From mboxrd@z Thu Jan 1 00:00:00 1970 From: Leo Famulari Subject: [PATCH 1/1] gnu: libarchive: Fix CVE-2016-1541. Date: Tue, 10 May 2016 16:29:09 -0400 Message-ID: References: Return-path: Received: from eggs.gnu.org ([2001:4830:134:3::10]:46551) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1b0EHg-0006Ld-8M for guix-devel@gnu.org; Tue, 10 May 2016 16:29:39 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1b0EHU-0007VM-5q for guix-devel@gnu.org; Tue, 10 May 2016 16:29:36 -0400 Received: from out5-smtp.messagingengine.com ([66.111.4.29]:44781) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1b0EHR-0007Sq-IV for guix-devel@gnu.org; Tue, 10 May 2016 16:29:24 -0400 Received: from jasmine.lan (c-73-188-17-148.hsd1.pa.comcast.net [73.188.17.148]) by mail.messagingengine.com (Postfix) with ESMTPA id CDAE4C00019 for ; Tue, 10 May 2016 16:29:12 -0400 (EDT) In-Reply-To: In-Reply-To: References: List-Id: "Development of GNU Guix and the GNU System distribution." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org Sender: "Guix-devel" To: guix-devel@gnu.org * gnu/packages/backup.scm (libarchive)[replacement]: New field. (libarchive/fixed): New variable. * gnu/packages/patches/libarchive-CVE-2016-1541.patch: New file. * gnu/local.mk (dist_patch_DATA): Add it. --- gnu/local.mk | 1 + gnu/packages/backup.scm | 9 +++ .../patches/libarchive-CVE-2016-1541.patch | 67 ++++++++++++++++++++++ 3 files changed, 77 insertions(+) create mode 100644 gnu/packages/patches/libarchive-CVE-2016-1541.patch diff --git a/gnu/local.mk b/gnu/local.mk index f2436ed..ca1832e 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -572,6 +572,7 @@ dist_patch_DATA = \ gnu/packages/patches/liba52-use-mtune-not-mcpu.patch \ gnu/packages/patches/libarchive-bsdtar-test.patch \ gnu/packages/patches/libarchive-CVE-2013-0211.patch \ + gnu/packages/patches/libarchive-CVE-2016-1541.patch \ gnu/packages/patches/libarchive-fix-lzo-test-case.patch \ gnu/packages/patches/libarchive-mtree-filename-length-fix.patch \ gnu/packages/patches/libbonobo-activation-test-race.patch \ diff --git a/gnu/packages/backup.scm b/gnu/packages/backup.scm index a7b48f1..917bee7 100644 --- a/gnu/packages/backup.scm +++ b/gnu/packages/backup.scm @@ -136,6 +136,7 @@ backups (called chunks) to allow easy burning to CD/DVD.") (define-public libarchive (package (name "libarchive") + (replacement libarchive/fixed) (version "3.1.2") (source (origin @@ -193,6 +194,14 @@ archive. In particular, note that there is currently no built-in support for random access nor for in-place modification.") (license license:bsd-2))) +(define libarchive/fixed + (package + (inherit libarchive) + (source (origin + (inherit (package-source libarchive)) + (patches (cons (search-patch "libarchive-CVE-2016-1541.patch") + (origin-patches (package-source libarchive)))))))) + (define-public rdup (package (name "rdup") diff --git a/gnu/packages/patches/libarchive-CVE-2016-1541.patch b/gnu/packages/patches/libarchive-CVE-2016-1541.patch new file mode 100644 index 0000000..6ac8773 --- /dev/null +++ b/gnu/packages/patches/libarchive-CVE-2016-1541.patch @@ -0,0 +1,67 @@ +Fix CVE-2016-1541 (buffer overflow zip_read_mac_metadata) + +Taken from upstream source repository: +https://github.com/libarchive/libarchive/commit/d0331e8e5b05b475f20b1f3101fe1ad772d7e7e7 + +When reading OS X metadata entries in Zip archives that were stored +without compression, libarchive would use the uncompressed entry size +to allocate a buffer but would use the compressed entry size to limit +the amount of data copied into that buffer. Since the compressed +and uncompressed sizes are provided by data in the archive itself, +an attacker could manipulate these values to write data beyond +the end of the allocated buffer. + +This fix provides three new checks to guard against such +manipulation and to make libarchive generally more robust when +handling this type of entry: + 1. If an OS X metadata entry is stored without compression, + abort the entire archive if the compressed and uncompressed + data sizes do not match. + 2. When sanity-checking the size of an OS X metadata entry, + abort this entry if either the compressed or uncompressed + size is larger than 4MB. + 3. When copying data into the allocated buffer, check the copy + size against both the compressed entry size and uncompressed + entry size. +--- + libarchive/archive_read_support_format_zip.c | 13 +++++++++++++ + 1 file changed, 13 insertions(+) + +diff --git a/libarchive/archive_read_support_format_zip.c b/libarchive/archive_read_support_format_zip.c +index 0f8262c..0a0be96 100644 +--- a/libarchive/archive_read_support_format_zip.c ++++ b/libarchive/archive_read_support_format_zip.c +@@ -2778,6 +2778,11 @@ zip_read_mac_metadata(struct archive_read *a, struct archive_entry *entry, + + switch(rsrc->compression) { + case 0: /* No compression. */ ++ if (rsrc->uncompressed_size != rsrc->compressed_size) { ++ archive_set_error(&a->archive, ARCHIVE_ERRNO_FILE_FORMAT, ++ "Malformed OS X metadata entry: inconsistent size"); ++ return (ARCHIVE_FATAL); ++ } + #ifdef HAVE_ZLIB_H + case 8: /* Deflate compression. */ + #endif +@@ -2798,6 +2803,12 @@ zip_read_mac_metadata(struct archive_read *a, struct archive_entry *entry, + (intmax_t)rsrc->uncompressed_size); + return (ARCHIVE_WARN); + } ++ if (rsrc->compressed_size > (4 * 1024 * 1024)) { ++ archive_set_error(&a->archive, ARCHIVE_ERRNO_FILE_FORMAT, ++ "Mac metadata is too large: %jd > 4M bytes", ++ (intmax_t)rsrc->compressed_size); ++ return (ARCHIVE_WARN); ++ } + + metadata = malloc((size_t)rsrc->uncompressed_size); + if (metadata == NULL) { +@@ -2836,6 +2847,8 @@ zip_read_mac_metadata(struct archive_read *a, struct archive_entry *entry, + bytes_avail = remaining_bytes; + switch(rsrc->compression) { + case 0: /* No compression. */ ++ if ((size_t)bytes_avail > metadata_bytes) ++ bytes_avail = metadata_bytes; + memcpy(mp, p, bytes_avail); + bytes_used = (size_t)bytes_avail; + metadata_bytes -= bytes_used; -- 2.8.2