Commit 20af74aa authored by Petter Reinholdtsen's avatar Petter Reinholdtsen

Added Issue-539-Fix-CVE-2015-8931.patch

Removes a possible integer overflow when opening any mtree file.
parent 27bd1a77
......@@ -14,6 +14,8 @@ libarchive (3.1.2-11+deb8u2) UNRELEASED; urgency=high
* CVE-2015-8930: Added debian/patches/Issue-522-Fix-CVE-2015-8930.patch
to make sure ISO 9660 file systems with a directory loop do not
smash the stack.
* CVE-2015-8931: Added Issue-539-Fix-CVE-2015-8931.patch removing
possible integer overflow issue when opening any mtree file.
* CVE-2015-8934: Added Issue-521-Fix-CVE-2015-8934.patch from
upstream to properly check reading from lzss decompression buffer.
* CVE-2016-4300: Added debian/patches/Issue-718-Fix-CVE-2016-4300.patch
......
Description:
Merged two commits from upstream related to the same issue. The ns=0
change was not mentioned in the commit messages, but seem sensible
enough to keep.
commit b31744df71084a8734f97199e42418f55d08c6c5
Author: Tim Kientzle <kientzle@acm.org>
Date: Sat May 16 12:16:28 2015 -0700
Issue #539: Try a different way to compute max/min time_t values.
commit c0c52e9aaafb0860c4151c5374372051e9354301
Author: Tim Kientzle <kientzle@gmail.com>
Date: Thu Oct 22 21:43:07 2015 -0700
Don't try to be smart about probing the min/max tim_t values.
Just assume that a signed time_t is really a 64-bit or 32-bit integer.
Index: libarchive/libarchive/archive_read_support_format_mtree.c
===================================================================
--- libarchive.orig/libarchive/archive_read_support_format_mtree.c 2016-06-29 11:57:34.022187010 +0200
+++ libarchive/libarchive/archive_read_support_format_mtree.c 2016-06-29 11:57:34.018186975 +0200
@@ -137,16 +137,22 @@
#if defined(TIME_T_MAX)
return TIME_T_MAX;
#else
- static time_t t;
- time_t a;
- if (t == 0) {
- a = 1;
- while (a > t) {
- t = a;
- a = a * 2 + 1;
+ /* ISO C allows time_t to be a floating-point type,
+ but POSIX requires an integer type. The following
+ should work on any system that follows the POSIX
+ conventions. */
+ if (((time_t)0) < ((time_t)-1)) {
+ /* Time_t is unsigned */
+ return (~(time_t)0);
+ } else {
+ /* Time_t is signed. */
+ /* Assume it's the same as int64_t or int32_t */
+ if (sizeof(time_t) == sizeof(int64_t)) {
+ return (time_t)INT64_MAX;
+ } else {
+ return (time_t)INT32_MAX;
}
}
- return t;
#endif
}
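Review bot: The signed branch returns `INT32_MAX` for every `sizeof(time_t)` other than 8, so the "int64_t or int32_t" assumption stated in the comment is never actually checked; the `TIME_T_MIN` fallback in the next hunk has the same shape with `INT32_MIN`. These bounds appear to limit the mtime value parsed from the mtree file in the third hunk, so a wrong bound on an unusual platform would silently weaken that range check. I would make the assumption fail at build time with a C89-compatible size check next to these helpers, e.g. `typedef char mtree_time_t_size_ok[(sizeof(time_t) == 4 || sizeof(time_t) == 8) ? 1 : -1];`. Both functions begin outside their hunks, so the signatures are not visible here.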
@@ -156,20 +162,17 @@
#if defined(TIME_T_MIN)
return TIME_T_MIN;
#else
- /* 't' will hold the minimum value, which will be zero (if
- * time_t is unsigned) or -2^n (if time_t is signed). */
- static int computed;
- static time_t t;
- time_t a;
- if (computed == 0) {
- a = (time_t)-1;
- while (a < t) {
- t = a;
- a = a * 2;
- }
- computed = 1;
+ if (((time_t)0) < ((time_t)-1)) {
+ /* Time_t is unsigned */
+ return (time_t)0;
+ } else {
+ /* Time_t is signed. */
+ if (sizeof(time_t) == sizeof(int64_t)) {
+ return (time_t)INT64_MIN;
+ } else {
+ return (time_t)INT32_MIN;
+ }
}
- return t;
#endif
}
@@ -1455,7 +1458,7 @@
int64_t m;
int64_t my_time_t_max = get_time_t_max();
int64_t my_time_t_min = get_time_t_min();
- long ns;
+ long ns = 0;
*parsed_kws |= MTREE_HAS_MTIME;
m = mtree_atol10(&val);
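Review bot: `int64_t my_time_t_max = get_time_t_max();` cannot represent the `~(time_t)0` that the unsigned branch in the first hunk returns when `time_t` is a 64-bit unsigned type. That conversion is implementation-defined and would typically yield -1, so any later comparison of `m` against it (the rest of this function is outside the hunk) would use a negative upper bound. This predates the patch, but a guard directly after the two assignments would close it: `if (my_time_t_max < 0) my_time_t_max = INT64_MAX;`. The added `long ns = 0;` deserves a one-line comment saying why it is initialized, for instance `/* stays 0 unless a fractional part is parsed */`, if that is indeed the intent, since the patch description notes that upstream did not explain it.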
......@@ -12,6 +12,7 @@ Issue-656-Fix-CVE-2016-1541-VU-862384.patch
Issue-502+503-CVE-2015-8915.patch
Issue-521-Fix-CVE-2015-8934.patch
Issue-522-Fix-CVE-2015-8930.patch
Issue-539-Fix-CVE-2015-8931.patch
Issue-718-Fix-CVE-2016-4300.patch
Issue-719-Fix-CVE-2016-4302.patch
Issue-705-Fix-CVE-2016-4809.patch
......