From 9d7341ca2a4c79db7ba81b44fc96c5d2cd078f1c04f910645f21f8b0c6257978 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Adrian=20Schr=C3=B6ter?= Date: Fri, 22 Nov 2019 13:20:39 +0000 Subject: [PATCH] fix OBS-URL: https://build.opensuse.org/package/show/Archiving/libarchive?expand=0&rev=90 --- CVE-2019-19221.patch | 97 ++++++++++++++++++++++++++++++++++++++++++++ libarchive.changes | 6 +++ libarchive.spec | 2 + 3 files changed, 105 insertions(+) create mode 100644 CVE-2019-19221.patch diff --git a/CVE-2019-19221.patch b/CVE-2019-19221.patch new file mode 100644 index 0000000..211676b --- /dev/null +++ b/CVE-2019-19221.patch @@ -0,0 +1,97 @@ +From 22b1db9d46654afc6f0c28f90af8cdc84a199f41 Mon Sep 17 00:00:00 2001 +From: Martin Matuska +Date: Thu, 21 Nov 2019 03:08:40 +0100 +Subject: [PATCH] Bugfix and optimize archive_wstring_append_from_mbs() + +The cal to mbrtowc() or mbtowc() should read up to mbs_length +bytes and not wcs_length. This avoids out-of-bounds reads. + +mbrtowc() and mbtowc() return (size_t)-1 wit errno EILSEQ when +they encounter an invalid multibyte character and (size_t)-2 when +they they encounter an incomplete multibyte character. As we return +failure and all our callers error out it makes no sense to continue +parsing mbs. + +As we allocate `len` wchars at the beginning and each wchar has +at least one byte, there will never be need to grow the buffer, +so the code can be left out. On the other hand, we are always +allocatng more memory than we need. + +As long as wcs_length == mbs_length == len we can omit wcs_length. +We keep the old code commented if we decide to save memory and +use autoexpanding wcs_length in the future. + +Fixes #1276 +--- + libarchive/archive_string.c | 28 +++++++++++++++++----------- + 1 file changed, 17 insertions(+), 11 deletions(-) + +diff --git a/libarchive/archive_string.c b/libarchive/archive_string.c +index 979a418b6..bd39c96f1 100644 +--- a/libarchive/archive_string.c ++++ b/libarchive/archive_string.c +@@ -591,7 +591,7 @@ archive_wstring_append_from_mbs(struct archive_wstring *dest, + * No single byte will be more than one wide character, + * so this length estimate will always be big enough. + */ +- size_t wcs_length = len; ++ // size_t wcs_length = len; + size_t mbs_length = len; + const char *mbs = p; + wchar_t *wcs; +@@ -600,7 +600,11 @@ archive_wstring_append_from_mbs(struct archive_wstring *dest, + + memset(&shift_state, 0, sizeof(shift_state)); + #endif +- if (NULL == archive_wstring_ensure(dest, dest->length + wcs_length + 1)) ++ /* ++ * As we decided to have wcs_length == mbs_length == len ++ * we can use len here instead of wcs_length ++ */ ++ if (NULL == archive_wstring_ensure(dest, dest->length + len + 1)) + return (-1); + wcs = dest->s + dest->length; + /* +@@ -609,6 +613,12 @@ archive_wstring_append_from_mbs(struct archive_wstring *dest, + * multi bytes. + */ + while (*mbs && mbs_length > 0) { ++ /* ++ * The buffer we allocated is always big enough. ++ * Keep this code path in a comment if we decide to choose ++ * smaller wcs_length in the future ++ */ ++/* + if (wcs_length == 0) { + dest->length = wcs - dest->s; + dest->s[dest->length] = L'\0'; +@@ -618,24 +628,20 @@ archive_wstring_append_from_mbs(struct archive_wstring *dest, + return (-1); + wcs = dest->s + dest->length; + } ++*/ + #if HAVE_MBRTOWC +- r = mbrtowc(wcs, mbs, wcs_length, &shift_state); ++ r = mbrtowc(wcs, mbs, mbs_length, &shift_state); + #else +- r = mbtowc(wcs, mbs, wcs_length); ++ r = mbtowc(wcs, mbs, mbs_length); + #endif + if (r == (size_t)-1 || r == (size_t)-2) { + ret_val = -1; +- if (errno == EILSEQ) { +- ++mbs; +- --mbs_length; +- continue; +- } else +- break; ++ break; + } + if (r == 0 || r > mbs_length) + break; + wcs++; +- wcs_length--; ++ // wcs_length--; + mbs += r; + mbs_length -= r; + } diff --git a/libarchive.changes b/libarchive.changes index 1ee5fb8..7b445ae 100644 --- a/libarchive.changes +++ b/libarchive.changes @@ -1,3 +1,9 @@ +------------------------------------------------------------------- +Fri Nov 22 13:17:53 UTC 2019 - Adrian Schröter + +- fix bsc#1157569 + CVE-2019-19221 out-of-bounds read in libarchive + ------------------------------------------------------------------- Sun Aug 18 12:33:05 UTC 2019 - Ismail Dönmez diff --git a/libarchive.spec b/libarchive.spec index 770b86a..f57d75e 100644 --- a/libarchive.spec +++ b/libarchive.spec @@ -43,6 +43,8 @@ Source1000: baselibs.conf Patch1: lib-suffix.patch Patch2: fix-zstd-test.patch Patch3: fix-soversion.patch +# PATCH-FIX-UPSTREAM bsc#1157569 +Patch10: CVE-2019-19221.patch BuildRequires: cmake BuildRequires: libacl-devel BuildRequires: libbz2-devel