[PATCH 0/1] Libarchive 3.2.2 update

[PATCH 0/1] Libarchive 3.2.2 update

[Leo Famulari]

This patch updates libarchive to 3.2.2. Besides integrating our bug-fix
patches, this release fixes some other bugs, too:

https://github.com/libarchive/libarchive/compare/v3.2.1...v3.2.2

It's a little more than we want to do on staging...

Building the following 551 packages would ensure 1222 dependent packages
are rebuilt

Leo Famulari (1):
  gnu: libarchive: Update to 3.2.2.

 gnu/local.mk                                       |   4 -
 gnu/packages/backup.scm                            |   9 +-
 .../patches/libarchive-7zip-heap-overflow.patch    |  77 ----
 .../libarchive-fix-filesystem-attacks.patch        | 445 ---------------------
 .../patches/libarchive-fix-symlink-check.patch     |  60 ---
 .../libarchive-safe_fprintf-buffer-overflow.patch  |  44 --
 6 files changed, 2 insertions(+), 637 deletions(-)
 delete mode 100644 gnu/packages/patches/libarchive-7zip-heap-overflow.patch
 delete mode 100644 gnu/packages/patches/libarchive-fix-filesystem-attacks.patch
 delete mode 100644 gnu/packages/patches/libarchive-fix-symlink-check.patch
 delete mode 100644 gnu/packages/patches/libarchive-safe_fprintf-buffer-overflow.patch

-- 
2.10.2

[PATCH 1/1] gnu: libarchive: Update to 3.2.2.

[Leo Famulari]

* gnu/packages/backup.scm (libarchive): Update to 3.2.2.
[source]: Remove obsolete patches.
* gnu/packages/patches/libarchive-7zip-heap-overflow.patch,
gnu/packages/patches/libarchive-fix-filesystem-attacks.patch,
gnu/packages/patches/libarchive-fix-symlink-check.patch,
gnu/packages/patches/libarchive-safe_fprintf-buffer-overflow.patch:
Delete files.
* gnu/local.mk (dist_patch_DATA): Remove them.
---
 gnu/local.mk                                       |   4 -
 gnu/packages/backup.scm                            |   9 +-
 .../patches/libarchive-7zip-heap-overflow.patch    |  77 ----
 .../libarchive-fix-filesystem-attacks.patch        | 445 ---------------------
 .../patches/libarchive-fix-symlink-check.patch     |  60 ---
 .../libarchive-safe_fprintf-buffer-overflow.patch  |  44 --
 6 files changed, 2 insertions(+), 637 deletions(-)
 delete mode 100644 gnu/packages/patches/libarchive-7zip-heap-overflow.patch
 delete mode 100644 gnu/packages/patches/libarchive-fix-filesystem-attacks.patch
 delete mode 100644 gnu/packages/patches/libarchive-fix-symlink-check.patch
 delete mode 100644 gnu/packages/patches/libarchive-safe_fprintf-buffer-overflow.patch

