From 60297786e68cfdaad8487d79c87a815ec3e92b36 Mon Sep 17 00:00:00 2001 From: Alexander Kanavin Date: Wed, 29 Jan 2020 10:07:34 +0100 Subject: libarchive: upgrade 3.4.0 -> 3.4.1 (From OE-Core rev: 8b58523919f3a8276d4e35c21a058c6d087a3c7e) Signed-off-by: Alexander Kanavin Signed-off-by: Richard Purdie --- .../libarchive/libarchive/CVE-2019-19221.patch | 101 --------------------- .../libarchive/libarchive_3.4.0.bb | 68 -------------- .../libarchive/libarchive_3.4.1.bb | 66 ++++++++++++++ 3 files changed, 66 insertions(+), 169 deletions(-) delete mode 100644 meta/recipes-extended/libarchive/libarchive/CVE-2019-19221.patch delete mode 100644 meta/recipes-extended/libarchive/libarchive_3.4.0.bb create mode 100644 meta/recipes-extended/libarchive/libarchive_3.4.1.bb (limited to 'meta/recipes-extended') diff --git a/meta/recipes-extended/libarchive/libarchive/CVE-2019-19221.patch b/meta/recipes-extended/libarchive/libarchive/CVE-2019-19221.patch deleted file mode 100644 index b57e87874f..0000000000 --- a/meta/recipes-extended/libarchive/libarchive/CVE-2019-19221.patch +++ /dev/null @@ -1,101 +0,0 @@ -From 22b1db9d46654afc6f0c28f90af8cdc84a199f41 Mon Sep 17 00:00:00 2001 -From: Martin Matuska -Date: Thu, 21 Nov 2019 03:08:40 +0100 -Subject: [PATCH] Bugfix and optimize archive_wstring_append_from_mbs() - -The cal to mbrtowc() or mbtowc() should read up to mbs_length -bytes and not wcs_length. This avoids out-of-bounds reads. - -mbrtowc() and mbtowc() return (size_t)-1 wit errno EILSEQ when -they encounter an invalid multibyte character and (size_t)-2 when -they they encounter an incomplete multibyte character. As we return -failure and all our callers error out it makes no sense to continue -parsing mbs. - -As we allocate `len` wchars at the beginning and each wchar has -at least one byte, there will never be need to grow the buffer, -so the code can be left out. On the other hand, we are always -allocatng more memory than we need. - -As long as wcs_length == mbs_length == len we can omit wcs_length. -We keep the old code commented if we decide to save memory and -use autoexpanding wcs_length in the future. - -Fixes #1276 - -Upstream-Status: Backport [https://github.com/libarchive/libarchive/commit/22b1db9d46654afc6f0c28f90af8cdc84a199f41] -CVE: CVE-2019-19221 -Signed-off-by: Anuj Mittal ---- - libarchive/archive_string.c | 28 +++++++++++++++++----------- - 1 file changed, 17 insertions(+), 11 deletions(-) - -diff --git a/libarchive/archive_string.c b/libarchive/archive_string.c -index 979a418b6..bd39c96f1 100644 ---- a/libarchive/archive_string.c -+++ b/libarchive/archive_string.c -@@ -591,7 +591,7 @@ archive_wstring_append_from_mbs(struct archive_wstring *dest, - * No single byte will be more than one wide character, - * so this length estimate will always be big enough. - */ -- size_t wcs_length = len; -+ // size_t wcs_length = len; - size_t mbs_length = len; - const char *mbs = p; - wchar_t *wcs; -@@ -600,7 +600,11 @@ archive_wstring_append_from_mbs(struct archive_wstring *dest, - - memset(&shift_state, 0, sizeof(shift_state)); - #endif -- if (NULL == archive_wstring_ensure(dest, dest->length + wcs_length + 1)) -+ /* -+ * As we decided to have wcs_length == mbs_length == len -+ * we can use