From: Leo Famulari <leo@famulari.name>
To: guix-devel@gnu.org
Subject: [PATCH 1/1] gnu: libarchive: Fix CVE-2016-1541.
Date: Tue, 10 May 2016 16:29:09 -0400 [thread overview]
Message-ID: <bd77460d7bbff74ef375c28df7d055c52374344a.1462911976.git.leo@famulari.name> (raw)
In-Reply-To: <cover.1462911976.git.leo@famulari.name>
In-Reply-To: <cover.1462911976.git.leo@famulari.name>
* gnu/packages/backup.scm (libarchive)[replacement]: New field.
(libarchive/fixed): New variable.
* gnu/packages/patches/libarchive-CVE-2016-1541.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.
---
gnu/local.mk | 1 +
gnu/packages/backup.scm | 9 +++
.../patches/libarchive-CVE-2016-1541.patch | 67 ++++++++++++++++++++++
3 files changed, 77 insertions(+)
create mode 100644 gnu/packages/patches/libarchive-CVE-2016-1541.patch
diff --git a/gnu/local.mk b/gnu/local.mk
index f2436ed..ca1832e 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -572,6 +572,7 @@ dist_patch_DATA = \
gnu/packages/patches/liba52-use-mtune-not-mcpu.patch \
gnu/packages/patches/libarchive-bsdtar-test.patch \
gnu/packages/patches/libarchive-CVE-2013-0211.patch \
+ gnu/packages/patches/libarchive-CVE-2016-1541.patch \
gnu/packages/patches/libarchive-fix-lzo-test-case.patch \
gnu/packages/patches/libarchive-mtree-filename-length-fix.patch \
gnu/packages/patches/libbonobo-activation-test-race.patch \
diff --git a/gnu/packages/backup.scm b/gnu/packages/backup.scm
index a7b48f1..917bee7 100644
--- a/gnu/packages/backup.scm
+++ b/gnu/packages/backup.scm
@@ -136,6 +136,7 @@ backups (called chunks) to allow easy burning to CD/DVD.")
(define-public libarchive
(package
(name "libarchive")
+ (replacement libarchive/fixed)
(version "3.1.2")
(source
(origin
@@ -193,6 +194,14 @@ archive. In particular, note that there is currently no built-in support for
random access nor for in-place modification.")
(license license:bsd-2)))
+(define libarchive/fixed
+ (package
+ (inherit libarchive)
+ (source (origin
+ (inherit (package-source libarchive))
+ (patches (cons (search-patch "libarchive-CVE-2016-1541.patch")
+ (origin-patches (package-source libarchive))))))))
+
(define-public rdup
(package
(name "rdup")
diff --git a/gnu/packages/patches/libarchive-CVE-2016-1541.patch b/gnu/packages/patches/libarchive-CVE-2016-1541.patch
new file mode 100644
index 0000000..6ac8773
--- /dev/null
+++ b/gnu/packages/patches/libarchive-CVE-2016-1541.patch
@@ -0,0 +1,67 @@
+Fix CVE-2016-1541 (buffer overflow zip_read_mac_metadata)
+
+Taken from upstream source repository:
+https://github.com/libarchive/libarchive/commit/d0331e8e5b05b475f20b1f3101fe1ad772d7e7e7
+
+When reading OS X metadata entries in Zip archives that were stored
+without compression, libarchive would use the uncompressed entry size
+to allocate a buffer but would use the compressed entry size to limit
+the amount of data copied into that buffer. Since the compressed
+and uncompressed sizes are provided by data in the archive itself,
+an attacker could manipulate these values to write data beyond
+the end of the allocated buffer.
+
+This fix provides three new checks to guard against such
+manipulation and to make libarchive generally more robust when
+handling this type of entry:
+ 1. If an OS X metadata entry is stored without compression,
+ abort the entire archive if the compressed and uncompressed
+ data sizes do not match.
+ 2. When sanity-checking the size of an OS X metadata entry,
+ abort this entry if either the compressed or uncompressed
+ size is larger than 4MB.
+ 3. When copying data into the allocated buffer, check the copy
+ size against both the compressed entry size and uncompressed
+ entry size.
+---
+ libarchive/archive_read_support_format_zip.c | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+diff --git a/libarchive/archive_read_support_format_zip.c b/libarchive/archive_read_support_format_zip.c
+index 0f8262c..0a0be96 100644
+--- a/libarchive/archive_read_support_format_zip.c
++++ b/libarchive/archive_read_support_format_zip.c
+@@ -2778,6 +2778,11 @@ zip_read_mac_metadata(struct archive_read *a, struct archive_entry *entry,
+
+ switch(rsrc->compression) {
+ case 0: /* No compression. */
++ if (rsrc->uncompressed_size != rsrc->compressed_size) {
++ archive_set_error(&a->archive, ARCHIVE_ERRNO_FILE_FORMAT,
++ "Malformed OS X metadata entry: inconsistent size");
++ return (ARCHIVE_FATAL);
++ }
+ #ifdef HAVE_ZLIB_H
+ case 8: /* Deflate compression. */
+ #endif
+@@ -2798,6 +2803,12 @@ zip_read_mac_metadata(struct archive_read *a, struct archive_entry *entry,
+ (intmax_t)rsrc->uncompressed_size);
+ return (ARCHIVE_WARN);
+ }
++ if (rsrc->compressed_size > (4 * 1024 * 1024)) {
++ archive_set_error(&a->archive, ARCHIVE_ERRNO_FILE_FORMAT,
++ "Mac metadata is too large: %jd > 4M bytes",
++ (intmax_t)rsrc->compressed_size);
++ return (ARCHIVE_WARN);
++ }
+
+ metadata = malloc((size_t)rsrc->uncompressed_size);
+ if (metadata == NULL) {
+@@ -2836,6 +2847,8 @@ zip_read_mac_metadata(struct archive_read *a, struct archive_entry *entry,
+ bytes_avail = remaining_bytes;
+ switch(rsrc->compression) {
+ case 0: /* No compression. */
++ if ((size_t)bytes_avail > metadata_bytes)
++ bytes_avail = metadata_bytes;
+ memcpy(mp, p, bytes_avail);
+ bytes_used = (size_t)bytes_avail;
+ metadata_bytes -= bytes_used;
--
2.8.2
next prev parent reply other threads:[~2016-05-10 20:29 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-05-10 20:29 [PATCH 0/1] libarchive: Fix CVE-2016-1541 Leo Famulari
2016-05-10 20:29 ` Leo Famulari [this message]
2016-05-11 13:44 ` Ludovic Courtès
2016-05-12 1:55 ` Leo Famulari
2016-05-12 5:22 ` Jan Nieuwenhuizen
2016-05-13 6:45 ` Leo Famulari
2016-05-13 18:16 ` Jan Nieuwenhuizen
2016-05-14 17:26 ` Manolis Ragkousis
2016-05-12 7:24 ` Manolis Ragkousis
2016-05-15 6:45 ` Leo Famulari
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=bd77460d7bbff74ef375c28df7d055c52374344a.1462911976.git.leo@famulari.name \
--to=leo@famulari.name \
--cc=guix-devel@gnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this external index
https://git.savannah.gnu.org/cgit/guix.git
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.