Commit e7d10095 authored by Andreas Henriksson's avatar Andreas Henriksson

Drop debian/patches/ now part of upstream release:

- Avoid-a-read-off-by-one-error-for-UTF16-names-in-RAR.patch
- Do-something-sensible-for-empty-strings-to-make-fuzz.patch
- Fail-with-negative-lha-compsize-in-lha_read_file_header_1.patch
- Reject-LHA-archive-entries-with-negative-size.patch
- Reread-the-CAB-header-skipping-the-self-extracting-b.patch
- archive_strncat_l-allocate-and-do-not-convert-if-len.patch
- iso9660-validate-directory-record-length.patch

Gbp-Dch: full
parent 3f95a261
From: Joerg Sonnenberger <joerg@bec.de>
Date: Sat, 9 Sep 2017 17:47:32 +0200
Subject: Avoid a read off-by-one error for UTF16 names in RAR archives.
Origin: https://github.com/libarchive/libarchive/commit/5562545b5562f6d12a4ef991fae158bf4ccf92b6
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-14502
Bug-Debian: https://bugs.debian.org/875974
Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=573
Reported-By: OSS-Fuzz issue 573
---
libarchive/archive_read_support_format_rar.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/libarchive/archive_read_support_format_rar.c b/libarchive/archive_read_support_format_rar.c
index cbb14c32..751de697 100644
--- a/libarchive/archive_read_support_format_rar.c
+++ b/libarchive/archive_read_support_format_rar.c
@@ -1496,7 +1496,11 @@ read_header(struct archive_read *a, struct archive_entry *entry,
return (ARCHIVE_FATAL);
}
filename[filename_size++] = '\0';
- filename[filename_size++] = '\0';
+ /*
+ * Do not increment filename_size here as the computations below
+ * add the space for the terminating NUL explicitly.
+ */
+ filename[filename_size] = '\0';
/* Decoded unicode form is UTF-16BE, so we have to update a string
* conversion object for it. */
--
2.11.0
From: Joerg Sonnenberger <joerg@bec.de>
Date: Tue, 5 Sep 2017 18:12:19 +0200
Subject: Do something sensible for empty strings to make fuzzers happy.
Origin: https://github.com/libarchive/libarchive/commit/fa7438a0ff4033e4741c807394a9af6207940d71
Bug-Debian: https://bugs.debian.org/874539
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-14166
Bug: https://github.com/libarchive/libarchive/issues/935
---
libarchive/archive_read_support_format_xar.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/libarchive/archive_read_support_format_xar.c b/libarchive/archive_read_support_format_xar.c
index 7a22beb9..93eeacc5 100644
--- a/libarchive/archive_read_support_format_xar.c
+++ b/libarchive/archive_read_support_format_xar.c
@@ -1040,6 +1040,9 @@ atol10(const char *p, size_t char_cnt)
uint64_t l;
int digit;
+ if (char_cnt == 0)
+ return (0);
+
l = 0;
digit = *p - '0';
while (digit >= 0 && digit < 10 && char_cnt-- > 0) {
@@ -1054,7 +1057,10 @@ atol8(const char *p, size_t char_cnt)
{
int64_t l;
int digit;
-
+
+ if (char_cnt == 0)
+ return (0);
+
l = 0;
while (char_cnt-- > 0) {
if (*p >= '0' && *p <= '7')
--
2.14.1
From: Martin Matuska <martin@matuska.org>
Date: Thu, 19 Jan 2017 22:00:18 +0100
Subject: Fail with negative lha->compsize in lha_read_file_header_1() Fixes a
heap buffer overflow reported in Secunia SA74169
---
libarchive/archive_read_support_format_lha.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/libarchive/archive_read_support_format_lha.c b/libarchive/archive_read_support_format_lha.c
index a7f1d8d9..34b5f8e8 100644
--- a/libarchive/archive_read_support_format_lha.c
+++ b/libarchive/archive_read_support_format_lha.c
@@ -924,6 +924,9 @@ lha_read_file_header_1(struct archive_read *a, struct lha *lha)
/* Get a real compressed file size. */
lha->compsize -= extdsize - 2;
+ if (lha->compsize < 0)
+ goto invalid; /* Invalid compressed file size */
+
if (sum_calculated != headersum) {
archive_set_error(&a->archive, ARCHIVE_ERRNO_MISC,
"LHa header sum error");
From: Joerg Sonnenberger <joerg@bec.de>
Date: Thu, 19 Jul 2018 21:14:53 +0200
Subject: Reject LHA archive entries with negative size.
