Accepting request 394316 from Archiving

version update, including security fix, fix constraints

OBS-URL: https://build.opensuse.org/request/show/394316
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/libarchive?expand=0&rev=23

CVE-2013-0211.patch

@@ -1,18 +0,0 @@
-Index: libarchive-3.1.2/libarchive/archive_write.c
-===================================================================
---- libarchive-3.1.2.orig/libarchive/archive_write.c
-+++ libarchive-3.1.2/libarchive/archive_write.c
-@@ -671,8 +671,13 @@ static ssize_t
- _archive_write_data(struct archive *_a, const void *buff, size_t s)
- {
- 	struct archive_write *a = (struct archive_write *)_a;
-+  size_t max_write = INT_MAX;
-+
- 	archive_check_magic(&a->archive, ARCHIVE_WRITE_MAGIC,
- 	    ARCHIVE_STATE_DATA, "archive_write_data");
-+  /* This catches attempts to pass negative values. */
-+  if (s > max_write)
-+    s = max_write;
- 	archive_clear_error(&a->archive);
- 	return ((a->format_write_data)(a, buff, s));
- }

_constraints

@@ -0,0 +1,13 @@
+<constraints>
+  <overwrite>
+    <conditions>
+      <arch>ppc64</arch>
+      <arch>ppc64le</arch>
+    </conditions>
+    <hardware>
+      <physicalmemory>
+        <size unit="M">4096</size>
+      </physicalmemory>
+    </hardware>
+  </overwrite>
+</constraints>