len here instead of wcs_length -+ */ -+ if (NULL == archive_wstring_ensure(dest, dest->length + len + 1)) - return (-1); - wcs = dest->s + dest->length; - /* -@@ -609,6 +613,12 @@ archive_wstring_append_from_mbs(struct archive_wstring *dest, - * multi bytes. - */ - while (*mbs && mbs_length > 0) { -+ /* -+ * The buffer we allocated is always big enough. -+ * Keep this code path in a comment if we decide to choose -+ * smaller wcs_length in the future -+ */ -+/* - if (wcs_length == 0) { - dest->length = wcs - dest->s; - dest->s[dest->length] = L'\0'; -@@ -618,24 +628,20 @@ archive_wstring_append_from_mbs(struct archive_wstring *dest, - return (-1); - wcs = dest->s + dest->length; - } -+*/ - #if HAVE_MBRTOWC -- r = mbrtowc(wcs, mbs, wcs_length, &shift_state); -+ r = mbrtowc(wcs, mbs, mbs_length, &shift_state); - #else -- r = mbtowc(wcs, mbs, wcs_length); -+ r = mbtowc(wcs, mbs, mbs_length); - #endif - if (r == (size_t)-1 || r == (size_t)-2) { - ret_val = -1; -- if (errno == EILSEQ) { -- ++mbs; -- --mbs_length; -- continue; -- } else -- break; -+ break; - } - if (r == 0 || r > mbs_length) - break; - wcs++; -- wcs_length--; -+ // wcs_length--; - mbs += r; - mbs_length -= r; - } diff --git a/meta/recipes-extended/libarchive/libarchive_3.4.0.bb b/meta/recipes-extended/libarchive/libarchive_3.4.0.bb deleted file mode 100644 index 755a9c7fa4..0000000000 --- a/meta/recipes-extended/libarchive/libarchive_3.4.0.bb +++ /dev/null @@ -1,68 +0,0 @@ -SUMMARY = "Support for reading various archive formats" -DESCRIPTION = "C library and command-line tools for reading and writing tar, cpio, zip, ISO, and other archive formats" -HOMEPAGE = "http://www.libarchive.org/" -SECTION = "devel" -LICENSE = "BSD-2-Clause" -LIC_FILES_CHKSUM = "file://COPYING;md5=fe01f5e02b1f0cc934d593a7b0ddceb6" - -DEPENDS = "e2fsprogs-native" - -PACKAGECONFIG ?= "zlib bz2 xz lzo" - -PACKAGECONFIG_append_class-target = "\ - libxml2 \ - ${@bb.utils.filter('DISTRO_FEATURES', 'acl xattr', d)} \ -" - -DEPENDS_BZIP2 = "bzip2-replacement-native" -DEPENDS_BZIP2_class-target = "bzip2" - -PACKAGECONFIG[acl] = "--enable-acl,--disable-acl,acl," -PACKAGECONFIG[xattr] = "--enable-xattr,--disable-xattr,attr," -PACKAGECONFIG[zlib] = "--with-zlib,--without-zlib,zlib," -PACKAGECONFIG[bz2] = "--with-bz2lib,--without-bz2lib,${DEPENDS_BZIP2}," -PACKAGECONFIG[xz] = "--with-lzma,--without-lzma,xz," -PACKAGECONFIG[openssl] = "--with-openssl,--without-openssl,openssl," -PACKAGECONFIG[libxml2] = "--with-xml2,--without-xml2,libxml2," -PACKAGECONFIG[expat] = "--with-expat,--without-expat,expat," -PACKAGECONFIG[lzo] = "--with-lzo2,--without-lzo2,lzo," -PACKAGECONFIG[nettle] = "--with-nettle,--without-nettle,nettle," -PACKAGECONFIG[lz4] = "--with-lz4,--without-lz4,lz4," - -EXTRA_OECONF += "--enable-largefile" - -SRC_URI = "http://libarchive.org/downloads/libarchive-${PV}.tar.gz \ - file://CVE-2019-19221.patch \ -" - -SRC_URI[md5sum] = "6046396255bd7cf6d0f6603a9bda39ac" -SRC_URI[sha256sum] = "8643d50ed40c759f5412a3af4e353cffbce4fdf3b5cf321cb72cacf06b2d825e" - -inherit autotools update-alternatives pkgconfig - -CPPFLAGS += "-I${WORKDIR}/extra-includes" - -do_configure[cleandirs] += "${WORKDIR}/extra-includes" -do_configure_prepend() { - # We just need the