import libarchive-3.3.2-9.el8

2020-07-28 03:32:08 -04:00 · 2020-07-28 03:32:08 -04:00 · 0b7d74278e
commit 0b7d74278e
parent 3fe1224883
3 changed files with 138 additions and 1 deletions
--- a/SOURCES/libarchive-3.3.2-CVE-2019-18408.patch
+++ b/SOURCES/libarchive-3.3.2-CVE-2019-18408.patch
@ -0,0 +1,31 @@
+From 1abcbf1af5209631ccf4fca4ddcab3c863294c85 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Patrik=20Novotn=C3=BD?= <panovotn@redhat.com>
+Date: Wed, 15 Jan 2020 16:10:04 +0100
+Subject: [PATCH] RAR reader: fix use after free
+
+If read_data_compressed() returns ARCHIVE_FAILED, the caller is allowed
+to continue with next archive headers. We need to set rar->start_new_table
+after the ppmd7_context got freed, otherwise it won't be allocated again.
+---
+ libarchive/archive_read_support_format_rar.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/libarchive/archive_read_support_format_rar.c b/libarchive/archive_read_support_format_rar.c
+index cbb14c32..9c26ef97 100644
+--- a/libarchive/archive_read_support_format_rar.c
+++ b/libarchive/archive_read_support_format_rar.c
+@@ -1037,8 +1037,10 @@ archive_read_format_rar_read_data(struct archive_read *a, const void **buff,
+   case COMPRESS_METHOD_GOOD:
+   case COMPRESS_METHOD_BEST:
+     ret = read_data_compressed(a, buff, size, offset);
+-    if (ret != ARCHIVE_OK && ret != ARCHIVE_WARN)
+    if (ret != ARCHIVE_OK && ret != ARCHIVE_WARN) {
+       __archive_ppmd7_functions.Ppmd7_Free(&rar->ppmd7_context, &g_szalloc);
+      rar->start_new_table = 1;
+    }
+     break;
+ 
+   default:
+-- 
+2.24.1
+
--- a/SOURCES/libarchive-3.3.2-CVE-2019-19221.patch
+++ b/SOURCES/libarchive-3.3.2-CVE-2019-19221.patch
@ -0,0 +1,98 @@
+From 72085b30bf30867360c4aa77bd43de5e1788d875 Mon Sep 17 00:00:00 2001
+From: Ondrej Dubaj <odubaj@redhat.com>
+Date: Tue, 24 Mar 2020 09:22:47 +0100
+Subject: [PATCH] Bugfix and optimize archive_wstring_append_from_mbs()
+
+The cal to mbrtowc() or mbtowc() should read up to mbs_length
+bytes and not wcs_length. This avoids out-of-bounds reads.
+
+mbrtowc() and mbtowc() return (size_t)-1 wit errno EILSEQ when
+they encounter an invalid multibyte character and (size_t)-2 when
+they they encounter an incomplete multibyte character. As we return
+failure and all our callers error out it makes no sense to continue
+parsing mbs.
+
+As we allocate `len` wchars at the beginning and each wchar has
+at least one byte, there will never be need to grow the buffer,
+so the code can be left out. On the other hand, we are always
+allocatng more memory than we need.
+
+As long as wcs_length == mbs_length == len we can omit wcs_length.
+We keep the old code commented if we decide to save memory and
+use autoexpanding wcs_length in the future.
+---
+ libarchive/archive_string.c | 28 +++++++++++++++++-----------
+ 1 file changed, 17 insertions(+), 11 deletions(-)
+
+diff --git a/libarchive/archive_string.c b/libarchive/archive_string.c
+index 5ae09b6..d7541dc 100644
+--- a/libarchive/archive_string.c
+++ b/libarchive/archive_string.c
+@@ -590,7 +590,7 @@ archive_wstring_append_from_mbs(struct archive_wstring *dest,
+ 	 * No single byte will be more than one wide character,
+ 	 * so this length estimate will always be big enough.
+ 	 */
+-	size_t wcs_length = len;
+	//size_t wcs_length = len;
+ 	size_t mbs_length = len;
+ 	const char *mbs = p;
+ 	wchar_t *wcs;
+@@ -599,7 +599,11 @@ archive_wstring_append_from_mbs(struct archive_wstring *dest,
+ 
+ 	memset(&shift_state, 0, sizeof(shift_state));
+ #endif
+-	if (NULL == archive_wstring_ensure(dest, dest->length + wcs_length + 1))
+	/*
+	 * As we decided to have wcs_length == mbs_length == len
+	 * we can use len here instead of wcs_length
+	 */
+	if (NULL == archive_wstring_ensure(dest, dest->length + len + 1))
+ 		return (-1);
+ 	wcs = dest->s + dest->length;
+ 	/*
+@@ -608,6 +612,12 @@ archive_wstring_append_from_mbs(struct archive_wstring *dest,
+ 	 * multi bytes.
+ 	 */
+ 	while (*mbs && mbs_length > 0) {
+		/*
+		 * The buffer we allocated is always big enough.
+		 * Keep this code path in a comment if we decide to choose
+		 * smaller wcs_length in the future
+		 */
+/*
+ 		if (wcs_length == 0) {
+ 			dest->length = wcs - dest->s;
+ 			dest->s[dest->length] = L'\0';
+@@ -617,24 +627,20 @@ archive_wstring_append_from_mbs(struct archive_wstring *dest,
+ 				return (-1);
+ 			wcs = dest->s + dest->length;
+ 		}
+*/
+ #if HAVE_MBRTOWC
+-		r = mbrtowc(wcs, mbs, wcs_length, &shift_state);
+		r = mbrtowc(wcs, mbs, mbs_length, &shift_state);
+ #else
+-		r = mbtowc(wcs, mbs, wcs_length);
+		r = mbtowc(wcs, mbs, mbs_length);
+ #endif
+ 		if (r == (size_t)-1 || r == (size_t)-2) {
+ 			ret_val = -1;
+-			if (errno == EILSEQ) {
+-				++mbs;
+-				--mbs_length;
+-				continue;
+-			} else
+-				break;
+			break;
+ 		}
+ 		if (r == 0 || r > mbs_length)
+ 			break;
+ 		wcs++;
+-		wcs_length--;
+		//wcs_length--;
+ 		mbs += r;
+ 		mbs_length -= r;
+ 	}
+-- 
+2.24.1
+
--- a/SPECS/libarchive.spec
+++ b/SPECS/libarchive.spec
@ -2,7 +2,7 @@