diff --git a/gnu/local.mk b/gnu/local.mk
index 1b2bb47..e91e740 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -641,10 +641,6 @@ dist_patch_DATA =						\
   %D%/packages/patches/liba52-link-with-libm.patch		\
   %D%/packages/patches/liba52-set-soname.patch			\
   %D%/packages/patches/liba52-use-mtune-not-mcpu.patch		\
-  %D%/packages/patches/libarchive-7zip-heap-overflow.patch	\
-  %D%/packages/patches/libarchive-fix-symlink-check.patch	\
-  %D%/packages/patches/libarchive-fix-filesystem-attacks.patch	\
-  %D%/packages/patches/libarchive-safe_fprintf-buffer-overflow.patch	\
   %D%/packages/patches/libbonobo-activation-test-race.patch	\
   %D%/packages/patches/libcanberra-sound-theme-freedesktop.patch \
   %D%/packages/patches/libcmis-fix-test-onedrive.patch		\
diff --git a/gnu/packages/backup.scm b/gnu/packages/backup.scm
index 203ff4c..d127769 100644
--- a/gnu/packages/backup.scm
+++ b/gnu/packages/backup.scm
@@ -172,20 +172,15 @@ backups (called chunks) to allow easy burning to CD/DVD.")
 (define-public libarchive
   (package
     (name "libarchive")
-    (version "3.2.1")
+    (version "3.2.2")
     (source
      (origin
        (method url-fetch)
        (uri (string-append "http://libarchive.org/downloads/libarchive-"
                            version ".tar.gz"))
-       (patches (search-patches
-                  "libarchive-7zip-heap-overflow.patch"
-                  "libarchive-fix-symlink-check.patch"
-                  "libarchive-fix-filesystem-attacks.patch"
-                  "libarchive-safe_fprintf-buffer-overflow.patch"))
        (sha256
         (base32
-         "1lngng84k1kkljl74q0cdqc3s82vn2kimfm02dgm4d6m7x71mvkj"))))
+         "03q6y428rg723c9fj1vidzjw46w1vf8z0h95lkvz1l9jw571j739"))))
     (build-system gnu-build-system)
     ;; TODO: Add -L/path/to/nettle in libarchive.pc.
     (inputs
diff --git a/gnu/packages/patches/libarchive-7zip-heap-overflow.patch b/gnu/packages/patches/libarchive-7zip-heap-overflow.patch
deleted file mode 100644
index bef628f..0000000
--- a/gnu/packages/patches/libarchive-7zip-heap-overflow.patch
+++ /dev/null
@@ -1,77 +0,0 @@
-Fix buffer overflow reading 7Zip files:
-
-https://github.com/libarchive/libarchive/issues/761
-
-Patch copied from upstream repository:
-
-https://github.com/libarchive/libarchive/commit/7f17c791dcfd8c0416e2cd2485b19410e47ef126
-
-From 7f17c791dcfd8c0416e2cd2485b19410e47ef126 Mon Sep 17 00:00:00 2001
-From: Tim Kientzle <kientzle@acm.org>
-Date: Sun, 18 Sep 2016 18:14:58 -0700
-Subject: [PATCH] Issue 761:  Heap overflow reading corrupted 7Zip files
-
-The sample file that demonstrated this had multiple 'EmptyStream'
-attributes.  The first one ended up being used to calculate
-certain statistics, then was overwritten by the second which
-was incompatible with those statistics.
-
-The fix here is to reject any header with multiple EmptyStream
-attributes.  While here, also reject headers with multiple
-EmptyFile, AntiFile, Name, or Attributes markers.
----
- libarchive/archive_read_support_format_7zip.c | 10 ++++++++++
- 1 file changed, 10 insertions(+)
-
-diff --git a/libarchive/archive_read_support_format_7zip.c b/libarchive/archive_read_support_format_7zip.c
-index 1dfe52b..c0a536c 100644
---- a/libarchive/archive_read_support_format_7zip.c
-+++ b/libarchive/archive_read_support_format_7zip.c
-@@ -2431,6 +2431,8 @@ read_Header(struct archive_read *a, struct _7z_header_info *h,
- 
- 		switch (type) {
- 		case kEmptyStream:
-+			if (h->emptyStreamBools != NULL)
-+				return (-1);
- 			h->emptyStreamBools = calloc((size_t)zip->numFiles,
- 			    sizeof(*h->emptyStreamBools));
- 			if (h->emptyStreamBools == NULL)
-@@ -2451,6 +2453,8 @@ read_Header(struct archive_read *a, struct _7z_header_info *h,
- 					return (-1);
- 				break;
- 			}
-+			if (h->emptyFileBools != NULL)
-+				return (-1);
- 			h->emptyFileBools = calloc(empty_streams,
- 			    sizeof(*h->emptyFileBools));
- 			if (h->emptyFileBools == NULL)
-@@ -2465,6 +2469,8 @@ read_Header(struct archive_read *a, struct _7z_header_info *h,
- 					return (-1);
- 				break;
- 			}
-+			if (h->antiBools != NULL)
-+				return (-1);
