Diffstat (limited to 'meta/recipes-extended/libarchive/libarchive/CVE-2021-36976-3.patch')
-rw-r--r-- | meta/recipes-extended/libarchive/libarchive/CVE-2021-36976-3.patch | 93 |
1 files changed, 93 insertions, 0 deletions
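diff --git a/meta/recipes-extended/libarchive/libarchive/CVE-2021-36976-3.patch b/meta/recipes-extended/libarchive/libarchive/CVE-2021-36976-3.patch
new file mode 100644
index 0000000000..0e1549f229
--- /dev/null
+++ b/meta/recipes-extended/libarchive/libarchive/CVE-2021-36976-3.patch
@@ -0,0 +1,93 @@
+From 313bcd7ac547f7cc25945831f63507420c0874d7 Mon Sep 17 00:00:00 2001
+From: Grzegorz Antoniak <ga@anadoxin.org>
+Date: Sat, 13 Feb 2021 10:13:22 +0100
+Subject: [PATCH] RAR5 reader: add more checks for invalid extraction
+parameters
+
+Some specially crafted files declare invalid extraction parameters that
+can confuse the RAR5 reader.
+
+One of the arguments is the declared window size parameter that the
+archive file can declare for each file stored in the archive. Some
+crafted files declare window size equal to 0, which is clearly wrong.
+
+This commit adds additional safety checks decreasing the tolerance of
+the RAR5 format.
+
+This commit also contains OSSFuzz sample #30459.
+---
+Makefile.am | 1 +
+libarchive/archive_read_support_format_rar5.c | 10 ++++++++++
+libarchive/test/test_read_format_rar5.c | 19 +++++++++++++++++++
+...t_rar5_bad_window_sz_in_mltarc_file.rar.uu | 7 +++++++
+4 files changed, 37 insertions(+)
+create mode 100644 libarchive/test/test_read_format_rar5_bad_window_sz_in_mltarc_file.rar.uu
+
+Upstream-Status: Backport [https://github.com/libarchive/libarchive/pull/1493/commits/313bcd7ac547f7cc25945831f63507420c0874d7]
+CVE: CVE-2021-36976
+Signed-off-by: Virendra Thakur <virendra.thakur@kpit.com>
+
+--- libarchive-3.4.2.orig/Makefile.am
++++ libarchive-3.4.2/Makefile.am
+@@ -882,6 +882,7 @@ libarchive_test_EXTRA_DIST=\
+libarchive/test/test_read_format_rar5_block_size_is_too_small.rar.uu \
+libarchive/test/test_read_format_rar5_decode_number_out_of_bounds_read.rar.uu \
+libarchive/test/test_read_format_rar5_window_buf_and_size_desync.rar.uu \
++ libarchive/test/test_read_format_rar5_bad_window_sz_in_mltarc_file.rar.uu \
+libarchive/test/test_read_format_raw.bufr.uu \
+libarchive/test/test_read_format_raw.data.gz.uu \
+libarchive/test/test_read_format_raw.data.Z.uu \
+--- libarchive-3.4.2.orig/libarchive/archive_read_support_format_rar5.c
++++ libarchive-3.4.2/libarchive/archive_read_support_format_rar5.c
+@@ -3637,6 +3637,16 @@ static int do_uncompress_file(struct arc
+rar->cstate.initialized = 1;
+}
+
++ /* Don't allow extraction if window_size is invalid. */
++ if(rar->cstate.window_size == 0) {
++ archive_set_error(&a->archive,
++ ARCHIVE_ERRNO_FILE_FORMAT,
++ "Invalid window size declaration in this file");
++
++ /* This should never happen in valid files. */
++ return ARCHIVE_FATAL;
++ }
++
+if(rar->cstate.all_filters_applied == 1) {
+/* We use while(1) here, but standard case allows for just 1
+* iteration. The loop will iterate if process_block() didn't
+--- libarchive-3.4.2.orig/libarchive/test/test_read_format_rar5.c
++++ libarchive-3.4.2/libarchive/test/test_read_format_rar5.c
+@@ -1305,3 +1305,22 @@ DEFINE_TEST(test_read_format_rar5_decode
+
+EPILOGUE();
+}
++
++DEFINE_TEST(test_read_format_rar5_bad_window_size_in_multiarchive_file)
++{
++ /* oss fuzz 30459 */
++
++ char buf[4096];
++ PROLOGUE("test_read_format_rar5_bad_window_sz_in_mltarc_file.rar");
++
++ /* This file is damaged, so those functions should return failure.
++ * Additionally, SIGSEGV shouldn't be raised during execution
++ * of those functions. */
++
++ (void) archive_read_next_header(a, &ae);
++ while(0 < archive_read_data(a, buf, sizeof(buf))) {}
++ (void) archive_read_next_header(a, &ae);
++ while(0 < archive_read_data(a, buf, sizeof(buf))) {}
++
++ EPILOGUE();
++}
+--- /dev/null
++++ libarchive-3.4.2/libarchive/test/test_read_format_rar5_bad_window_sz_in_mltarc_file.rar.uu
+@@ -0,0 +1,7 @@
++begin 644 test_read_format_rar5_bad_window_size_in_multiarchive_file.rar
++M4F%R(1H'`0`]/-[E`@$`_R`@1#[Z5P("`PL`("`@@"(`"?\@("#___\@("`@
++M("`@("`@("`@4X`J]`,"YR(#$($@("`@``$@("`@@<L0("`@("`@("`@("`@
++M("`@(""LCTJA`P$%`B`@`2!3@"KT`P+G(@,@("`@_P,!!B`@(/___R`@(('+
++5$"`OX2`@[.SL[.S_("`@("`@("`@
++`
++end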
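Review bot: The added regression test `test_read_format_rar5_bad_window_size_in_multiarchive_file` asserts nothing: both `archive_read_next_header` results are cast to `(void)` and the `archive_read_data` loops only drain the entry, so it passes whether or not the new `window_size == 0` guard in `do_uncompress_file` fires, and it detects a regression only if the process actually crashes. A memory-safety fault of this kind does not reliably crash an uninstrumented build, so the test is meaningful mainly when the libarchive test suite is run under a sanitizer. If diverging from upstream is acceptable for this backport, keep the last read result and check it, e.g. `la_ssize_t r; while(0 < (r = archive_read_data(a, buf, sizeof(buf)))) {}` followed by `assertA(r < 0);` on whichever entry carries the zero window size (which entry that is cannot be determined from the sample as shown). This view is limited to the patch file itself, so it is worth confirming separately that the recipe's `SRC_URI` lists it, otherwise the check is never applied.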