headers for some type constants, so no need to - # build all of e2fsprogs for the target - cp -R ${STAGING_INCDIR_NATIVE}/ext2fs ${WORKDIR}/extra-includes/ -} - -ALTERNATIVE_PRIORITY = "80" - -PACKAGES =+ "bsdtar" -FILES_bsdtar = "${bindir}/bsdtar" - -ALTERNATIVE_bsdtar = "tar" -ALTERNATIVE_LINK_NAME[tar] = "${base_bindir}/tar" -ALTERNATIVE_TARGET[tar] = "${bindir}/bsdtar" - -PACKAGES =+ "bsdcpio" -FILES_bsdcpio = "${bindir}/bsdcpio" - -ALTERNATIVE_bsdcpio = "cpio" -ALTERNATIVE_LINK_NAME[cpio] = "${base_bindir}/cpio" -ALTERNATIVE_TARGET[cpio] = "${bindir}/bsdcpio" - -BBCLASSEXTEND = "native nativesdk" diff --git a/meta/recipes-extended/libarchive/libarchive_3.4.1.bb b/meta/recipes-extended/libarchive/libarchive_3.4.1.bb new file mode 100644 index 0000000000..2d33dd80ab --- /dev/null +++ b/meta/recipes-extended/libarchive/libarchive_3.4.1.bb @@ -0,0 +1,66 @@ +SUMMARY = "Support for reading various archive formats" +DESCRIPTION = "C library and command-line tools for reading and writing tar, cpio, zip, ISO, and other archive formats" +HOMEPAGE = "http://www.libarchive.org/" +SECTION = "devel" +LICENSE = "BSD-2-Clause" +LIC_FILES_CHKSUM = "file://COPYING;md5=fe01f5e02b1f0cc934d593a7b0ddceb6" + +DEPENDS = "e2fsprogs-native" + +PACKAGECONFIG ?= "zlib bz2 xz lzo" + +PACKAGECONFIG_append_class-target = "\ + libxml2 \ + ${@bb.utils.filter('DISTRO_FEATURES', 'acl xattr', d)} \ +" + +DEPENDS_BZIP2 = "bzip2-replacement-native" +DEPENDS_BZIP2_class-target = "bzip2" + +PACKAGECONFIG[acl] = "--enable-acl,--disable-acl,acl," +PACKAGECONFIG[xattr] = "--enable-xattr,--disable-xattr,attr," +PACKAGECONFIG[zlib] = "--with-zlib,--without-zlib,zlib," +PACKAGECONFIG[bz2] = "--with-bz2lib,--without-bz2lib,${DEPENDS_BZIP2}," +PACKAGECONFIG[xz] = "--with-lzma,--without-lzma,xz," +PACKAGECONFIG[openssl] = "--with-openssl,--without-openssl,openssl," +PACKAGECONFIG[libxml2] = "--with-xml2,--without-xml2,libxml2," +PACKAGECONFIG[expat] = "--with-expat,--without-expat,expat," +PACKAGECONFIG[lzo] = "--with-lzo2,--without-lzo2,lzo," +PACKAGECONFIG[nettle] = "--with-nettle,--without-nettle,nettle," +PACKAGECONFIG[lz4] = "--with-lz4,--without-lz4,lz4," + +EXTRA_OECONF += "--enable-largefile" + +SRC_URI = "http://libarchive.org/downloads/libarchive-${PV}.tar.gz" + +SRC_URI[md5sum] = "59bff5ee6216cbb76c8354f6dd6f5a5a" +SRC_URI[sha256sum] = "fcf87f3ad8db2e4f74f32526dee62dd1fb9894782b0a503a89c9d7a70a235191" + +inherit autotools update-alternatives pkgconfig + +CPPFLAGS += "-I${WORKDIR}/extra-includes" + +do_configure[cleandirs] += "${WORKDIR}/extra-includes" +do_configure_prepend() { + # We just need the headers for some type constants, so no need to + # build all of e2fsprogs for the target + cp -R ${STAGING_INCDIR_NATIVE}/ext2fs ${WORKDIR}/extra-includes/ +} + +ALTERNATIVE_PRIORITY = "80" + +PACKAGES =+ "bsdtar" +FILES_bsdtar = "${bindir}/bsdtar" + +ALTERNATIVE_bsdtar = "tar" +ALTERNATIVE_LINK_NAME[tar] = "${base_bindir}/tar" +ALTERNATIVE_TARGET[tar] = "${bindir}/bsdtar" + +PACKAGES =+ "bsdcpio" +FILES_bsdcpio = "${bindir}/bsdcpio" + +ALTERNATIVE_bsdcpio = "cpio" +ALTERNATIVE_LINK_NAME[cpio] = "${base_bindir}/cpio" +ALTERNATIVE_TARGET[cpio] = "${bindir}/bsdcpio" + +BBCLASSEXTEND = "native nativesdk" -- cgit v1.2.3-54-g00ecf