- 			h->antiBools = calloc(empty_streams,
- 			    sizeof(*h->antiBools));
- 			if (h->antiBools == NULL)
-@@ -2491,6 +2497,8 @@ read_Header(struct archive_read *a, struct _7z_header_info *h,
- 			if ((ll & 1) || ll < zip->numFiles * 4)
- 				return (-1);
- 
-+			if (zip->entry_names != NULL)
-+				return (-1);
- 			zip->entry_names = malloc(ll);
- 			if (zip->entry_names == NULL)
- 				return (-1);
-@@ -2543,6 +2551,8 @@ read_Header(struct archive_read *a, struct _7z_header_info *h,
- 			if ((p = header_bytes(a, 2)) == NULL)
- 				return (-1);
- 			allAreDefined = *p;
-+			if (h->attrBools != NULL)
-+				return (-1);
- 			h->attrBools = calloc((size_t)zip->numFiles,
- 			    sizeof(*h->attrBools));
- 			if (h->attrBools == NULL)
--- 
-2.10.0
-
diff --git a/gnu/packages/patches/libarchive-fix-filesystem-attacks.patch b/gnu/packages/patches/libarchive-fix-filesystem-attacks.patch
deleted file mode 100644
index bce63d5..0000000
--- a/gnu/packages/patches/libarchive-fix-filesystem-attacks.patch
+++ /dev/null
@@ -1,445 +0,0 @@
-This patch fixes two bugs that allow attackers to overwrite or change
-the permissions of arbitrary files:
-
-https://github.com/libarchive/libarchive/issues/745
-https://github.com/libarchive/libarchive/issues/746
-
-Patch copied from upstream repository:
-
-https://github.com/libarchive/libarchive/commit/dfd6b54ce33960e420fb206d8872fb759b577ad9
-
-From dfd6b54ce33960e420fb206d8872fb759b577ad9 Mon Sep 17 00:00:00 2001
-From: Tim Kientzle <kientzle@acm.org>
-Date: Sun, 11 Sep 2016 13:21:57 -0700
-Subject: [PATCH] Fixes for Issue #745 and Issue #746 from Doran Moppert.
-
----
- libarchive/archive_write_disk_posix.c | 294 ++++++++++++++++++++++++++--------
- 1 file changed, 227 insertions(+), 67 deletions(-)
-
-diff --git a/libarchive/archive_write_disk_posix.c b/libarchive/archive_write_disk_posix.c
-index 8f0421e..abe1a86 100644
---- a/libarchive/archive_write_disk_posix.c
-+++ b/libarchive/archive_write_disk_posix.c
-@@ -326,12 +326,14 @@ struct archive_write_disk {
- 
- #define HFS_BLOCKS(s)	((s) >> 12)
- 
-+static int	check_symlinks_fsobj(char *path, int *error_number, struct archive_string *error_string, int flags);
- static int	check_symlinks(struct archive_write_disk *);
- static int	create_filesystem_object(struct archive_write_disk *);
- static struct fixup_entry *current_fixup(struct archive_write_disk *, const char *pathname);
- #if defined(HAVE_FCHDIR) && defined(PATH_MAX)
- static void	edit_deep_directories(struct archive_write_disk *ad);
- #endif
-+static int	cleanup_pathname_fsobj(char *path, int *error_number, struct archive_string *error_string, int flags);
- static int	cleanup_pathname(struct archive_write_disk *);
- static int	create_dir(struct archive_write_disk *, char *);
- static int	create_parent_dir(struct archive_write_disk *, char *);
-@@ -2014,6 +2016,10 @@ create_filesystem_object(struct archive_write_disk *a)
- 	const char *linkname;
- 	mode_t final_mode, mode;
- 	int r;
-+	/* these for check_symlinks_fsobj */
-+	char *linkname_copy;	/* non-const copy of linkname */
-+	struct archive_string error_string;
-+	int error_number;
- 
- 	/* We identify hard/symlinks according to the link names. */
- 	/* Since link(2) and symlink(2) don't handle modes, we're done here. */
-@@ -2022,6 +2028,27 @@ create_filesystem_object(struct archive_write_disk *a)
- #if !HAVE_LINK
- 		return (EPERM);
- #else
-+		archive_string_init(&error_string);
-+		linkname_copy = strdup(linkname);
-+		if (linkname_copy == NULL) {
-+		    return (EPERM);
-+		}
-+		/* TODO: consider using the cleaned-up path as the link target? */
-+		r = cleanup_pathname_fsobj(linkname_copy, &error_number, &error_string, a->flags);
-+		if (r != ARCHIVE_OK) {
-+			archive_set_error(&a->archive, error_number, "%s", error_string.s);
-+			free(linkname_copy);
-+			/* EPERM is more appropriate than error_number for our callers */
-+			return (EPERM);
-+		}
-+		r = check_symlinks_fsobj(linkname_copy, &error_number, &error_string, a->flags);
-+		if (r != ARCHIVE_OK) {
-+			archive_set_error(&a->archive, error_number, "%s", error_string.s);
-+			free(linkname_copy);
