pool/libarchive
SHA256
4
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Accepting request 1248746 from Archiving

Browse Source 
OBS-URL: https://build.opensuse.org/request/show/1248746
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/libarchive?expand=0&rev=55
This commit is contained in:
Dominique Leuenberger 2025-02-27 13:50:05 +00:00 committed by Git OBS Bridge
commit 46304d1730
3 changed files with 41 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

31
CVE-2024-57970.patch Normal file
View File

@ -0,0 +1,31 @@
From ca233156bfecef7fe713fe7bb86decfda728e364 Mon Sep 17 00:00:00 2001
From: Tim Kientzle <kientzle@acm.org>
Date: Wed, 4 Dec 2024 10:41:12 -0800
Subject: [PATCH] Handle truncation in the middle of a GNU long linkname
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Thanks to gbdngb12 김동건 for reporting this.
Resolves Issue #2415
---
libarchive/archive_read_support_format_tar.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/libarchive/archive_read_support_format_tar.c b/libarchive/archive_read_support_format_tar.c
index 4aaf1b90ce..b1344ae57d 100644
--- a/libarchive/archive_read_support_format_tar.c
+++ b/libarchive/archive_read_support_format_tar.c
@@ -1146,7 +1146,9 @@ header_gnu_longlink(struct archive_read *a, struct tar *tar,
struct archive_string linkpath;
archive_string_init(&linkpath);
err = read_body_to_string(a, tar, &linkpath, h, unconsumed);
- archive_entry_set_link(entry, linkpath.s);
+ if (err == ARCHIVE_OK) {
+ archive_entry_set_link(entry, linkpath.s);
+ }
archive_string_free(&linkpath);
return (err);
}

7
libarchive.changes
View File

@ -1,3 +1,10 @@
-------------------------------------------------------------------
Tue Feb 25 15:14:11 UTC 2025 - Antonio Teixeira <antonio.teixeira@suse.com>
- Fix CVE-2024-57970, heap-based buffer over-read in header_gnu_longlink
because it mishandles truncation (CVE-2024-57970, bsc#1237233)
* CVE-2024-57970.patch
-------------------------------------------------------------------
Thu Oct 17 08:41:56 UTC 2024 - Antonio Teixeira <antonio.teixeira@suse.com>

4
libarchive.spec
View File

@ -1,7 +1,7 @@
#
# spec file for package libarchive
#
# Copyright (c) 2024 SUSE LLC
# Copyright (c) 2025 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@ -41,6 +41,8 @@ Source1: https://github.com/libarchive/libarchive/releases/download/v%{ve
Source2: libarchive.keyring
Source1000: baselibs.conf
Patch1: lib-suffix.patch
# PATCH-FIX-UPSTREAM CVE-2024-57970.patch bsc#1237233 antonio.teixeira@suse.com
Patch2: CVE-2024-57970.patch
BuildRequires: cmake
BuildRequires: libacl-devel
BuildRequires: libbz2-devel