fix
OBS-URL: https://build.opensuse.org/package/show/Archiving/libarchive?expand=0&rev=82
This commit is contained in:
parent
c118cad477
commit
d0395584d2
@ -25,11 +25,11 @@ and I was able to replicate it with a qsym + AFL + afl-rb setup.
|
||||
libarchive/archive_acl.c | 5 +++++
|
||||
1 file changed, 5 insertions(+)
|
||||
|
||||
diff --git a/libarchive/archive_acl.c b/libarchive/archive_acl.c
|
||||
index 512beee1f..7beeee86e 100644
|
||||
--- a/libarchive/archive_acl.c
|
||||
+++ b/libarchive/archive_acl.c
|
||||
@@ -1723,6 +1723,11 @@ archive_acl_from_text_l(struct archive_acl *acl, const char *text,
|
||||
Index: libarchive-3.3.3/libarchive/archive_acl.c
|
||||
===================================================================
|
||||
--- libarchive-3.3.3.orig/libarchive/archive_acl.c
|
||||
+++ libarchive-3.3.3/libarchive/archive_acl.c
|
||||
@@ -1707,6 +1707,11 @@ archive_acl_from_text_l(struct archive_a
|
||||
st = field[n].start + 1;
|
||||
len = field[n].end - field[n].start;
|
||||
|
||||
|
53
CVE-2019-1000019.patch
Normal file
53
CVE-2019-1000019.patch
Normal file
@ -0,0 +1,53 @@
|
||||
commit 65a23f5dbee4497064e9bb467f81138a62b0dae1
|
||||
Author: Daniel Axtens <dja@axtens.net>
|
||||
Date: Tue Jan 1 16:01:40 2019 +1100
|
||||
|
||||
7zip: fix crash when parsing certain archives
|
||||
|
||||
Fuzzing with CRCs disabled revealed that a call to get_uncompressed_data()
|
||||
would sometimes fail to return at least 'minimum' bytes. This can cause
|
||||
the crc32() invocation in header_bytes to read off into invalid memory.
|
||||
|
||||
A specially crafted archive can use this to cause a crash.
|
||||
|
||||
An ASAN trace is below, but ASAN is not required - an uninstrumented
|
||||
binary will also crash.
|
||||
|
||||
==7719==ERROR: AddressSanitizer: SEGV on unknown address 0x631000040000 (pc 0x7fbdb3b3ec1d bp 0x7ffe77a51310 sp 0x7ffe77a51150 T0)
|
||||
==7719==The signal is caused by a READ memory access.
|
||||
#0 0x7fbdb3b3ec1c in crc32_z (/lib/x86_64-linux-gnu/libz.so.1+0x2c1c)
|
||||
#1 0x84f5eb in header_bytes (/tmp/libarchive/bsdtar+0x84f5eb)
|
||||
#2 0x856156 in read_Header (/tmp/libarchive/bsdtar+0x856156)
|
||||
#3 0x84e134 in slurp_central_directory (/tmp/libarchive/bsdtar+0x84e134)
|
||||
#4 0x849690 in archive_read_format_7zip_read_header (/tmp/libarchive/bsdtar+0x849690)
|
||||
#5 0x5713b7 in _archive_read_next_header2 (/tmp/libarchive/bsdtar+0x5713b7)
|
||||
#6 0x570e63 in _archive_read_next_header (/tmp/libarchive/bsdtar+0x570e63)
|
||||
#7 0x6f08bd in archive_read_next_header (/tmp/libarchive/bsdtar+0x6f08bd)
|
||||
#8 0x52373f in read_archive (/tmp/libarchive/bsdtar+0x52373f)
|
||||
#9 0x5257be in tar_mode_x (/tmp/libarchive/bsdtar+0x5257be)
|
||||
#10 0x51daeb in main (/tmp/libarchive/bsdtar+0x51daeb)
|
||||
#11 0x7fbdb27cab96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
|
||||
#12 0x41dd09 in _start (/tmp/libarchive/bsdtar+0x41dd09)
|
||||
|
||||
This was primarly done with afl and FairFuzz. Some early corpus entries
|
||||
may have been generated by qsym.
|
||||
|
||||
diff --git a/libarchive/archive_read_support_format_7zip.c b/libarchive/archive_read_support_format_7zip.c
|
||||
index bccbf896..b6d1505d 100644
|
||||
--- a/libarchive/archive_read_support_format_7zip.c
|
||||
+++ b/libarchive/archive_read_support_format_7zip.c
|
||||
@@ -2964,13 +2964,7 @@ get_uncompressed_data(struct archive_read *a, const void **buff, size_t size,
|
||||
if (zip->codec == _7Z_COPY && zip->codec2 == (unsigned long)-1) {
|
||||
/* Copy mode. */
|
||||
|
||||
- /*
|
||||
- * Note: '1' here is a performance optimization.
