
Add patch for libarchive CVE-2016-6250

Change-Id: I22592ddf68af869f2f575cf1ce3a09a61ec31051
Reviewed-on: http://photon-jenkins.eng.vmware.com:8082/1446
Tested-by: gerrit-photon <photon-checkins@vmware.com>
Reviewed-by: Vinay Kulkarni <kulkarniv@vmware.com>
(cherry picked from commit aaaecaa2c7f375a8aeadcd5db12748ec96dd53c4)
Reviewed-on: http://photon-jenkins.eng.vmware.com:8082/1450

suezzelur authored on 2016/09/23 07:15:19
Showing 2 changed files
1 1
new file mode 100644
... ...
@@ -0,0 +1,81 @@
0
+From 3014e19820ea53c15c90f9d447ca3e668a0b76c6 Mon Sep 17 00:00:00 2001
1
+From: Tim Kientzle <kientzle@acm.org>
2
+Date: Sat, 28 May 2016 11:50:39 -0700
3
+Subject: [PATCH] Issue 711:  Be more careful about verifying filename lengths
4
+ when writing ISO9660 archives
5
+
6
+* Don't cast size_t to int, since this can lead to overflow
7
+  on machines where sizeof(int) < sizeof(size_t)
8
+* Check a + b > limit by writing it as
9
+    a > limit || b > limit || a + b > limit
10
+  to avoid problems when a + b wraps around.
11
+---
12
+ libarchive/archive_write_set_format_iso9660.c | 18 ++++++++++--------
13
+ 1 file changed, 10 insertions(+), 8 deletions(-)
14
+
15
+diff --git a/libarchive/archive_write_set_format_iso9660.c b/libarchive/archive_write_set_format_iso9660.c
16
+index 4d832fb..cb3e54e 100644
17
+--- a/libarchive/archive_write_set_format_iso9660.c
18
+@@ -6225,7 +6225,7 @@ isoent_gen_joliet_identifier(struct archive_write *a, struct isoent *isoent,
19
+ 	unsigned char *p;
20
+ 	size_t l;
21
+ 	int r;
22
+-	int ffmax, parent_len;
23
++	size_t ffmax, parent_len;
24
+ 	static const struct archive_rb_tree_ops rb_ops = {
25
+ 		isoent_cmp_node_joliet, isoent_cmp_key_joliet
26
+ 	};
27
+@@ -6239,7 +6239,7 @@ isoent_gen_joliet_identifier(struct archive_write *a, struct isoent *isoent,
28
+ 	else
29
+ 		ffmax = 128;
30
+ 
31
+-	r = idr_start(a, idr, isoent->children.cnt, ffmax, 6, 2, &rb_ops);
32
++	r = idr_start(a, idr, isoent->children.cnt, (int)ffmax, 6, 2, &rb_ops);
33
+ 	if (r < 0)
34
+ 		return (r);
35
+ 
36
+@@ -6252,7 +6252,7 @@ isoent_gen_joliet_identifier(struct archive_write *a, struct isoent *isoent,
37
+ 		int ext_off, noff, weight;
38
+ 		size_t lt;
39
+ 
40
+-		if ((int)(l = np->file->basename_utf16.length) > ffmax)
41
++		if ((l = np->file->basename_utf16.length) > ffmax)
42
+ 			l = ffmax;
43
+ 
44
+ 		p = malloc((l+1)*2);
45
+@@ -6285,7 +6285,7 @@ isoent_gen_joliet_identifier(struct archive_write *a, struct isoent *isoent,
46
+ 		/*
47
+ 		 * Get a length of MBS of a full-pathname.
48
+ 		 */
49
+-		if ((int)np->file->basename_utf16.length > ffmax) {
50
++		if (np->file->basename_utf16.length > ffmax) {
51
+ 			if (archive_strncpy_l(&iso9660->mbs,
52
+ 			    (const char *)np->identifier, l,
53
+ 				iso9660->sconv_from_utf16be) != 0 &&
54
+@@ -6302,7 +6302,9 @@ isoent_gen_joliet_identifier(struct archive_write *a, struct isoent *isoent,
55
+ 
56
+ 		/* If a length of full-pathname is longer than 240 bytes,
57
+ 		 * it violates Joliet extensions regulation. */
58
+-		if (parent_len + np->mb_len > 240) {
59
++		if (parent_len > 240
60
++		    || np->mb_len > 240
61
++		    || parent_len + np->mb_len > 240) {
62
+ 			archive_set_error(&a->archive, ARCHIVE_ERRNO_MISC,
63
+ 			    "The regulation of Joliet extensions;"
64
+ 			    " A length of a full-pathname of `%s' is "
65
+@@ -6314,11 +6316,11 @@ isoent_gen_joliet_identifier(struct archive_write *a, struct isoent *isoent,
66
+ 
67
+ 		/* Make an offset of the number which is used to be set
68
+ 		 * hexadecimal number to avoid duplicate identifier. */
69
+-		if ((int)l == ffmax)
70
++		if (l == ffmax)
71
+ 			noff = ext_off - 6;
72
+-		else if ((int)l == ffmax-2)
73
++		else if (l == ffmax-2)
74
+ 			noff = ext_off - 4;
75
+-		else if ((int)l == ffmax-4)
76
++		else if (l == ffmax-4)
77
+ 			noff = ext_off - 2;
78
+ 		else
79
+ 			noff = ext_off;
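Review bot: In the embedded hunk at -6302, the added clause `np->mb_len > 240` closes the wrap-around only if `np->mb_len` can never be negative. Its declaration and the statements that assign it are outside these hunks, so that needs confirming against the full source. If it is a signed `int` filled from a `size_t` length (the cast pattern this patch removes elsewhere), a negative value passes that clause, is converted to a very large `size_t` in `parent_len + np->mb_len`, and the sum can wrap back below 240. A form that does not depend on the field's signedness is `if (np->mb_len < 0 || parent_len > 240 || (size_t)np->mb_len > 240 - parent_len) {`. The accumulation of `parent_len` is not shown either and deserves the same check, since the body of isoent_gen_joliet_identifier extends beyond every hunk here.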
... ...
@@ -1,7 +1,7 @@
1 1
 Summary:    Multi-format archive and compression library
2 2
 Name:       libarchive
3 3
 Version:    3.1.2
4
-Release:    6%{?dist}
4
+Release:    7%{?dist}
5 5
 License:    BSD 2-Clause License
6 6
 URL:        http://www.libarchive.org/
7 7
 Group:      System Environment/Development
... ...
@@ -11,6 +11,7 @@ Source0:    http://www.libarchive.org/downloads/%{name}-%{version}.tar.gz
11 11
 %define sha1 libarchive=6a991777ecb0f890be931cec4aec856d1a195489
12 12
 Patch0: libarchive-CVE-2013-0211.patch
13 13
 Patch1:	0001-Add-ARCHIVE_EXTRACT_SECURE_NOABSOLUTEPATHS-option.patch
14
+Patch2: libarchive-CVE-2016-6250.patch
14 15
 
15 16
 %description
16 17
 Multi-format archive and compression library
... ...
@@ -25,6 +26,7 @@ It contains the libraries and header files to create applications
25 25
 %setup -q
26 26
 %patch0 -p1
27 27
 %patch1 -p1
28
+%patch2 -p1
28 29
 
29 30
 %build
30 31
 export CFLAGS="%{optflags}"
... ...
@@ -54,8 +56,10 @@ find %{buildroot}%{_libdir} -name '*.la' -delete
54 54
 %{_libdir}/pkgconfig/*.pc
55 55
 
56 56
 %changelog
57
-*	Tue May 24 2016 Priyesh Padmavilasom <ppadmavilasom@vmware.com> 3.1.2-6
58
--	GA - Bump release of all rpms
57
+*   Thu Sep 22 2016 Anish Swaminathan <anishs@vmware.com> 3.1.2-7
58
+-   Adding patch for security fix CVE-2016-6250
59
+*   Tue May 24 2016 Priyesh Padmavilasom <ppadmavilasom@vmware.com> 3.1.2-6
60
+-   GA - Bump release of all rpms
59 61
 *   Mon Oct 12 2015 Xiaolin Li <xiaolinl@vmware.com> 3.1.2-5
60 62
 -   Moving static lib files to devel package.
61 63
 *   Fri Oct 9 2015 Xiaolin Li <xiaolinl@vmware.com> 3.1.2-4