diff --git a/.gitignore b/.gitignore index 7a86785..2664f10 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1 @@ -/libarchive-3.2.1.tar.gz +/libarchive-3.2.2.tar.gz diff --git a/RHBZ#1378666.patch b/RHBZ#1378666.patch deleted file mode 100644 index 881d09f..0000000 --- a/RHBZ#1378666.patch +++ /dev/null @@ -1,38 +0,0 @@ -From e37b620fe8f14535d737e89a4dcabaed4517bf1a Mon Sep 17 00:00:00 2001 -From: Tim Kientzle -Date: Sun, 21 Aug 2016 10:51:43 -0700 -Subject: [PATCH] Issue #767: Buffer overflow printing a filename - -The safe_fprintf function attempts to ensure clean output for an -arbitrary sequence of bytes by doing a trial conversion of the -multibyte characters to wide characters -- if the resulting wide -character is printable then we pass through the corresponding bytes -unaltered, otherwise, we convert them to C-style ASCII escapes. - -The stack trace in Issue #767 suggest that the 20-byte buffer -was getting overflowed trying to format a non-printable multibyte -character. This should only happen if there is a valid multibyte -character of more than 5 bytes that was unprintable. (Each byte -would get expanded to a four-charcter octal-style escape of the form -"\123" resulting in >20 characters for the >5 byte multibyte character.) - -I've not been able to reproduce this, but have expanded the conversion -buffer to 128 bytes on the belief that no multibyte character set -has a single character of more than 32 bytes. ---- - tar/util.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/tar/util.c b/tar/util.c -index 9ff22f2..2b4aebe 100644 ---- a/tar/util.c -+++ b/tar/util.c -@@ -182,7 +182,7 @@ safe_fprintf(FILE *f, const char *fmt, ...) - } - - /* If our output buffer is full, dump it and keep going. */ -- if (i > (sizeof(outbuff) - 20)) { -+ if (i > (sizeof(outbuff) - 128)) { - outbuff[i] = '\0'; - fprintf(f, "%s", outbuff); - i = 0; diff --git a/RHBZ#1378668.patch b/RHBZ#1378668.patch deleted file mode 100644 index a6a0036..0000000 --- a/RHBZ#1378668.patch +++ /dev/null @@ -1,66 +0,0 @@ -From 7f17c791dcfd8c0416e2cd2485b19410e47ef126 Mon Sep 17 00:00:00 2001 -From: Tim Kientzle -Date: Sun, 18 Sep 2016 18:14:58 -0700 -Subject: [PATCH] Issue 761: Heap overflow reading corrupted 7Zip files - -The sample file that demonstrated this had multiple 'EmptyStream' -attributes. The first one ended up being used to calculate -certain statistics, then was overwritten by the second which -was incompatible with those statistics. - -The fix here is to reject any header with multiple EmptyStream -attributes. While here, also reject headers with multiple -EmptyFile, AntiFile, Name, or Attributes markers. ---- - libarchive/archive_read_support_format_7zip.c | 10 ++++++++++ - 1 file changed, 10 insertions(+) - -diff --git a/libarchive/archive_read_support_format_7zip.c b/libarchive/archive_read_support_format_7zip.c -index 1dfe52b..c0a536c 100644 ---- a/libarchive/archive_read_support_format_7zip.c -+++ b/libarchive/archive_read_support_format_7zip.c -@@ -2431,6 +2431,8 @@ read_Header(struct archive_read *a, struct _7z_header_info *h, - - switch (type) { - case kEmptyStream: -+ if (h->emptyStreamBools != NULL) -+ return (-1); - h->emptyStreamBools = calloc((size_t)zip->numFiles, - sizeof(*h->emptyStreamBools)); - if (h->emptyStreamBools == NULL) -@@ -2451,6 +2453,8 @@ read_Header(struct archive_read *a, struct _7z_header_info *h, - return (-1); - break; - } -+ if (h->emptyFileBools != NULL) -+ return (-1); - h->emptyFileBools = calloc(empty_streams, - sizeof(*h->emptyFileBools)); - if (h->emptyFileBools == NULL) -@@ -2465,6 +2469,8 @@ read_Header(struct archive_read *a, struct _7z_header_info *h, - return (-1); - break; - } -+ if (h->antiBools != NULL) -+ return (-1); - h->antiBools = calloc(empty_streams, - sizeof(*h->antiBools)); - if (h->antiBools == NULL) -@@ -2491,6 +2497,8 @@ read_Header(struct archive_read *a, struct _7z_header_info *h, - if ((ll & 1) || ll < zip->numFiles * 4) - return (-1); - -+ if (zip->entry_names != NULL) -+ return (-1); - zip->entry_names = malloc(ll); - if (zip->entry_names == NULL) - return (-1); -@@ -2543,6 +2551,8 @@ read_Header(struct archive_read *a, struct _7z_header_info *h, - if ((p = header_bytes(a, 2)) == NULL) - return (-1); - allAreDefined = *p; -+ if (h->attrBools != NULL) -+ return (-1); - h->attrBools = calloc((size_t)zip->numFiles, - sizeof(*h->attrBools)); - if (h->attrBools == NULL) diff --git a/RHBZ#1378669.patch b/RHBZ#1378669.patch deleted file mode 100644 index f0ce0fa..0000000 --- a/RHBZ#1378669.patch +++ /dev/null @@ -1,137 +0,0 @@ -From eec077f52bfa2d3f7103b4b74d52572ba8a15aca Mon Sep 17 00:00:00 2001 -From: Tim Kientzle -Date: Sun, 18 Sep 2016 17:27:47 -0700 -Subject: [PATCH] Issue 747 (and others?): Avoid OOB read when parsing - multiple long lines - -The mtree bidder needs to look several lines ahead -in the input. It does this by extending the read-ahead -and parsing subsequent lines from the same growing buffer. -A bookkeeping error when extending the read-ahead would -sometimes lead it to significantly over-count the -size of the line being read. ---- - Makefile.am | 1 + - libarchive/archive_read_support_format_mtree.c | 11 +++++- - libarchive/test/CMakeLists.txt | 1 + - libarchive/test/test_read_format_mtree_crash747.c | 44 ++++++++++++++++++++++ - .../test_read_format_mtree_crash747.mtree.bz2.uu | 6 +++ - 5 files changed, 62 insertions(+), 1 deletion(-) - create mode 100644 libarchive/test/test_read_format_mtree_crash747.c - create mode 100644 libarchive/test/test_read_format_mtree_crash747.mtree.bz2.uu - -diff --git a/Makefile.am b/Makefile.am -index e161c5d..90c9ae1 100644 ---- a/Makefile.am -+++ b/Makefile.am -@@ -449,6 +449,7 @@ libarchive_test_SOURCES= \ - libarchive/test/test_read_format_lha_bugfix_0.c \ - libarchive/test/test_read_format_lha_filename.c \ - libarchive/test/test_read_format_mtree.c \ -+ libarchive/test/test_read_format_mtree_crash747.c \ - libarchive/test/test_read_format_pax_bz2.c \ - libarchive/test/test_read_format_rar.c \ - libarchive/test/test_read_format_rar_encryption_data.c \ -diff --git a/libarchive/archive_read_support_format_mtree.c b/libarchive/archive_read_support_format_mtree.c -index 8c3be9a..ae58e87 100644 ---- a/libarchive/archive_read_support_format_mtree.c -+++ b/libarchive/archive_read_support_format_mtree.c -@@ -301,6 +301,15 @@ get_line_size(const char *b, ssize_t avail, ssize_t *nlsize) - return (avail); - } - -+/* -+ * <---------------- ravail ---------------------> -+ * <-- diff ------> <--- avail -----------------> -+ * <---- len -----------> -+ * | Previous lines | line being parsed nl extra | -+ * ^ -+ * b -+ * -+ */ - static ssize_t - next_line(struct archive_read *a, - const char **b, ssize_t *avail, ssize_t *ravail, ssize_t *nl) -@@ -339,7 +348,7 @@ next_line(struct archive_read *a, - *b += diff; - *avail -= diff; - tested = len;/* Skip some bytes we already determinated. */ -- len = get_line_size(*b, *avail, nl); -+ len = get_line_size(*b + len, *avail - len, nl); - if (len >= 0) - len += tested; - } -diff --git a/libarchive/test/CMakeLists.txt b/libarchive/test/CMakeLists.txt -index 345e42a..0cb5966 100644 ---- a/libarchive/test/CMakeLists.txt -+++ b/libarchive/test/CMakeLists.txt -@@ -138,6 +138,7 @@ IF(ENABLE_TEST) - test_read_format_lha_bugfix_0.c - test_read_format_lha_filename.c - test_read_format_mtree.c -+ test_read_format_mtree_crash747.c - test_read_format_pax_bz2.c - test_read_format_rar.c - test_read_format_rar_encryption_data.c -diff --git a/libarchive/test/test_read_format_mtree_crash747.c b/libarchive/test/test_read_format_mtree_crash747.c -new file mode 100644 -index 0000000..c082845 ---- /dev/null -+++ b/libarchive/test/test_read_format_mtree_crash747.c -@@ -0,0 +1,44 @@ -+/*- -+ * Copyright (c) 2003-2016 Tim Kientzle -+ * All rights reserved. -+ * -+ * Redistribution and use in source and binary forms, with or without -+ * modification, are permitted provided that the following conditions -+ * are met: -+ * 1. Redistributions