From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from eggs.gnu.org ([2001:4830:134:3::10]:44677) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1dpgH0-0003kQ-1h for guix-patches@gnu.org; Wed, 06 Sep 2017 15:46:10 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1dpgGw-0000Ts-CM for guix-patches@gnu.org; Wed, 06 Sep 2017 15:46:06 -0400 Received: from debbugs.gnu.org ([208.118.235.43]:44738) by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_128_CBC_SHA1:16) (Exim 4.71) (envelope-from ) id 1dpgGw-0000Tn-8U for guix-patches@gnu.org; Wed, 06 Sep 2017 15:46:02 -0400 Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2) (envelope-from ) id 1dpgGv-0002FT-Vh for guix-patches@gnu.org; Wed, 06 Sep 2017 15:46:01 -0400 Subject: [bug#28374] [PATCH] gnu: libarchive: Replace with libarchive 3.3.2 and fix CVE-2017-14166. Resent-Message-ID: Received: from eggs.gnu.org ([2001:4830:134:3::10]:44485) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1dpgFr-0003g9-Pq for guix-patches@gnu.org; Wed, 06 Sep 2017 15:45:00 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1dpgFn-0000AF-NR for guix-patches@gnu.org; Wed, 06 Sep 2017 15:44:55 -0400 Received: from out1-smtp.messagingengine.com ([66.111.4.25]:60453) by eggs.gnu.org with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.71) (envelope-from ) id 1dpgFn-00009M-Bj for guix-patches@gnu.org; Wed, 06 Sep 2017 15:44:51 -0400 Received: from jasmine.lan (c-73-165-108-70.hsd1.pa.comcast.net [73.165.108.70]) by mail.messagingengine.com (Postfix) with ESMTPA id DE6667E101 for ; Wed, 6 Sep 2017 15:44:47 -0400 (EDT) From: Leo Famulari Date: Wed, 6 Sep 2017 15:44:44 -0400 Message-Id: List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-patches-bounces+kyle=kyleam.com@gnu.org Sender: "Guix-patches" To: 28374@debbugs.gnu.org * gnu/packages/backup.scm (libarchive)[replacement]: New field. (libarchive-3.3.2): New variable. * gnu/packages/patches/libarchive-CVE-2017-14166.patch: New file. * gnu/local.mk (dist_patch_DATA): Add it. --- gnu/local.mk | 1 + gnu/packages/backup.scm | 9 +++-- .../patches/libarchive-CVE-2017-14166.patch | 45 ++++++++++++++++++++++ 3 files changed, 51 insertions(+), 4 deletions(-) create mode 100644 gnu/packages/patches/libarchive-CVE-2017-14166.patch diff --git a/gnu/local.mk b/gnu/local.mk index a38e4e2d5..60e9ff29f 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -752,6 +752,7 @@ dist_patch_DATA = \ %D%/packages/patches/liba52-link-with-libm.patch \ %D%/packages/patches/liba52-set-soname.patch \ %D%/packages/patches/liba52-use-mtune-not-mcpu.patch \ + %D%/packages/patches/libarchive-CVE-2017-14166.patch \ %D%/packages/patches/libbase-fix-includes.patch \ %D%/packages/patches/libbase-use-own-logging.patch \ %D%/packages/patches/libbonobo-activation-test-race.patch \ diff --git a/gnu/packages/backup.scm b/gnu/packages/backup.scm index eca69bebe..006d00ef0 100644 --- a/gnu/packages/backup.scm +++ b/gnu/packages/backup.scm @@ -184,6 +184,7 @@ backups (called chunks) to allow easy burning to CD/DVD.") (define-public libarchive (package (name "libarchive") + (replacement libarchive-3.3.2) (version "3.3.1") (source (origin @@ -239,19 +240,19 @@ archive. In particular, note that there is currently no built-in support for random access nor for in-place modification.") (license license:bsd-2))) -(define libarchive-3.3.1 +(define libarchive-3.3.2 (package (inherit libarchive) - (name "libarchive") - (version "3.3.1") + (version "3.3.2") (source (origin (method url-fetch) (uri (string-append "http://libarchive.org/downloads/libarchive-" version ".tar.gz")) + (patches (search-patches "libarchive-CVE-2017-14166.patch")) (sha256 (base32 - "1rr40hxlm9vy5z2zb5w7pyfkgd1a4s061qapm83s19accb8mpji9")))))) + "1km0mzfl6in7l5vz9kl09a88ajx562rw93ng9h2jqavrailvsbgd")))))) (define-public rdup (package diff --git a/gnu/packages/patches/libarchive-CVE-2017-14166.patch b/gnu/packages/patches/libarchive-CVE-2017-14166.patch new file mode 100644 index 000000000..a12284844 --- /dev/null +++ b/gnu/packages/patches/libarchive-CVE-2017-14166.patch @@ -0,0 +1,45 @@ +Fix CVE-2017-14166: + +https://github.com/libarchive/libarchive/issues/935 +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14166 + +Patch copied from upstream source repository: + +https://github.com/libarchive/libarchive/commit/fa7438a0ff4033e4741c807394a9af6207940d71 + +From fa7438a0ff4033e4741c807394a9af6207940d71 Mon Sep 17 00:00:00 2001 +From: Joerg Sonnenberger +Date: Tue, 5 Sep 2017 18:12:19 +0200 +Subject: [PATCH] Do something sensible for empty strings to make fuzzers + happy. + +--- + libarchive/archive_read_support_format_xar.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/libarchive/archive_read_support_format_xar.c b/libarchive/archive_read_support_format_xar.c +index 7a22beb9d..93eeacc5e 100644 +--- a/libarchive/archive_read_support_format_xar.c ++++ b/libarchive/archive_read_support_format_xar.c +@@ -1040,6 +1040,9 @@ atol10(const char *p, size_t char_cnt) + uint64_t l; + int digit; + ++ if (char_cnt == 0) ++ return (0); ++ + l = 0; + digit = *p - '0'; + while (digit >= 0 && digit < 10 && char_cnt-- > 0) { +@@ -1054,7 +1057,10 @@ atol8(const char *p, size_t char_cnt) + { + int64_t l; + int digit; +- ++ ++ if (char_cnt == 0) ++ return (0); ++ + l = 0; + while (char_cnt-- > 0) { + if (*p >= '0' && *p <= '7') -- 2.14.1