libarchive: fix segfault for broken cpio archives
Resolves: rhbz#1216891, rhbz#1216892 Version: 3.1.2-12
This commit is contained in:
parent
d46b2e13a5
commit
e7c1099e9a
119
libarchive-3.1.2-security-rhbz-1216891.patch
Normal file
119
libarchive-3.1.2-security-rhbz-1216891.patch
Normal file
@ -0,0 +1,119 @@
|
|||||||
|
From df29aeb7db98d227aea966b18261e5c1d97d223a Mon Sep 17 00:00:00 2001
|
||||||
|
From: Pavel Raiskup <praiskup@redhat.com>
|
||||||
|
Date: Wed, 29 Apr 2015 10:23:01 +0200
|
||||||
|
Subject: [PATCH] Upstream 3865cf2bc e6c9668f 24f5de65 --- From: Tim Kientzle
|
||||||
|
<kientzle@acm.org> Date: Fri, 30 Jan 2015 23:54:19 -0800 Subject: [PATCH]
|
||||||
|
Issue 394: Segfault when reading malformed old-style cpio archives
|
||||||
|
|
||||||
|
Root cause here was an implicit cast that resulted in
|
||||||
|
reading very large file sizes as negative numbers.
|
||||||
|
|
||||||
|
---
|
||||||
|
From: Tim Kientzle <kientzle@acm.org>
|
||||||
|
Date: Fri, 30 Jan 2015 23:57:03 -0800
|
||||||
|
Subject: [PATCH] Add a check to archive_read_filter_consume to
|
||||||
|
reject any attempts to move the file pointer by a negative
|
||||||
|
amount.
|
||||||
|
|
||||||
|
Note: Either this or commit 3865cf2 provides a fix for
|
||||||
|
Issue 394.
|
||||||
|
|
||||||
|
---
|
||||||
|
From: Tim Kientzle <kientzle@acm.org>
|
||||||
|
Date: Fri, 6 Feb 2015 22:07:16 -0800
|
||||||
|
Subject: [PATCH] Set a proper error message if we hit end-of-file
|
||||||
|
when trying to read a cpio header.
|
||||||
|
|
||||||
|
Suggested by Issue #395, although the actual problem there
|
||||||
|
seems to have been the same as Issue #394.
|
||||||
|
---
|
||||||
|
libarchive/archive_read.c | 2 ++
|
||||||
|
libarchive/archive_read_support_format_cpio.c | 22 ++++++++++++++--------
|
||||||
|
2 files changed, 16 insertions(+), 8 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/libarchive/archive_read.c b/libarchive/archive_read.c
|
||||||
|
index 048c316..7f3edc1 100644
|
||||||
|
--- a/libarchive/archive_read.c
|
||||||
|
+++ b/libarchive/archive_read.c
|
||||||
|
@@ -1394,6 +1394,8 @@ __archive_read_filter_consume(struct archive_read_filter * filter,
|
||||||
|
{
|
||||||
|
int64_t skipped;
|
||||||
|
|
||||||
|
+ if (request < 0)
|
||||||
|
+ return ARCHIVE_FATAL;
|
||||||
|
if (request == 0)
|
||||||
|
return 0;
|
||||||
|
|
||||||
|
diff --git a/libarchive/archive_read_support_format_cpio.c b/libarchive/archive_read_support_format_cpio.c
|
||||||
|
index 819f4a4..1dabc47 100644
|
||||||
|
--- a/libarchive/archive_read_support_format_cpio.c
|
||||||
|
+++ b/libarchive/archive_read_support_format_cpio.c
|
||||||
|
@@ -198,7 +198,7 @@ static int archive_read_format_cpio_read_data(struct archive_read *,
|
||||||
|
static int archive_read_format_cpio_read_header(struct archive_read *,
|
||||||
|
struct archive_entry *);
|
||||||
|
static int archive_read_format_cpio_skip(struct archive_read *);
|
||||||
|
-static int be4(const unsigned char *);
|
||||||
|
+static int64_t be4(const unsigned char *);
|
||||||
|
static int find_odc_header(struct archive_read *);
|
||||||
|
static int find_newc_header(struct archive_read *);
|
||||||
|
static int header_bin_be(struct archive_read *, struct cpio *,
|
||||||
|
@@ -213,7 +213,7 @@ static int header_afiol(struct archive_read *, struct cpio *,
|
||||||
|
struct archive_entry *, size_t *, size_t *);
|
||||||
|
static int is_octal(const char *, size_t);
|
||||||
|
static int is_hex(const char *, size_t);
|
||||||
|
-static int le4(const unsigned char *);
|
||||||
|
+static int64_t le4(const unsigned char *);
|
||||||
|
static int record_hardlink(struct archive_read *a,
|
||||||
|
struct cpio *cpio, struct archive_entry *entry);
|
||||||
|
|
||||||
|
@@ -864,8 +864,11 @@ header_bin_le(struct archive_read *a, struct cpio *cpio,
|
||||||
|
|
||||||
|
