Accepting request 289553 from Archiving

this stupid check should report both errors at the same point of time and it should not be needed to do this as a request reviewer, but could be done directly as source service IMHO

OBS-URL: https://build.opensuse.org/request/show/289553
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/libarchive?expand=0&rev=19

directory-traversal-fix.patch

@@ -0,0 +1,136 @@
+commit 59357157706d47c365b2227739e17daba3607526
+Author: Alessandro Ghedini <alessandro@ghedini.me>
+Date:   Sun Mar 1 12:07:45 2015 +0100
+
+    Add ARCHIVE_EXTRACT_SECURE_NOABSOLUTEPATHS option
+    
+    This fixes a directory traversal in the cpio tool.
+
+Index: libarchive-3.1.2/cpio/bsdcpio.1
+===================================================================
+--- libarchive-3.1.2.orig/cpio/bsdcpio.1
++++ libarchive-3.1.2/cpio/bsdcpio.1
+@@ -156,7 +156,8 @@ See above for description.
+ .It Fl Fl insecure
+ (i and p mode only)
+ Disable security checks during extraction or copying.
+-This allows extraction via symbolic links and path names containing
++This allows extraction via symbolic links, absolute paths,
++and path names containing
+ .Sq ..
+ in the name.
+ .It Fl J , Fl Fl xz
+Index: libarchive-3.1.2/cpio/cpio.c
+===================================================================
+--- libarchive-3.1.2.orig/cpio/cpio.c
++++ libarchive-3.1.2/cpio/cpio.c
+@@ -179,6 +179,7 @@ main(int argc, char *argv[])
+ 	cpio->extract_flags |= ARCHIVE_EXTRACT_NO_OVERWRITE_NEWER;
+ 	cpio->extract_flags |= ARCHIVE_EXTRACT_SECURE_SYMLINKS;
+ 	cpio->extract_flags |= ARCHIVE_EXTRACT_SECURE_NODOTDOT;
++	cpio->extract_flags |= ARCHIVE_EXTRACT_SECURE_NOABSOLUTEPATHS;
+ 	cpio->extract_flags |= ARCHIVE_EXTRACT_PERM;
+ 	cpio->extract_flags |= ARCHIVE_EXTRACT_FFLAGS;
+ 	cpio->extract_flags |= ARCHIVE_EXTRACT_ACL;
+@@ -264,6 +265,7 @@ main(int argc, char *argv[])
+ 		case OPTION_INSECURE:
+ 			cpio->extract_flags &= ~ARCHIVE_EXTRACT_SECURE_SYMLINKS;
+ 			cpio->extract_flags &= ~ARCHIVE_EXTRACT_SECURE_NODOTDOT;
++			cpio->extract_flags &= ~ARCHIVE_EXTRACT_SECURE_NOABSOLUTEPATHS;
+ 			break;
+ 		case 'L': /* GNU cpio */
+ 			cpio->option_follow_links = 1;
+Index: libarchive-3.1.2/libarchive/archive.h
+===================================================================
+--- libarchive-3.1.2.orig/libarchive/archive.h
++++ libarchive-3.1.2/libarchive/archive.h
+@@ -562,6 +562,8 @@ __LA_DECL int archive_read_set_options(s
+ /* Default: Do not use HFS+ compression if it was not compressed. */
+ /* This has no effect except on Mac OS v10.6 or later. */
+ #define	ARCHIVE_EXTRACT_HFS_COMPRESSION_FORCED	(0x8000)
++/* Default: Do not reject entries with absolute paths */
++#define ARCHIVE_EXTRACT_SECURE_NOABSOLUTEPATHS (0x10000)
+ 
+ __LA_DECL int archive_read_extract(struct archive *, struct archive_entry *,
+ 		     int flags);
+Index: libarchive-3.1.2/libarchive/archive_write_disk.3
+===================================================================
+--- libarchive-3.1.2.orig/libarchive/archive_write_disk.3
++++ libarchive-3.1.2/libarchive/archive_write_disk.3
+@@ -177,6 +177,9 @@ The default is to not refuse such paths.
+ Note that paths ending in
+ .Pa ..
+ always cause an error, regardless of this flag.
++.It Cm ARCHIVE_EXTRACT_SECURE_NOABSOLUTEPATHS
++Refuse to extract an absolute path.
++The default is to not refuse such paths.
+ .It Cm ARCHIVE_EXTRACT_SPARSE
+ Scan data for blocks of NUL bytes and try to recreate them with holes.
+ This results in sparse files, independent of whether the archive format
+Index: libarchive-3.1.2/libarchive/archive_write_disk_posix.c
+===================================================================
+--- libarchive-3.1.2.orig/libarchive/archive_write_disk_posix.c
