rpms/libarchive
7
0
Fork 0
Code Issues Pull Requests Releases Activity

rebase: mostly for security issues

Browse Source 
Version: 3.2.2-1
This commit is contained in:
Pavel Raiskup 2016-10-25 16:08:13 +02:00
parent 625e9e301e
commit 51dd9a41d6
6 changed files with 14 additions and 255 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
.gitignore vendored
View File

@ -1 +1 @@
/libarchive-3.2.1.tar.gz
/libarchive-3.2.2.tar.gz

38
RHBZ#1378666.patch
View File

@ -1,38 +0,0 @@
From e37b620fe8f14535d737e89a4dcabaed4517bf1a Mon Sep 17 00:00:00 2001
From: Tim Kientzle <kientzle@acm.org>
Date: Sun, 21 Aug 2016 10:51:43 -0700
Subject: [PATCH] Issue #767: Buffer overflow printing a filename
The safe_fprintf function attempts to ensure clean output for an
arbitrary sequence of bytes by doing a trial conversion of the
multibyte characters to wide characters -- if the resulting wide
character is printable then we pass through the corresponding bytes
unaltered, otherwise, we convert them to C-style ASCII escapes.
The stack trace in Issue #767 suggest that the 20-byte buffer
was getting overflowed trying to format a non-printable multibyte
character. This should only happen if there is a valid multibyte
character of more than 5 bytes that was unprintable. (Each byte
would get expanded to a four-charcter octal-style escape of the form
"\123" resulting in >20 characters for the >5 byte multibyte character.)
I've not been able to reproduce this, but have expanded the conversion
buffer to 128 bytes on the belief that no multibyte character set
has a single character of more than 32 bytes.
---
tar/util.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tar/util.c b/tar/util.c
index 9ff22f2..2b4aebe 100644
--- a/tar/util.c
+++ b/tar/util.c
@@ -182,7 +182,7 @@ safe_fprintf(FILE *f, const char *fmt, ...)
}
/* If our output buffer is full, dump it and keep going. */
- if (i > (sizeof(outbuff) - 20)) {
+ if (i > (sizeof(outbuff) - 128)) {
outbuff[i] = '\0';
fprintf(f, "%s", outbuff);
i = 0;

66
RHBZ#1378668.patch
View File

@ -1,66 +0,0 @@
From 7f17c791dcfd8c0416e2cd2485b19410e47ef126 Mon Sep 17 00:00:00 2001
From: Tim Kientzle <kientzle@acm.org>
Date: Sun, 18 Sep 2016 18:14:58 -0700
Subject: [PATCH] Issue 761: Heap overflow reading corrupted 7Zip files
The sample file that demonstrated this had multiple 'EmptyStream'
attributes. The first one ended up being used to calculate
certain statistics, then was overwritten by the second which
was incompatible with those statistics.
The fix here is to reject any header with multiple EmptyStream
attributes. While here, also reject headers with multiple
EmptyFile, AntiFile, Name, or Attributes markers.
---
libarchive/archive_read_support_format_7zip.c | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/libarchive/archive_read_support_format_7zip.c b/libarchive/archive_read_support_format_7zip.c
index 1dfe52b..c0a536c 100644
--- a/libarchive/archive_read_support_format_7zip.c
+++ b/libarchive/archive_read_support_format_7zip.c
@@ -2431,6 +2431,8 @@ read_Header(struct archive_read *a, struct _7z_header_info *h,
switch (type) {
case kEmptyStream:
+ if (h->emptyStreamBools != NULL)
+ return (-1);
h->emptyStreamBools = calloc((size_t)zip->numFiles,
sizeof(*h->emptyStreamBools));
if (h->emptyStreamBools == NULL)
@@ -2451,6 +2453,8 @@ read_Header(struct archive_read *a, struct _7z_header_info *h,
return (-1);
break;
}
+ if (h->emptyFileBools != NULL)
+ return (-1);
h->emptyFileBools = calloc(empty_streams,
sizeof(*h->emptyFileBools));
if (h->emptyFileBools == NULL)
@@ -2465,6 +2469,8 @@ read_Header(struct archive_read *a, struct _7z_header_info *h,
return (-1);
break;
}
+ if (h->antiBools != NULL)
+ return (-1);
h->antiBools = calloc(empty_streams,
sizeof(*h->antiBools));
if (h->antiBools == NULL)
@@ -2491,6 +2497,8 @@ read_Header(struct archive_read *a, struct _7z_header_info *h,
if ((ll & 1) || ll < zip->numFiles * 4)
return (-1);
+ if (zip->entry_names != NULL)
+ return (-1);
zip->entry_names = malloc(ll);
if (zip->entry_names == NULL)
return (-1);
@@ -2543,6 +2551,8 @@ read_Header(struct archive_read *a, struct _7z_header_info *h,
if ((p = header_bytes(a, 2)) == NULL)
return (-1);
allAreDefined = *p;
+ if (h->attrBools != NULL)
+ return (-1);
h->attrBools = calloc((size_t)zip->numFiles,
sizeof(*h->attrBools));
if (h->attrBools == NULL)

