Subject: Status: [PATCH] gnu: libarchive: Fix CVE-2017-14502.
From: bug#29793 <29793@debbugs.gnu.org>
To: bug#29793 <29793@debbugs.gnu.org>
Date: Thu, 21 Aug 2025 19:11:04 +0000

retitle 29793 [PATCH] gnu: libarchive: Fix CVE-2017-14502.
reassign 29793 guix-patches
submitter 29793 Leo Famulari
severity 29793 normal
tag 29793 patch
thanks
From: Leo Famulari
To: guix-patches@gnu.org
Subject: [PATCH] gnu: libarchive: Fix CVE-2017-14502.
Date: Wed, 20 Dec 2017 19:43:18 -0500
X-Mailer: git-send-email 2.15.1

* gnu/packages/patches/libarchive-CVE-2017-14502.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.
* gnu/packages/backup.scm (libarchive-3.3.2)[source]: Use it.
---
 gnu/local.mk | 1 +
 gnu/packages/backup.scm | 3 +-
 .../patches/libarchive-CVE-2017-14502.patch | 40 ++++++++++++++++++++++
 3 files changed, 43 insertions(+), 1 deletion(-)
 create mode 100644 gnu/packages/patches/libarchive-CVE-2017-14502.patch

diff --git a/gnu/local.mk b/gnu/local.mk index efb91fd82..d5cd0b339 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -791,6 +791,7 @@ dist_patch_DATA = \ %D%/packages/patches/liba52-set-soname.patch \ %D%/packages/patches/liba52-use-mtune-not-mcpu.patch \ %D%/packages/patches/libarchive-CVE-2017-14166.patch \ + %D%/packages/patches/libarchive-CVE-2017-14502.patch \ %D%/packages/patches/libbase-fix-includes.patch \ %D%/packages/patches/libbase-use-own-logging.patch \ %D%/packages/patches/libbonobo-activation-test-race.patch \
diff --git a/gnu/packages/backup.scm b/gnu/packages/backup.scm index e634d6ab9..fab71d055 100644 --- a/gnu/packages/backup.scm +++ b/gnu/packages/backup.scm 
@@ -253,7 +253,8 @@ random access nor for in-place modification.") (method url-fetch) (uri (string-append "http://libarchive.org/downloads/libarchive-" version ".tar.gz")) - (patches (search-patches "libarchive-CVE-2017-14166.patch")) + (patches (search-patches "libarchive-CVE-2017-14166.patch" + "libarchive-CVE-2017-14502.patch")) (sha256 (base32 "1km0mzfl6in7l5vz9kl09a88ajx562rw93ng9h2jqavrailvsbgd")))))) diff --git a/gnu/packages/patches/libarchive-CVE-2017-14502.patch b/gnu/packages/patches/libarchive-CVE-2017-14502.patch new file mode 100644 index 000000000..8e0508afb --- /dev/null +++ b/gnu/packages/patches/libarchive-CVE-2017-14502.patch 
@@ -0,0 +1,40 @@ +Fix CVE-2017-14502: + +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14502 +https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=573 + +Patch copied from upstream source repository: + +https://github.com/libarchive/libarchive/commit/5562545b5562f6d12a4ef991fae158bf4ccf92b6 + +From 5562545b5562f6d12a4ef991fae158bf4ccf92b6 Mon Sep 17 00:00:00 2001 +From: Joerg Sonnenberger +Date: Sat, 9 Sep 2017 17:47:32 +0200 +Subject: [PATCH] Avoid a read off-by-one error for UTF16 names in RAR + archives. + +Reported-By: OSS-Fuzz issue 573 +--- + libarchive/archive_read_support_format_rar.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/libarchive/archive_read_support_format_rar.c b/libarchive/archive_read_support_format_rar.c +index cbb14c32..751de697 100644 +--- a/libarchive/archive_read_support_format_rar.c ++++ b/libarchive/archive_read_support_format_rar.c +@@ -1496,7 +1496,11 @@ read_header(struct archive_read *a, struct archive_entry *entry, + return (ARCHIVE_FATAL); + } + filename[filename_size++] = '\0'; +- filename[filename_size++] = '\0'; ++ /* ++ * Do not increment filename_size here as the computations below ++ * add the space for the terminating NUL explicitly. ++ */ ++ filename[filename_size] = '\0'; + + /* Decoded unicode form is UTF-16BE, so we have to update a string + * conversion object for it. 
*/ +-- +2.15.1 + -- 2.15.1
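Review bot: the backup.scm hunk changes only the `(patches ...)` list of the `libarchive-3.3.2` variant named in the commit message, and the `sha256` line that follows it stays `1km0mzfl6in7l5vz9kl09a88ajx562rw93ng9h2jqavrailvsbgd`; that is expected, because the hash covers the downloaded tarball and entries in `patches` are applied afterwards, but the patched source derivation still changes, so confirm that the base `libarchive` package actually resolves to this variant (for example through a `replacement` field) before merging, otherwise users of `libarchive` never receive the fix. Also check that `libarchive-CVE-2017-14166.patch` and the new `libarchive-CVE-2017-14502.patch` still apply cleanly in that order on the 3.3.2 tarball.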
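Review bot: the archive_read_support_format_rar.c hunk is correct only if every later use of `filename_size` adds its own space for the terminator, which is exactly what the new comment asserts but which the hunk does not show; before merging, read the lines that follow the trailing context (the UTF-16BE string-conversion setup) in the 3.3.2 sources and confirm they do so. After the change `filename_size` still counts the first NUL written by `filename[filename_size++] = '\0';` but no longer the second, which is still stored in-bounds at `filename[filename_size]`, so the net effect is that the size passed downstream is one byte smaller; any consumer that relied on the old double count would now be short by one byte instead of reading one byte past. The Guix patch header cites the upstream commit (5562545b5562f6d12a4ef991fae158bf4ccf92b6) and OSS-Fuzz issue 573, which gives the provenance a reader needs, but the upstream message says nothing about the non-UTF-16 filename path, so it is worth stating in the header or checking on the list that the plain (non-"UTF16") branch in `read_header` is unaffected.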
From: ludo@gnu.org (Ludovic Courtès)
To: Leo Famulari
Cc: 29793@debbugs.gnu.org
Subject: Re: [bug#29793] [PATCH] gnu: libarchive: Fix CVE-2017-14502.
Date: Thu, 21 Dec 2017 11:12:23 +0100
In-Reply-To: (Leo Famulari's message of "Wed, 20 Dec 2017 19:43:18 -0500")
Message-ID: <87h8sk8k54.fsf@gnu.org>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/25.3 (gnu/linux)

Leo Famulari wrote:

> * gnu/packages/patches/libarchive-CVE-2017-14502.patch: New file.
> * gnu/local.mk (dist_patch_DATA): Add it.
> * gnu/packages/backup.scm (libarchive-3.3.2)[source]: Use it.

LGTM, thanks!
From: Leo Famulari
To: control@debbugs.gnu.org
Date: Thu, 21 Dec 2017 12:30:51 -0500
Message-ID: <20171221173051.GA2978@jasmine.lan>
User-Agent: Mutt/1.9.2 (2017-12-15)

close 29793

From: Debbugs Internal Request
To: internal_control@debbugs.gnu.org
Subject: Internal Control
Date: Fri, 19 Jan 2018 12:24:07 +0000

bug archived.