|
||||
- * Recall that the decompression layer returns a count of
|
||||
- * available bytes; asking for more than that forces the
|
||||
- * decompressor to combine reads by copying data.
|
||||
- */
|
||||
- *buff = __archive_read_ahead(a, 1, &bytes_avail);
|
||||
+ *buff = __archive_read_ahead(a, minimum, &bytes_avail);
|
||||
if (bytes_avail <= 0) {
|
||||
archive_set_error(&a->archive,
|
||||
ARCHIVE_ERRNO_FILE_FORMAT,
|
53
CVE-2019-1000020.patch
Normal file
53
CVE-2019-1000020.patch
Normal file
@ -0,0 +1,53 @@
|
||||
commit 8312eaa576014cd9b965012af51bc1f967b12423
|
||||
Author: Daniel Axtens <dja@axtens.net>
|
||||
Date: Tue Jan 1 17:10:49 2019 +1100
|
||||
|
||||
iso9660: Fail when expected Rockridge extensions is missing
|
||||
|
||||
A corrupted or malicious ISO9660 image can cause read_CE() to loop
|
||||
forever.
|
||||
|
||||
read_CE() calls parse_rockridge(), expecting a Rockridge extension
|
||||
to be read. However, parse_rockridge() is structured as a while
|
||||
loop starting with a sanity check, and if the sanity check fails
|
||||
before the loop has run, the function returns ARCHIVE_OK without
|
||||
advancing the position in the file. This causes read_CE() to retry
|
||||
indefinitely.
|
||||
|
||||
Make parse_rockridge() return ARCHIVE_WARN if it didn't read an
|
||||
extension. As someone with no real knowledge of the format, this
|
||||
seems more apt than ARCHIVE_FATAL, but both the call-sites escalate
|
||||
it to a fatal error immediately anyway.
|
||||
|
||||
Found with a combination of AFL, afl-rb (FairFuzz) and qsym.
|
||||
|
||||
diff --git a/libarchive/archive_read_support_format_iso9660.c b/libarchive/archive_read_support_format_iso9660.c
|
||||
index 28acfefb..bad8f1df 100644
|
||||
--- a/libarchive/archive_read_support_format_iso9660.c
|
||||
+++ b/libarchive/archive_read_support_format_iso9660.c
|
||||
@@ -2102,6 +2102,7 @@ parse_rockridge(struct archive_read *a, struct file_info *file,
|
||||
const unsigned char *p, const unsigned char *end)
|
||||
{
|
||||
struct iso9660 *iso9660;
|
||||
+ int entry_seen = 0;
|
||||
|
||||
iso9660 = (struct iso9660 *)(a->format->data);
|
||||
|
||||
@@ -2257,8 +2258,16 @@ parse_rockridge(struct archive_read *a, struct file_info *file,
|
||||
}
|
||||
|
||||
p += p[2];
|
||||
+ entry_seen = 1;
|
||||
+ }
|
||||
+
|
||||
+ if (entry_seen)
|
||||
+ return (ARCHIVE_OK);
|
||||
+ else {
|
||||
+ archive_set_error(&a->archive, ARCHIVE_ERRNO_FILE_FORMAT,
|
||||
+ "Tried to parse Rockridge extensions, but none found");
|
||||
+ return (ARCHIVE_WARN);
|
||||
}
|
||||
- return (ARCHIVE_OK);
|
||||
}
|
||||
|
||||
static int
|
@ -1,3 +1,10 @@
|
||||
-------------------------------------------------------------------
|
||||
Tue Feb 5 15:16:08 UTC 2019 - Adrian Schröter <adrian@suse.de>
|
||||
|
||||
- Added patches (boo#1124342):
|
||||
* CVE-2019-1000019.patch Fixes 7zip crash
|
||||
* CVE-2019-1000020.patch ISO9660 infinite loop fixed
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Thu Jan 3 15:26:58 UTC 2019 - Karol Babioch <kbabioch@suse.de>
|
||||
|
||||
|
@ -43,6 +43,8 @@ Patch0: CVE-2018-1000877.patch
|
||||
Patch1: CVE-2018-1000878.patch
|
||||
Patch2: CVE-2018-1000879.patch
|
||||
Patch3: CVE-2018-1000880.patch
|
||||
Patch4: CVE-2019-1000019.patch
|
||||
Patch5: CVE-2019-1000020.patch
|
||||
BuildRequires: libacl-devel
|
||||
BuildRequires: libbz2-devel
|
||||
BuildRequires: libtool
|
||||
@ -164,6 +166,8 @@ Static library for libarchive
|
||||
%patch1 -p1
|
||||
%patch2 -p1
|
||||
%patch3 -p1
|
||||
%patch4 -p1
|
||||
%patch5 -p1
|
||||
|
||||
%build
|
||||
%if !0%{?skip_autoreconf}
|
||||
|
Loading…
Reference in New Issue
Block a user