libarchive: fix segfault for broken cpio archives

Resolves: rhbz#1216891, rhbz#1216892
Version: 3.1.2-12
This commit is contained in:
Pavel Raiskup 2015-04-29 10:28:31 +02:00
parent d46b2e13a5
commit e7c1099e9a
2 changed files with 127 additions and 1 deletions

View File

@ -0,0 +1,119 @@
From df29aeb7db98d227aea966b18261e5c1d97d223a Mon Sep 17 00:00:00 2001
From: Pavel Raiskup <praiskup@redhat.com>
Date: Wed, 29 Apr 2015 10:23:01 +0200
Subject: [PATCH] Upstream 3865cf2bc e6c9668f 24f5de65 --- From: Tim Kientzle
<kientzle@acm.org> Date: Fri, 30 Jan 2015 23:54:19 -0800 Subject: [PATCH]
Issue 394: Segfault when reading malformed old-style cpio archives
Root cause here was an implicit cast that resulted in
reading very large file sizes as negative numbers.
---
From: Tim Kientzle <kientzle@acm.org>
Date: Fri, 30 Jan 2015 23:57:03 -0800
Subject: [PATCH] Add a check to archive_read_filter_consume to
reject any attempts to move the file pointer by a negative
amount.
Note: Either this or commit 3865cf2 provides a fix for
Issue 394.
---
From: Tim Kientzle <kientzle@acm.org>
Date: Fri, 6 Feb 2015 22:07:16 -0800
Subject: [PATCH] Set a proper error message if we hit end-of-file
when trying to read a cpio header.
Suggested by Issue #395, although the actual problem there
seems to have been the same as Issue #394.
---
libarchive/archive_read.c | 2 ++
libarchive/archive_read_support_format_cpio.c | 22 ++++++++++++++--------
2 files changed, 16 insertions(+), 8 deletions(-)
diff --git a/libarchive/archive_read.c b/libarchive/archive_read.c
index 048c316..7f3edc1 100644
--- a/libarchive/archive_read.c
+++ b/libarchive/archive_read.c
@@ -1394,6 +1394,8 @@ __archive_read_filter_consume(struct archive_read_filter * filter,
{
int64_t skipped;
+ if (request < 0)
+ return ARCHIVE_FATAL;
if (request == 0)
return 0;
diff --git a/libarchive/archive_read_support_format_cpio.c b/libarchive/archive_read_support_format_cpio.c
index 819f4a4..1dabc47 100644
--- a/libarchive/archive_read_support_format_cpio.c
+++ b/libarchive/archive_read_support_format_cpio.c
@@ -198,7 +198,7 @@ static int archive_read_format_cpio_read_data(struct archive_read *,
static int archive_read_format_cpio_read_header(struct archive_read *,
struct archive_entry *);
static int archive_read_format_cpio_skip(struct archive_read *);
-static int be4(const unsigned char *);
+static int64_t be4(const unsigned char *);
static int find_odc_header(struct archive_read *);
static int find_newc_header(struct archive_read *);
static int header_bin_be(struct archive_read *, struct cpio *,
@@ -213,7 +213,7 @@ static int header_afiol(struct archive_read *, struct cpio *,
struct archive_entry *, size_t *, size_t *);
static int is_octal(const char *, size_t);
static int is_hex(const char *, size_t);
-static int le4(const unsigned char *);
+static int64_t le4(const unsigned char *);
static int record_hardlink(struct archive_read *a,
struct cpio *cpio, struct archive_entry *entry);
@@ -864,8 +864,11 @@ header_bin_le(struct archive_read *a, struct cpio *cpio,
/* Read fixed-size portion of header. */
h = __archive_read_ahead(a, bin_header_size, NULL);
- if (h == NULL)
+ if (h == NULL) {
+ archive_set_error(&a->archive, 0,
+ "End of file trying to read next cpio header");
return (ARCHIVE_FATAL);
+ }
/* Parse out binary fields. */
header = (const unsigned char *)h;
@@ -900,8 +903,11 @@ header_bin_be(struct archive_read *a, struct cpio *cpio,
/* Read fixed-size portion of header. */
h = __archive_read_ahead(a, bin_header_size, NULL);
- if (h == NULL)
+ if (h == NULL) {
+ archive_set_error(&a->archive, 0,
+ "End of file trying to read next cpio header");
return (ARCHIVE_FATAL);
+ }
/* Parse out binary fields. */
header = (const unsigned char *)h;
@@ -944,17 +950,17 @@ archive_read_format_cpio_cleanup(struct archive_read *a)
return (ARCHIVE_OK);
}
-static int
+static int64_t
le4(const unsigned char *p)
{
- return ((p[0]<<16) + (p[1]<<24) + (p[2]<<0) + (p[3]<<8));
+ return ((p[0] << 16) + (((int64_t)p[1]) << 24) + (p[2] << 0) + (p[3] << 8));
}
-static int
+static int64_t
be4(const unsigned char *p)
{
- return ((p[0]<<24) + (p[1]<<16) + (p[2]<<8) + (p[3]));
+ return ((((int64_t)p[0]) << 24) + (p[1] << 16) + (p[2] << 8) + (p[3]));
}
/*
--
2.1.0

View File

@ -1,6 +1,6 @@
Name: libarchive Name: libarchive
Version: 3.1.2 Version: 3.1.2
Release: 11%{?dist} Release: 12%{?dist}
Summary: A library for handling streaming archive formats Summary: A library for handling streaming archive formats
Group: System Environment/Libraries Group: System Environment/Libraries
@ -32,6 +32,9 @@ Patch1: libarchive-3.1.2-testsuite.patch
Patch2: libarchive-3.1.2-acl.patch Patch2: libarchive-3.1.2-acl.patch
# ~> upstream patches: 3865cf2b e6c9668f 24f5de65
Patch3: libarchive-3.1.2-security-rhbz-1216891.patch
%description %description
Libarchive is a programming library that can create and read several different Libarchive is a programming library that can create and read several different
streaming archive formats, including most popular tar variants, several cpio streaming archive formats, including most popular tar variants, several cpio
@ -77,6 +80,7 @@ libarchive packages.
# fix not working saving/restoring acl # fix not working saving/restoring acl
# ~> downstream # ~> downstream
%patch2 -p1 -b .fix-acl %patch2 -p1 -b .fix-acl
%patch3 -p1 -b .segfault-cpio
%build %build
@ -175,6 +179,9 @@ rm -rf $RPM_BUILD_ROOT
%changelog %changelog
* Wed Apr 29 2015 Pavel Raiskup <praiskup@redhat.com> - 3.1.2-12
- fix libarchive segfault for intentionally broken cpio archives (rhbz#1216892)
* Sat Feb 21 2015 Till Maas <opensource@till.name> - 3.1.2-11 * Sat Feb 21 2015 Till Maas <opensource@till.name> - 3.1.2-11
- Rebuilt for Fedora 23 Change - Rebuilt for Fedora 23 Change
https://fedoraproject.org/wiki/Changes/Harden_all_packages_with_position-independent_code https://fedoraproject.org/wiki/Changes/Harden_all_packages_with_position-independent_code