, p->name, p->mac_metadata,
+                                         p->mac_metadata_size);
+skip_fixup_entry:
+                next = p->next;
+                archive_acl_clear(&p->acl);
+                free(p->mac_metadata);
+@@ -2643,6 +2664,7 @@
+        fe->next = a->fixup_list;
+        a->fixup_list = fe;
+        fe->fixup = 0;
+       fe->mode = 0;
+        fe->name = strdup(pathname);
+        return (fe);
+ }
+--- a/libarchive/test/CMakeLists.txt
+++ b/libarchive/test/CMakeLists.txt
+@@ -208,6 +208,7 @@
+     test_write_disk.c
+     test_write_disk_appledouble.c
+     test_write_disk_failures.c
+    test_write_disk_fixup.c
+     test_write_disk_hardlink.c
+     test_write_disk_hfs_compression.c
+     test_write_disk_lookup.c
+--- /dev/null
+++ b/libarchive/test/test_write_disk_fixup.c
+@@ -0,0 +1,77 @@
+/*-
+ * Copyright (c) 2021 Martin Matuska
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR(S) ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR(S) BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+#include "test.h"
+
+/*
+ * Test fixup entries don't follow symlinks
+ */
+DEFINE_TEST(test_write_disk_fixup)
+{
+       struct archive *ad;
+       struct archive_entry *ae;
+       int r;
+
+       if (!canSymlink()) {
+               skipping("Symlinks not supported");
+               return;
+       }
+
+       /* Write entries to disk. */
+       assert((ad = archive_write_disk_new()) != NULL);
+
+       /*
+        * Create a file
+        */
+       assertMakeFile("victim", 0600, "a");
+
+       /*
+        * Create a directory and a symlink with the same name
+        */
+
+       /* Directory: dir */
+        assert((ae = archive_entry_new()) != NULL);
+        archive_entry_copy_pathname(ae, "dir");
+        archive_entry_set_mode(ae, AE_IFDIR | 0606);
+       assertEqualIntA(ad, 0, archive_write_header(ad, ae));
+       assertEqualIntA(ad, 0, archive_write_finish_entry(ad));
+        archive_entry_free(ae);
+
+       /* Symbolic Link: dir -> foo */
+       assert((ae = archive_entry_new()) != NULL);
+       archive_entry_copy_pathname(ae, "dir");
+       archive_entry_set_mode(ae, AE_IFLNK | 0777);
+       archive_entry_set_size(ae, 0);
+       archive_entry_copy_symlink(ae, "victim");
+       assertEqualIntA(ad, 0, r = archive_write_header(ad, ae));
+       if (r >= ARCHIVE_WARN)
+               assertEqualIntA(ad, 0, archive_write_finish_entry(ad));
+       archive_entry_free(ae);
+
+       assertEqualInt(ARCHIVE_OK, archive_write_free(ad));
+
+       /* Test the entries on disk. */
+       assertIsSymlink("dir", "victim", 0);
+       assertFileMode("victim", 0600);
+}

diff --git a/meta/recipes-extended/libarchive/libarchive/CVE-2021-31566-02.patch b/meta/recipes-extended/libarchive/libarchive/CVE-2021-31566-02.patch new file mode 100644 index 0000000000..0dfcd1ac5c --- /dev/null +++ b/meta/recipes-extended/libarchive/libarchive/CVE-2021-31566-02.patch
@@ -0,0 +1,172 @@
	1	Description: Do not follow symlinks when processing the fixup list
	2	Published as CVE-2021-31566
	3	Origin: upstream, https://github.com/libarchive/libarchive/commit/b41daecb5ccb4c8e3b2c53fd6147109fc12c3043
	4	Bug-Debian: https://bugs.debian.org/1001990
	5	Author: Martin Matuska <martin@matuska.org>
	6	Last-Update: 2021-12-20
	7
	8	CVE: CVE-2021-31566
	9	Upstream-Status: Backport [http://deb.debian.org/debian/pool/main/liba/libarchive/libarchive_3.4.3-2+deb11u1.debian.tar.xz]
	10	Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
	11
	12	--- a/Makefile.am
	13	+++ b/Makefile.am
	14	@@ -556,6 +556,7 @@
	15	libarchive/test/test_write_disk.c \
	16	libarchive/test/test_write_disk_appledouble.c \
	17	libarchive/test/test_write_disk_failures.c \
	18	+ libarchive/test/test_write_disk_fixup.c \
	19	libarchive/test/test_write_disk_hardlink.c \
	20	libarchive/test/test_write_disk_hfs_compression.c \
	21	libarchive/test/test_write_disk_lookup.c \
	22	--- a/libarchive/archive_write_disk_posix.c
	23	+++ b/libarchive/archive_write_disk_posix.c
	24	@@ -2461,6 +2461,7 @@
	25	{
	26	struct archive_write_disk a = (struct archive_write_disk )_a;
	27	struct fixup_entry next, p;
	28	+ struct stat st;
	29	int fd, ret;
	30
	31	archive_check_magic(&a->archive, ARCHIVE_WRITE_DISK_MAGIC,
	32	@@ -2478,6 +2479,20 @@
	33	(TODO_TIMES \| TODO_MODE_BASE \| TODO_ACLS \| TODO_FFLAGS)) {
	34	fd = open(p->name,
	35	O_WRONLY \| O_BINARY \| O_NOFOLLOW \| O_CLOEXEC);
	36	+ if (fd == -1) {
	37	+ /* If we cannot lstat, skip entry */
	38	+ if (lstat(p->name, &st) != 0)
	39	+ goto skip_fixup_entry;
	40	+ /*
	41	+ * If we deal with a symbolic link, mark
	42	+ * it in the fixup mode to ensure no
	43	+ * modifications are made to its target.
