GNU bug report logs - #28374
[PATCH] gnu: libarchive: Replace with libarchive 3.3.2 and fix CVE-2017-14166.

Previous Next

Package: guix-patches;

Reported by: Leo Famulari <leo <at> famulari.name>

Date: Wed, 6 Sep 2017 19:46:01 UTC

Severity: normal

Tags: patch

Done: Leo Famulari <leo <at> famulari.name>

Bug is archived. No further changes may be made.

To add a comment to this bug, you must first unarchive it, by sending
a message to control AT debbugs.gnu.org, with unarchive 28374 in the body.
You can then email your comments to 28374 AT debbugs.gnu.org in the normal way.

Toggle the display of automated, internal messages from the tracker.

View this report as an mbox folder, status mbox, maintainer mbox

Report forwarded to guix-patches <at> gnu.org:
bug#28374; Package guix-patches. (Wed, 06 Sep 2017 19:46:01 GMT) Full text and rfc822 format available.
Acknowledgement sent to Leo Famulari <leo <at> famulari.name>:
New bug report received and forwarded. Copy sent to guix-patches <at> gnu.org. (Wed, 06 Sep 2017 19:46:02 GMT) Full text and rfc822 format available.

Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):

From: Leo Famulari <leo <at> famulari.name>
To: guix-patches <at> gnu.org
Subject: [PATCH] gnu: libarchive: Replace with libarchive 3.3.2 and fix
 CVE-2017-14166.
Date: Wed,  6 Sep 2017 15:44:44 -0400

* gnu/packages/backup.scm (libarchive)[replacement]: New field.
(libarchive-3.3.2): New variable.
* gnu/packages/patches/libarchive-CVE-2017-14166.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.
---
 gnu/local.mk                                       |  1 +
 gnu/packages/backup.scm                            |  9 +++--
 .../patches/libarchive-CVE-2017-14166.patch        | 45 ++++++++++++++++++++++
 3 files changed, 51 insertions(+), 4 deletions(-)
 create mode 100644 gnu/packages/patches/libarchive-CVE-2017-14166.patch

diff --git a/gnu/local.mk b/gnu/local.mk
index a38e4e2d5..60e9ff29f 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -752,6 +752,7 @@ dist_patch_DATA =						\
   %D%/packages/patches/liba52-link-with-libm.patch		\
   %D%/packages/patches/liba52-set-soname.patch			\
   %D%/packages/patches/liba52-use-mtune-not-mcpu.patch		\
+  %D%/packages/patches/libarchive-CVE-2017-14166.patch		\
   %D%/packages/patches/libbase-fix-includes.patch		\
   %D%/packages/patches/libbase-use-own-logging.patch		\
   %D%/packages/patches/libbonobo-activation-test-race.patch	\
diff --git a/gnu/packages/backup.scm b/gnu/packages/backup.scm
index eca69bebe..006d00ef0 100644
--- a/gnu/packages/backup.scm
+++ b/gnu/packages/backup.scm
@@ -184,6 +184,7 @@ backups (called chunks) to allow easy burning to CD/DVD.")
 (define-public libarchive
   (package
     (name "libarchive")
+    (replacement libarchive-3.3.2)
     (version "3.3.1")
     (source
      (origin
@@ -239,19 +240,19 @@ archive.  In particular, note that there is currently no built-in support for
 random access nor for in-place modification.")
     (license license:bsd-2)))
 
-(define libarchive-3.3.1
+(define libarchive-3.3.2
   (package
     (inherit libarchive)
-    (name "libarchive")
-    (version "3.3.1")
+    (version "3.3.2")
     (source
      (origin
        (method url-fetch)
        (uri (string-append "http://libarchive.org/downloads/libarchive-"
                            version ".tar.gz"))
+       (patches (search-patches "libarchive-CVE-2017-14166.patch"))
        (sha256
         (base32
-         "1rr40hxlm9vy5z2zb5w7pyfkgd1a4s061qapm83s19accb8mpji9"))))))
+         "1km0mzfl6in7l5vz9kl09a88ajx562rw93ng9h2jqavrailvsbgd"))))))
 
 (define-public rdup
   (package
diff --git a/gnu/packages/patches/libarchive-CVE-2017-14166.patch b/gnu/packages/patches/libarchive-CVE-2017-14166.patch
new file mode 100644
index 000000000..a12284844
--- /dev/null
+++ b/gnu/packages/patches/libarchive-CVE-2017-14166.patch
@@ -0,0 +1,45 @@
+Fix CVE-2017-14166:
+
+https://github.com/libarchive/libarchive/issues/935
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14166
+
+Patch copied from upstream source repository:
+
+https://github.com/libarchive/libarchive/commit/fa7438a0ff4033e4741c807394a9af6207940d71
+
+From fa7438a0ff4033e4741c807394a9af6207940d71 Mon Sep 17 00:00:00 2001
+From: Joerg Sonnenberger <joerg <at> bec.de>
+Date: Tue, 5 Sep 2017 18:12:19 +0200
+Subject: [PATCH] Do something sensible for empty strings to make fuzzers
+ happy.
+
+---
+ libarchive/archive_read_support_format_xar.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/libarchive/archive_read_support_format_xar.c b/libarchive/archive_read_support_format_xar.c
+index 7a22beb9d..93eeacc5e 100644
+--- a/libarchive/archive_read_support_format_xar.c
++++ b/libarchive/archive_read_support_format_xar.c
+@@ -1040,6 +1040,9 @@ atol10(const char *p, size_t char_cnt)
+ 	uint64_t l;
+ 	int digit;
+ 
++	if (char_cnt == 0)
++		return (0);
++
+ 	l = 0;
+ 	digit = *p - '0';
+ 	while (digit >= 0 && digit < 10  && char_cnt-- > 0) {
+@@ -1054,7 +1057,10 @@ atol8(const char *p, size_t char_cnt)
+ {
+ 	int64_t l;
+ 	int digit;
+-        
++
++	if (char_cnt == 0)
++		return (0);
++
+ 	l = 0;
+ 	while (char_cnt-- > 0) {
+ 		if (*p >= '0' && *p <= '7')
-- 
2.14.1
bug closed, send any further explanations to 28374 <at> debbugs.gnu.org and Leo Famulari <leo <at> famulari.name> Request was from Leo Famulari <leo <at> famulari.name> to control <at> debbugs.gnu.org. (Thu, 07 Sep 2017 18:31:02 GMT) Full text and rfc822 format available.
bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Fri, 06 Oct 2017 11:24:04 GMT) Full text and rfc822 format available.
This bug report was last modified 7 years and 263 days ago.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.