GNU bug report logs - #29793
[PATCH] gnu: libarchive: Fix CVE-2017-14502.

Previous Next

Package: guix-patches;

Reported by: Leo Famulari <leo <at> famulari.name>

Date: Thu, 21 Dec 2017 00:44:02 UTC

Severity: normal

Tags: patch

Done: Leo Famulari <leo <at> famulari.name>

Bug is archived. No further changes may be made.

To add a comment to this bug, you must first unarchive it, by sending
a message to control AT debbugs.gnu.org, with unarchive 29793 in the body.
You can then email your comments to 29793 AT debbugs.gnu.org in the normal way.

Toggle the display of automated, internal messages from the tracker.

View this report as an mbox folder, status mbox, maintainer mbox

Report forwarded to guix-patches <at> gnu.org:
bug#29793; Package guix-patches. (Thu, 21 Dec 2017 00:44:02 GMT) Full text and rfc822 format available.
Acknowledgement sent to Leo Famulari <leo <at> famulari.name>:
New bug report received and forwarded. Copy sent to guix-patches <at> gnu.org. (Thu, 21 Dec 2017 00:44:02 GMT) Full text and rfc822 format available.

Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):

From: Leo Famulari <leo <at> famulari.name>
To: guix-patches <at> gnu.org
Subject: [PATCH] gnu: libarchive: Fix CVE-2017-14502.
Date: Wed, 20 Dec 2017 19:43:18 -0500

* gnu/packages/patches/libarchive-CVE-2017-14502.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.
* gnu/packages/backup.scm (libarchive-3.3.2)[source]: Use it.
---
 gnu/local.mk                                       |  1 +
 gnu/packages/backup.scm                            |  3 +-
 .../patches/libarchive-CVE-2017-14502.patch        | 40 ++++++++++++++++++++++
 3 files changed, 43 insertions(+), 1 deletion(-)
 create mode 100644 gnu/packages/patches/libarchive-CVE-2017-14502.patch

diff --git a/gnu/local.mk b/gnu/local.mk
index efb91fd82..d5cd0b339 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -791,6 +791,7 @@ dist_patch_DATA =						\
   %D%/packages/patches/liba52-set-soname.patch			\
   %D%/packages/patches/liba52-use-mtune-not-mcpu.patch		\
   %D%/packages/patches/libarchive-CVE-2017-14166.patch		\
+  %D%/packages/patches/libarchive-CVE-2017-14502.patch		\
   %D%/packages/patches/libbase-fix-includes.patch		\
   %D%/packages/patches/libbase-use-own-logging.patch		\
   %D%/packages/patches/libbonobo-activation-test-race.patch	\
diff --git a/gnu/packages/backup.scm b/gnu/packages/backup.scm
index e634d6ab9..fab71d055 100644
--- a/gnu/packages/backup.scm
+++ b/gnu/packages/backup.scm
@@ -253,7 +253,8 @@ random access nor for in-place modification.")
        (method url-fetch)
        (uri (string-append "http://libarchive.org/downloads/libarchive-"
                            version ".tar.gz"))
-       (patches (search-patches "libarchive-CVE-2017-14166.patch"))
+       (patches (search-patches "libarchive-CVE-2017-14166.patch"
+                                "libarchive-CVE-2017-14502.patch"))
        (sha256
         (base32
          "1km0mzfl6in7l5vz9kl09a88ajx562rw93ng9h2jqavrailvsbgd"))))))
diff --git a/gnu/packages/patches/libarchive-CVE-2017-14502.patch b/gnu/packages/patches/libarchive-CVE-2017-14502.patch
new file mode 100644
index 000000000..8e0508afb
--- /dev/null
+++ b/gnu/packages/patches/libarchive-CVE-2017-14502.patch
@@ -0,0 +1,40 @@
+Fix CVE-2017-14502:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14502
+https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=573
+
+Patch copied from upstream source repository:
+
+https://github.com/libarchive/libarchive/commit/5562545b5562f6d12a4ef991fae158bf4ccf92b6
+
+From 5562545b5562f6d12a4ef991fae158bf4ccf92b6 Mon Sep 17 00:00:00 2001
+From: Joerg Sonnenberger <joerg <at> bec.de>
+Date: Sat, 9 Sep 2017 17:47:32 +0200
+Subject: [PATCH] Avoid a read off-by-one error for UTF16 names in RAR
+ archives.
+
+Reported-By: OSS-Fuzz issue 573
+---
+ libarchive/archive_read_support_format_rar.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/libarchive/archive_read_support_format_rar.c b/libarchive/archive_read_support_format_rar.c
+index cbb14c32..751de697 100644
+--- a/libarchive/archive_read_support_format_rar.c
++++ b/libarchive/archive_read_support_format_rar.c
+@@ -1496,7 +1496,11 @@ read_header(struct archive_read *a, struct archive_entry *entry,
+         return (ARCHIVE_FATAL);
+       }
+       filename[filename_size++] = '\0';
+-      filename[filename_size++] = '\0';
++      /*
++       * Do not increment filename_size here as the computations below
++       * add the space for the terminating NUL explicitly.
++       */
++      filename[filename_size] = '\0';
+ 
+       /* Decoded unicode form is UTF-16BE, so we have to update a string
+        * conversion object for it. */
+-- 
+2.15.1
+
-- 
2.15.1
Information forwarded to guix-patches <at> gnu.org:
bug#29793; Package guix-patches. (Thu, 21 Dec 2017 10:13:01 GMT) Full text and rfc822 format available.

Message #8 received at 29793 <at> debbugs.gnu.org (full text, mbox):

From: ludo <at> gnu.org (Ludovic Courtès)
To: Leo Famulari <leo <at> famulari.name>
Cc: 29793 <at> debbugs.gnu.org
Subject: Re: [bug#29793] [PATCH] gnu: libarchive: Fix CVE-2017-14502.
Date: Thu, 21 Dec 2017 11:12:23 +0100

Leo Famulari <leo <at> famulari.name> skribis:

> * gnu/packages/patches/libarchive-CVE-2017-14502.patch: New file.
> * gnu/local.mk (dist_patch_DATA): Add it.
> * gnu/packages/backup.scm (libarchive-3.3.2)[source]: Use it.

LGTM, thanks!
bug closed, send any further explanations to 29793 <at> debbugs.gnu.org and Leo Famulari <leo <at> famulari.name> Request was from Leo Famulari <leo <at> famulari.name> to control <at> debbugs.gnu.org. (Thu, 21 Dec 2017 17:31:02 GMT) Full text and rfc822 format available.
bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Fri, 19 Jan 2018 12:24:07 GMT) Full text and rfc822 format available.
This bug report was last modified 7 years and 214 days ago.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.