From d0395584d2dbded9371a2c154fcf6925ad46f6cda68cf4d210442b3ea48a13ec Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Adrian=20Schr=C3=B6ter?= <adrian.schroeter@suse.com>
Date: Tue, 5 Feb 2019 15:17:56 +0000
Subject: [PATCH] fix

OBS-URL: https://build.opensuse.org/package/show/Archiving/libarchive?expand=0&rev=82
---
 CVE-2018-1000879.patch | 10 ++++----
 CVE-2019-1000019.patch | 53 ++++++++++++++++++++++++++++++++++++++++++
 CVE-2019-1000020.patch | 53 ++++++++++++++++++++++++++++++++++++++++++
 libarchive.changes     |  7 ++++++
 libarchive.spec        |  4 ++++
 5 files changed, 122 insertions(+), 5 deletions(-)
 create mode 100644 CVE-2019-1000019.patch
 create mode 100644 CVE-2019-1000020.patch

diff --git a/CVE-2018-1000879.patch b/CVE-2018-1000879.patch
index 3e535aa..420918d 100644
--- a/CVE-2018-1000879.patch
+++ b/CVE-2018-1000879.patch
@@ -25,11 +25,11 @@ and I was able to replicate it with a qsym + AFL + afl-rb setup.
  libarchive/archive_acl.c | 5 +++++
  1 file changed, 5 insertions(+)
 
-diff --git a/libarchive/archive_acl.c b/libarchive/archive_acl.c
-index 512beee1f..7beeee86e 100644
---- a/libarchive/archive_acl.c
-+++ b/libarchive/archive_acl.c
-@@ -1723,6 +1723,11 @@ archive_acl_from_text_l(struct archive_acl *acl, const char *text,
+Index: libarchive-3.3.3/libarchive/archive_acl.c
+===================================================================
+--- libarchive-3.3.3.orig/libarchive/archive_acl.c
++++ libarchive-3.3.3/libarchive/archive_acl.c
+@@ -1707,6 +1707,11 @@ archive_acl_from_text_l(struct archive_a
  			st = field[n].start + 1;
  			len = field[n].end - field[n].start;
  
diff --git a/CVE-2019-1000019.patch b/CVE-2019-1000019.patch
new file mode 100644
index 0000000..4668daa
--- /dev/null
+++ b/CVE-2019-1000019.patch
@@ -0,0 +1,53 @@
+commit 65a23f5dbee4497064e9bb467f81138a62b0dae1
+Author: Daniel Axtens <dja@axtens.net>
+Date:   Tue Jan 1 16:01:40 2019 +1100
+
+    7zip: fix crash when parsing certain archives
+    
+    Fuzzing with CRCs disabled revealed that a call to get_uncompressed_data()
+    would sometimes fail to return at least 'minimum' bytes. This can cause
+    the crc32() invocation in header_bytes to read off into invalid memory.
+    
+    A specially crafted archive can use this to cause a crash.
+    
+    An ASAN trace is below, but ASAN is not required - an uninstrumented
+    binary will also crash.
+    
+    ==7719==ERROR: AddressSanitizer: SEGV on unknown address 0x631000040000 (pc 0x7fbdb3b3ec1d bp 0x7ffe77a51310 sp 0x7ffe77a51150 T0)
+    ==7719==The signal is caused by a READ memory access.
+        #0 0x7fbdb3b3ec1c in crc32_z (/lib/x86_64-linux-gnu/libz.so.1+0x2c1c)
+        #1 0x84f5eb in header_bytes (/tmp/libarchive/bsdtar+0x84f5eb)
+        #2 0x856156 in read_Header (/tmp/libarchive/bsdtar+0x856156)
+        #3 0x84e134 in slurp_central_directory (/tmp/libarchive/bsdtar+0x84e134)
+        #4 0x849690 in archive_read_format_7zip_read_header (/tmp/libarchive/bsdtar+0x849690)
+        #5 0x5713b7 in _archive_read_next_header2 (/tmp/libarchive/bsdtar+0x5713b7)
+        #6 0x570e63 in _archive_read_next_header (/tmp/libarchive/bsdtar+0x570e63)
+        #7 0x6f08bd in archive_read_next_header (/tmp/libarchive/bsdtar+0x6f08bd)
+        #8 0x52373f in read_archive (/tmp/libarchive/bsdtar+0x52373f)
+        #9 0x5257be in tar_mode_x (/tmp/libarchive/bsdtar+0x5257be)
+        #10 0x51daeb in main (/tmp/libarchive/bsdtar+0x51daeb)
+        #11 0x7fbdb27cab96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
+        #12 0x41dd09 in _start (/tmp/libarchive/bsdtar+0x41dd09)
+    
+    This was primarly done with afl and FairFuzz. Some early corpus entries
+    may have been generated by qsym.
+
+diff --git a/libarchive/archive_read_support_format_7zip.c b/libarchive/archive_read_support_format_7zip.c
+index bccbf896..b6d1505d 100644
+--- a/libarchive/archive_read_support_format_7zip.c
++++ b/libarchive/archive_read_support_format_7zip.c
+@@ -2964,13 +2964,7 @@ get_uncompressed_data(struct archive_read *a, const void **buff, size_t size,
+ 	if (zip->codec == _7Z_COPY && zip->codec2 == (unsigned long)-1) {
+ 		/* Copy mode. */
+ 
+-		/*
+-		 * Note: '1' here is a performance optimization.
+-		 * Recall that the decompression layer returns a count of
+-		 * available bytes; asking for more than that forces the
+-		 * decompressor to combine reads by copying data.
+-		 */
+-		*buff = __archive_read_ahead(a, 1, &bytes_avail);
++		*buff = __archive_read_ahead(a, minimum, &bytes_avail);
+ 		if (bytes_avail <= 0) {
+ 			archive_set_error(&a->archive,
+ 			    ARCHIVE_ERRNO_FILE_FORMAT,
diff --git a/CVE-2019-1000020.patch b/CVE-2019-1000020.patch
new file mode 100644
index 0000000..1ec8005
--- /dev/null
+++ b/CVE-2019-1000020.patch
@@ -0,0 +1,53 @@
+commit 8312eaa576014cd9b965012af51bc1f967b12423
+Author: Daniel Axtens <dja@axtens.net>
+Date:   Tue Jan 1 17:10:49 2019 +1100
+
+    iso9660: Fail when expected Rockridge extensions is missing
+    
+    A corrupted or malicious ISO9660 image can cause read_CE() to loop
+    forever.
+    
+    read_CE() calls parse_rockridge(), expecting a Rockridge extension
+    to be read. However, parse_rockridge() is structured as a while
+    loop starting with a sanity check, and if the sanity check fails
+    before the loop has run, the function returns ARCHIVE_OK without
+    advancing the position in the file. This causes read_CE() to retry
+    indefinitely.
+    
+    Make parse_rockridge() return ARCHIVE_WARN if it didn't read an
+    extension. As someone with no real knowledge of the format, this
+    seems more apt than ARCHIVE_FATAL, but both the call-sites escalate
+    it to a fatal error immediately anyway.
+    
+    Found with a combination of AFL, afl-rb (FairFuzz) and qsym.
+
+diff --git a/libarchive/archive_read_support_format_iso9660.c b/libarchive/archive_read_support_format_iso9660.c
+index 28acfefb..bad8f1df 100644
+--- a/libarchive/archive_read_support_format_iso9660.c
++++ b/libarchive/archive_read_support_format_iso9660.c
+@@ -2102,6 +2102,7 @@ parse_rockridge(struct archive_read *a, struct file_info *file,
+     const unsigned char *p, const unsigned char *end)
+ {
+ 	struct iso9660 *iso9660;
++	int entry_seen = 0;
+ 
+ 	iso9660 = (struct iso9660 *)(a->format->data);
+ 
+@@ -2257,8 +2258,16 @@ parse_rockridge(struct archive_read *a, struct file_info *file,
+ 		}
+ 
+ 		p += p[2];
++		entry_seen = 1;
++	}
++
++	if (entry_seen)
++		return (ARCHIVE_OK);
++	else {
++		archive_set_error(&a->archive, ARCHIVE_ERRNO_FILE_FORMAT,
++				  "Tried to parse Rockridge extensions, but none found");
++		return (ARCHIVE_WARN);
+ 	}
+-	return (ARCHIVE_OK);
+ }
+ 
+ static int
diff --git a/libarchive.changes b/libarchive.changes
index b42da68..b389f62 100644
--- a/libarchive.changes
+++ b/libarchive.changes
@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Tue Feb  5 15:16:08 UTC 2019 - Adrian Schröter <adrian@suse.de>
+
+- Added patches (boo#1124342):
+  * CVE-2019-1000019.patch Fixes 7zip crash
+  * CVE-2019-1000020.patch ISO9660 infinite loop fixed
+
 -------------------------------------------------------------------
 Thu Jan  3 15:26:58 UTC 2019 - Karol Babioch <kbabioch@suse.de>
 
diff --git a/libarchive.spec b/libarchive.spec
index 5524e0a..070ad66 100644
--- a/libarchive.spec
+++ b/libarchive.spec
@@ -43,6 +43,8 @@ Patch0:         CVE-2018-1000877.patch
 Patch1:         CVE-2018-1000878.patch
 Patch2:         CVE-2018-1000879.patch
 Patch3:         CVE-2018-1000880.patch
+Patch4:         CVE-2019-1000019.patch
+Patch5:         CVE-2019-1000020.patch
 BuildRequires:  libacl-devel
 BuildRequires:  libbz2-devel
 BuildRequires:  libtool
@@ -164,6 +166,8 @@ Static library for libarchive
 %patch1 -p1
 %patch2 -p1
 %patch3 -p1
+%patch4 -p1
+%patch5 -p1
 
 %build
 %if !0%{?skip_autoreconf}