From 2341bd7a2fbd6fe73faa4e88cdfb0ddcb3744b5de9a1cc9fabeea1fcbf928f12 Mon Sep 17 00:00:00 2001 From: Marcus Meissner Date: Thu, 3 Mar 2022 12:36:53 +0000 Subject: [PATCH] Accepting request 957430 from home:susnux:branches:Archiving Update to 3.6.0 Fix use-after-free bug (CVE-2021-36976) OBS-URL: https://build.opensuse.org/request/show/957430 OBS-URL: https://build.opensuse.org/package/show/Archiving/libarchive?expand=0&rev=110 --- fix-following-symlinks.patch | 193 ----------------------------------- libarchive-3.5.2.tar.xz | 3 - libarchive-3.5.2.tar.xz.asc | 16 --- libarchive-3.6.0.tar.xz | 3 + libarchive-3.6.0.tar.xz.asc | 16 +++ libarchive.changes | 16 +++ libarchive.spec | 6 +- 7 files changed, 37 insertions(+), 216 deletions(-) delete mode 100644 fix-following-symlinks.patch delete mode 100644 libarchive-3.5.2.tar.xz delete mode 100644 libarchive-3.5.2.tar.xz.asc create mode 100644 libarchive-3.6.0.tar.xz create mode 100644 libarchive-3.6.0.tar.xz.asc diff --git a/fix-following-symlinks.patch b/fix-following-symlinks.patch deleted file mode 100644 index 8c7cf82..0000000 --- a/fix-following-symlinks.patch +++ /dev/null @@ -1,193 +0,0 @@ -commit 8a1bd5c18e896f0411a991240ce0d772bb02c840 -Author: Martin Matuska -Date: Fri Aug 27 10:56:28 2021 +0200 - - Fix following symlinks when processing the fixup list - - The previous fix in b41daecb5 was incomplete. Fixup entries are - given the original path without calling cleanup_pathname(). - To make sure we don't follow a symlink, we must strip trailing - slashes from the path. - - The fixup entries are always directories. Make sure we try to modify - only directories by providing O_DIRECTORY to open() (if supported) - and if it fails to check directory via lstat(). - - Fixes #1566 - -diff --git a/libarchive/archive_write_disk_posix.c b/libarchive/archive_write_disk_posix.c -index fcd733af..aadc5871 100644 ---- a/libarchive/archive_write_disk_posix.c -+++ b/libarchive/archive_write_disk_posix.c -@@ -2462,6 +2462,7 @@ _archive_write_disk_close(struct archive *_a) - struct archive_write_disk *a = (struct archive_write_disk *)_a; - struct fixup_entry *next, *p; - struct stat st; -+ char *c; - int fd, ret; - - archive_check_magic(&a->archive, ARCHIVE_WRITE_DISK_MAGIC, -@@ -2475,24 +2476,49 @@ _archive_write_disk_close(struct archive *_a) - while (p != NULL) { - fd = -1; - a->pst = NULL; /* Mark stat cache as out-of-date. */ -- if (p->fixup & -- (TODO_TIMES | TODO_MODE_BASE | TODO_ACLS | TODO_FFLAGS)) { -- fd = open(p->name, -- O_WRONLY | O_BINARY | O_NOFOLLOW | O_CLOEXEC); -+ -+ /* We must strip trailing slashes from the path to avoid -+ dereferencing symbolic links to directories */ -+ c = p->name; -+ while (*c != '\0') -+ c++; -+ while (c != p->name && *(c - 1) == '/') { -+ c--; -+ *c = '\0'; -+ } -+ -+ if (p->fixup == 0) -+ goto skip_fixup_entry; -+ else { -+ fd = open(p->name, O_BINARY | O_NOFOLLOW | O_RDONLY -+#if defined(O_DIRECTORY) -+ | O_DIRECTORY -+#endif -+ | O_CLOEXEC); -+ /* -+ ` * If we don't support O_DIRECTORY, -+ * or open() has failed, we must stat() -+ * to verify that we are opening a directory -+ */ -+#if defined(O_DIRECTORY) - if (fd == -1) { -- /* If we cannot lstat, skip entry */ -- if (lstat(p->name, &st) != 0) -+ if (lstat(p->name, &st) != 0 || -+ !S_ISDIR(st.st_mode)) { - goto skip_fixup_entry; -- /* -- * If we deal with a symbolic link, mark -- * it in the fixup mode to ensure no -- * modifications are made to its target. -- */ -- if (S_ISLNK(st.st_mode)) { -- p->mode &= ~S_IFMT; -- p->mode |= S_IFLNK; - } - } -+#else -+#if HAVE_FSTAT -+ if (fd > 0 && ( -+ fstat(fd, &st) != 0 || !S_ISDIR(st.st_mode))) { -+ goto skip_fixup_entry; -+ } else -+#endif -+ if (lstat(p->name, &st) != 0 || -+ !S_ISDIR(st.st_mode)) { -+ goto skip_fixup_entry; -+ } -+#endif - } - if (p->fixup & TODO_TIMES) { - set_times(a, fd, p->mode, p->name, -@@ -2504,14 +2530,13 @@ _archive_write_disk_close(struct archive *_a) - if (p->fixup & TODO_MODE_BASE) { - #ifdef HAVE_FCHMOD - if (fd >= 0) -- fchmod(fd, p->mode); -+ fchmod(fd, p->mode & 07777); - else - #endif - #ifdef HAVE_LCHMOD -- lchmod(p->name, p->mode); -+ lchmod(p->name, p->mode & 07777); - #else -- if (!S_ISLNK(p->mode)) -- chmod(p->name, p->mode); -+ chmod(p->name, p->mode & 07777); - #endif - } - if (p->fixup & TODO_ACLS) -@@ -2664,7 +2689,6 @@ new_fixup(struct archive_write_disk *a, const char *pathname) - fe->next = a->fixup_list; - a->fixup_list = fe; - fe->fixup = 0; -- fe->mode = 0; - fe->name = strdup(pathname); - return (fe); - } -diff --git a/libarchive/test/test_write_disk_fixup.c b/libarchive/test/test_write_disk_fixup.c -index c399c984..b83b7307 100644 ---- a/libarchive/test/test_write_disk_fixup.c -+++ b/libarchive/test/test_write_disk_fixup.c -@@ -47,26 +47,50 @@ DEFINE_TEST(test_write_disk_fixup) - /* - * Create a file - */ -- assertMakeFile("victim", 0600, "a"); -+ assertMakeFile("file", 0600, "a"); -+ -+ /* -+ * Create a directory -+ */ -+ assertMakeDir("dir", 0700); - - /* - * Create a directory and a symlink with the same name - */ - -- /* Directory: dir */ -+ /* Directory: dir1 */ -+ assert((ae = archive_entry_new()) != NULL); -+ archive_entry_copy_pathname(ae, "dir1/"); -+ archive_entry_set_mode(ae, AE_IFDIR | 0555); -+ assertEqualIntA(ad, 0, archive_write_header(ad, ae)); -+ assertEqualIntA(ad, 0, archive_write_finish_entry(ad)); -+ archive_entry_free(ae); -+ -+ /* Directory: dir2 */ - assert((ae = archive_entry_new()) != NULL); -- archive_entry_copy_pathname(ae, "dir"); -- archive_entry_set_mode(ae, AE_IFDIR | 0606); -+ archive_entry_copy_pathname(ae, "dir2/"); -+ archive_entry_set_mode(ae, AE_IFDIR | 0555); - assertEqualIntA(ad, 0, archive_write_header(ad, ae)); - assertEqualIntA(ad, 0, archive_write_finish_entry(ad)); - archive_entry_free(ae); - -- /* Symbolic