Origin: https://github.com/libarchive/libarchive/commit/2c8c83b9731ff822fad6cc8c670ea5519c366a14
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-14503
Bug-Debian: https://bugs.debian.org/875960
Bug: https://github.com/libarchive/libarchive/issues/948
---
libarchive/archive_read_support_format_lha.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/libarchive/archive_read_support_format_lha.c b/libarchive/archive_read_support_format_lha.c
index b8ef4ae1..95c99bb1 100644
--- a/libarchive/archive_read_support_format_lha.c
+++ b/libarchive/archive_read_support_format_lha.c
@@ -701,6 +701,12 @@ archive_read_format_lha_read_header(struct archive_read *a,
* Prepare variables used to read a file content.
*/
lha->entry_bytes_remaining = lha->compsize;
+ if (lha->entry_bytes_remaining < 0) {
+ archive_set_error(&a->archive,
+ ARCHIVE_ERRNO_FILE_FORMAT,
+ "Invalid LHa entry size");
+ return (ARCHIVE_FATAL);
+ }
lha->entry_offset = 0;
lha->entry_crc_calculated = 0;
--
2.18.0
From: Joerg Sonnenberger <joerg@bec.de>
Date: Thu, 1 Dec 2016 19:56:43 +0100
Subject: Reread the CAB header skipping the self-extracting binary code.
Origin: https://github.com/libarchive/libarchive/commit/88eb9e1d73fef46f04677c25b1697b8e25777ed3
Bug-Debian: https://bugs.debian.org/861609
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2016-10349
Bug: https://github.com/libarchive/libarchive/issues/834
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2016-10350
Bug: https://github.com/libarchive/libarchive/issues/835
Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15 as found
by the "OSS-Fuzz" project.
---
libarchive/archive_read_support_format_cab.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/libarchive/archive_read_support_format_cab.c b/libarchive/archive_read_support_format_cab.c
index fc70684a..099f4a83 100644
--- a/libarchive/archive_read_support_format_cab.c
+++ b/libarchive/archive_read_support_format_cab.c
@@ -645,12 +645,13 @@ cab_read_header(struct archive_read *a)
cab = (struct cab *)(a->format->data);
if (cab->found_header == 0 &&
p[0] == 'M' && p[1] == 'Z') {
- /* This is an executable? Must be self-extracting... */
+ /* This is an executable? Must be self-extracting... */
err = cab_skip_sfx(a);
if (err < ARCHIVE_WARN)
return (err);
- if ((p = __archive_read_ahead(a, sizeof(*p), NULL)) == NULL)
+ /* Re-read header after processing the SFX. */
+ if ((p = __archive_read_ahead(a, 42, NULL)) == NULL)
return (truncated_error(a));
}
--
2.14.1
From: Martin Matuska <martin@matuska.org>
Date: Mon, 26 Dec 2016 22:23:24 +0100
Subject: archive_strncat_l(): allocate and do not convert if length == 0
Origin: https://github.com/libarchive/libarchive/commit/42a3408ac7df1e69bea9ea12b72e14f59f7400c0
Bug-Debian: https://bugs.debian.org/859456
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2016-10209
Bug: https://github.com/libarchive/libarchive/issues/842
This ensures e.g. that archive_mstring_copy_mbs_len_l() does not set
aes_set = AES_SET_MBS with aes_mbs.s == NULL.
Resolves possible null-pointer dereference reported by OSS-Fuzz.
Reported-By: OSS-Fuzz issue 286
---
libarchive/archive_string.c | 16 +++++++++-------
1 file changed, 9 insertions(+), 7 deletions(-)
diff --git a/libarchive/archive_string.c b/libarchive/archive_string.c
index 645570b2..bbb1e458 100644
--- a/libarchive/archive_string.c
+++ b/libarchive/archive_string.c
@@ -1939,12 +1939,19 @@ archive_strncat_l(struct archive_string *as, const void *_p, size_t n,
struct archive_string_conv *sc)
{
const void *s;
- size_t length;
+ size_t length = 0;
int i, r = 0, r2;
+ if (_p != NULL && n > 0) {
+ if (sc != NULL && (sc->flag & SCONV_FROM_UTF16))
+ length = utf16nbytes(_p, n);
+ else
+ length = mbsnbytes(_p, n);
+ }
+
/* We must allocate memory even if there is no data for conversion
* or copy. This simulates archive_string_append behavior. */
- if (_p == NULL || n == 0) {
+ if (length == 0) {
int tn = 1;
if (sc != NULL && (sc->flag & SCONV_TO_UTF16))
tn = 2;
@@ -1960,16 +1967,11 @@ archive_strncat_l(struct archive_string *as, const void *_p, size_t n,
* If sc is NULL, we just make a copy.
