From e9bdabd6e101ba083ed00a8ca911517facd8b1c7 Mon Sep 17 00:00:00 2001
From: Leonardo Arena
Date: Mon, 8 Aug 2016 06:24:26 +0000
Subject: main/libarchive: security fixes.
Fixes #5974 CVE-2016-4302 CVE-2016-4809 CVE-2016-5844 CVE-2016-6250
(cherry picked from commit 9d0f5e1e02079c44a9c58169c8b78c743edaf7b8)
---
 main/libarchive/APKBUILD | 32 +++++++++++++--
 main/libarchive/CVE-2016-4302.patch | 32 +++++++++++++++
 main/libarchive/CVE-2016-4809.patch | 25 ++++++++++++
 main/libarchive/CVE-2016-5844.patch | 37 +++++++++++++++++
 main/libarchive/CVE-2016-6250.patch | 81 +++++++++++++++++++++++++++++++++++++
 5 files changed, 203 insertions(+), 4 deletions(-)
 create mode 100644 main/libarchive/CVE-2016-4302.patch
 create mode 100644 main/libarchive/CVE-2016-4809.patch
 create mode 100644 main/libarchive/CVE-2016-5844.patch
 create mode 100644 main/libarchive/CVE-2016-6250.patch
diff --git a/main/libarchive/APKBUILD b/main/libarchive/APKBUILD
index 2d6c2caf24..fe8ff7925a 100644
--- a/main/libarchive/APKBUILD
+++ b/main/libarchive/APKBUILD
@@ -1,7 +1,7 @@
 # Maintainer: Natanael Copa
 pkgname=libarchive
 pkgver=3.1.2
-pkgrel=3
+pkgrel=4
 pkgdesc="library that can create and read several streaming archive formats"
 url="http://libarchive.googlecode.com/"
 arch="all"
@@ -14,10 +14,22 @@ source="http://www.libarchive.org/downloads/libarchive-$pkgver.tar.gz
 CVE-2013-0211.patch
 CVE-2015-2304.patch
 CVE-2016-1541.patch
+ CVE-2016-4302.patch
+ CVE-2016-4809.patch
+ CVE-2016-5844.patch
+ CVE-2016-6250.patch
 "
 _builddir="$srcdir"/$pkgname-$pkgver
+# security fixes:
+# 3.1.2-r4:
+# - CVE-2016-4302
+# - CVE-2016-4809
+# - CVE-2016-5844
+# - CVE-2016-6250
+
+
 prepare() {
 cd "$_builddir"
 for i in $source; do
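Review bot: The comment block added after `_builddir=` uses the free-form header `# security fixes:`; Alpine's security-database tooling parses the `# secfixes:` form with a `pkgver-rpkgrel:` key and indented `- CVE-…` items, so if these entries are meant to be picked up by secdb the header and nesting should be `# secfixes:` / `#   3.1.2-r4:` / `#     - CVE-2016-4302` (and the same for the other three IDs). The rest of the APKBUILD is not visible here, so whether a secfixes block already exists elsewhere in the file should be confirmed before changing this one. The two bare `+` lines before `prepare()` also leave a double blank line in the file; one is enough.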
@@ -53,12 +65,24 @@ tools() {
 md5sums="efad5a503f66329bb9d2f4308b5de98a libarchive-3.1.2.tar.gz
 fc5f5158d414e3a7e9f085d8d1470014 CVE-2013-0211.patch
 b27c60d9288780261410366994103278 CVE-2015-2304.patch
-1d6acc1b95e1f6a397dbf332b6e8b0eb CVE-2016-1541.patch"
+1d6acc1b95e1f6a397dbf332b6e8b0eb CVE-2016-1541.patch
+671e37e5012868487c883d1d3d1a98e8 CVE-2016-4302.patch
+441be3deb395c923f775e1a2d0f0d35e CVE-2016-4809.patch
+fffa1304e451984b8fa43047da1c9178 CVE-2016-5844.patch
+d5e6f412445c5b463d3761995c23f84e CVE-2016-6250.patch"
 sha256sums="eb87eacd8fe49e8d90c8fdc189813023ccc319c5e752b01fb6ad0cc7b2c53d5e libarchive-3.1.2.tar.gz
 75f30c3867d3924461bb764ea2ca3c1b1e43240aeb5b0dd93a103fd7a7ca7fe9 CVE-2013-0211.patch
 5a862586b4684d819add1df9d747bc47f9a4f2fecd069175bf00f6927c9633bf CVE-2015-2304.patch
-cfe651e5b9a626ea51b92e762474e8bc9ef28d95a42123f69bdbed3c14547b69 CVE-2016-1541.patch"
+cfe651e5b9a626ea51b92e762474e8bc9ef28d95a42123f69bdbed3c14547b69 CVE-2016-1541.patch
+f5e66529b373d23e9084c38df2c65d2406986cbb7039cf380ff884b3feb78312 CVE-2016-4302.patch
+c108796584bdd539eaa892b7ea83257ccf9174c6a23afe4fa7d32f90ac140220 CVE-2016-4809.patch
+dbdd82e4e5693fdfb3e510d6238e411f00d68d71c09d6ec84f4b6c7ca44b00d0 CVE-2016-5844.patch
+e46a9999388cae275c31ee758b44be99fc04b58257b0c3e068a3e58d266a0fdd CVE-2016-6250.patch"
 sha512sums="1f3c2a675031f93c7d42ae2ed06742b0b1e2236ff57d9117791d62fb8ae77d6cafffbcb5d45b5bd98daa908bd18c576cf82e01a9b1eba699705e23eff3688114 libarchive-3.1.2.tar.gz
 c10470ab67dd94944489f72e4d6f39d98163f5d7a92bcd550aa323e9a1b96148588bd04ac7d8c6ff232dc388559fb3e67552bb5c83ac7626ad714517f5022fce CVE-2013-0211.patch
 ae3161b36605c81622d4d4c44f33c31e596506dc60ffb43a91b0f7b831d15d48abdd64725cd770bca6795230f1505d301a74db63903c91507195ccdea0737b63 CVE-2015-2304.patch
-ecbd54a125948c0bf172ad8d877f074e802a4f719a967a69f7c56ea7fda77ec68183bc47642f4437462132af61b91d7b94d9b87d0e84aafbeb492b28d0d1531d CVE-2016-1541.patch"
+ecbd54a125948c0bf172ad8d877f074e802a4f719a967a69f7c56ea7fda77ec68183bc47642f4437462132af61b91d7b94d9b87d0e84aafbeb492b28d0d1531d CVE-2016-1541.patch
+94db9186246971fbad51d5d1b50719b2ae1d6baeb063fd344546fd4e1d8cec89438ea8baa299af75eb8e1157888b68e8fd53120aaccba1b802b3169baaf13c98 CVE-2016-4302.patch
+464692946ad59f7f404a1ac1b123e06b407cabaece95bd062b5c0fca7c62355b4a9c2aa940055aee5b9c40fcc3077fbe2a3b5a3d416b5b2c453fc7518cbc858d CVE-2016-4809.patch
+213fbf0b6ac1b6f7662a6d15119696db5c05e071ffa86cb6832677c9676040ed8df199bb22e72dc47264e8873e246737bad327d88f439d8b164c0520095210b2 CVE-2016-5844.patch
+1b93ce72c4769aa7467bb68ad7953551bed3b944eeb686ebbacc7ccd450833dc3250b0e3132cf63ae35d873b021ffbcbeb0f08a60f16037ffabc45536292af35 CVE-2016-6250.patch"
diff --git a/main/libarchive/CVE-2016-4302.patch b/main/libarchive/CVE-2016-4302.patch
new file mode 100644
index 0000000000..4506afb0be
--- /dev/null
+++ b/main/libarchive/CVE-2016-4302.patch
@@ -0,0 +1,32 @@
+From 05caadc7eedbef471ac9610809ba683f0c698700 Mon Sep 17 00:00:00 2001
+From: Tim Kientzle
+Date: Sun, 19 Jun 2016 14:21:42 -0700
+Subject: [PATCH] Issue 719: Fix for TALOS-CAN-154
+
+A RAR file with an invalid zero dictionary size was not being
+rejected, leading to a zero-sized allocation for the dictionary
+storage which was then overwritten during the dictionary initialization.
+
+Thanks to the Open Source and Threat Intelligence project at Cisco for
+reporting this.
+---
+ libarchive/archive_read_support_format_rar.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/libarchive/archive_read_support_format_rar.c b/libarchive/archive_read_support_format_rar.c
+index 6450aac..6c49f1a 100644
+--- a/libarchive/archive_read_support_format_rar.c
++++ b/libarchive/archive_read_support_format_rar.c
+@@ -2127,6 +2127,12 @@ parse_codes(struct archive_read *a)
+ rar->range_dec.Stream = &rar->bytein;
+ __archive_ppmd7_functions.Ppmd7_Construct(&rar->ppmd7_context);
+ 
++ if (rar->dictionary_size == 0) {
++ archive_set_error(&a->archive, ARCHIVE_ERRNO_FILE_FORMAT,
++ "Invalid zero dictionary size");
++ return (ARCHIVE_FATAL);
++ }
++
+ if (!__archive_ppmd7_functions.Ppmd7_Alloc(&rar->ppmd7_context,
+ rar->dictionary_size, &g_szalloc))
+ {
diff --git a/main/libarchive/CVE-2016-4809.patch b/main/libarchive/CVE-2016-4809.patch
new file mode 100644
index 0000000000..94f801d628
--- /dev/null
+++ b/main/libarchive/CVE-2016-4809.patch
@@ -0,0 +1,25 @@
+From fd7e0c02e272913a0a8b6d492c7260dfca0b1408 Mon Sep 17 00:00:00 2001
+From: Tim Kientzle
+Date: Sat, 14 May 2016 12:37:37 -0700
+Subject: [PATCH] Reject cpio symlinks that exceed 1MB
+
+---
+ libarchive/archive_read_support_format_cpio.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/libarchive/archive_read_support_format_cpio.c b/libarchive/archive_read_support_format_cpio.c
+index c2ca85b..b09db0e 100644
+--- a/libarchive/archive_read_support_format_cpio.c
++++ b/libarchive/archive_read_support_format_cpio.c
+@@ -401,6 +401,11 @@ archive_read_format_cpio_read_header(struct archive_read *a,
+ 
+ /* If this is a symlink, read the link contents. */
+ if (archive_entry_filetype(entry) == AE_IFLNK) {
++ if (cpio->entry_bytes_remaining > 1024 * 1024) {
++ archive_set_error(&a->archive, ENOMEM,
++ "Rejecting malformed cpio archive: symlink contents exceed 1 megabyte");
++ return (ARCHIVE_FATAL);
++ }
+ h = __archive_read_ahead(a,
+ (size_t)cpio->entry_bytes_remaining, NULL);
+ if (h == NULL)
diff --git a/main/libarchive/CVE-2016-5844.patch b/main/libarchive/CVE-2016-5844.patch
new file mode 100644
index 0000000000..ab7f649ef8
--- /dev/null
+++ b/main/libarchive/CVE-2016-5844.patch
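Review bot: The new guard in the symlink branch reports the oversized link target with `ENOMEM`, while the sibling backport in this same commit (CVE-2016-4302) flags malformed input with `ARCHIVE_ERRNO_FILE_FORMAT`; the condition here is a format sanity limit rather than an allocation failure, so callers that inspect the error number will see a misleading code. Because this file is a verbatim upstream commit I would not edit it locally, but the mismatch is worth recording in the APKBUILD comment block or raising upstream. The `1024 * 1024` bound is also a bare literal; a short `/* 1 MiB sanity bound on symlink target length */` beside it would make the intent visible without reading the commit title. archive_read_format_cpio_read_header begins and ends outside this hunk.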
@@ -0,0 +1,37 @@
+From 3ad08e01b4d253c66ae56414886089684155af22 Mon Sep 17 00:00:00 2001
+From: Tim Kientzle
+Date: Sun, 19 Jun 2016 14:34:37 -0700
+Subject: [PATCH] Issue 717: Fix integer overflow when computing location of
+ volume descriptor
+
+The multiplication here defaulted to 'int' but calculations
+of file positions should always use int64_t. A simple cast
+suffices to fix this since the base location is always 32 bits
+for ISO, so multiplying by the sector size will never overflow
+a 64-bit integer.
+---
+ libarchive/archive_read_support_format_iso9660.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/libarchive/archive_read_support_format_iso9660.c b/libarchive/archive_read_support_format_iso9660.c
+index 6934cee..f41ba38 100644
+--- a/libarchive/archive_read_support_format_iso9660.c
++++ b/libarchive/archive_read_support_format_iso9660.c
+@@ -1091,7 +1091,7 @@ choose_volume(struct archive_read *a, struct iso9660 *iso9660)
+ /* This condition is unlikely; by way of caution. */
+ vd = &(iso9660->joliet);
+ 
+- skipsize = LOGICAL_BLOCK_SIZE * vd->location;
++ skipsize = LOGICAL_BLOCK_SIZE * (int64_t)vd->location;
+ skipsize = __archive_read_consume(a, skipsize);
+ if (skipsize < 0)
+ return ((int)skipsize);
+@@ -1129,7 +1129,7 @@ choose_volume(struct archive_read *a, struct iso9660 *iso9660)
+ && iso9660->seenJoliet) {
+ /* Switch reading data from primary to joliet. */
+ vd = &(iso9660->joliet);
+- skipsize = LOGICAL_BLOCK_SIZE * vd->location;
++ skipsize = LOGICAL_BLOCK_SIZE * (int64_t)vd->location;
+ skipsize -= iso9660->current_position;
+ skipsize = __archive_read_consume(a, skipsize);
+ if (skipsize < 0)
diff --git a/main/libarchive/CVE-2016-6250.patch b/main/libarchive/CVE-2016-6250.patch
new file mode 100644
index 0000000000..86955c3886
--- /dev/null
+++ b/main/libarchive/CVE-2016-6250.patch
@@ -0,0 +1,81 @@
+From 3014e19820ea53c15c90f9d447ca3e668a0b76c6 Mon Sep 17 00:00:00 2001
+From: Tim Kientzle
+Date: Sat, 28 May 2016 11:50:39 -0700
+Subject: [PATCH] Issue 711: Be more careful about verifying filename lengths
+ when writing ISO9660 archives
+
+* Don't cast size_t to int, since this can lead to overflow
+ on machines where sizeof(int) < sizeof(size_t)
+* Check a + b > limit by writing it as
+ a > limit || b > limit || a + b > limit
+ to avoid problems when a + b wraps around.
+---
+ libarchive/archive_write_set_format_iso9660.c | 18 ++++++++++--------
+ 1 file changed, 10 insertions(+), 8 deletions(-)
+
+diff --git a/libarchive/archive_write_set_format_iso9660.c b/libarchive/archive_write_set_format_iso9660.c
+index 4d832fb..cb3e54e 100644
+--- a/libarchive/archive_write_set_format_iso9660.c
++++ b/libarchive/archive_write_set_format_iso9660.c
+@@ -6225,7 +6225,7 @@ isoent_gen_joliet_identifier(struct archive_write *a, struct isoent *isoent,
+ unsigned char *p;
+ size_t l;
+ int r;
+- int ffmax, parent_len;
++ size_t ffmax, parent_len;
+ static const struct archive_rb_tree_ops rb_ops = {
+ isoent_cmp_node_joliet, isoent_cmp_key_joliet
+ };
+@@ -6239,7 +6239,7 @@ isoent_gen_joliet_identifier(struct archive_write *a, struct isoent *isoent,
+ else
+ ffmax = 128;
+ 
+- r = idr_start(a, idr, isoent->children.cnt, ffmax, 6, 2, &rb_ops);
++ r = idr_start(a, idr, isoent->children.cnt, (int)ffmax, 6, 2, &rb_ops);
+ if (r < 0)
+ return (r);
+ 
+@@ -6252,7 +6252,7 @@ isoent_gen_joliet_identifier(struct archive_write *a, struct isoent *isoent,
+ int ext_off, noff, weight;
+ size_t lt;
+ 
+- if ((int)(l = np->file->basename_utf16.length) > ffmax)
++ if ((l = np->file->basename_utf16.length) > ffmax)
+ l = ffmax;
+ 
+ p = malloc((l+1)*2);
+@@ -6285,7 +6285,7 @@ isoent_gen_joliet_identifier(struct archive_write *a, struct isoent *isoent,
+ /*
+ * Get a length of MBS of a full-pathname.
+ */
+- if ((int)np->file->basename_utf16.length > ffmax) {
++ if (np->file->basename_utf16.length > ffmax) {
+ if (archive_strncpy_l(&iso9660->mbs,
+ (const char *)np->identifier, l,
+ iso9660->sconv_from_utf16be) != 0 &&
+@@ -6302,7 +6302,9 @@ isoent_gen_joliet_identifier(struct archive_write *a, struct isoent *isoent,
+ 
+ /* If a length of full-pathname is longer than 240 bytes,
+ * it violates Joliet extensions regulation. */
+- if (parent_len + np->mb_len > 240) {
++ if (parent_len > 240
++ || np->mb_len > 240
++ || parent_len + np->mb_len > 240) {
+ archive_set_error(&a->archive, ARCHIVE_ERRNO_MISC,
+ "The regulation of Joliet extensions;"
+ " A length of a full-pathname of `%s' is "
+@@ -6314,11 +6316,11 @@ isoent_gen_joliet_identifier(struct archive_write *a, struct isoent *isoent,
+ 
+ /* Make an offset of the number which is used to be set
+ * hexadecimal number to avoid duplicate identifier. */
+- if ((int)l == ffmax)
++ if (l == ffmax)
+ noff = ext_off - 6;
+- else if ((int)l == ffmax-2)
++ else if (l == ffmax-2)
+ noff = ext_off - 4;
+- else if ((int)l == ffmax-4)
++ else if (l == ffmax-4)
+ noff = ext_off - 2;
+ else
+ noff = ext_off;
-- 
cgit v1.2.3
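Review bot: The three-term test in the `@@ -6302` hunk, `parent_len > 240 || np->mb_len > 240 || parent_len + np->mb_len > 240`, carries the wrap-around reasoning only in the commit message; a one-line comment such as `/* check each term first so the sum cannot wrap before it is compared */` would stop the next maintainer from folding it back into the single addition. `parent_len` becomes `size_t` in the 6225 hunk while the type of `np->mb_len` is not visible here; if it is a signed `int`, the mixed comparison promotes it to unsigned, which is harmless for non-negative lengths but worth confirming. The `ffmax-2` and `ffmax-4` subtractions in the 6314 hunk are safe on a `size_t` only because `ffmax` is a small fixed value (128 in the visible `else` branch; the `if` branch's assignment is outside the hunk), which the code does not say. isoent_gen_joliet_identifier starts before the first hunk and continues after the last one.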