Link: dir -> foo */ -+ /* Symbolic Link: dir1 -> dir */ -+ assert((ae = archive_entry_new()) != NULL); -+ archive_entry_copy_pathname(ae, "dir1"); -+ archive_entry_set_mode(ae, AE_IFLNK | 0777); -+ archive_entry_set_size(ae, 0); -+ archive_entry_copy_symlink(ae, "dir"); -+ assertEqualIntA(ad, 0, r = archive_write_header(ad, ae)); -+ if (r >= ARCHIVE_WARN) -+ assertEqualIntA(ad, 0, archive_write_finish_entry(ad)); -+ archive_entry_free(ae); -+ -+ /* Symbolic Link: dir2 -> file */ - assert((ae = archive_entry_new()) != NULL); -- archive_entry_copy_pathname(ae, "dir"); -+ archive_entry_copy_pathname(ae, "dir2"); - archive_entry_set_mode(ae, AE_IFLNK | 0777); - archive_entry_set_size(ae, 0); -- archive_entry_copy_symlink(ae, "victim"); -+ archive_entry_copy_symlink(ae, "file"); - assertEqualIntA(ad, 0, r = archive_write_header(ad, ae)); - if (r >= ARCHIVE_WARN) - assertEqualIntA(ad, 0, archive_write_finish_entry(ad)); -@@ -75,7 +99,9 @@ DEFINE_TEST(test_write_disk_fixup) - assertEqualInt(ARCHIVE_OK, archive_write_free(ad)); - - /* Test the entries on disk. */ -- assertIsSymlink("dir", "victim", 0); -- assertFileMode("victim", 0600); -+ assertIsSymlink("dir1", "dir", 0); -+ assertIsSymlink("dir2", "file", 0); -+ assertFileMode("dir", 0700); -+ assertFileMode("file", 0600); - #endif - } diff --git a/libarchive-3.5.2.tar.xz b/libarchive-3.5.2.tar.xz deleted file mode 100644 index 5345883..0000000 --- a/libarchive-3.5.2.tar.xz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:f0b19ff39c3c9a5898a219497ababbadab99d8178acc980155c7e1271089b5a0 -size 4905416 diff --git a/libarchive-3.5.2.tar.xz.asc b/libarchive-3.5.2.tar.xz.asc deleted file mode 100644 index e101ccc..0000000 --- a/libarchive-3.5.2.tar.xz.asc +++ /dev/null @@ -1,16 +0,0 @@ ------BEGIN PGP SIGNATURE----- - -iQIzBAABCgAdFiEEpaRbEq2S2WS4nu4t7FYMgc7CJ24FAmEi5oQACgkQ7FYMgc7C -J27VmxAAtGiOO0Fbgrux+88htnCc3bNqAN/PLc/rxcZxP28X9E4wcGtJXwnCUW3F -S39Cav1rxywM+zWCC25SI5uUAzzUGplTnVf1caxNyI0PrB9moj7qfyeWw9JJrDXs -WVMBAMP89yrrcQIJh+nbdecIhHzcySA9c8fUeZ2flj6Qu0NRPaVtw3KY6qbdvVIB -ecQ3Nx3fKqZIP7gNX19g7eY9cPQuz7uGhli0ZU066i2DiAYHiO3EM5RwqxZaXQXS -1wl2jGjINQNzGjIcMWps6hh2DCUc2bWe1JLhKD8WUrzO4DfAoEPygF8A2Gf/Msm/ -w8O1Mmd3x9RaeQ/HrV7EJfJALjIRdGRJfzKaj2xCf+BCO8NDH0OEJjG384H+k8qi -F9wVn6G1aL9hpTf81dIX8zFsgh2YHbOMdM16chLGSsahCfvFHZwuA9RPISrGuao7 -rn9iQQIPk7YgTB1rH0k6YOur8ZmmU5ihb0I9Xv+HCFDUd+LILNTkZMpdyanylvCo -4nRVFE0Cbb4oYnoyK+rtpUkKVJqZ7N0mDqxzCgK7n+GE2H5ZXAyIgyaCi77w/hDQ -PJvOOIzXAkLRj+C+dKdnCMi9KJlY1hIoA8w0t3xAp6amdx0IwoTtKc5ZBpAvNDdf -J3CE2M92n2Vj/fJ7/MxxZ07VpU0N0dcRgnKBLepwDKvJKPhrpUk= -=tnrr ------END PGP SIGNATURE----- diff --git a/libarchive-3.6.0.tar.xz b/libarchive-3.6.0.tar.xz new file mode 100644 index 0000000..36abb73 --- /dev/null +++ b/libarchive-3.6.0.tar.xz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:df283917799cb88659a5b33c0a598f04352d61936abcd8a48fe7b64e74950de7 +size 6400620 