From e7c1099e9a592d83774b766c80cf61b1b7801397 Mon Sep 17 00:00:00 2001 From: Pavel Raiskup Date: Apr 29 2015 08:30:40 +0000 Subject: libarchive: fix segfault for broken cpio archives Resolves: rhbz#1216891, rhbz#1216892 Version: 3.1.2-12 --- diff --git a/libarchive-3.1.2-security-rhbz-1216891.patch b/libarchive-3.1.2-security-rhbz-1216891.patch new file mode 100644 index 0000000..d2d6f9b --- /dev/null +++ b/libarchive-3.1.2-security-rhbz-1216891.patch @@ -0,0 +1,119 @@ +From df29aeb7db98d227aea966b18261e5c1d97d223a Mon Sep 17 00:00:00 2001 +From: Pavel Raiskup +Date: Wed, 29 Apr 2015 10:23:01 +0200 +Subject: [PATCH] Upstream 3865cf2bc e6c9668f 24f5de65 --- From: Tim Kientzle + Date: Fri, 30 Jan 2015 23:54:19 -0800 Subject: [PATCH] + Issue 394: Segfault when reading malformed old-style cpio archives + +Root cause here was an implicit cast that resulted in +reading very large file sizes as negative numbers. + +--- +From: Tim Kientzle +Date: Fri, 30 Jan 2015 23:57:03 -0800 +Subject: [PATCH] Add a check to archive_read_filter_consume to + reject any attempts to move the file pointer by a negative + amount. + +Note: Either this or commit 3865cf2 provides a fix for +Issue 394. + +--- +From: Tim Kientzle +Date: Fri, 6 Feb 2015 22:07:16 -0800 +Subject: [PATCH] Set a proper error message if we hit end-of-file + when trying to read a cpio header. + +Suggested by Issue #395, although the actual problem there +seems to have been the same as Issue #394. +--- + libarchive/archive_read.c | 2 ++ + libarchive/archive_read_support_format_cpio.c | 22 ++++++++++++++-------- + 2 files changed, 16 insertions(+), 8 deletions(-) + +diff --git a/libarchive/archive_read.c b/libarchive/archive_read.c +index 048c316..7f3edc1 100644 +--- a/libarchive/archive_read.c ++++ b/libarchive/archive_read.c +@@ -1394,6 +1394,8 @@ __archive_read_filter_consume(struct archive_read_filter * filter, + { + int64_t skipped; + ++ if (request < 0) ++ return ARCHIVE_FATAL; + if (request == 0) + return 0; + +diff --git a/libarchive/archive_read_support_format_cpio.c b/libarchive/archive_read_support_format_cpio.c +index 819f4a4..1dabc47 100644 +--- a/libarchive/archive_read_support_format_cpio.c ++++ b/libarchive/archive_read_support_format_cpio.c +@@ -198,7 +198,7 @@ static int archive_read_format_cpio_read_data(struct archive_read *, + static int archive_read_format_cpio_read_header(struct archive_read *, + struct archive_entry *); + static int archive_read_format_cpio_skip(struct archive_read *); +-static int be4(const unsigned char *); ++static int64_t be4(const unsigned char *); + static int find_odc_header(struct archive_read *); + static int find_newc_header(struct archive_read *); + static int header_bin_be(struct archive_read *, struct cpio *, +@@ -213,7 +213,7 @@ static int header_afiol(struct archive_read *, struct cpio *, + struct archive_entry *, size_t *, size_t *); + static int is_octal(const char *, size_t); + static int is_hex(const char *, size_t); +-static int le4(const unsigned char *); ++static int64_t le4(const unsigned char *); + static int record_hardlink(struct archive_read *a, + struct cpio *cpio, struct archive_entry *entry); + +@@ -864,8 +864,11 @@ header_bin_le(struct archive_read *a, struct cpio *cpio, + + /* Read fixed-size portion of header. */ + h = __archive_read_ahead(a, bin_header_size, NULL); +- if (h == NULL) ++ if (h == NULL) { ++ archive_set_error(&a->archive, 0, ++ "End of file trying to read next cpio header"); + return (ARCHIVE_FATAL); ++ } + + /* Parse out binary fields. */ + header = (const unsigned char *)h; +@@ -900,8 +903,11 @@ header_bin_be(struct archive_read *a, struct cpio *cpio, + + /* Read fixed-size portion of header. */ + h = __archive_read_ahead(a, bin_header_size, NULL); +- if (h == NULL) ++ if (h == NULL) { ++ archive_set_error(&a->archive, 0, ++ "End of file trying to read next cpio header"); + return (ARCHIVE_FATAL); ++ } + + /* Parse out binary fields. */ + header = (const unsigned char *)h; +@@ -944,17 +950,17 @@ archive_read_format_cpio_cleanup(struct archive_read *a) + return (ARCHIVE_OK); + } + +-static int ++static int64_t + le4(const unsigned char *p) + { +- return ((p[0]<<16) + (p[1]<<24) + (p[2]<<0) + (p[3]<<8)); ++ return ((p[0] << 16) + (((int64_t)p[1]) << 24) + (p[2] << 0) + (p[3] << 8)); + } + + +-static int ++static int64_t + be4(const unsigned char *p) + { +- return ((p[0]<<24) + (p[1]<<16) + (p[2]<<8) + (p[3])); ++ return ((((int64_t)p[0]) << 24) + (p[1] << 16) + (p[2] << 8) + (p[3])); + } + + /* +-- +2.1.0 + diff --git a/libarchive.spec b/libarchive.spec index 5b90c6d..c7afdf0 100644 --- a/libarchive.spec +++ b/libarchive.spec @@ -1,6 +1,6 @@ Name: libarchive Version: 3.1.2 -Release: 11%{?dist} +Release: 12%{?dist} Summary: A library for handling streaming archive formats Group: System Environment/Libraries @@ -32,6 +32,9 @@ Patch1: libarchive-3.1.2-testsuite.patch Patch2: libarchive-3.1.2-acl.patch +# ~> upstream patches: 3865cf2b e6c9668f 24f5de65 +Patch3: libarchive-3.1.2-security-rhbz-1216891.patch + %description Libarchive is a programming library that can create and read several different streaming archive formats, including most popular tar variants, several cpio @@ -77,6 +80,7 @@ libarchive packages. # fix not working saving/restoring acl # ~> downstream %patch2 -p1 -b .fix-acl +%patch3 -p1 -b .segfault-cpio %build @@ -175,6 +179,9 @@ rm -rf $RPM_BUILD_ROOT %changelog +* Wed Apr 29 2015 Pavel Raiskup - 3.1.2-12 +- fix libarchive segfault for intentionally broken cpio archives (rhbz#1216892) + * Sat Feb 21 2015 Till Maas - 3.1.2-11 - Rebuilt for Fedora 23 Change https://fedoraproject.org/wiki/Changes/Harden_all_packages_with_position-independent_code