137
RHBZ#1378669.patch
View File

@ -1,137 +0,0 @@
From eec077f52bfa2d3f7103b4b74d52572ba8a15aca Mon Sep 17 00:00:00 2001
From: Tim Kientzle <kientzle@acm.org>
Date: Sun, 18 Sep 2016 17:27:47 -0700
Subject: [PATCH] Issue 747 (and others?): Avoid OOB read when parsing
multiple long lines
The mtree bidder needs to look several lines ahead
in the input. It does this by extending the read-ahead
and parsing subsequent lines from the same growing buffer.
A bookkeeping error when extending the read-ahead would
sometimes lead it to significantly over-count the
size of the line being read.
---
Makefile.am | 1 +
libarchive/archive_read_support_format_mtree.c | 11 +++++-
libarchive/test/CMakeLists.txt | 1 +
libarchive/test/test_read_format_mtree_crash747.c | 44 ++++++++++++++++++++++
.../test_read_format_mtree_crash747.mtree.bz2.uu | 6 +++
5 files changed, 62 insertions(+), 1 deletion(-)
create mode 100644 libarchive/test/test_read_format_mtree_crash747.c
create mode 100644 libarchive/test/test_read_format_mtree_crash747.mtree.bz2.uu
diff --git a/Makefile.am b/Makefile.am
index e161c5d..90c9ae1 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -449,6 +449,7 @@ libarchive_test_SOURCES= \
libarchive/test/test_read_format_lha_bugfix_0.c \
libarchive/test/test_read_format_lha_filename.c \
libarchive/test/test_read_format_mtree.c \
+ libarchive/test/test_read_format_mtree_crash747.c \
libarchive/test/test_read_format_pax_bz2.c \
libarchive/test/test_read_format_rar.c \
libarchive/test/test_read_format_rar_encryption_data.c \
diff --git a/libarchive/archive_read_support_format_mtree.c b/libarchive/archive_read_support_format_mtree.c
index 8c3be9a..ae58e87 100644
--- a/libarchive/archive_read_support_format_mtree.c
+++ b/libarchive/archive_read_support_format_mtree.c
@@ -301,6 +301,15 @@ get_line_size(const char *b, ssize_t avail, ssize_t *nlsize)
return (avail);
}
+/*
+ * <---------------- ravail --------------------->
+ * <-- diff ------> <--- avail ----------------->
+ * <---- len ----------->
+ * | Previous lines | line being parsed nl extra |
+ * ^
+ * b
+ *
+ */
static ssize_t
next_line(struct archive_read *a,
const char **b, ssize_t *avail, ssize_t *ravail, ssize_t *nl)
@@ -339,7 +348,7 @@ next_line(struct archive_read *a,
*b += diff;
*avail -= diff;
tested = len;/* Skip some bytes we already determinated. */
- len = get_line_size(*b, *avail, nl);
+ len = get_line_size(*b + len, *avail - len, nl);
if (len >= 0)
len += tested;
}
diff --git a/libarchive/test/CMakeLists.txt b/libarchive/test/CMakeLists.txt
index 345e42a..0cb5966 100644
--- a/libarchive/test/CMakeLists.txt
+++ b/libarchive/test/CMakeLists.txt
@@ -138,6 +138,7 @@ IF(ENABLE_TEST)
test_read_format_lha_bugfix_0.c
test_read_format_lha_filename.c
test_read_format_mtree.c
+ test_read_format_mtree_crash747.c
test_read_format_pax_bz2.c
test_read_format_rar.c
test_read_format_rar_encryption_data.c
diff --git a/libarchive/test/test_read_format_mtree_crash747.c b/libarchive/test/test_read_format_mtree_crash747.c
new file mode 100644
index 0000000..c082845
--- /dev/null
+++ b/libarchive/test/test_read_format_mtree_crash747.c
@@ -0,0 +1,44 @@
+/*-
+ * Copyright (c) 2003-2016 Tim Kientzle
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR(S) ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR(S) BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+#include "test.h"
+
+
+/*
+ * Reproduce the crash reported in Github Issue #747.
+ */
+DEFINE_TEST(test_read_format_mtree_crash747)
+{
+ const char *reffile = "test_read_format_mtree_crash747.mtree.bz2";
+ struct archive *a;
+
+ extract_reference_file(reffile);
+
+ assert((a = archive_read_new()) != NULL);
+ assertEqualIntA(a, ARCHIVE_OK, archive_read_support_filter_bzip2(a));
+ assertEqualIntA(a, ARCHIVE_OK, archive_read_support_format_mtree(a));
+ assertEqualIntA(a, ARCHIVE_FATAL, archive_read_open_filename(a, reffile, 10240));
+ assertEqualInt(ARCHIVE_OK, archive_read_free(a));
+}
+
diff --git a/libarchive/test/test_read_format_mtree_crash747.mtree.bz2.uu b/libarchive/test/test_read_format_mtree_crash747.mtree.bz2.uu
new file mode 100644
index 0000000..84f3895
--- /dev/null
+++ b/libarchive/test/test_read_format_mtree_crash747.mtree.bz2.uu
@@ -0,0 +1,6 @@
+begin 600 test_read_format_mtree_crash747.mtree.bz2
+M0EIH.3%!62936:OH@(@``'/[@,`0`@!``'^```)A@9\`$`@@`'4)049!IIH!
+MM021-0,F@&@6````9%>$(K!GIC*XFR0`$```J0+:$XP```!D-F)H[#SE9+2'
+4+E"L=ASXUI%R(I"HD'ZA(5?1`Q``
+`
+end