-+			/* EPERM is more appropriate than error_number for our callers */
-+			return (EPERM);
-+		}
-+		free(linkname_copy);
- 		r = link(linkname, a->name) ? errno : 0;
- 		/*
- 		 * New cpio and pax formats allow hardlink entries
-@@ -2362,115 +2389,228 @@ current_fixup(struct archive_write_disk *a, const char *pathname)
-  * recent paths.
-  */
- /* TODO: Extend this to support symlinks on Windows Vista and later. */
-+
-+/*
-+ * Checks the given path to see if any elements along it are symlinks.  Returns
-+ * ARCHIVE_OK if there are none, otherwise puts an error in errmsg.
-+ */
- static int
--check_symlinks(struct archive_write_disk *a)
-+check_symlinks_fsobj(char *path, int *error_number, struct archive_string *error_string, int flags)
- {
- #if !defined(HAVE_LSTAT)
- 	/* Platform doesn't have lstat, so we can't look for symlinks. */
- 	(void)a; /* UNUSED */
-+	(void)path; /* UNUSED */
-+	(void)error_number; /* UNUSED */
-+	(void)error_string; /* UNUSED */
-+	(void)flags; /* UNUSED */
- 	return (ARCHIVE_OK);
- #else
--	char *pn;
-+	int res = ARCHIVE_OK;
-+	char *tail;
-+	char *head;
-+	int last;
- 	char c;
- 	int r;
- 	struct stat st;
-+	int restore_pwd;
-+
-+	/* Nothing to do here if name is empty */
-+	if(path[0] == '\0')
-+	    return (ARCHIVE_OK);
- 
- 	/*
- 	 * Guard against symlink tricks.  Reject any archive entry whose
- 	 * destination would be altered by a symlink.
-+	 *
-+	 * Walk the filename in chunks separated by '/'.  For each segment:
-+	 *  - if it doesn't exist, continue
-+	 *  - if it's symlink, abort or remove it
-+	 *  - if it's a directory and it's not the last chunk, cd into it
-+	 * As we go:
-+	 *  head points to the current (relative) path
-+	 *  tail points to the temporary \0 terminating the segment we're currently examining
-+	 *  c holds what used to be in *tail
-+	 *  last is 1 if this is the last tail
- 	 */
--	/* Whatever we checked last time doesn't need to be re-checked. */
--	pn = a->name;
--	if (archive_strlen(&(a->path_safe)) > 0) {
--		char *p = a->path_safe.s;
--		while ((*pn != '\0') && (*p == *pn))
--			++p, ++pn;
--	}
-+	restore_pwd = open(".", O_RDONLY | O_BINARY | O_CLOEXEC);
-+	__archive_ensure_cloexec_flag(restore_pwd);
-+	if (restore_pwd < 0)
-+		return (ARCHIVE_FATAL);
-+	head = path;
-+	tail = path;
-+	last = 0;
-+	/* TODO: reintroduce a safe cache here? */
- 	/* Skip the root directory if the path is absolute. */
--	if(pn == a->name && pn[0] == '/')
--		++pn;
--	c = pn[0];
--	/* Keep going until we've checked the entire name. */
--	while (pn[0] != '\0' && (pn[0] != '/' || pn[1] != '\0')) {
-+	if(tail == path && tail[0] == '/')
-+		++tail;
-+	/* Keep going until we've checked the entire name.
-+	 * head, tail, path all alias the same string, which is
-+	 * temporarily zeroed at tail, so be careful restoring the
-+	 * stashed (c=tail[0]) for error messages.
-+	 * Exiting the loop with break is okay; continue is not.
-+	 */
-+	while (!last) {
-+		/* Skip the separator we just consumed, plus any adjacent ones */
-+		while (*tail == '/')
-+		    ++tail;
- 		/* Skip the next path element. */
--		while (*pn != '\0' && *pn != '/')
--			++pn;
--		c = pn[0];
--		pn[0] = '\0';
-+		while (*tail != '\0' && *tail != '/')
-+			++tail;
-+		/* is this the last path component? */
-+		last = (tail[0] == '\0') || (tail[0] == '/' && tail[1] == '\0');
-+		/* temporarily truncate the string here */
-+		c = tail[0];
-+		tail[0] = '\0';
- 		/* Check that we haven't hit a symlink. */
--		r = lstat(a->name, &st);
-+		r = lstat(head, &st);
- 		if (r != 0) {
-+			tail[0] = c;
- 			/* We've hit a dir that doesn't exist; stop now. */
- 			if (errno == ENOENT) {
- 				break;
- 			} else {
--				/* Note: This effectively disables deep directory
-+				/* Treat any other error as fatal - best to be paranoid here
-+				 * Note: This effectively disables deep directory
- 				 * support when security checks are enabled.
- 				 * Otherwise, very long pathnames that trigger
- 				 * an error here could evade the sandbox.
- 				 * TODO: We could do better, but it would probably
- 				 * require merging the symlink checks with the
- 				 * deep-directory editing. */
