Added the upstream patches fixing CVE-2018-1000877 and CVE-2018-1000878
Change-Id: I088403a9d38296ca3d3ec3178e6aeee9ad4fa3a1
Reviewed-on: http://photon-jenkins.eng.vmware.com:8082/6819
Tested-by: michellew <michellew@vmware.com>
Reviewed-by: Anish Swaminathan <anishs@vmware.com>
| 1 | 1 |
new file mode 100644 |
| ... | ... |
@@ -0,0 +1,31 @@ |
| 0 |
+From 021efa522ad729ff0f5806c4ce53e4a6cc1daa31 Mon Sep 17 00:00:00 2001 |
|
| 1 |
+From: Daniel Axtens <dja@axtens.net> |
|
| 2 |
+Date: Tue, 20 Nov 2018 17:56:29 +1100 |
|
| 3 |
+Subject: [PATCH] Avoid a double-free when a window size of 0 is specified |
|
| 4 |
+ |
|
| 5 |
+new_size can be 0 with a malicious or corrupted RAR archive. |
|
| 6 |
+ |
|
| 7 |
+realloc(area, 0) is equivalent to free(area), so the region would |
|
| 8 |
+be free()d here and the free()d again in the cleanup function. |
|
| 9 |
+ |
|
| 10 |
+Found with a setup running AFL, afl-rb, and qsym. |
|
| 11 |
+--- |
|
| 12 |
+ libarchive/archive_read_support_format_rar.c | 5 +++++ |
|
| 13 |
+ 1 file changed, 5 insertions(+) |
|
| 14 |
+ |
|
| 15 |
+diff --git a/libarchive/archive_read_support_format_rar.c b/libarchive/archive_read_support_format_rar.c |
|
| 16 |
+index 234522229..6f419c270 100644 |
|
| 17 |
+--- a/libarchive/archive_read_support_format_rar.c |
|
| 18 |
+@@ -2300,6 +2300,11 @@ parse_codes(struct archive_read *a) |
|
| 19 |
+ new_size = DICTIONARY_MAX_SIZE; |
|
| 20 |
+ else |
|
| 21 |
+ new_size = rar_fls((unsigned int)rar->unp_size) << 1; |
|
| 22 |
++ if (new_size == 0) {
|
|
| 23 |
++ archive_set_error(&a->archive, ARCHIVE_ERRNO_FILE_FORMAT, |
|
| 24 |
++ "Zero window size is invalid."); |
|
| 25 |
++ return (ARCHIVE_FATAL); |
|
| 26 |
++ } |
|
| 27 |
+ new_window = realloc(rar->lzss.window, new_size); |
|
| 28 |
+ if (new_window == NULL) {
|
|
| 29 |
+ archive_set_error(&a->archive, ENOMEM, |
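Review bot: The new `if (new_size == 0)` guard (patch lines 22–26) carries no comment saying why zero has to be rejected before the `realloc` on line 27, and the reason is subtle enough to deserve one: `realloc(p, 0)` is implementation-defined in C11 and on glibc frees `p` and returns NULL, so the existing `new_window == NULL` branch below would report ENOMEM while `rar->lzss.window` is already freed, and the cleanup path then frees it a second time (the double free the patch description names). I would add above the guard `/* realloc(p, 0) may free p and return NULL; rejecting 0 here keeps the ENOMEM path below from leaving rar->lzss.window dangling for the cleanup to free again. */`. As rendered, line 17 `--- a/libarchive/...` is followed directly by line 18 `@@ -2300,6 +2300,11 @@` with no `+++ b/...` line; if the vendored file really lacks it, confirm that `%patch0 -p1` still locates the target, since the gutter numbering suggests the line is absent rather than hidden. The enclosing function `parse_codes` starts and ends outside this hunk, and the `new_size` derivation at line 21 (`rar_fls((unsigned int)rar->unp_size) << 1`) is what the guard has to catch when the truncated `unp_size` makes `rar_fls` return 0 or its top bit shifts out.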
| 0 | 30 |
new file mode 100644 |
| ... | ... |
@@ -0,0 +1,72 @@ |
| 0 |
+From bfcfe6f04ed20db2504db8a254d1f40a1d84eb28 Mon Sep 17 00:00:00 2001 |
|
| 1 |
+From: Daniel Axtens <dja@axtens.net> |
|
| 2 |
+Date: Tue, 4 Dec 2018 00:55:22 +1100 |
|
| 3 |
+Subject: [PATCH] rar: file split across multi-part archives must match |
|
| 4 |
+ |
|
| 5 |
+Fuzzing uncovered some UAF and memory overrun bugs where a file in a |
|
| 6 |
+single file archive reported that it was split across multiple |
|
| 7 |
+volumes. This was caused by ppmd7 operations calling |
|
| 8 |
+rar_br_fillup. This would invoke rar_read_ahead, which would in some |
|
| 9 |
+situations invoke archive_read_format_rar_read_header. That would |
|
| 10 |
+check the new file name against the old file name, and if they didn't |
|
| 11 |
+match up it would free the ppmd7 buffer and allocate a new |
|
| 12 |
+one. However, because the ppmd7 decoder wasn't actually done with the |
|
| 13 |
+buffer, it would continue to used the freed buffer. Both reads and |
|
| 14 |
+writes to the freed region can be observed. |
|
| 15 |
+ |
|
| 16 |
+This is quite tricky to solve: once the buffer has been freed it is |
|
| 17 |
+too late, as the ppmd7 decoder functions almost universally assume |
|
| 18 |
+success - there's no way for ppmd_read to signal error, nor are there |
|
| 19 |
+good ways for functions like Range_Normalise to propagate them. So we |
|
| 20 |
+can't detect after the fact that we're in an invalid state - e.g. by |
|
| 21 |
+checking rar->cursor, we have to prevent ourselves from ever ending up |
|
| 22 |
+there. So, when we are in the dangerous part or rar_read_ahead that |
|
| 23 |
+assumes a valid split, we set a flag force read_header to either go |
|
| 24 |
+down the path for split files or bail. This means that the ppmd7 |
|
| 25 |
+decoder keeps a valid buffer and just runs out of data. |
|
| 26 |
+ |
|
| 27 |
+Found with a combination of AFL, afl-rb and qsym. |
|
| 28 |
+--- |
|
| 29 |
+ libarchive/archive_read_support_format_rar.c | 9 +++++++++ |
|
| 30 |
+ 1 file changed, 9 insertions(+) |
|
| 31 |
+ |
|
| 32 |
+diff --git a/libarchive/archive_read_support_format_rar.c b/libarchive/archive_read_support_format_rar.c |
|
| 33 |
+index 6f419c270..a8cc5c94d 100644 |
|
| 34 |
+--- a/libarchive/archive_read_support_format_rar.c |
|
| 35 |
+@@ -258,6 +258,7 @@ struct rar |
|
| 36 |
+ struct data_block_offsets *dbo; |
|
| 37 |
+ unsigned int cursor; |
|
| 38 |
+ unsigned int nodes; |
|
| 39 |
++ char filename_must_match; |
|
| 40 |
+ |
|
| 41 |
+ /* LZSS members */ |
|
| 42 |
+ struct huffman_code maincode; |
|
| 43 |
+@@ -1560,6 +1561,12 @@ read_header(struct archive_read *a, struct archive_entry *entry, |
|
| 44 |
+ } |
|
| 45 |
+ return ret; |
|
| 46 |
+ } |
|
| 47 |
++ else if (rar->filename_must_match) |
|
| 48 |
++ {
|
|
| 49 |
++ archive_set_error(&a->archive, ARCHIVE_ERRNO_FILE_FORMAT, |
|
| 50 |
++ "Mismatch of file parts split across multi-volume archive"); |
|
| 51 |
++ return (ARCHIVE_FATAL); |
|
| 52 |
++ } |
|
| 53 |
+ |
|
| 54 |
+ rar->filename_save = (char*)realloc(rar->filename_save, |
|
| 55 |
+ filename_size + 1); |
|
| 56 |
+@@ -2933,12 +2940,14 @@ rar_read_ahead(struct archive_read *a, size_t min, ssize_t *avail) |
|
| 57 |
+ else if (*avail == 0 && rar->main_flags & MHD_VOLUME && |
|
| 58 |
+ rar->file_flags & FHD_SPLIT_AFTER) |
|
| 59 |
+ {
|
|
| 60 |
++ rar->filename_must_match = 1; |
|
| 61 |
+ ret = archive_read_format_rar_read_header(a, a->entry); |
|
| 62 |
+ if (ret == (ARCHIVE_EOF)) |
|
| 63 |
+ {
|
|
| 64 |
+ rar->has_endarc_header = 1; |
|
| 65 |
+ ret = archive_read_format_rar_read_header(a, a->entry); |
|
| 66 |
+ } |
|
| 67 |
++ rar->filename_must_match = 0; |
|
| 68 |
+ if (ret != (ARCHIVE_OK)) |
|
| 69 |
+ return NULL; |
|
| 70 |
+ return rar_read_ahead(a, min, avail); |
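Review bot: The new `char filename_must_match` field (patch line 39) has no comment, and its only documentation is the patch description: it is set by `rar_read_ahead` (line 60) just before re-entering `archive_read_format_rar_read_header` for a file flagged `FHD_SPLIT_AFTER`, cleared unconditionally afterwards (line 67), and tested in `read_header` (line 47) to turn a filename mismatch into `ARCHIVE_FATAL` instead of freeing and reallocating the buffer the ppmd7 decoder is still using. I would give the field a comment such as `/* Set only while rar_read_ahead re-enters read_header to fetch the next volume of a split file; read_header must then either continue the same file or fail, never free and replace the decoder's buffer. */`, so the next maintainer does not add a third place that sets it without resetting it. The field's initial value depends on how `struct rar` is allocated, which is not in this hunk; confirm it is zeroed (calloc or explicit initialiser), otherwise the very first `read_header` could fail with the new mismatch error. The `if`/`else if` chain that the new branch at lines 47–52 extends begins outside the hunk, and both `read_header` and `rar_read_ahead` continue past the hunk boundaries.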
| ... | ... |
@@ -1,7 +1,7 @@ |
| 1 | 1 |
Summary: Multi-format archive and compression library |
| 2 | 2 |
Name: libarchive |
| 3 | 3 |
Version: 3.3.3 |
| 4 |
-Release: 1%{?dist}
|
|
| 4 |
+Release: 2%{?dist}
|
|
| 5 | 5 |
License: BSD 2-Clause License |
| 6 | 6 |
URL: http://www.libarchive.org/ |
| 7 | 7 |
Group: System Environment/Development |
| ... | ... |
@@ -9,6 +9,8 @@ Vendor: VMware, Inc. |
| 9 | 9 |
Distribution: Photon |
| 10 | 10 |
Source0: http://www.libarchive.org/downloads/%{name}-%{version}.tar.gz
|
| 11 | 11 |
%define sha1 libarchive=499a8f48a895faff4151d7398b24070d578f0b2e |
| 12 |
+Patch0: libarchive-CVE-2018-1000877.patch |
|
| 13 |
+Patch1: libarchive-CVE-2018-1000878.patch |
|
| 12 | 14 |
BuildRequires: xz-libs |
| 13 | 15 |
BuildRequires: xz-devel |
| 14 | 16 |
Requires: xz-libs |
| ... | ... |
@@ -19,14 +21,16 @@ Multi-format archive and compression library |
| 19 | 19 |
Summary: Header and development files |
| 20 | 20 |
Requires: %{name} = %{version}
|
| 21 | 21 |
%description devel |
| 22 |
-It contains the libraries and header files to create applications |
|
| 22 |
+It contains the libraries and header files to create applications |
|
| 23 | 23 |
|
| 24 | 24 |
%prep |
| 25 | 25 |
%setup -q |
| 26 |
+%patch0 -p1 |
|
| 27 |
+%patch1 -p1 |
|
| 26 | 28 |
|
| 27 | 29 |
%build |
| 28 | 30 |
export CFLAGS="%{optflags}"
|
| 29 |
-./configure --prefix=%{_prefix} --disable-static
|
|
| 31 |
+%configure --disable-static |
|
| 30 | 32 |
|
| 31 | 33 |
make %{?_smp_mflags}
|
| 32 | 34 |
|
| ... | ... |
@@ -54,6 +58,8 @@ make %{?_smp_mflags} check
|
| 54 | 54 |
%{_libdir}/pkgconfig/*.pc
|
| 55 | 55 |
|
| 56 | 56 |
%changelog |
| 57 |
+* Mon Mar 04 2019 Ankit Jain <ankitja@vmware.com> 3.3.3-2 |
|
| 58 |
+- Fix for CVE-2018-1000877 and CVE-2018-1000878 |
|
| 57 | 59 |
* Thu Sep 13 2018 Siju Maliakkal <smaliakkal@vmware.com> 3.3.3-1 |
| 58 | 60 |
- Updated to latest version |
| 59 | 61 |
* Fri Sep 15 2017 Dheeraj Shetty <dheerajs@vmware.com> 3.3.1-2 |
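Review bot: The two new `%patch0 -p1` / `%patch1 -p1` lines in `%prep` have an ordering dependency that the spec does not record: Patch1 was generated on top of Patch0's result (the `index 234522229..6f419c270` line in the first patch and `index 6f419c270..a8cc5c94d` in the second chain the same blob id), so swapping them, or dropping Patch0 in a later rebase, would make Patch1 fail on the unchanged `rar_read_ahead` context. I would note this next to the declarations, e.g. `# Patch1 (CVE-2018-1000878) was generated on top of Patch0 (CVE-2018-1000877); keep this order in %prep.`. The switch from `./configure --prefix=%{_prefix} --disable-static` to `%configure --disable-static` also changes the build flags that are applied (the macro sets its own CFLAGS/LDFLAGS alongside the exported `%{optflags}`), which is presumably intended but is not mentioned in the changelog entry.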