	44	+ */
	45	+ if (S_ISLNK(st.st_mode)) {
	46	+ p->mode &= ~S_IFMT;
	47	+ p->mode \|= S_IFLNK;
	48	+ }
	49	+ }
	50	}
	51	if (p->fixup & TODO_TIMES) {
	52	set_times(a, fd, p->mode, p->name,
	53	@@ -2492,7 +2507,12 @@
	54	fchmod(fd, p->mode);
	55	else
	56	#endif
	57	- chmod(p->name, p->mode);
	58	+#ifdef HAVE_LCHMOD
	59	+ lchmod(p->name, p->mode);
	60	+#else
	61	+ if (!S_ISLNK(p->mode))
	62	+ chmod(p->name, p->mode);
	63	+#endif
	64	}
	65	if (p->fixup & TODO_ACLS)
	66	archive_write_disk_set_acls(&a->archive, fd,
	67	@@ -2503,6 +2523,7 @@
	68	if (p->fixup & TODO_MAC_METADATA)
	69	set_mac_metadata(a, p->name, p->mac_metadata,
	70	p->mac_metadata_size);
	71	+skip_fixup_entry:
	72	next = p->next;
	73	archive_acl_clear(&p->acl);
	74	free(p->mac_metadata);
	75	@@ -2643,6 +2664,7 @@
	76	fe->next = a->fixup_list;
	77	a->fixup_list = fe;
	78	fe->fixup = 0;
	79	+ fe->mode = 0;
	80	fe->name = strdup(pathname);
	81	return (fe);
	82	}
	83	--- a/libarchive/test/CMakeLists.txt
	84	+++ b/libarchive/test/CMakeLists.txt
	85	@@ -208,6 +208,7 @@
	86	test_write_disk.c
	87	test_write_disk_appledouble.c
	88	test_write_disk_failures.c
	89	+ test_write_disk_fixup.c
	90	test_write_disk_hardlink.c
	91	test_write_disk_hfs_compression.c
	92	test_write_disk_lookup.c
	93	--- /dev/null
	94	+++ b/libarchive/test/test_write_disk_fixup.c
	95	@@ -0,0 +1,77 @@
	96	+/*-
	97	+ * Copyright (c) 2021 Martin Matuska
	98	+ * All rights reserved.
	99	+ *
	100	+ * Redistribution and use in source and binary forms, with or without
	101	+ * modification, are permitted provided that the following conditions
	102	+ * are met:
	103	+ * 1. Redistributions of source code must retain the above copyright
	104	+ * notice, this list of conditions and the following disclaimer.
	105	+ * 2. Redistributions in binary form must reproduce the above copyright
	106	+ * notice, this list of conditions and the following disclaimer in the
	107	+ * documentation and/or other materials provided with the distribution.
	108	+ *
	109	+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR(S) ``AS IS'' AND ANY EXPRESS OR
	110	+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
	111	+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
	112	+ * IN NO EVENT SHALL THE AUTHOR(S) BE LIABLE FOR ANY DIRECT, INDIRECT,
	113	+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
	114	+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
	115	+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
	116	+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
	117	+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
	118	+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
	119	+ */
	120	+#include "test.h"
	121	+
	122	+/*
	123	+ * Test fixup entries don't follow symlinks
	124	+ */
	125	+DEFINE_TEST(test_write_disk_fixup)
	126	+{
	127	+ struct archive *ad;
	128	+ struct archive_entry *ae;
	129	+ int r;
	130	+
	131	+ if (!canSymlink()) {
	132	+ skipping("Symlinks not supported");
	133	+ return;
	134	+ }
	135	+
	136	+ /* Write entries to disk. */
	137	+ assert((ad = archive_write_disk_new()) != NULL);
	138	+
	139	+ /*
	140	+ * Create a file
	141	+ */
	142	+ assertMakeFile("victim", 0600, "a");
	143	+
	144	+ /*
	145	+ * Create a directory and a symlink with the same name
	146	+ */
	147	+
	148	+ /* Directory: dir */
	149	+ assert((ae = archive_entry_new()) != NULL);
	150	+ archive_entry_copy_pathname(ae, "dir");
	151	+ archive_entry_set_mode(ae, AE_IFDIR \| 0606);
	152	+ assertEqualIntA(ad, 0, archive_write_header(ad, ae));
	153	+ assertEqualIntA(ad, 0, archive_write_finish_entry(ad));
	154	+ archive_entry_free(ae);
	155	+
	156	+ /* Symbolic Link: dir -> foo */
	157	+ assert((ae = archive_entry_new()) != NULL);
	158	+ archive_entry_copy_pathname(ae, "dir");
	159	+ archive_entry_set_mode(ae, AE_IFLNK \| 0777);
	160	+ archive_entry_set_size(ae, 0);
	161	+ archive_entry_copy_symlink(ae, "victim");
	162	+ assertEqualIntA(ad, 0, r = archive_write_header(ad, ae));
	163	+ if (r >= ARCHIVE_WARN)
	164	+ assertEqualIntA(ad, 0, archive_write_finish_entry(ad));
	165	+ archive_entry_free(ae);
	166	+
	167	+ assertEqualInt(ARCHIVE_OK, archive_write_free(ad));
	168	+
	169	+ /* Test the entries on disk. */
	170	+ assertIsSymlink("dir", "victim", 0);
	171	+ assertFileMode("victim", 0600);
	172	+}