/* Read fixed-size portion of header. */
|
||||||
|
h = __archive_read_ahead(a, bin_header_size, NULL);
|
||||||
|
- if (h == NULL)
|
||||||
|
+ if (h == NULL) {
|
||||||
|
+ archive_set_error(&a->archive, 0,
|
||||||
|
+ "End of file trying to read next cpio header");
|
||||||
|
return (ARCHIVE_FATAL);
|
||||||
|
+ }
|
||||||
|
|
||||||
|
/* Parse out binary fields. */
|
||||||
|
header = (const unsigned char *)h;
|
||||||
|
@@ -900,8 +903,11 @@ header_bin_be(struct archive_read *a, struct cpio *cpio,
|
||||||
|
|
||||||
|
/* Read fixed-size portion of header. */
|
||||||
|
h = __archive_read_ahead(a, bin_header_size, NULL);
|
||||||
|
- if (h == NULL)
|
||||||
|
+ if (h == NULL) {
|
||||||
|
+ archive_set_error(&a->archive, 0,
|
||||||
|
+ "End of file trying to read next cpio header");
|
||||||
|
return (ARCHIVE_FATAL);
|
||||||
|
+ }
|
||||||
|
|
||||||
|
/* Parse out binary fields. */
|
||||||
|
header = (const unsigned char *)h;
|
||||||
|
@@ -944,17 +950,17 @@ archive_read_format_cpio_cleanup(struct archive_read *a)
|
||||||
|
return (ARCHIVE_OK);
|
||||||
|
}
|
||||||
|
|
||||||
|
-static int
|
||||||
|
+static int64_t
|
||||||
|
le4(const unsigned char *p)
|
||||||
|
{
|
||||||
|
- return ((p[0]<<16) + (p[1]<<24) + (p[2]<<0) + (p[3]<<8));
|
||||||
|
+ return ((p[0] << 16) + (((int64_t)p[1]) << 24) + (p[2] << 0) + (p[3] << 8));
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
-static int
|
||||||
|
+static int64_t
|
||||||
|
be4(const unsigned char *p)
|
||||||
|
{
|
||||||
|
- return ((p[0]<<24) + (p[1]<<16) + (p[2]<<8) + (p[3]));
|
||||||
|
+ return ((((int64_t)p[0]) << 24) + (p[1] << 16) + (p[2] << 8) + (p[3]));
|
||||||
|
}
|
||||||
|
|
||||||
|
/*
|
||||||
|
--
|
||||||
|
2.1.0
|
||||||
|
|
@ -1,6 +1,6 @@
|
|||||||
Name: libarchive
|
Name: libarchive
|
||||||
Version: 3.1.2
|
Version: 3.1.2
|
||||||
Release: 11%{?dist}
|
Release: 12%{?dist}
|
||||||
Summary: A library for handling streaming archive formats
|
Summary: A library for handling streaming archive formats
|
||||||
|
|
||||||
Group: System Environment/Libraries
|
Group: System Environment/Libraries
|
||||||
@ -32,6 +32,9 @@ Patch1: libarchive-3.1.2-testsuite.patch
|
|||||||
|
|
||||||
Patch2: libarchive-3.1.2-acl.patch
|
Patch2: libarchive-3.1.2-acl.patch
|
||||||
|
|
||||||
|
# ~> upstream patches: 3865cf2b e6c9668f 24f5de65
|
||||||
|
Patch3: libarchive-3.1.2-security-rhbz-1216891.patch
|
||||||
|
|
||||||
%description
|
%description
|
||||||
Libarchive is a programming library that can create and read several different
|
Libarchive is a programming library that can create and read several different
|
||||||
streaming archive formats, including most popular tar variants, several cpio
|
streaming archive formats, including most popular tar variants, several cpio
|
||||||
@ -77,6 +80,7 @@ libarchive packages.
|
|||||||
# fix not working saving/restoring acl
|
# fix not working saving/restoring acl
|
||||||
# ~> downstream
|
# ~> downstream
|
||||||
%patch2 -p1 -b .fix-acl
|
%patch2 -p1 -b .fix-acl
|
||||||
|
%patch3 -p1 -b .segfault-cpio
|
||||||
|
|
||||||
|
|
||||||
%build
|
%build
|
||||||
@ -175,6 +179,9 @@ rm -rf $RPM_BUILD_ROOT
|
|||||||
|
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Wed Apr 29 2015 Pavel Raiskup <praiskup@redhat.com> - 3.1.2-12
|
||||||
|
- fix libarchive segfault for intentionally broken cpio archives (rhbz#1216892)
|
||||||
|
|
||||||
* Sat Feb 21 2015 Till Maas <opensource@till.name> - 3.1.2-11
|
* Sat Feb 21 2015 Till Maas <opensource@till.name> - 3.1.2-11
|
||||||
- Rebuilt for Fedora 23 Change
|
- Rebuilt for Fedora 23 Change
|
||||||
https://fedoraproject.org/wiki/Changes/Harden_all_packages_with_position-independent_code
|
https://fedoraproject.org/wiki/Changes/Harden_all_packages_with_position-independent_code
|
||||||
|
Loading…
Reference in New Issue
Block a user