diff --git a/libarchive-3.6.0.tar.xz.asc b/libarchive-3.6.0.tar.xz.asc new file mode 100644 index 0000000..9754daf --- /dev/null +++ b/libarchive-3.6.0.tar.xz.asc @@ -0,0 +1,16 @@ +-----BEGIN PGP SIGNATURE----- + +iQIzBAABCgAdFiEEpaRbEq2S2WS4nu4t7FYMgc7CJ24FAmIDuEYACgkQ7FYMgc7C +J27jzxAAgljw3UAiatKlnwkMSqYhLmWDOPC21cDvlxvrcBOcqisDpnQXatyd53g/ +MJ2hx73+iL6kI6J0KxnJ8Y31P3qiBapiEZuJ+7b0QRPcp/H9zmPZbjcglhqRmx4A +53j8JaoD4BbwPg64rpU3yOqlCTVR3AXEr7/c/uZh2X3gPEWJm3Nq+8E+kp/aqjg/ +82cFAIs1M7C/f8KrsJdM075QjhzoSLV0ul7LiUuG3abY05+pjfgROv+pxZPkgoEM +gWsUKijy7n4ikYN/rbCl/vUaguy3+CE6QwmhqpbmbKscpodczVkaBQVvc2tMA1vM +1sRiwE+sfyyBxeIvmi3cdFNbqHS4Zjof/n/S2/7jbmUHrJNzOQaZSUocpCRKX10W +iafAna3ZTsxh6g2UEhrKVovKq3Sbt82a5NPPc40rNsbVOcmyp6cIWc9pZEDGrVt+ +dNLg2F6bo7KWIXCn0il7/f/brB3rl6W18K5SWkjsll6IOAJgjliaeW6StfHMe9my +zqVrtQuCMr5iaoLH2LHfDF5Lx1y26lIwVb4/+mSg+5zrdm+QnsYdFqleF6oVPu6d +RdxckxD1fSyuLgvYU8Nu+TyaaGDJenbaNnwkbLGNzkehlPs3q46tzoNBpEQv1blT +dYkWe/XtNuTWU/bTFtgrOfpYCObdIbNCNMCafezQKgOK7e+nUUs= +=XkqI +-----END PGP SIGNATURE----- diff --git a/libarchive.changes b/libarchive.changes index 2bcc44a..5e5147d 100644 --- a/libarchive.changes +++ b/libarchive.changes @@ -1,8 +1,24 @@ +------------------------------------------------------------------- +Thu Feb 24 19:18:32 UTC 2022 - Ferdinand Thiessen + +- Update to 3.6.0 + * Fix use-after-free bug (CVE-2021-36976) + * tar: new option "--no-read-sparse" + * tar: threads support for zstd + * RAR reader: filter support + * RAR5 reader: self-extracting archive support + * ZIP reader: zstd decompression support + * tar: respect "--ignore-zeros" in c, r and u modes + * reduced size of application binaries + * internal code optimizations +- Drop upstream merged fix-following-symlinks.patch + ------------------------------------------------------------------- Mon Nov 29 09:00:26 UTC 2021 - Adrian Schröter - fix permission settings on following symlinks (fix-following-symlinks.patch) this fixes also wrong permissions of /var/tmp in factory systems + CVE-2021-31566 ------------------------------------------------------------------- Sun Nov 7 19:13:11 UTC 2021 - Andreas Stieger diff --git a/libarchive.spec b/libarchive.spec index 04bc3bb..95b1eab 100644 --- a/libarchive.spec +++ b/libarchive.spec @@ -1,7 +1,7 @@ # # spec file for package libarchive # -# Copyright (c) 2021 SUSE LLC +# Copyright (c) 2022 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -30,7 +30,7 @@ %bcond_without ext2fs %endif Name: libarchive -Version: 3.5.2 +Version: 3.6.0 Release: 0 Summary: Utility and C library to create and read several different streaming archive formats License: BSD-2-Clause @@ -42,8 +42,6 @@ Source2: libarchive.keyring Source1000: baselibs.conf Patch1: lib-suffix.patch Patch2: fix-soversion.patch -# PATCH-FIX-UPSTREAM -Patch3: fix-following-symlinks.patch BuildRequires: cmake BuildRequires: libacl-devel BuildRequires: libbz2-devel