diff --git a/CVE-2018-1000879.patch b/CVE-2018-1000879.patch index 3e535aa..420918d 100644 --- a/CVE-2018-1000879.patch +++ b/CVE-2018-1000879.patch @@ -25,11 +25,11 @@ and I was able to replicate it with a qsym + AFL + afl-rb setup. libarchive/archive_acl.c | 5 +++++ 1 file changed, 5 insertions(+) -diff --git a/libarchive/archive_acl.c b/libarchive/archive_acl.c -index 512beee1f..7beeee86e 100644 ---- a/libarchive/archive_acl.c -+++ b/libarchive/archive_acl.c -@@ -1723,6 +1723,11 @@ archive_acl_from_text_l(struct archive_acl *acl, const char *text, +Index: libarchive-3.3.3/libarchive/archive_acl.c +=================================================================== +--- libarchive-3.3.3.orig/libarchive/archive_acl.c ++++ libarchive-3.3.3/libarchive/archive_acl.c +@@ -1707,6 +1707,11 @@ archive_acl_from_text_l(struct archive_a st = field[n].start + 1; len = field[n].end - field[n].start; diff --git a/CVE-2019-1000019.patch b/CVE-2019-1000019.patch new file mode 100644 index 0000000..4668daa --- /dev/null +++ b/CVE-2019-1000019.patch @@ -0,0 +1,53 @@ +commit 65a23f5dbee4497064e9bb467f81138a62b0dae1 +Author: Daniel Axtens +Date: Tue Jan 1 16:01:40 2019 +1100 + + 7zip: fix crash when parsing certain archives + + Fuzzing with CRCs disabled revealed that a call to get_uncompressed_data() + would sometimes fail to return at least 'minimum' bytes. This can cause + the crc32() invocation in header_bytes to read off into invalid memory. + + A specially crafted archive can use this to cause a crash. + + An ASAN trace is below, but ASAN is not required - an uninstrumented + binary will also crash. + + ==7719==ERROR: AddressSanitizer: SEGV on unknown address 0x631000040000 (pc 0x7fbdb3b3ec1d bp 0x7ffe77a51310 sp 0x7ffe77a51150 T0) + ==7719==The signal is caused by a READ memory access. + #0 0x7fbdb3b3ec1c in crc32_z (/lib/x86_64-linux-gnu/libz.so.1+0x2c1c) + #1 0x84f5eb in header_bytes (/tmp/libarchive/bsdtar+0x84f5eb) + #2 0x856156 in read_Header (/tmp/libarchive/bsdtar+0x856156) + #3 0x84e134 in slurp_central_directory (/tmp/libarchive/bsdtar+0x84e134) + #4 0x849690 in archive_read_format_7zip_read_header (/tmp/libarchive/bsdtar+0x849690) + #5 0x5713b7 in _archive_read_next_header2 (/tmp/libarchive/bsdtar+0x5713b7) + #6 0x570e63 in _archive_read_next_header (/tmp/libarchive/bsdtar+0x570e63) + #7 0x6f08bd in archive_read_next_header (/tmp/libarchive/bsdtar+0x6f08bd) + #8 0x52373f in read_archive (/tmp/libarchive/bsdtar+0x52373f) + #9 0x5257be in tar_mode_x (/tmp/libarchive/bsdtar+0x5257be) + #10 0x51daeb in main (/tmp/libarchive/bsdtar+0x51daeb) + #11 0x7fbdb27cab96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310 + #12 0x41dd09 in _start (/tmp/libarchive/bsdtar+0x41dd09) + + This was primarly done with afl and FairFuzz. Some early corpus entries + may have been generated by qsym. + +diff --git a/libarchive/archive_read_support_format_7zip.c b/libarchive/archive_read_support_format_7zip.c +index bccbf896..b6d1505d 100644 +--- a/libarchive/archive_read_support_format_7zip.c ++++ b/libarchive/archive_read_support_format_7zip.c +@@ -2964,13 +2964,7 @@ get_uncompressed_data(struct archive_read *a, const void **buff, size_t size, + if (zip->codec == _7Z_COPY && zip->codec2 == (unsigned long)-1) { + /* Copy mode. */ + +- /* +- * Note: '1' here is a performance optimization. +- * Recall that the decompression layer