24
libarchive.spec
View File

@ -1,18 +1,15 @@
%{warn:TODO: package README after https://github.com/libarchive/libarchive/pull/809
}
Name: libarchive
Version: 3.2.1
Release: 5%{?dist}
Version: 3.2.2
Release: 1%{?dist}
Summary: A library for handling streaming archive formats
License: BSD
URL: http://www.libarchive.org/
Source0: http://www.libarchive.org/downloads/%{name}-%{version}.tar.gz
# heap based buffer overflow in detect_form (archive_read_support_format_mtree.c)
Patch0: RHBZ#1378669.patch
# heap based buffer overflow in read_header (archive_read_support_format_7zip.c)
Patch1: RHBZ#1378668.patch
# stack based buffer overflow in bsdtar_expand_char (util.c)
Patch2: RHBZ#1378666.patch
# Make it build with OpenSSL 1.1.0
Patch3: libarchive-3.2.1-openssl-1.1.patch
@ -183,7 +180,7 @@ run_testsuite
%files
%{!?_licensedir:%global license %%doc}
%license COPYING
%doc README NEWS
%doc NEWS
%{_libdir}/libarchive.so.13*
%{_mandir}/*/cpio.*
%{_mandir}/*/mtree.*
@ -199,27 +196,30 @@ run_testsuite
%files -n bsdtar
%{!?_licensedir:%global license %%doc}
%license COPYING
%doc README NEWS
%doc NEWS
%{_bindir}/bsdtar
%{_mandir}/*/bsdtar*
%files -n bsdcpio
%{!?_licensedir:%global license %%doc}
%license COPYING
%doc README NEWS
%doc NEWS
%{_bindir}/bsdcpio
%{_mandir}/*/bsdcpio*
%files -n bsdcat
%{!?_licensedir:%global license %%doc}
%license COPYING
%doc README NEWS
%doc NEWS
%{_bindir}/bsdcat
%{_mandir}/*/bsdcat*
%changelog
* Tue Oct 25 2016 Pavel Raiskup <praiskup@redhat.com> - 3.2.2-1
- minor rebase to 3.2.2
* Tue Oct 11 2016 Tomáš Mráz <tmraz@redhat.com> - 3.2.1-5
- rebuild with OpenSSL 1.1.0

2
sources
View File

@ -1 +1 @@
afa257047d1941a565216edbf0171e72 libarchive-3.2.1.tar.gz
1ec00b7dcaf969dd2a5712f85f23c764 libarchive-3.2.2.tar.gz