--				return (ARCHIVE_FAILED);
-+				if (error_number) *error_number = errno;
-+				if (error_string)
-+					archive_string_sprintf(error_string,
-+							"Could not stat %s",
-+							path);
-+				res = ARCHIVE_FAILED;
-+				break;
-+			}
-+		} else if (S_ISDIR(st.st_mode)) {
-+			if (!last) {
-+				if (chdir(head) != 0) {
-+					tail[0] = c;
-+					if (error_number) *error_number = errno;
-+					if (error_string)
-+						archive_string_sprintf(error_string,
-+								"Could not chdir %s",
-+								path);
-+					res = (ARCHIVE_FATAL);
-+					break;
-+				}
-+				/* Our view is now from inside this dir: */
-+				head = tail + 1;
- 			}
- 		} else if (S_ISLNK(st.st_mode)) {
--			if (c == '\0') {
-+			if (last) {
- 				/*
- 				 * Last element is symlink; remove it
- 				 * so we can overwrite it with the
- 				 * item being extracted.
- 				 */
--				if (unlink(a->name)) {
--					archive_set_error(&a->archive, errno,
--					    "Could not remove symlink %s",
--					    a->name);
--					pn[0] = c;
--					return (ARCHIVE_FAILED);
-+				if (unlink(head)) {
-+					tail[0] = c;
-+					if (error_number) *error_number = errno;
-+					if (error_string)
-+						archive_string_sprintf(error_string,
-+								"Could not remove symlink %s",
-+								path);
-+					res = ARCHIVE_FAILED;
-+					break;
- 				}
--				a->pst = NULL;
- 				/*
- 				 * Even if we did remove it, a warning
- 				 * is in order.  The warning is silly,
- 				 * though, if we're just replacing one
- 				 * symlink with another symlink.
- 				 */
--				if (!S_ISLNK(a->mode)) {
--					archive_set_error(&a->archive, 0,
--					    "Removing symlink %s",
--					    a->name);
-+				tail[0] = c;
-+				/* FIXME:  not sure how important this is to restore
-+				if (!S_ISLNK(path)) {
-+					if (error_number) *error_number = 0;
-+					if (error_string)
-+						archive_string_sprintf(error_string,
-+								"Removing symlink %s",
-+								path);
- 				}
-+				*/
- 				/* Symlink gone.  No more problem! */
--				pn[0] = c;
--				return (0);
--			} else if (a->flags & ARCHIVE_EXTRACT_UNLINK) {
-+				res = ARCHIVE_OK;
-+				break;
-+			} else if (flags & ARCHIVE_EXTRACT_UNLINK) {
- 				/* User asked us to remove problems. */
--				if (unlink(a->name) != 0) {
--					archive_set_error(&a->archive, 0,
--					    "Cannot remove intervening symlink %s",
--					    a->name);
--					pn[0] = c;
--					return (ARCHIVE_FAILED);
-+				if (unlink(head) != 0) {
-+					tail[0] = c;
-+					if (error_number) *error_number = 0;
-+					if (error_string)
-+						archive_string_sprintf(error_string,
-+								"Cannot remove intervening symlink %s",
-+								path);
-+					res = ARCHIVE_FAILED;
-+					break;
- 				}
--				a->pst = NULL;
-+				tail[0] = c;
- 			} else {
--				archive_set_error(&a->archive, 0,
--				    "Cannot extract through symlink %s",
--				    a->name);
--				pn[0] = c;
--				return (ARCHIVE_FAILED);
-+				tail[0] = c;
-+				if (error_number) *error_number = 0;
-+				if (error_string)
-+					archive_string_sprintf(error_string,
-+							"Cannot extract through symlink %s",
-+							path);
-+				res = ARCHIVE_FAILED;
-+				break;
- 			}
- 		}
--		pn[0] = c;
--		if (pn[0] != '\0')
--			pn++; /* Advance to the next segment. */
-+		/* be sure to always maintain this */
-+		tail[0] = c;
-+		if (tail[0] != '\0')
-+			tail++; /* Advance to the next segment. */
- 	}
--	pn[0] = c;
--	/* We've checked and/or cleaned the whole path, so remember it. */
--	archive_strcpy(&a->path_safe, a->name);
--	return (ARCHIVE_OK);
-+	/* Catches loop exits via break */
-+	tail[0] = c;
-+#ifdef HAVE_FCHDIR
-+	/* If we changed directory above, restore it here. */
-+	if (restore_pwd >= 0) {
-+		r = fchdir(restore_pwd);
-+		if (r != 0) {
-+			if(error_number) *error_number = errno;
-+			if(error_string)
-+				archive_string_sprintf(error_string,
-+						"chdir() failure");
-+		}
-+		close(restore_pwd);
-+		restore_pwd = -1;
-+		if (r != 0) {
-+			res = (ARCHIVE_FATAL);
-+		}
-+	}
-+#endif
-+	/* TODO: reintroduce a safe cache here? */
-+	return res;
- #endif
- }
- 
-+/*
-+ * Check a->name for symlinks, returning ARCHIVE_OK if its clean, otherwise
