From c288b9d2c3e6f6c3917b7e609fe31185a328773d71b4b363e7ecdacfafb72cc3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Adrian=20Schr=C3=B6ter?=
Date: Thu, 16 Jun 2016 09:59:00 +0000
Subject: [PATCH] Accepting request 402699 from OBS:Server:Unstable - limit size of symlinks in cpio archives (CVE-2016-4809, boo#984990)
OBS-URL: https://build.opensuse.org/request/show/402699
OBS-URL: https://build.opensuse.org/package/show/Archiving/libarchive?expand=0&rev=54
---
 CVE-2016-4809.patch | 22 ++++++++++++++++++++++
 libarchive.changes | 5 +++++
 libarchive.spec | 3 +++
 3 files changed, 30 insertions(+)
 create mode 100644 CVE-2016-4809.patch
diff --git a/CVE-2016-4809.patch b/CVE-2016-4809.patch
new file mode 100644
index 0000000..911d540
--- /dev/null
+++ b/CVE-2016-4809.patch
@@ -0,0 +1,22 @@
+commit fd7e0c02e272913a0a8b6d492c7260dfca0b1408
+Author: Tim Kientzle
+Date: Sat May 14 12:37:37 2016 -0700
+
+ Reject cpio symlinks that exceed 1MB
+
+diff --git a/libarchive/archive_read_support_format_cpio.c b/libarchive/archive_read_support_format_cpio.c
+index c2ca85b..b09db0e 100644
+--- a/libarchive/archive_read_support_format_cpio.c
++++ b/libarchive/archive_read_support_format_cpio.c
+@@ -401,6 +401,11 @@ archive_read_format_cpio_read_header(struct archive_read *a,
+
+ /* If this is a symlink, read the link contents. */
+ if (archive_entry_filetype(entry) == AE_IFLNK) {
++ if (cpio->entry_bytes_remaining > 1024 * 1024) {
++ archive_set_error(&a->archive, ENOMEM,
++ "Rejecting malformed cpio archive: symlink contents exceed 1 megabyte");
++ return (ARCHIVE_FATAL);
++ }
+ h = __archive_read_ahead(a,
+ (size_t)cpio->entry_bytes_remaining, NULL);
+ if (h == NULL)
diff --git a/libarchive.changes b/libarchive.changes
index 6f8ed9b..98c924e 100644
--- a/libarchive.changes
+++ b/libarchive.changes
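Review bot: The new guard in the symlink branch of archive_read_format_cpio_read_header (in the embedded CVE-2016-4809.patch) bounds `cpio->entry_bytes_remaining` only from above, yet the value is still cast to `size_t` for `__archive_read_ahead` on the lines that follow. The field's declaration is outside the hunk; if it is a signed type, a negative size from a malformed header passes the `> 1024 * 1024` test and the cast turns it into a huge read-ahead request, so I would widen the condition to `if (cpio->entry_bytes_remaining < 0 || cpio->entry_bytes_remaining > 1024 * 1024) {`. Separately, `ENOMEM` reports an allocation failure that did not happen; libarchive's `ARCHIVE_ERRNO_FILE_FORMAT` would let callers and logs tell a malformed archive from real memory pressure. The function body starts and ends outside the hunk.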
@@ -1,3 +1,8 @@
+-------------------------------------------------------------------
+Thu Jun 16 09:33:17 UTC 2016 - adrian@suse.de
+
+- limit size of symlinks in cpio archives (CVE-2016-4809, boo#984990)
+
 -------------------------------------------------------------------
 Mon May 9 08:42:19 UTC 2016 - adrian@suse.de
diff --git a/libarchive.spec b/libarchive.spec
index b0d0f96..c45cd76 100644
--- a/libarchive.spec
+++ b/libarchive.spec
@@ -56,6 +56,8 @@ BuildRequires: pkg-config
 BuildRequires: xz-devel
 BuildRequires: zlib-devel
 Patch0: libarchive-openssl.patch
+# PATCH-FIX-UPSTREAM bnc#984990
+Patch1: CVE-2016-4809.patch
 %description
 Libarchive is a programming library that can create and read several
@@ -164,6 +166,7 @@ static library for libarchive
 %if %{with openssl}
 %patch0 -p0
 %endif
+%patch1 -p1
 %build
 %if !0%{?skip_autoreconf}