 Name:           libarchive
 Version:        3.3.2
-Release:        7%{?dist}
+Release:        9%{?dist}
 Summary:        A library for handling streaming archive formats

 License:        BSD
@ -16,6 +16,8 @@ Patch3:        libarchive-3.3.2-CVE-2018-1000878.patch
 Patch4:        libarchive-3.3.2-CVE-2018-1000877.patch
 Patch5:        fix-use-after-free-in-delayed-newc.patch
 Patch6:        fix-few-obvious-resource-leaks-covscan.patch
+Patch7:        libarchive-3.3.2-CVE-2019-18408.patch
+Patch8:        libarchive-3.3.2-CVE-2019-19221.patch

 BuildRequires:  gcc
 BuildRequires:  bison
@ -219,6 +221,12 @@ run_testsuite


 %changelog
+* Tue Mar 24 2020 Ondrej Dubaj <odubaj@redhat.com> - 3.3.2-9
+- Fix out-of-bounds read (CVE-2019-19221) (#1803967)
+
+* Wed Jan 15 2020 Patrik Novotný <panovotn@redhat.com> - 3.3.2-8
+- Fix CVE-2019-18408: RAR use-after-free
+
 * Mon May 27 2019 Ondrej Dubaj <odubaj@redhat.com> - 3.3.2-7
 - fix use-after-free in delayed newc link processing (#1602575)
 - fix a few obvious resource leaks and strcpy() misuses (#1602575)