*/
if (sc == NULL) {
- length = mbsnbytes(_p, n);
if (archive_string_append(as, _p, length) == NULL)
return (-1);/* No memory */
return (0);
}
- if (sc->flag & SCONV_FROM_UTF16)
- length = utf16nbytes(_p, n);
- else
- length = mbsnbytes(_p, n);
s = _p;
i = 0;
if (sc->nconverter > 1) {
--
2.14.1
From: John Starks <jostarks@microsoft.com>
Date: Wed, 25 Jul 2018 12:16:34 -0700
Subject: iso9660: validate directory record length
Origin: https://github.com/libarchive/libarchive/commit/f9569c086ff29259c73790db9cbf39fe8fb9d862
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-14501
Bug-Debian: https://bugs.debian.org/875966
Bug: https://github.com/libarchive/libarchive/issues/949
---
.../archive_read_support_format_iso9660.c | 17 +++++++++++------
1 file changed, 11 insertions(+), 6 deletions(-)
diff --git a/libarchive/archive_read_support_format_iso9660.c b/libarchive/archive_read_support_format_iso9660.c
index f01d37bf..089bb723 100644
--- a/libarchive/archive_read_support_format_iso9660.c
+++ b/libarchive/archive_read_support_format_iso9660.c
@@ -409,7 +409,8 @@ static int next_entry_seek(struct archive_read *, struct iso9660 *,
struct file_info **);
static struct file_info *
parse_file_info(struct archive_read *a,
- struct file_info *parent, const unsigned char *isodirrec);
+ struct file_info *parent, const unsigned char *isodirrec,
+ size_t reclen);
static int parse_rockridge(struct archive_read *a,
struct file_info *file, const unsigned char *start,
const unsigned char *end);
@@ -1022,7 +1023,7 @@ read_children(struct archive_read *a, struct file_info *parent)
if (*(p + DR_name_len_offset) == 1
&& *(p + DR_name_offset) == '\001')
continue;
- child = parse_file_info(a, parent, p);
+ child = parse_file_info(a, parent, p, b - p);
if (child == NULL) {
__archive_read_consume(a, skip_size);
return (ARCHIVE_FATAL);
@@ -1112,7 +1113,7 @@ choose_volume(struct archive_read *a, struct iso9660 *iso9660)
*/
seenJoliet = iso9660->seenJoliet;/* Save flag. */
iso9660->seenJoliet = 0;
- file = parse_file_info(a, NULL, block);
+ file = parse_file_info(a, NULL, block, vd->size);
if (file == NULL)
return (ARCHIVE_FATAL);
iso9660->seenJoliet = seenJoliet;
@@ -1144,7 +1145,7 @@ choose_volume(struct archive_read *a, struct iso9660 *iso9660)
return (ARCHIVE_FATAL);
}
iso9660->seenJoliet = 0;
- file = parse_file_info(a, NULL, block);
+ file = parse_file_info(a, NULL, block, vd->size);
if (file == NULL)
return (ARCHIVE_FATAL);
iso9660->seenJoliet = seenJoliet;
@@ -1749,7 +1750,7 @@ archive_read_format_iso9660_cleanup(struct archive_read *a)
*/
static struct file_info *
parse_file_info(struct archive_read *a, struct file_info *parent,
- const unsigned char *isodirrec)
+ const unsigned char *isodirrec, size_t reclen)
{
struct iso9660 *iso9660;
struct file_info *file, *filep;
@@ -1763,7 +1764,11 @@ parse_file_info(struct archive_read *a, struct file_info *parent,
iso9660 = (struct iso9660 *)(a->format->data);
- dr_len = (size_t)isodirrec[DR_length_offset];
+ if (reclen == 0 || reclen < (dr_len = (size_t)isodirrec[DR_length_offset])) {
+ archive_set_error(&a->archive, ARCHIVE_ERRNO_MISC,
+ "Invalid directory record length");
+ return (NULL);
+ }
name_len = (size_t)isodirrec[DR_name_len_offset];
location = archive_le32dec(isodirrec + DR_extent_offset);
fsize = toi(isodirrec + DR_size_offset, DR_size_size);
--
2.18.0
Fail-with-negative-lha-compsize-in-lha_read_file_header_1.patch
archive_strncat_l-allocate-and-do-not-convert-if-len.patch
Reread-the-CAB-header-skipping-the-self-extracting-b.patch
Do-something-sensible-for-empty-strings-to-make-fuzz.patch
Reject-LHA-archive-entries-with-negative-size.patch
Avoid-a-read-off-by-one-error-for-UTF16-names-in-RAR.patch
iso9660-validate-directory-record-length.patch
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment