Accepting request 261218 from home:jsegitz:branches:Archiving

- Added CVE-2013-0211.patch to fix CVE-2013-0211 (bnc#800024)

OBS-URL: https://build.opensuse.org/request/show/261218
OBS-URL: https://build.opensuse.org/package/show/Archiving/libarchive?expand=0&rev=36

CVE-2013-0211.patch

@@ -0,0 +1,18 @@
+Index: libarchive-3.1.2/libarchive/archive_write.c
+===================================================================
+--- libarchive-3.1.2.orig/libarchive/archive_write.c
++++ libarchive-3.1.2/libarchive/archive_write.c
+@@ -671,8 +671,13 @@ static ssize_t
+ _archive_write_data(struct archive *_a, const void *buff, size_t s)
+ {
+ 	struct archive_write *a = (struct archive_write *)_a;
++  size_t max_write = INT_MAX;
++
+ 	archive_check_magic(&a->archive, ARCHIVE_WRITE_MAGIC,
+ 	    ARCHIVE_STATE_DATA, "archive_write_data");
++  /* This catches attempts to pass negative values. */
++  if (s > max_write)
++    s = max_write;
+ 	archive_clear_error(&a->archive);
+ 	return ((a->format_write_data)(a, buff, s));
+ }

libarchive.changes

@@ -1,3 +1,8 @@
+-------------------------------------------------------------------
+Tue Nov 11 12:07:46 UTC 2014 - jsegitz@novell.com
+
+- Added CVE-2013-0211.patch to fix CVE-2013-0211 (bnc#800024)
+
 -------------------------------------------------------------------
 Wed May 28 17:18:59 UTC 2014 - crrodriguez@opensuse.org
 

libarchive.spec

@@ -56,6 +56,7 @@ BuildRequires:  xz-devel
 BuildRequires:  zlib-devel
 Patch0:         libarchive-openssl.patch
 Patch1:         libarchive-xattr.patch
+Patch2:         CVE-2013-0211.patch
 
 %description
 Libarchive is a programming library that can create and read several
@@ -165,6 +166,7 @@ static library for libarchive
 %patch0
 %endif
 %patch1 -p1
+%patch2 -p1
 %build
 autoreconf -fiv
 %global optflags    %{optflags} -D_REENTRANT -pipe