2 files changed, 102 insertions, 0 deletions
diff --git a/meta/recipes-extended/libarchive/libarchive/CVE-2019-19221.patch b/meta/recipes-extended/libarchive/libarchive/CVE-2019-19221.patch
new file mode 100644
index 0000000000..b57e87874f
--- /dev/null
+++ b/meta/recipes-extended/libarchive/libarchive/CVE-2019-19221.patch
@@ -0,0 +1,101 @@
+From 22b1db9d46654afc6f0c28f90af8cdc84a199f41 Mon Sep 17 00:00:00 2001
+From: Martin Matuska <martin@matuska.org>
+Date: Thu, 21 Nov 2019 03:08:40 +0100
+Subject: [PATCH] Bugfix and optimize archive_wstring_append_from_mbs()
+The cal to mbrtowc() or mbtowc() should read up to mbs_length
+bytes and not wcs_length. This avoids out-of-bounds reads.
+mbrtowc() and mbtowc() return (size_t)-1 wit errno EILSEQ when
+they encounter an invalid multibyte character and (size_t)-2 when
+they they encounter an incomplete multibyte character. As we return
+failure and all our callers error out it makes no sense to continue
+parsing mbs.
+As we allocate `len` wchars at the beginning and each wchar has
+at least one byte, there will never be need to grow the buffer,
+so the code can be left out. On the other hand, we are always
+allocatng more memory than we need.
+As long as wcs_length == mbs_length == len we can omit wcs_length.
+We keep the old code commented if we decide to save memory and
+use autoexpanding wcs_length in the future.
+Fixes #1276
+Upstream-Status: Backport [https://github.com/libarchive/libarchive/commit/22b1db9d46654afc6f0c28f90af8cdc84a199f41]
+CVE: CVE-2019-19221
+Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
+---
+ libarchive/archive_string.c | 28 +++++++++++++++++-----------
+ 1 file changed, 17 insertions(+), 11 deletions(-)
+diff --git a/libarchive/archive_string.c b/libarchive/archive_string.c
+index 979a418b6..bd39c96f1 100644
+--- a/libarchive/archive_string.c
+++ b/libarchive/archive_string.c
+@@ -591,7 +591,7 @@ archive_wstring_append_from_mbs(struct archive_wstring *dest,
+         * No single byte will be more than one wide character,
+         * so this length estimate will always be big enough.
+         */
+-       size_t wcs_length = len;
+       // size_t wcs_length = len;
+        size_t mbs_length = len;
+        const char *mbs = p;
+        wchar_t *wcs;
+@@ -600,7 +600,11 @@ archive_wstring_append_from_mbs(struct archive_wstring *dest,
+ 
+        memset(&shift_state, 0, sizeof(shift_state));
+ #endif
+-       if (NULL == archive_wstring_ensure(dest, dest->length + wcs_length + 1))
+       /*
+        * As we decided to have wcs_length == mbs_length == len
+        * we can use len here instead of wcs_length
+        */
+       if (NULL == archive_wstring_ensure(dest, dest->length + len + 1))
+                return (-1);
+        wcs = dest->s + dest->length;
+        /*
+@@ -609,6 +613,12 @@ archive_wstring_append_from_mbs(struct archive_wstring *dest,
+         * multi bytes.
+         */
+        while (*mbs && mbs_length > 0) {
+               /*
+                * The buffer we allocated is always big enough.
+                * Keep this code path in a comment if we decide to choose
+                * smaller wcs_length in the future
+                */
+/*
+                if (wcs_length == 0) {
+                        dest->length = wcs - dest->s;
+                        dest->s[dest->length] = L'\0';
+@@ -618,24 +628,20 @@ archive_wstring_append_from_mbs(struct archive_wstring *dest,
+                                return (-1);
+                        wcs = dest->s + dest->length;
+                }
+*/
+ #if HAVE_MBRTOWC
+-               r = mbrtowc(wcs, mbs, wcs_length, &shift_state);
+               r = mbrtowc(wcs, mbs, mbs_length, &shift_state);
+ #else
+-               r = mbtowc(wcs, mbs, wcs_length);
+               r = mbtowc(wcs, mbs, mbs_length);
+ #endif
+                if (r == (size_t)-1 || r == (size_t)-2) {
+                        ret_val = -1;
+-                       if (errno == EILSEQ) {
+-                               ++mbs;
+-                               --mbs_length;
+-                               continue;
+-                       } else
+-                               break;
+                       break;
+                }
+                if (r == 0 || r > mbs_length)
+                        break;
+                wcs++;
+-               wcs_length--;
+               // wcs_length--;
+                mbs += r;
+                mbs_length -= r;
+        }
diff --git a/meta/recipes-extended/libarchive/libarchive_3.3.3.bb b/meta/recipes-extended/libarchive/libarchive_3.3.3.bb
index af5ca65297..36d5bffe09 100644
--- a/meta/recipes-extended/libarchive/libarchive_3.3.3.bb
+++ b/meta/recipes-extended/libarchive/libarchive_3.3.3.bb
@@ -40,6 +40,7 @@ SRC_URI = "http://libarchive.org/downloads/libarchive-${PV}.tar.gz \
           file://CVE-2018-1000880.patch \
           file://CVE-2019-1000019.patch \
           file://CVE-2019-1000020.patch \
+           file://CVE-2019-19221.patch \
 "
 SRC_URI[md5sum] = "4038e366ca5b659dae3efcc744e72120"

diff --git a/meta/recipes-extended/libarchive/libarchive/CVE-2019-19221.patch b/meta/recipes-extended/libarchive/libarchive/CVE-2019-19221.patch new file mode 100644 index 0000000000..b57e87874f --- /dev/null +++ b/meta/recipes-extended/libarchive/libarchive/CVE-2019-19221.patch
@@ -0,0 +1,101 @@
		1	From 22b1db9d46654afc6f0c28f90af8cdc84a199f41 Mon Sep 17 00:00:00 2001
		2	From: Martin Matuska <martin@matuska.org>
		3	Date: Thu, 21 Nov 2019 03:08:40 +0100
		4	Subject: [PATCH] Bugfix and optimize archive_wstring_append_from_mbs()
		5
		6	The cal to mbrtowc() or mbtowc() should read up to mbs_length
		7	bytes and not wcs_length. This avoids out-of-bounds reads.