of source code must retain the above copyright -+ * notice, this list of conditions and the following disclaimer. -+ * 2. Redistributions in binary form must reproduce the above copyright -+ * notice, this list of conditions and the following disclaimer in the -+ * documentation and/or other materials provided with the distribution. -+ * -+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR(S) ``AS IS'' AND ANY EXPRESS OR -+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES -+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. -+ * IN NO EVENT SHALL THE AUTHOR(S) BE LIABLE FOR ANY DIRECT, INDIRECT, -+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT -+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, -+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY -+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT -+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF -+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. -+ */ -+#include "test.h" -+ -+ -+/* -+ * Reproduce the crash reported in Github Issue #747. -+ */ -+DEFINE_TEST(test_read_format_mtree_crash747) -+{ -+ const char *reffile = "test_read_format_mtree_crash747.mtree.bz2"; -+ struct archive *a; -+ -+ extract_reference_file(reffile); -+ -+ assert((a = archive_read_new()) != NULL); -+ assertEqualIntA(a, ARCHIVE_OK, archive_read_support_filter_bzip2(a)); -+ assertEqualIntA(a, ARCHIVE_OK, archive_read_support_format_mtree(a)); -+ assertEqualIntA(a, ARCHIVE_FATAL, archive_read_open_filename(a, reffile, 10240)); -+ assertEqualInt(ARCHIVE_OK, archive_read_free(a)); -+} -+ -diff --git a/libarchive/test/test_read_format_mtree_crash747.mtree.bz2.uu b/libarchive/test/test_read_format_mtree_crash747.mtree.bz2.uu -new file mode 100644 -index 0000000..84f3895 ---- /dev/null -+++ b/libarchive/test/test_read_format_mtree_crash747.mtree.bz2.uu -@@ -0,0 +1,6 @@ -+begin 600 test_read_format_mtree_crash747.mtree.bz2 -+M0EIH.3%!62936:OH@(@``'/[@,`0`@!``'^```)A@9\`$`@@`'4)049!IIH! -+MM021-0,F@&@6````9%>$(K!GIC*XFR0`$```J0+:$XP```!D-F)H[#SE9+2' -+4+E"L=ASXUI%R(I"HD'ZA(5?1`Q`` -+` -+end diff --git a/libarchive.spec b/libarchive.spec index 5a3b774..15a9f85 100644 --- a/libarchive.spec +++ b/libarchive.spec @@ -1,18 +1,15 @@ +%{warn:TODO: package README after https://github.com/libarchive/libarchive/pull/809 +} + Name: libarchive -Version: 3.2.1 -Release: 5%{?dist} +Version: 3.2.2 +Release: 1%{?dist} Summary: A library for handling streaming archive formats License: BSD URL: http://www.libarchive.org/ Source0: http://www.libarchive.org/downloads/%{name}-%{version}.tar.gz -# heap based buffer overflow in detect_form (archive_read_support_format_mtree.c) -Patch0: RHBZ#1378669.patch -# heap based buffer overflow in read_header (archive_read_support_format_7zip.c) -Patch1: RHBZ#1378668.patch -# stack based buffer overflow in bsdtar_expand_char (util.c) -Patch2: RHBZ#1378666.patch # Make it build with OpenSSL 1.1.0 Patch3: libarchive-3.2.1-openssl-1.1.patch @@ -183,7 +180,7 @@ run_testsuite %files %{!?_licensedir:%global license %%doc} %license COPYING -%doc README NEWS +%doc NEWS %{_libdir}/libarchive.so.13* %{_mandir}/*/cpio.* %{_mandir}/*/mtree.* @@ -199,27 +196,30 @@ run_testsuite %files -n bsdtar %{!?_licensedir:%global license %%doc} %license COPYING -%doc README NEWS +%doc NEWS %{_bindir}/bsdtar %{_mandir}/*/bsdtar* %files -n bsdcpio %{!?_licensedir:%global license %%doc} %license COPYING -%doc README NEWS +%doc NEWS %{_bindir}/bsdcpio %{_mandir}/*/bsdcpio* %files -n bsdcat %{!?_licensedir:%global license %%doc} %license COPYING -%doc README NEWS +%doc NEWS %{_bindir}/bsdcat %{_mandir}/*/bsdcat* %changelog +* Tue Oct 25 2016 Pavel Raiskup - 3.2.2-1 +- minor rebase to 3.2.2 + * Tue Oct 11 2016 Tomáš Mráz - 3.2.1-5 - rebuild with OpenSSL 1.1.0 diff --git a/sources b/sources index 1f213f5..b1d3c84 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -afa257047d1941a565216edbf0171e72 libarchive-3.2.1.tar.gz +1ec00b7dcaf969dd2a5712f85f23c764 libarchive-3.2.2.tar.gz