-+ * calls archive_set_error and returns ARCHIVE_{FATAL,FAILED}
-+ */
-+static int
-+check_symlinks(struct archive_write_disk *a)
-+{
-+	struct archive_string error_string;
-+	int error_number;
-+	int rc;
-+	archive_string_init(&error_string);
-+	rc = check_symlinks_fsobj(a->name, &error_number, &error_string, a->flags);
-+	if (rc != ARCHIVE_OK) {
-+		archive_set_error(&a->archive, error_number, "%s", error_string.s);
-+	}
-+	archive_string_free(&error_string);
-+	a->pst = NULL;	/* to be safe */
-+	return rc;
-+}
-+
-+
- #if defined(__CYGWIN__)
- /*
-  * 1. Convert a path separator from '\' to '/' .
-@@ -2544,15 +2684,17 @@ cleanup_pathname_win(struct archive_write_disk *a)
-  * is set) if the path is absolute.
-  */
- static int
--cleanup_pathname(struct archive_write_disk *a)
-+cleanup_pathname_fsobj(char *path, int *error_number, struct archive_string *error_string, int flags)
- {
- 	char *dest, *src;
- 	char separator = '\0';
- 
--	dest = src = a->name;
-+	dest = src = path;
- 	if (*src == '\0') {
--		archive_set_error(&a->archive, ARCHIVE_ERRNO_MISC,
--		    "Invalid empty pathname");
-+		if (error_number) *error_number = ARCHIVE_ERRNO_MISC;
-+		if (error_string)
-+		    archive_string_sprintf(error_string,
-+			    "Invalid empty pathname");
- 		return (ARCHIVE_FAILED);
- 	}
- 
-@@ -2561,9 +2703,11 @@ cleanup_pathname(struct archive_write_disk *a)
- #endif
- 	/* Skip leading '/'. */
- 	if (*src == '/') {
--		if (a->flags & ARCHIVE_EXTRACT_SECURE_NOABSOLUTEPATHS) {
--			archive_set_error(&a->archive, ARCHIVE_ERRNO_MISC,
--			                  "Path is absolute");
-+		if (flags & ARCHIVE_EXTRACT_SECURE_NOABSOLUTEPATHS) {
-+			if (error_number) *error_number = ARCHIVE_ERRNO_MISC;
-+			if (error_string)
-+			    archive_string_sprintf(error_string,
-+				    "Path is absolute");
- 			return (ARCHIVE_FAILED);
- 		}
- 
-@@ -2590,10 +2734,11 @@ cleanup_pathname(struct archive_write_disk *a)
- 			} else if (src[1] == '.') {
- 				if (src[2] == '/' || src[2] == '\0') {
- 					/* Conditionally warn about '..' */
--					if (a->flags & ARCHIVE_EXTRACT_SECURE_NODOTDOT) {
--						archive_set_error(&a->archive,
--						    ARCHIVE_ERRNO_MISC,
--						    "Path contains '..'");
-+					if (flags & ARCHIVE_EXTRACT_SECURE_NODOTDOT) {
-+						if (error_number) *error_number = ARCHIVE_ERRNO_MISC;
-+						if (error_string)
-+						    archive_string_sprintf(error_string,
-+							    "Path contains '..'");
- 						return (ARCHIVE_FAILED);
- 					}
- 				}
-@@ -2624,7 +2769,7 @@ cleanup_pathname(struct archive_write_disk *a)
- 	 * We've just copied zero or more path elements, not including the
- 	 * final '/'.
- 	 */
--	if (dest == a->name) {
-+	if (dest == path) {
- 		/*
- 		 * Nothing got copied.  The path must have been something
- 		 * like '.' or '/' or './' or '/././././/./'.
-@@ -2639,6 +2784,21 @@ cleanup_pathname(struct archive_write_disk *a)
- 	return (ARCHIVE_OK);
- }
- 
-+static int
-+cleanup_pathname(struct archive_write_disk *a)
-+{
-+	struct archive_string error_string;
-+	int error_number;
-+	int rc;
-+	archive_string_init(&error_string);
-+	rc = cleanup_pathname_fsobj(a->name, &error_number, &error_string, a->flags);
-+	if (rc != ARCHIVE_OK) {
-+		archive_set_error(&a->archive, error_number, "%s", error_string.s);
-+	}
-+	archive_string_free(&error_string);
-+	return rc;
-+}
-+
- /*
-  * Create the parent directory of the specified path, assuming path
-  * is already in mutable storage.
diff --git a/gnu/packages/patches/libarchive-fix-symlink-check.patch b/gnu/packages/patches/libarchive-fix-symlink-check.patch
deleted file mode 100644
index f042c31..0000000
--- a/gnu/packages/patches/libarchive-fix-symlink-check.patch
+++ /dev/null
@@ -1,60 +0,0 @@
-Make sure to check for symlinks even if the pathname is very long:
-
-https://github.com/libarchive/libarchive/issues/744
-
-Patch copied from upstream repository:
-
-https://github.com/libarchive/libarchive/commit/1fa9c7bf90f0862036a99896b0501c381584451a
-
-From 1fa9c7bf90f0862036a99896b0501c381584451a Mon Sep 17 00:00:00 2001
-From: Tim Kientzle <kientzle@acm.org>
-Date: Sun, 21 Aug 2016 17:11:45 -0700
-Subject: [PATCH] Issue #744 (part of Issue #743): Enforce sandbox with very
- long pathnames
-
-Because check_symlinks is handled separately from the deep-directory
-support, very long pathnames cause problems.  Previously, the code
-ignored most failures to lstat() a path component.  In particular,
-this led to check_symlinks always passing for very long paths, which
-in turn provides a way to evade the symlink checks in the sandboxing
-code.
-
-We now fail on unrecognized lstat() failures, which plugs this
-hole at the cost of disabling deep directory support when the
-user requests sandboxing.
-
-TODO:  This probably cannot be completely fixed without
-entirely reimplementing the deep directory support to
-integrate the symlink checks.  I want to reimplement the
-deep directory hanlding someday anyway; openat() and
-related system calls now provide a much cleaner way to
-handle deep directories than the chdir approach used by this
-code.
----
- libarchive/archive_write_disk_posix.c | 12 +++++++++++-
- 1 file changed, 11 insertions(+), 1 deletion(-)
-
-diff --git a/libarchive/archive_write_disk_posix.c b/libarchive/archive_write_disk_posix.c
-index 39ee3b6..8f0421e 100644
---- a/libarchive/archive_write_disk_posix.c
-+++ b/libarchive/archive_write_disk_posix.c
-@@ -2401,8 +2401,18 @@ check_symlinks(struct archive_write_disk *a)
- 		r = lstat(a->name, &st);
- 		if (r != 0) {
- 			/* We've hit a dir that doesn't exist; stop now. */
--			if (errno == ENOENT)
-+			if (errno == ENOENT) {
- 				break;
-+			} else {
-+				/* Note: This effectively disables deep directory
-+				 * support when security checks are enabled.
-+				 * Otherwise, very long pathnames that trigger
-+				 * an error here could evade the sandbox.
-+				 * TODO: We could do better, but it would probably
-+				 * require merging the symlink checks with the
-+				 * deep-directory editing. */
-+				return (ARCHIVE_FAILED);
-+			}
- 		} else if (S_ISLNK(st.st_mode)) {
- 			if (c == '\0') {
- 				/*
diff --git a/gnu/packages/patches/libarchive-safe_fprintf-buffer-overflow.patch b/gnu/packages/patches/libarchive-safe_fprintf-buffer-overflow.patch
deleted file mode 100644
index 0e70ac9..0000000
--- a/gnu/packages/patches/libarchive-safe_fprintf-buffer-overflow.patch
+++ /dev/null
@@ -1,44 +0,0 @@
-Fixes this buffer overflow:
-https://github.com/libarchive/libarchive/commit/e37b620fe8f14535d737e89a4dcabaed4517bf1a
-
-Patch copied from upstream source repository:
-https://github.com/libarchive/libarchive/commit/e37b620fe8f14535d737e89a4dcabaed4517bf1a
-
-From e37b620fe8f14535d737e89a4dcabaed4517bf1a Mon Sep 17 00:00:00 2001
-From: Tim Kientzle <kientzle@acm.org>
-Date: Sun, 21 Aug 2016 10:51:43 -0700
-Subject: [PATCH] Issue #767:  Buffer overflow printing a filename
-
-The safe_fprintf function attempts to ensure clean output for an
-arbitrary sequence of bytes by doing a trial conversion of the
-multibyte characters to wide characters -- if the resulting wide
-character is printable then we pass through the corresponding bytes
-unaltered, otherwise, we convert them to C-style ASCII escapes.
-
-The stack trace in Issue #767 suggest that the 20-byte buffer
-was getting overflowed trying to format a non-printable multibyte
-character.  This should only happen if there is a valid multibyte
-character of more than 5 bytes that was unprintable.  (Each byte
-would get expanded to a four-charcter octal-style escape of the form
-"\123" resulting in >20 characters for the >5 byte multibyte character.)
-
-I've not been able to reproduce this, but have expanded the conversion
-buffer to 128 bytes on the belief that no multibyte character set
-has a single character of more than 32 bytes.
----
- tar/util.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/tar/util.c b/tar/util.c
-index 9ff22f2..2b4aebe 100644
---- a/tar/util.c
-+++ b/tar/util.c
-@@ -182,7 +182,7 @@ safe_fprintf(FILE *f, const char *fmt, ...)
- 		}
- 
- 		/* If our output buffer is full, dump it and keep going. */
--		if (i > (sizeof(outbuff) - 20)) {
-+		if (i > (sizeof(outbuff) - 128)) {
- 			outbuff[i] = '\0';
- 			fprintf(f, "%s", outbuff);
- 			i = 0;
-- 
2.10.2

Re: [PATCH 0/1] Libarchive 3.2.2 update

[Kei Kebreau]

[-- Attachment #1: Type: text/plain, Size: 1350 bytes --]

Leo Famulari <leo@famulari.name> writes:

> This patch updates libarchive to 3.2.2. Besides integrating our bug-fix
> patches, this release fixes some other bugs, too:
>
> https://github.com/libarchive/libarchive/compare/v3.2.1...v3.2.2
>
> It's a little more than we want to do on staging...
>
> Building the following 551 packages would ensure 1222 dependent packages
> are rebuilt
>

Yes, this is pretty close. I'll let someone more experienced with the
build farm determine where this should go.

> Leo Famulari (1):
>   gnu: libarchive: Update to 3.2.2.
>
>  gnu/local.mk                                       |   4 -
>  gnu/packages/backup.scm                            |   9 +-
>  .../patches/libarchive-7zip-heap-overflow.patch    |  77 ----
>  .../libarchive-fix-filesystem-attacks.patch        | 445 ---------------------
>  .../patches/libarchive-fix-symlink-check.patch     |  60 ---
>  .../libarchive-safe_fprintf-buffer-overflow.patch  |  44 --
>  6 files changed, 2 insertions(+), 637 deletions(-)
>  delete mode 100644 gnu/packages/patches/libarchive-7zip-heap-overflow.patch
>  delete mode 100644 gnu/packages/patches/libarchive-fix-filesystem-attacks.patch
>  delete mode 100644 gnu/packages/patches/libarchive-fix-symlink-check.patch
>  delete mode 100644 gnu/packages/patches/libarchive-safe_fprintf-buffer-overflow.patch

LGTM.

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 832 bytes --]

Re: [PATCH 0/1] Libarchive 3.2.2 update

[Ludovic Courtès]

Leo Famulari <leo@famulari.name> skribis:

> This patch updates libarchive to 3.2.2. Besides integrating our bug-fix
> patches, this release fixes some other bugs, too:
>
> https://github.com/libarchive/libarchive/compare/v3.2.1...v3.2.2
>
> It's a little more than we want to do on staging...
>
> Building the following 551 packages would ensure 1222 dependent packages
> are rebuilt

If there are no known security issues fixed, could this go to
‘core-updates’?  WDYT?

The patch LGTM.

Thanks,
Ludo’.

Re: [PATCH 0/1] Libarchive 3.2.2 update

[Leo Famulari]

On Mon, Nov 28, 2016 at 02:56:52PM +0100, Ludovic Courtès wrote:
> Leo Famulari <leo@famulari.name> skribis:
> 
> > This patch updates libarchive to 3.2.2. Besides integrating our bug-fix
> > patches, this release fixes some other bugs, too:
> >
> > https://github.com/libarchive/libarchive/compare/v3.2.1...v3.2.2
> >
> > It's a little more than we want to do on staging...
> >
> > Building the following 551 packages would ensure 1222 dependent packages
> > are rebuilt
> 
> If there are no known security issues fixed, could this go to
> ‘core-updates’?  WDYT?

None that I know of, but I'm not an expert. I think that there are a lot
of people are paying attention to libarchive at the moment, so hopefully
the bugs will be publicized if necessary.

> The patch LGTM.

I pushed it to core-updates after fixing a thinko in one of the patches
(wrong URL to the libarchive bug tracker). I figured we might as well
have the right URL somewhere in `git log`.