-rw-r--r--main/libarchive/APKBUILD32
-rw-r--r--main/libarchive/CVE-2016-4302.patch32
-rw-r--r--main/libarchive/CVE-2016-4809.patch25
-rw-r--r--main/libarchive/CVE-2016-5844.patch37
-rw-r--r--main/libarchive/CVE-2016-6250.patch81
5 files changed, 203 insertions, 4 deletions
diff --git a/main/libarchive/APKBUILD b/main/libarchive/APKBUILD
index 2d6c2caf24..fe8ff7925a 100644
--- a/main/libarchive/APKBUILD
+++ b/main/libarchive/APKBUILD
@@ -1,7 +1,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=libarchive
pkgver=3.1.2
-pkgrel=3
+pkgrel=4
pkgdesc="library that can create and read several streaming archive formats"
url="http://libarchive.googlecode.com/"
arch="all"
@@ -14,10 +14,22 @@ source="http://www.libarchive.org/downloads/libarchive-$pkgver.tar.gz
CVE-2013-0211.patch
CVE-2015-2304.patch
CVE-2016-1541.patch
+ CVE-2016-4302.patch
+ CVE-2016-4809.patch
+ CVE-2016-5844.patch
+ CVE-2016-6250.patch
"
_builddir="$srcdir"/$pkgname-$pkgver
+# security fixes:
+# 3.1.2-r4:
+# - CVE-2016-4302
+# - CVE-2016-4809
+# - CVE-2016-5844
+# - CVE-2016-6250
+
+
prepare() {
cd "$_builddir"
for i in $source; do
@@ -53,12 +65,24 @@ tools() {
md5sums="efad5a503f66329bb9d2f4308b5de98a libarchive-3.1.2.tar.gz
fc5f5158d414e3a7e9f085d8d1470014 CVE-2013-0211.patch
b27c60d9288780261410366994103278 CVE-2015-2304.patch
-1d6acc1b95e1f6a397dbf332b6e8b0eb CVE-2016-1541.patch"
+1d6acc1b95e1f6a397dbf332b6e8b0eb CVE-2016-1541.patch
+671e37e5012868487c883d1d3d1a98e8 CVE-2016-4302.patch
+441be3deb395c923f775e1a2d0f0d35e CVE-2016-4809.patch
+fffa1304e451984b8fa43047da1c9178 CVE-2016-5844.patch
+d5e6f412445c5b463d3761995c23f84e CVE-2016-6250.patch"
sha256sums="eb87eacd8fe49e8d90c8fdc189813023ccc319c5e752b01fb6ad0cc7b2c53d5e libarchive-3.1.2.tar.gz
75f30c3867d3924461bb764ea2ca3c1b1e43240aeb5b0dd93a103fd7a7ca7fe9 CVE-2013-0211.patch
5a862586b4684d819add1df9d747bc47f9a4f2fecd069175bf00f6927c9633bf CVE-2015-2304.patch
-cfe651e5b9a626ea51b92e762474e8bc9ef28d95a42123f69bdbed3c14547b69 CVE-2016-1541.patch"
+cfe651e5b9a626ea51b92e762474e8bc9ef28d95a42123f69bdbed3c14547b69 CVE-2016-1541.patch
+f5e66529b373d23e9084c38df2c65d2406986cbb7039cf380ff884b3feb78312 CVE-2016-4302.patch
+c108796584bdd539eaa892b7ea83257ccf9174c6a23afe4fa7d32f90ac140220 CVE-2016-4809.patch
+dbdd82e4e5693fdfb3e510d6238e411f00d68d71c09d6ec84f4b6c7ca44b00d0 CVE-2016-5844.patch
+e46a9999388cae275c31ee758b44be99fc04b58257b0c3e068a3e58d266a0fdd CVE-2016-6250.patch"
sha512sums="1f3c2a675031f93c7d42ae2ed06742b0b1e2236ff57d9117791d62fb8ae77d6cafffbcb5d45b5bd98daa908bd18c576cf82e01a9b1eba699705e23eff3688114 libarchive-3.1.2.tar.gz
c10470ab67dd94944489f72e4d6f39d98163f5d7a92bcd550aa323e9a1b96148588bd04ac7d8c6ff232dc388559fb3e67552bb5c83ac7626ad714517f5022fce CVE-2013-0211.patch
ae3161b36605c81622d4d4c44f33c31e596506dc60ffb43a91b0f7b831d15d48abdd64725cd770bca6795230f1505d301a74db63903c91507195ccdea0737b63 CVE-2015-2304.patch
-ecbd54a125948c0bf172ad8d877f074e802a4f719a967a69f7c56ea7fda77ec68183bc47642f4437462132af61b91d7b94d9b87d0e84aafbeb492b28d0d1531d CVE-2016-1541.patch"
+ecbd54a125948c0bf172ad8d877f074e802a4f719a967a69f7c56ea7fda77ec68183bc47642f4437462132af61b91d7b94d9b87d0e84aafbeb492b28d0d1531d CVE-2016-1541.patch
+94db9186246971fbad51d5d1b50719b2ae1d6baeb063fd344546fd4e1d8cec89438ea8baa299af75eb8e1157888b68e8fd53120aaccba1b802b3169baaf13c98 CVE-2016-4302.patch
+464692946ad59f7f404a1ac1b123e06b407cabaece95bd062b5c0fca7c62355b4a9c2aa940055aee5b9c40fcc3077fbe2a3b5a3d416b5b2c453fc7518cbc858d CVE-2016-4809.patch
+213fbf0b6ac1b6f7662a6d15119696db5c05e071ffa86cb6832677c9676040ed8df199bb22e72dc47264e8873e246737bad327d88f439d8b164c0520095210b2 CVE-2016-5844.patch
+1b93ce72c4769aa7467bb68ad7953551bed3b944eeb686ebbacc7ccd450833dc3250b0e3132cf63ae35d873b021ffbcbeb0f08a60f16037ffabc45536292af35 CVE-2016-6250.patch"
diff --git a/main/libarchive/CVE-2016-4302.patch b/main/libarchive/CVE-2016-4302.patch
new file mode 100644
index 0000000000..4506afb0be
--- /dev/null
+++ b/main/libarchive/CVE-2016-4302.patch
@@ -0,0 +1,32 @@
+From 05caadc7eedbef471ac9610809ba683f0c698700 Mon Sep 17 00:00:00 2001
+From: Tim Kientzle <kientzle@acm.org>
+Date: Sun, 19 Jun 2016 14:21:42 -0700
+Subject: [PATCH] Issue 719: Fix for TALOS-CAN-154
+
+A RAR file with an invalid zero dictionary size was not being
+rejected, leading to a zero-sized allocation for the dictionary
+storage which was then overwritten during the dictionary initialization.
+
+Thanks to the Open Source and Threat Intelligence project at Cisco for
+reporting this.
+---
+ libarchive/archive_read_support_format_rar.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/libarchive/archive_read_support_format_rar.c b/libarchive/archive_read_support_format_rar.c
+index 6450aac..6c49f1a 100644
+--- a/libarchive/archive_read_support_format_rar.c
++++ b/libarchive/archive_read_support_format_rar.c
+@@ -2127,6 +2127,12 @@ parse_codes(struct archive_read *a)
+ rar->range_dec.Stream = &rar->bytein;
+ __archive_ppmd7_functions.Ppmd7_Construct(&rar->ppmd7_context);
+
++ if (rar->dictionary_size == 0) {
++ archive_set_error(&a->archive, ARCHIVE_ERRNO_FILE_FORMAT,
++ "Invalid zero dictionary size");
++ return (ARCHIVE_FATAL);
++ }
++
+ if (!__archive_ppmd7_functions.Ppmd7_Alloc(&rar->ppmd7_context,
+ rar->dictionary_size, &g_szalloc))
+ {
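Review bot: The new guard in parse_codes() rejects only a dictionary_size of exactly zero, so any other undersized value taken from the archive still reaches Ppmd7_Alloc on the following line. Whether a small non-zero size leaves enough room for the dictionary initialization described in the commit message cannot be judged from this hunk; if the PPMd7 code defines a minimum memory size, comparing against that would be a tighter bound than `== 0`. A short comment above the check would also keep the reason next to the code, for example `/* Size comes from the archive; zero gives an empty allocation that initialization then writes past. */`. parse_codes() starts and ends outside the hunk.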
diff --git a/main/libarchive/CVE-2016-4809.patch b/main/libarchive/CVE-2016-4809.patch
new file mode 100644
index 0000000000..94f801d628
--- /dev/null
+++ b/main/libarchive/CVE-2016-4809.patch
@@ -0,0 +1,25 @@
+From fd7e0c02e272913a0a8b6d492c7260dfca0b1408 Mon Sep 17 00:00:00 2001
+From: Tim Kientzle <kientzle@acm.org>
+Date: Sat, 14 May 2016 12:37:37 -0700
+Subject: [PATCH] Reject cpio symlinks that exceed 1MB
+
+---
+ libarchive/archive_read_support_format_cpio.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/libarchive/archive_read_support_format_cpio.c b/libarchive/archive_read_support_format_cpio.c
+index c2ca85b..b09db0e 100644
+--- a/libarchive/archive_read_support_format_cpio.c
++++ b/libarchive/archive_read_support_format_cpio.c
+@@ -401,6 +401,11 @@ archive_read_format_cpio_read_header(struct archive_read *a,
+
+ /* If this is a symlink, read the link contents. */
+ if (archive_entry_filetype(entry) == AE_IFLNK) {
++ if (cpio->entry_bytes_remaining > 1024 * 1024) {
++ archive_set_error(&a->archive, ENOMEM,
++ "Rejecting malformed cpio archive: symlink contents exceed 1 megabyte");
++ return (ARCHIVE_FATAL);
++ }
+ h = __archive_read_ahead(a,
+ (size_t)cpio->entry_bytes_remaining, NULL);
+ if (h == NULL)
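Review bot: The size guard added before __archive_read_ahead() tests only the upper bound, while the very next statement casts entry_bytes_remaining to size_t. If that field is a signed type (its declaration is not in the hunk), a negative value passes the check and becomes a very large read-ahead request, which is then handled only if the read-ahead call happens to fail. Writing the condition as `if (cpio->entry_bytes_remaining < 0 || cpio->entry_bytes_remaining > 1024 * 1024) {` rejects that case explicitly. The error code is ENOMEM although the message calls the archive malformed; ARCHIVE_ERRNO_FILE_FORMAT would match the message, and a named constant would document the 1 MB limit better than the inline `1024 * 1024`. The function continues outside the hunk.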
diff --git a/main/libarchive/CVE-2016-5844.patch b/main/libarchive/CVE-2016-5844.patch
new file mode 100644
index 0000000000..ab7f649ef8
--- /dev/null
+++ b/main/libarchive/CVE-2016-5844.patch
@@ -0,0 +1,37 @@
+From 3ad08e01b4d253c66ae56414886089684155af22 Mon Sep 17 00:00:00 2001
+From: Tim Kientzle <kientzle@acm.org>
+Date: Sun, 19 Jun 2016 14:34:37 -0700
+Subject: [PATCH] Issue 717: Fix integer overflow when computing location of
+ volume descriptor
+
+The multiplication here defaulted to 'int' but calculations
+of file positions should always use int64_t. A simple cast
+suffices to fix this since the base location is always 32 bits
+for ISO, so multiplying by the sector size will never overflow
+a 64-bit integer.
+---
+ libarchive/archive_read_support_format_iso9660.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/libarchive/archive_read_support_format_iso9660.c b/libarchive/archive_read_support_format_iso9660.c
+index 6934cee..f41ba38 100644
+--- a/libarchive/archive_read_support_format_iso9660.c
++++ b/libarchive/archive_read_support_format_iso9660.c
+@@ -1091,7 +1091,7 @@ choose_volume(struct archive_read *a, struct iso9660 *iso9660)
+ /* This condition is unlikely; by way of caution. */
+ vd = &(iso9660->joliet);
+
+- skipsize = LOGICAL_BLOCK_SIZE * vd->location;
++ skipsize = LOGICAL_BLOCK_SIZE * (int64_t)vd->location;
+ skipsize = __archive_read_consume(a, skipsize);
+ if (skipsize < 0)
+ return ((int)skipsize);
+@@ -1129,7 +1129,7 @@ choose_volume(struct archive_read *a, struct iso9660 *iso9660)
+ && iso9660->seenJoliet) {
+ /* Switch reading data from primary to joliet. */
+ vd = &(iso9660->joliet);
+- skipsize = LOGICAL_BLOCK_SIZE * vd->location;
++ skipsize = LOGICAL_BLOCK_SIZE * (int64_t)vd->location;
+ skipsize -= iso9660->current_position;
+ skipsize = __archive_read_consume(a, skipsize);
+ if (skipsize < 0)
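Review bot: At the second changed site in choose_volume(), skipsize has iso9660->current_position subtracted and is passed straight to __archive_read_consume(), so a Joliet descriptor location that lies behind the current position yields a negative skip request. The 64-bit cast removes the multiplication overflow but does not cover this case, and whether __archive_read_consume() rejects negative requests is not visible here. An explicit check before the call, such as `if (skipsize < 0) return (ARCHIVE_FATAL);` with a suitable archive_set_error(), would make the behaviour independent of the callee. The cast expression is also repeated verbatim at both sites; a small helper or macro for "block number to byte offset" would keep them from drifting apart. choose_volume() starts and ends outside the hunk.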
diff --git a/main/libarchive/CVE-2016-6250.patch b/main/libarchive/CVE-2016-6250.patch
new file mode 100644
index 0000000000..86955c3886
--- /dev/null
+++ b/main/libarchive/CVE-2016-6250.patch
@@ -0,0 +1,81 @@
+From 3014e19820ea53c15c90f9d447ca3e668a0b76c6 Mon Sep 17 00:00:00 2001
+From: Tim Kientzle <kientzle@acm.org>
+Date: Sat, 28 May 2016 11:50:39 -0700
+Subject: [PATCH] Issue 711: Be more careful about verifying filename lengths
+ when writing ISO9660 archives
+
+* Don't cast size_t to int, since this can lead to overflow
+ on machines where sizeof(int) < sizeof(size_t)
+* Check a + b > limit by writing it as
+ a > limit || b > limit || a + b > limit
+ to avoid problems when a + b wraps around.
+---
+ libarchive/archive_write_set_format_iso9660.c | 18 ++++++++++--------
+ 1 file changed, 10 insertions(+), 8 deletions(-)
+
+diff --git a/libarchive/archive_write_set_format_iso9660.c b/libarchive/archive_write_set_format_iso9660.c
+index 4d832fb..cb3e54e 100644
+--- a/libarchive/archive_write_set_format_iso9660.c
++++ b/libarchive/archive_write_set_format_iso9660.c
+@@ -6225,7 +6225,7 @@ isoent_gen_joliet_identifier(struct archive_write *a, struct isoent *isoent,
+ unsigned char *p;
+ size_t l;
+ int r;
+- int ffmax, parent_len;
++ size_t ffmax, parent_len;
+ static const struct archive_rb_tree_ops rb_ops = {
+ isoent_cmp_node_joliet, isoent_cmp_key_joliet
+ };
+@@ -6239,7 +6239,7 @@ isoent_gen_joliet_identifier(struct archive_write *a, struct isoent *isoent,
+ else
+ ffmax = 128;
+
+- r = idr_start(a, idr, isoent->children.cnt, ffmax, 6, 2, &rb_ops);
++ r = idr_start(a, idr, isoent->children.cnt, (int)ffmax, 6, 2, &rb_ops);
+ if (r < 0)
+ return (r);
+
+@@ -6252,7 +6252,7 @@ isoent_gen_joliet_identifier(struct archive_write *a, struct isoent *isoent,
+ int ext_off, noff, weight;
+ size_t lt;
+
+- if ((int)(l = np->file->basename_utf16.length) > ffmax)
++ if ((l = np->file->basename_utf16.length) > ffmax)
+ l = ffmax;
+
+ p = malloc((l+1)*2);
+@@ -6285,7 +6285,7 @@ isoent_gen_joliet_identifier(struct archive_write *a, struct isoent *isoent,
+ /*
+ * Get a length of MBS of a full-pathname.
+ */
+- if ((int)np->file->basename_utf16.length > ffmax) {
++ if (np->file->basename_utf16.length > ffmax) {
+ if (archive_strncpy_l(&iso9660->mbs,
+ (const char *)np->identifier, l,
+ iso9660->sconv_from_utf16be) != 0 &&
+@@ -6302,7 +6302,9 @@ isoent_gen_joliet_identifier(struct archive_write *a, struct isoent *isoent,
+
+ /* If a length of full-pathname is longer than 240 bytes,
+ * it violates Joliet extensions regulation. */
+- if (parent_len + np->mb_len > 240) {
++ if (parent_len > 240
++ || np->mb_len > 240
++ || parent_len + np->mb_len > 240) {
+ archive_set_error(&a->archive, ARCHIVE_ERRNO_MISC,
+ "The regulation of Joliet extensions;"
+ " A length of a full-pathname of `%s' is "
+@@ -6314,11 +6316,11 @@ isoent_gen_joliet_identifier(struct archive_write *a, struct isoent *isoent,
+
+ /* Make an offset of the number which is used to be set
+ * hexadecimal number to avoid duplicate identifier. */
+- if ((int)l == ffmax)
++ if (l == ffmax)
+ noff = ext_off - 6;
+- else if ((int)l == ffmax-2)
++ else if (l == ffmax-2)
+ noff = ext_off - 4;
+- else if ((int)l == ffmax-4)
++ else if (l == ffmax-4)
+ noff = ext_off - 2;
+ else
+ noff = ext_off;
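Review bot: The three-part length test in isoent_gen_joliet_identifier() looks redundant at first glance and could easily be collapsed back into the single sum, so the reason belongs in the code and not only in the commit message, for example `/* Test each term first: parent_len + np->mb_len may wrap around. */`. The limit 240 now appears three times in that condition; a named constant would keep the three comparisons in step. The `(int)ffmax` cast at the idr_start() call is safe only while ffmax holds small constants such as the 128 visible here; the other branch's value is outside the hunk, so a one-line comment stating that bound would help. The function starts and ends outside the hunk.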