		8
		9	mbrtowc() and mbtowc() return (size_t)-1 wit errno EILSEQ when
		10	they encounter an invalid multibyte character and (size_t)-2 when
		11	they they encounter an incomplete multibyte character. As we return
		12	failure and all our callers error out it makes no sense to continue
		13	parsing mbs.
		14
		15	As we allocate `len` wchars at the beginning and each wchar has
		16	at least one byte, there will never be need to grow the buffer,
		17	so the code can be left out. On the other hand, we are always
		18	allocatng more memory than we need.
		19
		20	As long as wcs_length == mbs_length == len we can omit wcs_length.
		21	We keep the old code commented if we decide to save memory and
		22	use autoexpanding wcs_length in the future.
		23
		24	Fixes #1276
		25
		26	Upstream-Status: Backport [https://github.com/libarchive/libarchive/commit/22b1db9d46654afc6f0c28f90af8cdc84a199f41]
		27	CVE: CVE-2019-19221
		28	Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
		29	---
		30	libarchive/archive_string.c \| 28 +++++++++++++++++-----------
		31	1 file changed, 17 insertions(+), 11 deletions(-)
		32
		33	diff --git a/libarchive/archive_string.c b/libarchive/archive_string.c
		34	index 979a418b6..bd39c96f1 100644
		35	--- a/libarchive/archive_string.c
		36	+++ b/libarchive/archive_string.c
		37	@@ -591,7 +591,7 @@ archive_wstring_append_from_mbs(struct archive_wstring *dest,
		38	* No single byte will be more than one wide character,
		39	* so this length estimate will always be big enough.
		40	*/
		41	- size_t wcs_length = len;
		42	+ // size_t wcs_length = len;
		43	size_t mbs_length = len;
		44	const char *mbs = p;
		45	wchar_t *wcs;
		46	@@ -600,7 +600,11 @@ archive_wstring_append_from_mbs(struct archive_wstring *dest,
		47
		48	memset(&shift_state, 0, sizeof(shift_state));
		49	#endif
		50	- if (NULL == archive_wstring_ensure(dest, dest->length + wcs_length + 1))
		51	+ /*
		52	+ * As we decided to have wcs_length == mbs_length == len
		53	+ * we can use len here instead of wcs_length
		54	+ */
		55	+ if (NULL == archive_wstring_ensure(dest, dest->length + len + 1))
		56	return (-1);
		57	wcs = dest->s + dest->length;
		58	/*
		59	@@ -609,6 +613,12 @@ archive_wstring_append_from_mbs(struct archive_wstring *dest,
		60	* multi bytes.
		61	*/
		62	while (*mbs && mbs_length > 0) {
		63	+ /*
		64	+ * The buffer we allocated is always big enough.
		65	+ * Keep this code path in a comment if we decide to choose
		66	+ * smaller wcs_length in the future
		67	+ */
		68	+/*
		69	if (wcs_length == 0) {
		70	dest->length = wcs - dest->s;
		71	dest->s[dest->length] = L'\0';
		72	@@ -618,24 +628,20 @@ archive_wstring_append_from_mbs(struct archive_wstring *dest,
		73	return (-1);
		74	wcs = dest->s + dest->length;
		75	}
		76	+*/
		77	#if HAVE_MBRTOWC
		78	- r = mbrtowc(wcs, mbs, wcs_length, &shift_state);
		79	+ r = mbrtowc(wcs, mbs, mbs_length, &shift_state);
		80	#else
		81	- r = mbtowc(wcs, mbs, wcs_length);
		82	+ r = mbtowc(wcs, mbs, mbs_length);
		83	#endif
		84	if (r == (size_t)-1 \|\| r == (size_t)-2) {
		85	ret_val = -1;
		86	- if (errno == EILSEQ) {
		87	- ++mbs;
		88	- --mbs_length;
		89	- continue;
		90	- } else
		91	- break;
		92	+ break;
		93	}
		94	if (r == 0 \|\| r > mbs_length)
		95	break;
		96	wcs++;
		97	- wcs_length--;
		98	+ // wcs_length--;
		99	mbs += r;
		100	mbs_length -= r;
		101	}


diff --git a/meta/recipes-extended/libarchive/libarchive_3.3.3.bb b/meta/recipes-extended/libarchive/libarchive_3.3.3.bb index af5ca65297..36d5bffe09 100644 --- a/meta/recipes-extended/libarchive/libarchive_3.3.3.bb +++ b/meta/recipes-extended/libarchive/libarchive_3.3.3.bb
@@ -40,6 +40,7 @@ SRC_URI = "http://libarchive.org/downloads/libarchive-${PV}.tar.gz \
40	file://CVE-2018-1000880.patch \	40	file://CVE-2018-1000880.patch \
41	file://CVE-2019-1000019.patch \	41	file://CVE-2019-1000019.patch \
42	file://CVE-2019-1000020.patch \	42	file://CVE-2019-1000020.patch \
		43	file://CVE-2019-19221.patch \
43	"	44	"
44		45
45	SRC_URI[md5sum] = "4038e366ca5b659dae3efcc744e72120"	46	SRC_URI[md5sum] = "4038e366ca5b659dae3efcc744e72120"