meta/recipes-extended/libarchive/libarchive/CVE-2021-31566-01.patch


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23

Description: Never follow symlinks when setting file flags on Linux
 Published as CVE-2021-31566
Origin: upstream, https://github.com/libarchive/libarchive/commit/e2ad1a2c3064fa9eba6274b3641c4c1beed25c0b
Bug-Debian: https://bugs.debian.org/1001990
Author: Martin Matuska <martin@matuska.org>
Last-Update: 2021-12-20

CVE: CVE-2021-31566
Upstream-Status: Backport [http://deb.debian.org/debian/pool/main/liba/libarchive/libarchive_3.4.3-2+deb11u1.debian.tar.xz]
Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>

--- a/libarchive/archive_write_disk_posix.c
+++ b/libarchive/archive_write_disk_posix.c
@@ -3927,7 +3927,8 @@
 
 	/* If we weren't given an fd, open it ourselves. */
 	if (myfd < 0) {
-		myfd = open(name, O_RDONLY | O_NONBLOCK | O_BINARY | O_CLOEXEC);
+		myfd = open(name, O_RDONLY | O_NONBLOCK | O_BINARY |
+		    O_CLOEXEC | O_NOFOLLOW);
 		__archive_ensure_cloexec_flag(myfd);
 	}
 	if (myfd < 0)