added patches from rhel7.7 - about various flaws (#1672900)

2019-03-14 11:34:48 +01:00 · 2019-03-14 11:34:48 +01:00 · c3fc865204
commit c3fc865204
parent 99a79ce04e
3 changed files with 121 additions and 1 deletions
--- a/libarchive-3.1.2-CVE-2019-1000019.patch
+++ b/libarchive-3.1.2-CVE-2019-1000019.patch
@ -0,0 +1,58 @@
 From 65a23f5dbee4497064e9bb467f81138a62b0dae1 Mon Sep 17 00:00:00 2001
 From: Daniel Axtens <dja@axtens.net>
 Date: Tue, 1 Jan 2019 16:01:40 +1100
 Subject: [PATCH 2/2] 7zip: fix crash when parsing certain archives
 Fuzzing with CRCs disabled revealed that a call to get_uncompressed_data()
 would sometimes fail to return at least 'minimum' bytes. This can cause
 the crc32() invocation in header_bytes to read off into invalid memory.
 A specially crafted archive can use this to cause a crash.
 An ASAN trace is below, but ASAN is not required - an uninstrumented
 binary will also crash.
 ==7719==ERROR: AddressSanitizer: SEGV on unknown address 0x631000040000 (pc 0x7fbdb3b3ec1d bp 0x7ffe77a51310 sp 0x7ffe77a51150 T0)
 ==7719==The signal is caused by a READ memory access.
    #0 0x7fbdb3b3ec1c in crc32_z (/lib/x86_64-linux-gnu/libz.so.1+0x2c1c)
    #1 0x84f5eb in header_bytes (/tmp/libarchive/bsdtar+0x84f5eb)
    #2 0x856156 in read_Header (/tmp/libarchive/bsdtar+0x856156)
    #3 0x84e134 in slurp_central_directory (/tmp/libarchive/bsdtar+0x84e134)
    #4 0x849690 in archive_read_format_7zip_read_header (/tmp/libarchive/bsdtar+0x849690)
    #5 0x5713b7 in _archive_read_next_header2 (/tmp/libarchive/bsdtar+0x5713b7)
    #6 0x570e63 in _archive_read_next_header (/tmp/libarchive/bsdtar+0x570e63)
    #7 0x6f08bd in archive_read_next_header (/tmp/libarchive/bsdtar+0x6f08bd)
    #8 0x52373f in read_archive (/tmp/libarchive/bsdtar+0x52373f)
    #9 0x5257be in tar_mode_x (/tmp/libarchive/bsdtar+0x5257be)
    #10 0x51daeb in main (/tmp/libarchive/bsdtar+0x51daeb)
    #11 0x7fbdb27cab96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
    #12 0x41dd09 in _start (/tmp/libarchive/bsdtar+0x41dd09)
 This was primarly done with afl and FairFuzz. Some early corpus entries
 may have been generated by qsym.
 ---
 libarchive/archive_read_support_format_7zip.c | 8 +-------
 1 file changed, 1 insertion(+), 7 deletions(-)
 diff --git a/libarchive/archive_read_support_format_7zip.c b/libarchive/archive_read_support_format_7zip.c
 index bccbf896..b6d1505d 100644
 --- a/libarchive/archive_read_support_format_7zip.c
 +++ b/libarchive/archive_read_support_format_7zip.c
@@ -2964,13 +2964,7 @@ get_uncompressed_data(struct archive_read *a, const void **buff, size_t size,
 	if (zip->codec == _7Z_COPY && zip->codec2 == (unsigned long)-1) {
 		/* Copy mode. */
 -		/*
 -		 * Note: '1' here is a performance optimization.
 -		 * Recall that the decompression layer returns a count of
 -		 * available bytes; asking for more than that forces the
 -		 * decompressor to combine reads by copying data.
 -		 */
 -		*buff = __archive_read_ahead(a, 1, &bytes_avail);
 +		*buff = __archive_read_ahead(a, minimum, &bytes_avail);
 		if (bytes_avail <= 0) {
 			archive_set_error(&a->archive,
 			    ARCHIVE_ERRNO_FILE_FORMAT,
 -- 
 2.20.1
--- a/libarchive-3.1.2-CVE-2019-1000020.patch
+++ b/libarchive-3.1.2-CVE-2019-1000020.patch
@ -0,0 +1,59 @@
 From 8312eaa576014cd9b965012af51bc1f967b12423 Mon Sep 17 00:00:00 2001
 From: Daniel Axtens <dja@axtens.net>
 Date: Tue, 1 Jan 2019 17:10:49 +1100
 Subject: [PATCH 1/2] iso9660: Fail when expected Rockridge extensions is
 missing
 A corrupted or malicious ISO9660 image can cause read_CE() to loop
 forever.
 read_CE() calls parse_rockridge(), expecting a Rockridge extension
 to be read. However, parse_rockridge() is structured as a while
 loop starting with a sanity check, and if the sanity check fails
 before the loop has run, the function returns ARCHIVE_OK without
 advancing the position in the file. This causes read_CE() to retry
 indefinitely.
 Make parse_rockridge() return ARCHIVE_WARN if it didn't read an
 extension. As someone with no real knowledge of the format, this
 seems more apt than ARCHIVE_FATAL, but both the call-sites escalate
 it to a fatal error immediately anyway.
 Found with a combination of AFL, afl-rb (FairFuzz) and qsym.
 ---
 libarchive/archive_read_support_format_iso9660.c | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)
 diff --git a/libarchive/archive_read_support_format_iso9660.c b/libarchive/archive_read_support_format_iso9660.c
 index 28acfefb..bad8f1df 100644
 --- a/libarchive/archive_read_support_format_iso9660.c
 +++ b/libarchive/archive_read_support_format_iso9660.c
@@ -2102,6 +2102,7 @@ parse_rockridge(struct archive_read *a, struct file_info *file,
     const unsigned char *p, const unsigned char *end)
 {
 	struct iso9660 *iso9660;
 +	int entry_seen = 0;
 	iso9660 = (struct iso9660 *)(a->format->data);
@@ -2257,8 +2258,16 @@ parse_rockridge(struct archive_read *a, struct file_info *file,
 		}
 		p += p[2];
 +		entry_seen = 1;
 +	}
 +
 +	if (entry_seen)
 +		return (ARCHIVE_OK);
 +	else {
 +		archive_set_error(&a->archive, ARCHIVE_ERRNO_FILE_FORMAT,
 +				  "Tried to parse Rockridge extensions, but none found");
 +		return (ARCHIVE_WARN);
 	}
 -	return (ARCHIVE_OK);
 }
 static int
 -- 
 2.20.1
--- a/libarchive.spec
+++ b/libarchive.spec
@ -2,7 +2,7 @@
 Name:           libarchive
 Version:        3.3.3
-Release:        3%{?dist}
+Release:        4%{?dist}
 Summary:        A library for handling streaming archive formats
 License:        BSD
@ -213,6 +213,9 @@ run_testsuite
 %changelog
 * Thu Mar 14 2019 Ondrej Dubaj <odubaj@redhat.com> - 3.3.3-4
 - applied various flaws (#1672900)
 * Fri Feb 01 2019 Fedora Release Engineering <releng@fedoraproject.org> - 3.3.3-3
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild