new file mode 100644

@@ -0,0 +1,149 @@

+From 59357157706d47c365b2227739e17daba3607526 Mon Sep 17 00:00:00 2001

+From: Alessandro Ghedini <alessandro@ghedini.me>

+Date: Sun, 1 Mar 2015 12:07:45 +0100

+Subject: [PATCH] Add ARCHIVE_EXTRACT_SECURE_NOABSOLUTEPATHS option

+

+This fixes a directory traversal in the cpio tool.

+

+

+Upstream-Status: backport

+

+Signed-off-by: Li Zhou <li.zhou@windriver.com>

+---

+ cpio/bsdcpio.1                           |    3 ++-

+ cpio/cpio.c                              |    2 ++

+ libarchive/archive.h                     |    2 ++

+ libarchive/archive_write_disk.3          |    3 +++

+ libarchive/archive_write_disk_posix.c    |   14 +++++++++++---

+ libarchive/test/test_write_disk_secure.c |   23 +++++++++++++++++++++++

+ 6 files changed, 43 insertions(+), 4 deletions(-)

+

+diff --git a/cpio/bsdcpio.1 b/cpio/bsdcpio.1

+index f966aa0..e52546e 100644

+--- a/cpio/bsdcpio.1

+@@ -156,7 +156,8 @@ See above for description.

+ .It Fl Fl insecure

+ (i and p mode only)

+ Disable security checks during extraction or copying.

+-This allows extraction via symbolic links and path names containing

++This allows extraction via symbolic links, absolute paths,

++and path names containing

+ .Sq ..

+ in the name.

+ .It Fl J , Fl Fl xz

+diff --git a/cpio/cpio.c b/cpio/cpio.c

+index 0acde11..b267e9b 100644

+--- a/cpio/cpio.c

+@@ -171,6 +171,7 @@ main(int argc, char *argv[])

+ 	cpio->extract_flags |= ARCHIVE_EXTRACT_NO_OVERWRITE_NEWER;

+ 	cpio->extract_flags |= ARCHIVE_EXTRACT_SECURE_SYMLINKS;

+ 	cpio->extract_flags |= ARCHIVE_EXTRACT_SECURE_NODOTDOT;

++	cpio->extract_flags |= ARCHIVE_EXTRACT_SECURE_NOABSOLUTEPATHS;

+ 	cpio->extract_flags |= ARCHIVE_EXTRACT_PERM;

+ 	cpio->extract_flags |= ARCHIVE_EXTRACT_FFLAGS;

+ 	cpio->extract_flags |= ARCHIVE_EXTRACT_ACL;

+@@ -256,6 +257,7 @@ main(int argc, char *argv[])

+ 		case OPTION_INSECURE:

+ 			cpio->extract_flags &= ~ARCHIVE_EXTRACT_SECURE_SYMLINKS;

+ 			cpio->extract_flags &= ~ARCHIVE_EXTRACT_SECURE_NODOTDOT;

++			cpio->extract_flags &= ~ARCHIVE_EXTRACT_SECURE_NOABSOLUTEPATHS;

+ 			break;

+ 		case 'L': /* GNU cpio */

+ 			cpio->option_follow_links = 1;

+diff --git a/libarchive/archive.h b/libarchive/archive.h

+index 1f0fc38..ef635ac 100644

+--- a/libarchive/archive.h

+@@ -649,6 +649,8 @@ __LA_DECL int archive_read_set_passphrase_callback(struct archive *,

+ /* Default: Do not use HFS+ compression if it was not compressed. */

+ /* This has no effect except on Mac OS v10.6 or later. */

+ #define	ARCHIVE_EXTRACT_HFS_COMPRESSION_FORCED	(0x8000)

++/* Default: Do not reject entries with absolute paths */

++#define ARCHIVE_EXTRACT_SECURE_NOABSOLUTEPATHS (0x10000)

+ 

+ __LA_DECL int archive_read_extract(struct archive *, struct archive_entry *,

+ 		     int flags);

+diff --git a/libarchive/archive_write_disk.3 b/libarchive/archive_write_disk.3

+index fa925cc..a2e7afa 100644

+--- a/libarchive/archive_write_disk.3

+@@ -177,6 +177,9 @@ The default is to not refuse such paths.

+ Note that paths ending in

+ .Pa ..

+ always cause an error, regardless of this flag.

++.It Cm ARCHIVE_EXTRACT_SECURE_NOABSOLUTEPATHS

++Refuse to extract an absolute path.

++The default is to not refuse such paths.

+ .It Cm ARCHIVE_EXTRACT_SPARSE

+ Scan data for blocks of NUL bytes and try to recreate them with holes.

+ This results in sparse files, independent of whether the archive format

+diff --git a/libarchive/archive_write_disk_posix.c b/libarchive/archive_write_disk_posix.c

+index ab3bdac..c1290eb 100644

+--- a/libarchive/archive_write_disk_posix.c

+@@ -2509,8 +2509,9 @@ cleanup_pathname_win(struct archive_write_disk *a)

+ /*

+  * Canonicalize the pathname.  In particular, this strips duplicate

+  * '/' characters, '.' elements, and trailing '/'.  It also raises an

+- * error for an empty path, a trailing '..' or (if _SECURE_NODOTDOT is

+- * set) any '..' in the path.

++ * error for an empty path, a trailing '..', (if _SECURE_NODOTDOT is

++ * set) any '..' in the path or (if ARCHIVE_EXTRACT_SECURE_NOABSOLUTEPATHS

++ * is set) if the path is absolute.

+  */

+ static int

+ cleanup_pathname(struct archive_write_disk *a)

+@@ -2529,8 +2530,15 @@ cleanup_pathname(struct archive_write_disk *a)

+ 	cleanup_pathname_win(a);

+ #endif

+ 	/* Skip leading '/'. */

+-	if (*src == '/')

++	if (*src == '/') {

++		if (a->flags & ARCHIVE_EXTRACT_SECURE_NOABSOLUTEPATHS) {

++			archive_set_error(&a->archive, ARCHIVE_ERRNO_MISC,

++			                  "Path is absolute");

++			return (ARCHIVE_FAILED);

++		}

++

+ 		separator = *src++;

++	}

+ 

+ 	/* Scan the pathname one element at a time. */

+ 	for (;;) {

+diff --git a/libarchive/test/test_write_disk_secure.c b/libarchive/test/test_write_disk_secure.c

+index 31c5bfd..2c94206 100644

+--- a/libarchive/test/test_write_disk_secure.c

+@@ -178,6 +178,29 @@ DEFINE_TEST(test_write_disk_secure)

+ 	assert(S_ISDIR(st.st_mode));

+ 	archive_entry_free(ae);

+ 

++	/*

++	 * Without security checks, we should be able to

++	 * extract an absolute path.

++	 */

++	assert((ae = archive_entry_new()) != NULL);

++	archive_entry_copy_pathname(ae, "/tmp/libarchive_test-test_write_disk_secure-absolute_path.tmp");

++	archive_entry_set_mode(ae, S_IFREG | 0777);

++	assert(0 == archive_write_header(a, ae));

++	assert(0 == archive_write_finish_entry(a));

++	assertFileExists("/tmp/libarchive_test-test_write_disk_secure-absolute_path.tmp");

++	assert(0 == unlink("/tmp/libarchive_test-test_write_disk_secure-absolute_path.tmp"));

++

++	/* But with security checks enabled, this should fail. */

++	assert(archive_entry_clear(ae) != NULL);

++	archive_entry_copy_pathname(ae, "/tmp/libarchive_test-test_write_disk_secure-absolute_path.tmp");

++	archive_entry_set_mode(ae, S_IFREG | 0777);

++	archive_write_disk_set_options(a, ARCHIVE_EXTRACT_SECURE_NOABSOLUTEPATHS);

++	failure("Extracting an absolute path should fail here.");

++	assertEqualInt(ARCHIVE_FAILED, archive_write_header(a, ae));

++	archive_entry_free(ae);

++	assert(0 == archive_write_finish_entry(a));

++	assertFileNotExists("/tmp/libarchive_test-test_write_disk_secure-absolute_path.tmp");

++

+ 	assertEqualInt(ARCHIVE_OK, archive_write_free(a));

+ 

+ 	/* Test the entries on disk. */

+---

new file mode 100644

@@ -0,0 +1,36 @@

+From 2f55d6bd308ea61975558c2469ae349dba297e89 Mon Sep 17 00:00:00 2001

+From: Robert Yang <liezhi.yang@windriver.com>

+Date: Sat, 22 Feb 2014 14:35:59 +0800

+Subject: [PATCH] Fix CVE-2013-0211

+

+This patch comes from:https://github.com/libarchive/libarchive/commit/22531545514043e04633e1c015c7540b9de9dbe4

+

+Upstream-Status: Backport

+

+Signed-off-by: Baogen shang <baogen.shang@windriver.com>

+

+Update the patch because of uprev on 20140222

+

+Signed-off-by: Robert Yang <liezhi.yang@windriver.com>

+---

+ libarchive/archive_write.c | 4 ++++

+ 1 file changed, 4 insertions(+)

+

+diff --git a/libarchive/archive_write.c b/libarchive/archive_write.c

+index a3d1a33..a323588 100644

+--- a/libarchive/archive_write.c

+@@ -671,8 +671,12 @@ static ssize_t

+ _archive_write_data(struct archive *_a, const void *buff, size_t s)

+ {

+ 	struct archive_write *a = (struct archive_write *)_a;

++	const size_t max_write = INT_MAX;

+ 	archive_check_magic(&a->archive, ARCHIVE_WRITE_MAGIC,

+ 	    ARCHIVE_STATE_DATA, "archive_write_data");

++	/* In particular, this catches attempts to pass negative values. */

++	if (s > max_write)

++		s = max_write;

+ 	archive_clear_error(&a->archive);

+ 	return ((a->format_write_data)(a, buff, s));

+ }

+-- 

@@ -1,7 +1,7 @@

 Summary:    Multi-format archive and compression library

 Name:       libarchive

 Version:    3.1.2

-Release:    2%{?dist}

+Release:    3%{?dist}

 License:    BSD 2-Clause License

 URL:        http://www.libarchive.org/

 Group:      System Environment/Development

@@ -9,6 +9,8 @@ Vendor:     VMware, Inc.

 Distribution:   Photon

 Source0:    http://www.libarchive.org/downloads/%{name}-%{version}.tar.gz

 %define sha1 libarchive=6a991777ecb0f890be931cec4aec856d1a195489

+Patch0: libarchive-CVE-2013-0211.patch

+Patch1:	0001-Add-ARCHIVE_EXTRACT_SECURE_NOABSOLUTEPATHS-option.patch

 %description

 Multi-format archive and compression library

@@ -21,6 +23,8 @@ It contains the libraries and header files to create applications

 %prep

 %setup -q

+%patch0 -p1

+%patch1 -p1

 %build

 export CFLAGS="%{optflags}"

@@ -46,6 +50,8 @@ make DESTDIR=%{buildroot} install

 %{_mandir}

 %changelog

+*   Fri Aug 14 2015 Alexey Makhalov <amakhalov@vmware.com> 3.1.2-3

+-   Adding patches for security fixes CVE-2013-2011 and CVE-2015-2304.

 *   Wed Jul 8 2015 Alexey Makhalov <amakhalov@vmware.com> 3.1.2-2

 -   Added devel package, dist tag. Use macroses part.

 *   Fri Jun 5 2015 Touseef Liaqat <tliaqat@vmware.com> 3.1.2-1