From 3a83d421c3e919563e45de87e7d9aba226ddd63e3ea0aee7c89caf571d09892f Mon Sep 17 00:00:00 2001 From: Martin Pluskal Date: Fri, 6 May 2016 16:39:34 +0000 Subject: [PATCH 1/5] Accepting request 394051 from home:michel_mno:branches:Archiving - add _constraints memory 4096MB to avoid ppc64le build failure as reported in Ring1 OBS-URL: https://build.opensuse.org/request/show/394051 OBS-URL: https://build.opensuse.org/package/show/Archiving/libarchive?expand=0&rev=48 --- _constraints | 7 +++++++ libarchive.changes | 5 +++++ libarchive.spec | 2 +- 3 files changed, 13 insertions(+), 1 deletion(-) create mode 100644 _constraints diff --git a/_constraints b/_constraints new file mode 100644 index 0000000..888ad51 --- /dev/null +++ b/_constraints @@ -0,0 +1,7 @@ + + + + 4096 + + + diff --git a/libarchive.changes b/libarchive.changes index 43fe020..30b8ee7 100644 --- a/libarchive.changes +++ b/libarchive.changes @@ -1,3 +1,8 @@ +------------------------------------------------------------------- +Fri May 6 14:45:14 UTC 2016 - normand@linux.vnet.ibm.com + +- add _constraints memory 4096MB to avoid ppc64le build failure + ------------------------------------------------------------------- Sat Sep 19 20:17:41 UTC 2015 - astieger@suse.com diff --git a/libarchive.spec b/libarchive.spec index fd9a249..57a02ad 100644 --- a/libarchive.spec +++ b/libarchive.spec @@ -1,7 +1,7 @@ # # spec file for package libarchive # -# Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed From ca33898948d273f4ce44c5e2cf1601c1e907b72402220a642fe39f9d0b1bc366 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Adrian=20Schr=C3=B6ter?= Date: Mon, 9 May 2016 08:44:55 +0000 Subject: [PATCH 2/5] update OBS-URL: https://build.opensuse.org/package/show/Archiving/libarchive?expand=0&rev=49 --- CVE-2013-0211.patch | 18 ----- _constraints | 16 ++-- directory-traversal-fix.patch | 136 ---------------------------------- libarchive-3.1.2.tar.gz | 3 - libarchive-3.2.0.tar.gz | 3 + libarchive.changes | 11 +++ libarchive.spec | 8 +- 7 files changed, 26 insertions(+), 169 deletions(-) delete mode 100644 CVE-2013-0211.patch delete mode 100644 directory-traversal-fix.patch delete mode 100644 libarchive-3.1.2.tar.gz create mode 100644 libarchive-3.2.0.tar.gz diff --git a/CVE-2013-0211.patch b/CVE-2013-0211.patch deleted file mode 100644 index 875e193..0000000 --- a/CVE-2013-0211.patch +++ /dev/null @@ -1,18 +0,0 @@ -Index: libarchive-3.1.2/libarchive/archive_write.c -=================================================================== ---- libarchive-3.1.2.orig/libarchive/archive_write.c -+++ libarchive-3.1.2/libarchive/archive_write.c -@@ -671,8 +671,13 @@ static ssize_t - _archive_write_data(struct archive *_a, const void *buff, size_t s) - { - struct archive_write *a = (struct archive_write *)_a; -+ size_t max_write = INT_MAX; -+ - archive_check_magic(&a->archive, ARCHIVE_WRITE_MAGIC, - ARCHIVE_STATE_DATA, "archive_write_data"); -+ /* This catches attempts to pass negative values. */ -+ if (s > max_write) -+ s = max_write; - archive_clear_error(&a->archive); - return ((a->format_write_data)(a, buff, s)); - } diff --git a/_constraints b/_constraints index 888ad51..8025de2 100644 --- a/_constraints +++ b/_constraints @@ -1,7 +1,13 @@ - - - 4096 - - + + + ppc64 + ppc64le + + + + 4096 + + + diff --git a/directory-traversal-fix.patch b/directory-traversal-fix.patch deleted file mode 100644 index 2a0b4b9..0000000 --- a/directory-traversal-fix.patch +++ /dev/null 
@@ -1,136 +0,0 @@ -commit 59357157706d47c365b2227739e17daba3607526 -Author: Alessandro Ghedini -Date: Sun Mar 1 12:07:45 2015 +0100 - - Add ARCHIVE_EXTRACT_SECURE_NOABSOLUTEPATHS option - - This fixes a directory traversal in the cpio tool. - -Index: libarchive-3.1.2/cpio/bsdcpio.1 -=================================================================== ---- libarchive-3.1.2.orig/cpio/bsdcpio.1 -+++ libarchive-3.1.2/cpio/bsdcpio.1 -@@ -156,7 +156,8 @@ See above for description. - .It Fl Fl insecure - (i and p mode only) - Disable security checks during extraction or copying. --This allows extraction via symbolic links and path names containing -+This allows extraction via symbolic links, absolute paths, -+and path names containing - .Sq .. - in the name. - .It Fl J , Fl Fl xz -Index: libarchive-3.1.2/cpio/cpio.c -=================================================================== ---- libarchive-3.1.2.orig/cpio/cpio.c -+++ libarchive-3.1.2/cpio/cpio.c -@@ -179,6 +179,7 @@ main(int argc, char *argv[]) - cpio->extract_flags |= ARCHIVE_EXTRACT_NO_OVERWRITE_NEWER; - cpio->extract_flags |= ARCHIVE_EXTRACT_SECURE_SYMLINKS; - cpio->extract_flags |= ARCHIVE_EXTRACT_SECURE_NODOTDOT; -+ cpio->extract_flags |= ARCHIVE_EXTRACT_SECURE_NOABSOLUTEPATHS; - cpio->extract_flags |= ARCHIVE_EXTRACT_PERM; - cpio->extract_flags |= ARCHIVE_EXTRACT_FFLAGS; - cpio->extract_flags |= ARCHIVE_EXTRACT_ACL; -@@ -264,6 +265,7 @@ main(int argc, char *argv[]) - case OPTION_INSECURE: - cpio->extract_flags &= ~ARCHIVE_EXTRACT_SECURE_SYMLINKS; - cpio->extract_flags &= ~ARCHIVE_EXTRACT_SECURE_NODOTDOT; -+ cpio->extract_flags &= ~ARCHIVE_EXTRACT_SECURE_NOABSOLUTEPATHS; - break; - case 'L': /* GNU cpio */ - cpio->option_follow_links = 1; -Index: libarchive-3.1.2/libarchive/archive.h -=================================================================== ---- libarchive-3.1.2.orig/libarchive/archive.h -+++ libarchive-3.1.2/libarchive/archive.h -@@ -562,6 +562,8 @@ __LA_DECL int archive_read_set_options(s - /* 
Default: Do not use HFS+ compression if it was not compressed. */ - /* This has no effect except on Mac OS v10.6 or later. */ - #define ARCHIVE_EXTRACT_HFS_COMPRESSION_FORCED (0x8000) -+/* Default: Do not reject entries with absolute paths */ -+#define ARCHIVE_EXTRACT_SECURE_NOABSOLUTEPATHS (0x10000) - - __LA_DECL int archive_read_extract(struct archive *, struct archive_entry *, - int flags); -Index: libarchive-3.1.2/libarchive/archive_write_disk.3 -=================================================================== ---- libarchive-3.1.2.orig/libarchive/archive_write_disk.3 -+++ libarchive-3.1.2/libarchive/archive_write_disk.3 -@@ -177,6 +177,9 @@ The default is to not refuse such paths. - Note that paths ending in - .Pa .. - always cause an error, regardless of this flag. -+.It Cm ARCHIVE_EXTRACT_SECURE_NOABSOLUTEPATHS -+Refuse to extract an absolute path. -+The default is to not refuse such paths. - .It Cm ARCHIVE_EXTRACT_SPARSE - Scan data for blocks of NUL bytes and try to recreate them with holes. - This results in sparse files, independent of whether the archive format -Index: libarchive-3.1.2/libarchive/archive_write_disk_posix.c -=================================================================== ---- libarchive-3.1.2.orig/libarchive/archive_write_disk_posix.c -+++ libarchive-3.1.2/libarchive/archive_write_disk_posix.c -@@ -2504,8 +2504,9 @@ cleanup_pathname_win(struct archive_writ - /* - * Canonicalize the pathname. In particular, this strips duplicate - * '/' characters, '.' elements, and trailing '/'. It also raises an -- * error for an empty path, a trailing '..' or (if _SECURE_NODOTDOT is -- * set) any '..' in the path. -+ * error for an empty path, a trailing '..', (if _SECURE_NODOTDOT is -+ * set) any '..' in the path or (if ARCHIVE_EXTRACT_SECURE_NOABSOLUTEPATHS -+ * is set) if the path is absolute. 
- */ - static int - cleanup_pathname(struct archive_write_disk *a) -@@ -2524,8 +2525,15 @@ cleanup_pathname(struct archive_write_di - cleanup_pathname_win(a); - #endif - /* Skip leading '/'. */ -- if (*src == '/') -+ if (*src == '/') { -+ if (a->flags & ARCHIVE_EXTRACT_SECURE_NOABSOLUTEPATHS) { -+ archive_set_error(&a->archive, ARCHIVE_ERRNO_MISC, -+ "Path is absolute"); -+ return (ARCHIVE_FAILED); -+ } -+ - separator = *src++; -+ } - - /* Scan the pathname one element at a time. */ - for (;;) { -Index: libarchive-3.1.2/libarchive/test/test_write_disk_secure.c -=================================================================== ---- libarchive-3.1.2.orig/libarchive/test/test_write_disk_secure.c -+++ libarchive-3.1.2/libarchive/test/test_write_disk_secure.c -@@ -178,6 +178,29 @@ DEFINE_TEST(test_write_disk_secure) - assert(S_ISDIR(st.st_mode)); - archive_entry_free(ae); - -+ /* -+ * Without security checks, we should be able to -+ * extract an absolute path. -+ */ -+ assert((ae = archive_entry_new()) != NULL); -+ archive_entry_copy_pathname(ae, "/tmp/libarchive_test-test_write_disk_secure-absolute_path.tmp"); -+ archive_entry_set_mode(ae, S_IFREG | 0777); -+ assert(0 == archive_write_header(a, ae)); -+ assert(0 == archive_write_finish_entry(a)); -+ assertFileExists("/tmp/libarchive_test-test_write_disk_secure-absolute_path.tmp"); -+ assert(0 == unlink("/tmp/libarchive_test-test_write_disk_secure-absolute_path.tmp")); -+ -+ /* But with security checks enabled, this should fail. 
*/ -+ assert(archive_entry_clear(ae) != NULL); -+ archive_entry_copy_pathname(ae, "/tmp/libarchive_test-test_write_disk_secure-absolute_path.tmp"); -+ archive_entry_set_mode(ae, S_IFREG | 0777); -+ archive_write_disk_set_options(a, ARCHIVE_EXTRACT_SECURE_NOABSOLUTEPATHS); -+ failure("Extracting an absolute path should fail here."); -+ assertEqualInt(ARCHIVE_FAILED, archive_write_header(a, ae)); -+ archive_entry_free(ae); -+ assert(0 == archive_write_finish_entry(a)); -+ assertFileNotExists("/tmp/libarchive_test-test_write_disk_secure-absolute_path.tmp"); -+ - assertEqualInt(ARCHIVE_OK, archive_write_free(a)); - - /* Test the entries on disk. */ diff --git a/libarchive-3.1.2.tar.gz b/libarchive-3.1.2.tar.gz deleted file mode 100644 index 08c2307..0000000 --- a/libarchive-3.1.2.tar.gz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:eb87eacd8fe49e8d90c8fdc189813023ccc319c5e752b01fb6ad0cc7b2c53d5e -size 4527540 diff --git a/libarchive-3.2.0.tar.gz b/libarchive-3.2.0.tar.gz new file mode 100644 index 0000000..6435e2f --- /dev/null +++ b/libarchive-3.2.0.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:7bce45fd71ff01dc20d19edd78322d4965583d81b8bed8e26cacb65d6f5baa87 +size 5448095 diff --git a/libarchive.changes b/libarchive.changes index 30b8ee7..ba351c9 100644 --- a/libarchive.changes +++ b/libarchive.changes @@ -1,3 +1,14 @@ +------------------------------------------------------------------- +Mon May 9 08:42:19 UTC 2016 - adrian@suse.de + +- update to version 3.2.0 + * Fixes CVE-2016-1541 + * changes are only documented in git history + +- removed obsolete patches for: + * CVE-2013-0211.patch + * directory-traversal-fix.patch + ------------------------------------------------------------------- Fri May 6 14:45:14 UTC 2016 - normand@linux.vnet.ibm.com diff --git a/libarchive.spec b/libarchive.spec index 57a02ad..c293062 100644 --- a/libarchive.spec +++ b/libarchive.spec 
@@ -33,7 +33,7 @@ %define libname libarchive%{somajor} Name: libarchive -Version: 3.1.2 +Version: 3.2.0 Release: 0 Summary: Creates and reads several different streaming archive formats License: BSD-2-Clause @@ -57,10 +57,6 @@ BuildRequires: xz-devel BuildRequires: zlib-devel Patch0: libarchive-openssl.patch Patch1: libarchive-xattr.patch -# PATCH-FIX-UPSTREAM bnc#800024 -Patch2: CVE-2013-0211.patch -# PATCH-FIX-UPSTREAM bnc#920870 -Patch3: directory-traversal-fix.patch %description Libarchive is a programming library that can create and read several @@ -172,8 +168,6 @@ static library for libarchive %if !0%{?skip_autoreconf} %patch1 -p1 %endif -%patch2 -p1 -%patch3 -p1 %build %if !0%{?skip_autoreconf} From 41e954710006a848b739142bcc35a5cefa80fe1f4bcdc39ed0aa7534b1be64b8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Adrian=20Schr=C3=B6ter?= Date: Mon, 9 May 2016 08:53:58 +0000 Subject: [PATCH 3/5] try again OBS-URL: https://build.opensuse.org/package/show/Archiving/libarchive?expand=0&rev=50 --- libarchive-openssl.patch | 22 +++++++++++++--------- libarchive-xattr.patch | 11 ----------- libarchive.changes | 2 ++ libarchive.spec | 6 +----- 4 files changed, 16 insertions(+), 25 deletions(-) delete mode 100644 libarchive-xattr.patch diff --git a/libarchive-openssl.patch b/libarchive-openssl.patch index 9277cd6..d50b3be 100644 --- a/libarchive-openssl.patch +++ b/libarchive-openssl.patch @@ -1,5 +1,7 @@ ---- libarchive/archive_crypto.c.orig -+++ libarchive/archive_crypto.c +Index: libarchive/archive_digest.c +=================================================================== +--- libarchive/archive_digest.c.orig ++++ libarchive/archive_digest.c @@ -207,6 +207,7 @@ __archive_nettle_md5final(archive_md5_ct static int __archive_openssl_md5init(archive_md5_ctx *ctx) 
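Review bot: Dropping `Patch2: CVE-2013-0211.patch` and `Patch3: directory-traversal-fix.patch` in the same hunk that bumps `Version` to 3.2.0 removes two security fixes on the strength of the changelog word "obsolete", with nothing in the commit showing that the new tarball carries the upstream equivalents. Before merging, check the 3.2.0 sources for `ARCHIVE_EXTRACT_SECURE_NOABSOLUTEPATHS` in libarchive/archive.h and cpio/cpio.c and for the INT_MAX clamp in `_archive_write_data`, and record the result (plus the upstream commit for the CVE-2016-1541 fix the changelog cites) in the changes entry so the trail from bnc#800024 / bnc#920870 to their replacement stays auditable. The surviving `Patch0: libarchive-openssl.patch` line also lacks the `# PATCH-FIX-*` tag the removed patches carried, e.g. `# PATCH-FIX-OPENSUSE build against the system OpenSSL`. The spec's `Source:` lines are outside this hunk, so whether the tarball is verified against an upstream signature cannot be judged here.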
@@ -48,13 +50,15 @@ EVP_DigestInit(ctx, EVP_sha512()); return (ARCHIVE_OK); } ---- libarchive/archive_crypto_private.h.orig -+++ libarchive/archive_crypto_private.h -@@ -135,6 +135,7 @@ - defined(ARCHIVE_CRYPTO_SHA512_OPENSSL) - #define ARCHIVE_CRYPTO_OPENSSL 1 +Index: libarchive/archive_cryptor_private.h +=================================================================== +--- libarchive/archive_cryptor_private.h.orig ++++ libarchive/archive_cryptor_private.h +@@ -100,6 +100,7 @@ typedef struct { + + #elif defined(HAVE_LIBCRYPTO) #include +#include - #endif + #define AES_BLOCK_SIZE 16 + #define AES_MAX_KEY_SIZE 32 - /* Windows crypto headers */ diff --git a/libarchive-xattr.patch b/libarchive-xattr.patch deleted file mode 100644 index 6b6517b..0000000 --- a/libarchive-xattr.patch +++ /dev/null @@ -1,11 +0,0 @@ ---- libarchive-3.1.2.orig/configure.ac -+++ libarchive-3.1.2/configure.ac -@@ -568,7 +568,7 @@ AC_ARG_ENABLE([xattr], - if test "x$enable_xattr" != "xno"; then - AC_CHECK_HEADERS([attr/xattr.h]) - AC_CHECK_HEADERS([sys/xattr.h sys/ea.h]) -- AC_CHECK_LIB(attr,setxattr) -+ AC_SEARCH_LIBS([setxattr], [attr]) - AC_CHECK_FUNCS([extattr_get_file extattr_list_file]) - AC_CHECK_FUNCS([extattr_set_fd extattr_set_file]) - AC_CHECK_FUNCS([fgetxattr flistxattr fsetxattr getxattr]) diff --git a/libarchive.changes b/libarchive.changes index ba351c9..68762f8 100644 --- a/libarchive.changes +++ b/libarchive.changes @@ -4,10 +4,12 @@ Mon May 9 08:42:19 UTC 2016 - adrian@suse.de - update to version 3.2.0 * Fixes CVE-2016-1541 * changes are only documented in git history + * updated openssl patch - removed obsolete patches for: * CVE-2013-0211.patch * directory-traversal-fix.patch + * libarchive-xattr.patch ------------------------------------------------------------------- Fri May 6 14:45:14 UTC 2016 - normand@linux.vnet.ibm.com diff --git a/libarchive.spec b/libarchive.spec index c293062..4e77c13 100644 --- a/libarchive.spec +++ b/libarchive.spec 
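Review bot: The rebased patch now adds an `#include` (its target is not legible in this rendering) to `libarchive/archive_cryptor_private.h` under `#elif defined(HAVE_LIBCRYPTO)`, i.e. the AES cryptor path, whereas the previous version touched only the digest header, and nothing in the patch explains why the cryptor now needs it. A short description at the top of the patch file would make that reviewable, e.g. `# Build the OpenSSL digest and cipher backends against the system OpenSSL headers`, naming the header being pulled in so a future OpenSSL upgrade knows what to re-check. The archive_digest.c hunks of this patch begin outside the visible text.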
@@ -56,7 +56,6 @@ BuildRequires: pkg-config BuildRequires: xz-devel BuildRequires: zlib-devel Patch0: libarchive-openssl.patch -Patch1: libarchive-xattr.patch %description Libarchive is a programming library that can create and read several @@ -163,10 +162,7 @@ static library for libarchive %prep %setup -q %if %{with openssl} -%patch0 -%endif -%if !0%{?skip_autoreconf} -%patch1 -p1 +%patch0 -p0 %endif %build From ac718122e09d95bbe78a9f467b74574e2948bb9b1e501c406b0ef8d0bb35af4d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Adrian=20Schr=C3=B6ter?= Date: Mon, 9 May 2016 09:08:59 +0000 Subject: [PATCH 4/5] fix OBS-URL: https://build.opensuse.org/package/show/Archiving/libarchive?expand=0&rev=51 --- libarchive.changes | 1 + libarchive.spec | 3 ++- 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/libarchive.changes b/libarchive.changes index 68762f8..dac73ff 100644 --- a/libarchive.changes +++ b/libarchive.changes @@ -5,6 +5,7 @@ Mon May 9 08:42:19 UTC 2016 - adrian@suse.de * Fixes CVE-2016-1541 * changes are only documented in git history * updated openssl patch + * new bsdcat utility - removed obsolete patches for: * CVE-2013-0211.patch diff --git a/libarchive.spec b/libarchive.spec index 4e77c13..b0d0f96 100644 --- a/libarchive.spec +++ b/libarchive.spec @@ -193,8 +193,9 @@ sed -i -e '/Libs.private/d' %{buildroot}%{_libdir}/pkgconfig/libarchive.pc %files -n bsdtar %defattr(-,root,root) -%{_bindir}/bsdtar +%{_bindir}/bsdcat %{_bindir}/bsdcpio +%{_bindir}/bsdtar %{_mandir}/man1/* %{_mandir}/man5/* From 682182a4ce7b5ec4e0d98ccf1aa52f08b6e0a6efcb02c34e84d3762606e27967 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Adrian=20Schr=C3=B6ter?= Date: Mon, 9 May 2016 09:15:56 +0000 Subject: [PATCH 5/5] add comment OBS-URL: https://build.opensuse.org/package/show/Archiving/libarchive?expand=0&rev=52 --- libarchive.changes | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libarchive.changes b/libarchive.changes index dac73ff..6f8ed9b 100644 --- a/libarchive.changes 
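Review bot: `%patch0 -p0` replaces the bare `%patch0`, which matches the new `Index:`-style paths in libarchive-openssl.patch, but the hunk also drops `%patch1 -p1` together with its `%if !0%{?skip_autoreconf}` guard, and libarchive-xattr.patch is removed without evidence that 3.2.0's configure.ac already uses `AC_SEARCH_LIBS([setxattr], [attr])`. If 3.2.0 still has `AC_CHECK_LIB(attr,setxattr)`, the build regains the hard libattr link dependency the patch existed to avoid; confirm against the tarball's configure.ac and state the outcome in the changes entry rather than listing the patch as merely obsolete. The `%build` section that follows `%endif` continues outside the hunk.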
+++ b/libarchive.changes @@ -1,6 +1,8 @@ ------------------------------------------------------------------- Mon May 9 08:42:19 UTC 2016 - adrian@suse.de +- 4GB _constraints for ppc64le only, it would break other archs + - update to version 3.2.0 * Fixes CVE-2016-1541 * changes are only documented in git history