returns a count of +- * available bytes; asking for more than that forces the +- * decompressor to combine reads by copying data. +- */ +- *buff = __archive_read_ahead(a, 1, &bytes_avail); ++ *buff = __archive_read_ahead(a, minimum, &bytes_avail); + if (bytes_avail <= 0) { + archive_set_error(&a->archive, + ARCHIVE_ERRNO_FILE_FORMAT, diff --git a/CVE-2019-1000020.patch b/CVE-2019-1000020.patch new file mode 100644 index 0000000..1ec8005 --- /dev/null +++ b/CVE-2019-1000020.patch @@ -0,0 +1,53 @@ +commit 8312eaa576014cd9b965012af51bc1f967b12423 +Author: Daniel Axtens +Date: Tue Jan 1 17:10:49 2019 +1100 + + iso9660: Fail when expected Rockridge extensions is missing + + A corrupted or malicious ISO9660 image can cause read_CE() to loop + forever. + + read_CE() calls parse_rockridge(), expecting a Rockridge extension + to be read. However, parse_rockridge() is structured as a while + loop starting with a sanity check, and if the sanity check fails + before the loop has run, the function returns ARCHIVE_OK without + advancing the position in the file. This causes read_CE() to retry + indefinitely. + + Make parse_rockridge() return ARCHIVE_WARN if it didn't read an + extension. As someone with no real knowledge of the format, this + seems more apt than ARCHIVE_FATAL, but both the call-sites escalate + it to a fatal error immediately anyway. + + Found with a combination of AFL, afl-rb (FairFuzz) and qsym. + +diff --git a/libarchive/archive_read_support_format_iso9660.c b/libarchive/archive_read_support_format_iso9660.c +index 28acfefb..bad8f1df 100644 +--- a/libarchive/archive_read_support_format_iso9660.c ++++ b/libarchive/archive_read_support_format_iso9660.c +@@ -2102,6 +2102,7 @@ parse_rockridge(struct archive_read *a, struct file_info *file, + const unsigned char *p, const unsigned char *end) + { + struct iso9660 *iso9660; ++ int entry_seen = 0; + + iso9660 = (struct iso9660 *)(a->format->data); + +@@ -2257,8 +2258,16 @@ parse_rockridge(struct archive_read *a, struct file_info *file, + } + + p += p[2]; ++ entry_seen = 1; ++ } ++ ++ if (entry_seen) ++ return (ARCHIVE_OK); ++ else { ++ archive_set_error(&a->archive, ARCHIVE_ERRNO_FILE_FORMAT, ++ "Tried to parse Rockridge extensions, but none found"); ++ return (ARCHIVE_WARN); + } +- return (ARCHIVE_OK); + } + + static int diff --git a/libarchive.changes b/libarchive.changes index b42da68..b389f62 100644 --- a/libarchive.changes +++ b/libarchive.changes @@ -1,3 +1,10 @@ +------------------------------------------------------------------- +Tue Feb 5 15:16:08 UTC 2019 - Adrian Schröter + +- Added patches (boo#1124342): + * CVE-2019-1000019.patch Fixes 7zip crash + * CVE-2019-1000020.patch ISO9660 infinite loop fixed + ------------------------------------------------------------------- Thu Jan 3 15:26:58 UTC 2019 - Karol Babioch diff --git a/libarchive.spec b/libarchive.spec index 5524e0a..070ad66 100644 --- a/libarchive.spec +++ b/libarchive.spec @@ -43,6 +43,8 @@ Patch0: CVE-2018-1000877.patch Patch1: CVE-2018-1000878.patch Patch2: CVE-2018-1000879.patch Patch3: CVE-2018-1000880.patch +Patch4: CVE-2019-1000019.patch +Patch5: CVE-2019-1000020.patch BuildRequires: libacl-devel BuildRequires: libbz2-devel BuildRequires: libtool @@ -164,6 +166,8 @@ Static library for libarchive %patch1 -p1 %patch2 -p1 %patch3 -p1 +%patch4 -p1 +%patch5 -p1 %build %if !0%{?skip_autoreconf}