Just to have it in devel package, misses documentation about security issues in changes file for submission to factory

OBS-URL: https://build.opensuse.org/package/show/Archiving/libarchive?expand=0&rev=56
This commit is contained in:
Adrian Schröter 2016-06-21 06:17:54 +00:00 committed by Git OBS Bridge
parent 01c2b1b9c1
commit 378715dd5c
6 changed files with 35 additions and 29 deletions

View File

@ -1,22 +0,0 @@
commit fd7e0c02e272913a0a8b6d492c7260dfca0b1408
Author: Tim Kientzle <kientzle@acm.org>
Date: Sat May 14 12:37:37 2016 -0700
Reject cpio symlinks that exceed 1MB
diff --git a/libarchive/archive_read_support_format_cpio.c b/libarchive/archive_read_support_format_cpio.c
index c2ca85b..b09db0e 100644
--- a/libarchive/archive_read_support_format_cpio.c
+++ b/libarchive/archive_read_support_format_cpio.c
@@ -401,6 +401,11 @@ archive_read_format_cpio_read_header(struct archive_read *a,
/* If this is a symlink, read the link contents. */
if (archive_entry_filetype(entry) == AE_IFLNK) {
+ if (cpio->entry_bytes_remaining > 1024 * 1024) {
+ archive_set_error(&a->archive, ENOMEM,
+ "Rejecting malformed cpio archive: symlink contents exceed 1 megabyte");
+ return (ARCHIVE_FATAL);
+ }
h = __archive_read_ahead(a,
(size_t)cpio->entry_bytes_remaining, NULL);
if (h == NULL)

20
fix-build.patch Normal file
View File

@ -0,0 +1,20 @@
--- libarchive/test/test_write_format_gnutar_filenames.c.orig 2016-06-20 13:03:13.796386223 +0200
+++ libarchive/test/test_write_format_gnutar_filenames.c 2016-06-20 13:04:19.472387624 +0200
@@ -55,7 +55,7 @@
archive_entry_set_mode(template, S_IFREG | 0755);
archive_entry_set_size(template, 8);
- for (int i = 0; i < 2000; ++i) {
+ int i; for (i = 0; i < 2000; ++i) {
filename[i] = 'a';
filename[i + 1] = '\0';
archive_entry_copy_pathname(template, filename);
@@ -110,7 +110,7 @@
archive_entry_set_mode(template, S_IFLNK | 0755);
archive_entry_copy_pathname(template, "link");
- for (int i = 0; i < 2000; ++i) {
+ int i; for (i = 0; i < 2000; ++i) {
filename[i] = 'a';
filename[i + 1] = '\0';
archive_entry_copy_symlink(template, filename);

View File

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:7bce45fd71ff01dc20d19edd78322d4965583d81b8bed8e26cacb65d6f5baa87
size 5448095

3
libarchive-3.2.1.tar.gz Normal file
View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:72ee1a4e3fd534525f13a0ba1aa7b05b203d186e0c6072a8a4738649d0b3cfd2
size 5448888

View File

@ -1,3 +1,8 @@
-------------------------------------------------------------------
Mon Jun 20 10:31:43 UTC 2016 - adrian@suse.de
- update to version 3.2.1
-------------------------------------------------------------------
Thu Jun 16 09:33:17 UTC 2016 - adrian@suse.de

View File

@ -33,7 +33,7 @@
%define libname libarchive%{somajor}
Name: libarchive
Version: 3.2.0
Version: 3.2.1
Release: 0
Summary: Creates and reads several different streaming archive formats
License: BSD-2-Clause
@ -41,6 +41,7 @@ Group: Productivity/Archiving/Compression
Url: http://www.libarchive.org/
Source0: http://www.libarchive.org/downloads/libarchive-%{version}.tar.gz
Source1: baselibs.conf
Patch1: fix-build.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-build
BuildRequires: libacl-devel
BuildRequires: libbz2-devel
@ -56,8 +57,6 @@ BuildRequires: pkg-config
BuildRequires: xz-devel
BuildRequires: zlib-devel
Patch0: libarchive-openssl.patch
# PATCH-FIX-UPSTREAM bnc#984990
Patch1: CVE-2016-4809.patch
%description
Libarchive is a programming library that can create and read several
@ -166,7 +165,7 @@ static library for libarchive
%if %{with openssl}
%patch0 -p0
%endif
%patch1 -p1
%patch1 -p0
%build
%if !0%{?skip_autoreconf}
@ -179,6 +178,10 @@ autoreconf -fiv
--disable-static \
%endif
--enable-bsdcpio
# lzma mt detection is broken
sed -i -e "/HAVE_LZMA_STREAM_ENCODER_MT/d" config.h
make %{?_smp_mflags}
%check