++++ libarchive-3.1.2/libarchive/archive_write_disk_posix.c
+@@ -2504,8 +2504,9 @@ cleanup_pathname_win(struct archive_writ
+ /*
+  * Canonicalize the pathname.  In particular, this strips duplicate
+  * '/' characters, '.' elements, and trailing '/'.  It also raises an
+- * error for an empty path, a trailing '..' or (if _SECURE_NODOTDOT is
+- * set) any '..' in the path.
++ * error for an empty path, a trailing '..', (if _SECURE_NODOTDOT is
++ * set) any '..' in the path or (if ARCHIVE_EXTRACT_SECURE_NOABSOLUTEPATHS
++ * is set) if the path is absolute.
+  */
+ static int
+ cleanup_pathname(struct archive_write_disk *a)
+@@ -2524,8 +2525,15 @@ cleanup_pathname(struct archive_write_di
+ 	cleanup_pathname_win(a);
+ #endif
+ 	/* Skip leading '/'. */
+-	if (*src == '/')
++	if (*src == '/') {
++		if (a->flags & ARCHIVE_EXTRACT_SECURE_NOABSOLUTEPATHS) {
++			archive_set_error(&a->archive, ARCHIVE_ERRNO_MISC,
++			                  "Path is absolute");
++			return (ARCHIVE_FAILED);
++		}
++
+ 		separator = *src++;
++	}
+ 
+ 	/* Scan the pathname one element at a time. */
+ 	for (;;) {
+Index: libarchive-3.1.2/libarchive/test/test_write_disk_secure.c
+===================================================================
+--- libarchive-3.1.2.orig/libarchive/test/test_write_disk_secure.c
++++ libarchive-3.1.2/libarchive/test/test_write_disk_secure.c
+@@ -178,6 +178,29 @@ DEFINE_TEST(test_write_disk_secure)
+ 	assert(S_ISDIR(st.st_mode));
+ 	archive_entry_free(ae);
+ 
++	/*
++	 * Without security checks, we should be able to
++	 * extract an absolute path.
++	 */
++	assert((ae = archive_entry_new()) != NULL);
++	archive_entry_copy_pathname(ae, "/tmp/libarchive_test-test_write_disk_secure-absolute_path.tmp");
++	archive_entry_set_mode(ae, S_IFREG | 0777);
++	assert(0 == archive_write_header(a, ae));
++	assert(0 == archive_write_finish_entry(a));
++	assertFileExists("/tmp/libarchive_test-test_write_disk_secure-absolute_path.tmp");
++	assert(0 == unlink("/tmp/libarchive_test-test_write_disk_secure-absolute_path.tmp"));
++
++	/* But with security checks enabled, this should fail. */
++	assert(archive_entry_clear(ae) != NULL);
++	archive_entry_copy_pathname(ae, "/tmp/libarchive_test-test_write_disk_secure-absolute_path.tmp");
++	archive_entry_set_mode(ae, S_IFREG | 0777);
++	archive_write_disk_set_options(a, ARCHIVE_EXTRACT_SECURE_NOABSOLUTEPATHS);
++	failure("Extracting an absolute path should fail here.");
++	assertEqualInt(ARCHIVE_FAILED, archive_write_header(a, ae));
++	archive_entry_free(ae);
++	assert(0 == archive_write_finish_entry(a));
++	assertFileNotExists("/tmp/libarchive_test-test_write_disk_secure-absolute_path.tmp");
++
+ 	assertEqualInt(ARCHIVE_OK, archive_write_free(a));
+ 
+ 	/* Test the entries on disk. */

libarchive.changes

@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Thu Mar  5 13:36:09 UTC 2015 - adrian@suse.com
+
+- fix a directory traversal in cpio tool (bnc#920870)
+  directory-traversal-fix.patch
+
 -------------------------------------------------------------------
 Tue Nov 11 12:07:46 UTC 2014 - jsegitz@novell.com
 

libarchive.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package libarchive
 #
-# Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -56,7 +56,10 @@ BuildRequires:  xz-devel
 BuildRequires:  zlib-devel
 Patch0:         libarchive-openssl.patch
 Patch1:         libarchive-xattr.patch
+# PATCH-FIX-UPSTREAM bnc#800024
 Patch2:         CVE-2013-0211.patch
+# PATCH-FIX-UPSTREAM bnc#920870
+Patch3:         directory-traversal-fix.patch
 
 %description
 Libarchive is a programming library that can create and read several
@@ -167,6 +170,8 @@ static library for libarchive
 %endif
 %patch1 -p1
 %patch2 -p1
+%patch3 -p1
+
 %build
 autoreconf -fiv
 %global optflags    %{optflags} -D_REENTRANT -pipe