From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from eggs.gnu.org ([2001:4830:134:3::10]:38857) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1eRoxy-0001C4-Q6 for guix-patches@gnu.org; Wed, 20 Dec 2017 19:44:08 -0500 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1eRoxu-0006Zw-QA for guix-patches@gnu.org; Wed, 20 Dec 2017 19:44:06 -0500 Received: from debbugs.gnu.org ([208.118.235.43]:36301) by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_128_CBC_SHA1:16) (Exim 4.71) (envelope-from ) id 1eRoxu-0006Zo-Mj for guix-patches@gnu.org; Wed, 20 Dec 2017 19:44:02 -0500 Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2) (envelope-from ) id 1eRoxu-0007w1-EF for guix-patches@gnu.org; Wed, 20 Dec 2017 19:44:02 -0500 Subject: [bug#29793] [PATCH] gnu: libarchive: Fix CVE-2017-14502. Resent-Message-ID: Received: from eggs.gnu.org ([2001:4830:134:3::10]:38191) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1eRoxO-00010i-9C for guix-patches@gnu.org; Wed, 20 Dec 2017 19:43:31 -0500 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1eRoxK-00061I-Au for guix-patches@gnu.org; Wed, 20 Dec 2017 19:43:30 -0500 Received: from out3-smtp.messagingengine.com ([66.111.4.27]:50363) by eggs.gnu.org with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.71) (envelope-from ) id 1eRoxK-00060m-3T for guix-patches@gnu.org; Wed, 20 Dec 2017 19:43:26 -0500 Received: from jasmine.lan (c-73-165-108-70.hsd1.pa.comcast.net [73.165.108.70]) by mail.messagingengine.com (Postfix) with ESMTPA id A45997E537 for ; Wed, 20 Dec 2017 19:43:23 -0500 (EST) From: Leo Famulari Date: Wed, 20 Dec 2017 19:43:18 -0500 Message-Id: List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-patches-bounces+kyle=kyleam.com@gnu.org Sender: "Guix-patches" To: 29793@debbugs.gnu.org * gnu/packages/patches/libarchive-CVE-2017-14502.patch: New file. * gnu/local.mk (dist_patch_DATA): Add it. * gnu/packages/backup.scm (libarchive-3.3.2)[source]: Use it. --- gnu/local.mk | 1 + gnu/packages/backup.scm | 3 +- .../patches/libarchive-CVE-2017-14502.patch | 40 ++++++++++++++++++++++ 3 files changed, 43 insertions(+), 1 deletion(-) create mode 100644 gnu/packages/patches/libarchive-CVE-2017-14502.patch diff --git a/gnu/local.mk b/gnu/local.mk index efb91fd82..d5cd0b339 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -791,6 +791,7 @@ dist_patch_DATA = \ %D%/packages/patches/liba52-set-soname.patch \ %D%/packages/patches/liba52-use-mtune-not-mcpu.patch \ %D%/packages/patches/libarchive-CVE-2017-14166.patch \ + %D%/packages/patches/libarchive-CVE-2017-14502.patch \ %D%/packages/patches/libbase-fix-includes.patch \ %D%/packages/patches/libbase-use-own-logging.patch \ %D%/packages/patches/libbonobo-activation-test-race.patch \ diff --git a/gnu/packages/backup.scm b/gnu/packages/backup.scm index e634d6ab9..fab71d055 100644 --- a/gnu/packages/backup.scm +++ b/gnu/packages/backup.scm @@ -253,7 +253,8 @@ random access nor for in-place modification.") (method url-fetch) (uri (string-append "http://libarchive.org/downloads/libarchive-" version ".tar.gz")) - (patches (search-patches "libarchive-CVE-2017-14166.patch")) + (patches (search-patches "libarchive-CVE-2017-14166.patch" + "libarchive-CVE-2017-14502.patch")) (sha256 (base32 "1km0mzfl6in7l5vz9kl09a88ajx562rw93ng9h2jqavrailvsbgd")))))) diff --git a/gnu/packages/patches/libarchive-CVE-2017-14502.patch b/gnu/packages/patches/libarchive-CVE-2017-14502.patch new file mode 100644 index 000000000..8e0508afb --- /dev/null +++ b/gnu/packages/patches/libarchive-CVE-2017-14502.patch @@ -0,0 +1,40 @@ +Fix CVE-2017-14502: + +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14502 +https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=573 + +Patch copied from upstream source repository: + +https://github.com/libarchive/libarchive/commit/5562545b5562f6d12a4ef991fae158bf4ccf92b6 + +From 5562545b5562f6d12a4ef991fae158bf4ccf92b6 Mon Sep 17 00:00:00 2001 +From: Joerg Sonnenberger +Date: Sat, 9 Sep 2017 17:47:32 +0200 +Subject: [PATCH] Avoid a read off-by-one error for UTF16 names in RAR + archives. + +Reported-By: OSS-Fuzz issue 573 +--- + libarchive/archive_read_support_format_rar.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/libarchive/archive_read_support_format_rar.c b/libarchive/archive_read_support_format_rar.c +index cbb14c32..751de697 100644 +--- a/libarchive/archive_read_support_format_rar.c ++++ b/libarchive/archive_read_support_format_rar.c +@@ -1496,7 +1496,11 @@ read_header(struct archive_read *a, struct archive_entry *entry, + return (ARCHIVE_FATAL); + } + filename[filename_size++] = '\0'; +- filename[filename_size++] = '\0'; ++ /* ++ * Do not increment filename_size here as the computations below ++ * add the space for the terminating NUL explicitly. ++ */ ++ filename[filename_size] = '\0'; + + /* Decoded unicode form is UTF-16BE, so we have to update a string + * conversion object for it. */ +-- +2.15.1 + -- 2.15.1