directory-traversal-fix.patch

@@ -1,136 +0,0 @@
-commit 59357157706d47c365b2227739e17daba3607526
-Author: Alessandro Ghedini <alessandro@ghedini.me>
-Date:   Sun Mar 1 12:07:45 2015 +0100
-
-    Add ARCHIVE_EXTRACT_SECURE_NOABSOLUTEPATHS option
-    
-    This fixes a directory traversal in the cpio tool.
-
-Index: libarchive-3.1.2/cpio/bsdcpio.1
-===================================================================
---- libarchive-3.1.2.orig/cpio/bsdcpio.1
-+++ libarchive-3.1.2/cpio/bsdcpio.1
-@@ -156,7 +156,8 @@ See above for description.
- .It Fl Fl insecure
- (i and p mode only)
- Disable security checks during extraction or copying.
--This allows extraction via symbolic links and path names containing
-+This allows extraction via symbolic links, absolute paths,
-+and path names containing
- .Sq ..
- in the name.
- .It Fl J , Fl Fl xz
-Index: libarchive-3.1.2/cpio/cpio.c
-===================================================================
---- libarchive-3.1.2.orig/cpio/cpio.c
-+++ libarchive-3.1.2/cpio/cpio.c
-@@ -179,6 +179,7 @@ main(int argc, char *argv[])
- 	cpio->extract_flags |= ARCHIVE_EXTRACT_NO_OVERWRITE_NEWER;
- 	cpio->extract_flags |= ARCHIVE_EXTRACT_SECURE_SYMLINKS;
- 	cpio->extract_flags |= ARCHIVE_EXTRACT_SECURE_NODOTDOT;
-+	cpio->extract_flags |= ARCHIVE_EXTRACT_SECURE_NOABSOLUTEPATHS;
- 	cpio->extract_flags |= ARCHIVE_EXTRACT_PERM;
- 	cpio->extract_flags |= ARCHIVE_EXTRACT_FFLAGS;
- 	cpio->extract_flags |= ARCHIVE_EXTRACT_ACL;
-@@ -264,6 +265,7 @@ main(int argc, char *argv[])
- 		case OPTION_INSECURE:
- 			cpio->extract_flags &= ~ARCHIVE_EXTRACT_SECURE_SYMLINKS;
- 			cpio->extract_flags &= ~ARCHIVE_EXTRACT_SECURE_NODOTDOT;
-+			cpio->extract_flags &= ~ARCHIVE_EXTRACT_SECURE_NOABSOLUTEPATHS;
- 			break;
- 		case 'L': /* GNU cpio */
- 			cpio->option_follow_links = 1;
-Index: libarchive-3.1.2/libarchive/archive.h
-===================================================================
---- libarchive-3.1.2.orig/libarchive/archive.h
-+++ libarchive-3.1.2/libarchive/archive.h
-@@ -562,6 +562,8 @@ __LA_DECL int archive_read_set_options(s
- /* Default: Do not use HFS+ compression if it was not compressed. */
- /* This has no effect except on Mac OS v10.6 or later. */
- #define	ARCHIVE_EXTRACT_HFS_COMPRESSION_FORCED	(0x8000)
-+/* Default: Do not reject entries with absolute paths */
-+#define ARCHIVE_EXTRACT_SECURE_NOABSOLUTEPATHS (0x10000)
- 
- __LA_DECL int archive_read_extract(struct archive *, struct archive_entry *,
- 		     int flags);
-Index: libarchive-3.1.2/libarchive/archive_write_disk.3
-===================================================================
---- libarchive-3.1.2.orig/libarchive/archive_write_disk.3
-+++ libarchive-3.1.2/libarchive/archive_write_disk.3
-@@ -177,6 +177,9 @@ The default is to not refuse such paths.
- Note that paths ending in
- .Pa ..
- always cause an error, regardless of this flag.
-+.It Cm ARCHIVE_EXTRACT_SECURE_NOABSOLUTEPATHS
-+Refuse to extract an absolute path.
-+The default is to not refuse such paths.
- .It Cm ARCHIVE_EXTRACT_SPARSE
- Scan data for blocks of NUL bytes and try to recreate them with holes.
- This results in sparse files, independent of whether the archive format
-Index: libarchive-3.1.2/libarchive/archive_write_disk_posix.c
-===================================================================
---- libarchive-3.1.2.orig/libarchive/archive_write_disk_posix.c
-+++ libarchive-3.1.2/libarchive/archive_write_disk_posix.c
-@@ -2504,8 +2504,9 @@ cleanup_pathname_win(struct archive_writ
- /*
-  * Canonicalize the pathname.  In particular, this strips duplicate
-  * '/' characters, '.' elements, and trailing '/'.  It also raises an
-- * error for an empty path, a trailing '..' or (if _SECURE_NODOTDOT is
-- * set) any '..' in the path.
-+ * error for an empty path, a trailing '..', (if _SECURE_NODOTDOT is
-+ * set) any '..' in the path or (if ARCHIVE_EXTRACT_SECURE_NOABSOLUTEPATHS
-+ * is set) if the path is absolute.
-  */
- static int
- cleanup_pathname(struct archive_write_disk *a)
-@@ -2524,8 +2525,15 @@ cleanup_pathname(struct archive_write_di
- 	cleanup_pathname_win(a);
- #endif
- 	/* Skip leading '/'. */
--	if (*src == '/')
-+	if (*src == '/') {
-+		if (a->flags & ARCHIVE_EXTRACT_SECURE_NOABSOLUTEPATHS) {
-+			archive_set_error(&a->archive, ARCHIVE_ERRNO_MISC,
-+			                  "Path is absolute");
-+			return (ARCHIVE_FAILED);
-+		}
-+
- 		separator = *src++;
-+	}
- 
- 	/* Scan the pathname one element at a time. */
- 	for (;;) {
-Index: libarchive-3.1.2/libarchive/test/test_write_disk_secure.c
-===================================================================
---- libarchive-3.1.2.orig/libarchive/test/test_write_disk_secure.c
-+++ libarchive-3.1.2/libarchive/test/test_write_disk_secure.c
-@@ -178,6 +178,29 @@ DEFINE_TEST(test_write_disk_secure)
- 	assert(S_ISDIR(st.st_mode));
- 	archive_entry_free(ae);
- 
-+	/*
-+	 * Without security checks, we should be able to
-+	 * extract an absolute path.
-+	 */
-+	assert((ae = archive_entry_new()) != NULL);
-+	archive_entry_copy_pathname(ae, "/tmp/libarchive_test-test_write_disk_secure-absolute_path.tmp");
-+	archive_entry_set_mode(ae, S_IFREG | 0777);
-+	assert(0 == archive_write_header(a, ae));
-+	assert(0 == archive_write_finish_entry(a));
-+	assertFileExists("/tmp/libarchive_test-test_write_disk_secure-absolute_path.tmp");
-+	assert(0 == unlink("/tmp/libarchive_test-test_write_disk_secure-absolute_path.tmp"));
-+
-+	/* But with security checks enabled, this should fail. */
-+	assert(archive_entry_clear(ae) != NULL);
-+	archive_entry_copy_pathname(ae, "/tmp/libarchive_test-test_write_disk_secure-absolute_path.tmp");
-+	archive_entry_set_mode(ae, S_IFREG | 0777);
-+	archive_write_disk_set_options(a, ARCHIVE_EXTRACT_SECURE_NOABSOLUTEPATHS);
-+	failure("Extracting an absolute path should fail here.");
-+	assertEqualInt(ARCHIVE_FAILED, archive_write_header(a, ae));
-+	archive_entry_free(ae);
-+	assert(0 == archive_write_finish_entry(a));
-+	assertFileNotExists("/tmp/libarchive_test-test_write_disk_secure-absolute_path.tmp");
-+
- 	assertEqualInt(ARCHIVE_OK, archive_write_free(a));
- 
- 	/* Test the entries on disk. */

libarchive-3.1.2.tar.gz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:eb87eacd8fe49e8d90c8fdc189813023ccc319c5e752b01fb6ad0cc7b2c53d5e
-size 4527540

libarchive-3.2.0.tar.gz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:7bce45fd71ff01dc20d19edd78322d4965583d81b8bed8e26cacb65d6f5baa87
+size 5448095

libarchive-openssl.patch

@@ -1,5 +1,7 @@
---- libarchive/archive_crypto.c.orig
-+++ libarchive/archive_crypto.c
+Index: libarchive/archive_digest.c
+===================================================================
+--- libarchive/archive_digest.c.orig
++++ libarchive/archive_digest.c
 @@ -207,6 +207,7 @@ __archive_nettle_md5final(archive_md5_ct
  static int
  __archive_openssl_md5init(archive_md5_ctx *ctx)
@@ -48,13 +50,15 @@
    EVP_DigestInit(ctx, EVP_sha512());
    return (ARCHIVE_OK);
  }
---- libarchive/archive_crypto_private.h.orig
-+++ libarchive/archive_crypto_private.h
-@@ -135,6 +135,7 @@
-   defined(ARCHIVE_CRYPTO_SHA512_OPENSSL)
- #define	ARCHIVE_CRYPTO_OPENSSL 1
+Index: libarchive/archive_cryptor_private.h
+===================================================================
+--- libarchive/archive_cryptor_private.h.orig
++++ libarchive/archive_cryptor_private.h
+@@ -100,6 +100,7 @@ typedef struct {
+ 
+ #elif defined(HAVE_LIBCRYPTO)
  #include <openssl/evp.h>
 +#include <openssl/conf.h>
- #endif
+ #define AES_BLOCK_SIZE	16
+ #define AES_MAX_KEY_SIZE 32
  
- /* Windows crypto headers */

libarchive-xattr.patch

@@ -1,11 +0,0 @@
---- libarchive-3.1.2.orig/configure.ac
-+++ libarchive-3.1.2/configure.ac
-@@ -568,7 +568,7 @@ AC_ARG_ENABLE([xattr],
- if test "x$enable_xattr" != "xno"; then
- 	AC_CHECK_HEADERS([attr/xattr.h])
- 	AC_CHECK_HEADERS([sys/xattr.h sys/ea.h])
--	AC_CHECK_LIB(attr,setxattr)
-+	AC_SEARCH_LIBS([setxattr], [attr])
- 	AC_CHECK_FUNCS([extattr_get_file extattr_list_file])
- 	AC_CHECK_FUNCS([extattr_set_fd extattr_set_file])
- 	AC_CHECK_FUNCS([fgetxattr flistxattr fsetxattr getxattr])

libarchive.changes

@@ -1,3 +1,24 @@
+-------------------------------------------------------------------
+Mon May  9 08:42:19 UTC 2016 - adrian@suse.de
+
+- 4GB _constraints for ppc64le only, it would break other archs
+
+- update to version 3.2.0
+  * Fixes CVE-2016-1541
+  * changes are only documented in git history
+  * updated openssl patch
+  * new bsdcat utility
+
+- removed obsolete patches for:
+  * CVE-2013-0211.patch
+  * directory-traversal-fix.patch
+  * libarchive-xattr.patch
+
+-------------------------------------------------------------------
+Fri May  6 14:45:14 UTC 2016 - normand@linux.vnet.ibm.com
+
+- add _constraints memory 4096MB to avoid ppc64le build failure
+
 -------------------------------------------------------------------
 Sat Sep 19 20:17:41 UTC 2015 - astieger@suse.com
 

libarchive.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package libarchive
 #
-# Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -33,7 +33,7 @@
 %define libname libarchive%{somajor}
 
 Name:           libarchive
-Version:        3.1.2
+Version:        3.2.0
 Release:        0
 Summary:        Creates and reads several different streaming archive formats
 License:        BSD-2-Clause
@@ -56,11 +56,6 @@ BuildRequires:  pkg-config
 BuildRequires:  xz-devel
 BuildRequires:  zlib-devel
 Patch0:         libarchive-openssl.patch
-Patch1:         libarchive-xattr.patch
-# PATCH-FIX-UPSTREAM bnc#800024
-Patch2:         CVE-2013-0211.patch
-# PATCH-FIX-UPSTREAM bnc#920870
-Patch3:         directory-traversal-fix.patch
 
 %description
 Libarchive is a programming library that can create and read several
@@ -167,13 +162,8 @@ static library for libarchive
 %prep
 %setup -q
 %if %{with openssl}
-%patch0
+%patch0 -p0
 %endif
-%if !0%{?skip_autoreconf}
-%patch1 -p1
-%endif
-%patch2 -p1
-%patch3 -p1
 
 %build
 %if !0%{?skip_autoreconf}
@@ -203,8 +193,9 @@ sed -i -e '/Libs.private/d' %{buildroot}%{_libdir}/pkgconfig/libarchive.pc
 
 %files -n bsdtar
 %defattr(-,root,root)
-%{_bindir}/bsdtar
+%{_bindir}/bsdcat
 %{_bindir}/bsdcpio
+%{_bindir}/bsdtar
 %{_mandir}/man1/*
 %{_mandir}/man5/*