mirror of
https://git.in.rschanz.org/ryan77627/guix.git
synced 2024-12-24 21:38:07 -05:00
gnu: libarchive: Apply fixes including for CVE-2013-0211.
* gnu/packages/patches/libarchive-CVE-2013-0211.patch, gnu/packages/patches/libarchive-fix-lzo-test-case.patch, gnu/packages/patches/libarchive-mtree-filename-length-fix.patch: New files. * gnu-system.am (dist_patch_DATA): Add them. * gnu/packages/backup.scm (libarchive)[source]: Add patches.
This commit is contained in:
parent
36ae58488b
commit
1b7d5242c3
5 changed files with 130 additions and 1 deletions
|
@ -359,6 +359,9 @@ dist_patch_DATA = \
|
||||||
gnu/packages/patches/inkscape-stray-comma.patch \
|
gnu/packages/patches/inkscape-stray-comma.patch \
|
||||||
gnu/packages/patches/jbig2dec-ignore-testtest.patch \
|
gnu/packages/patches/jbig2dec-ignore-testtest.patch \
|
||||||
gnu/packages/patches/kmod-module-directory.patch \
|
gnu/packages/patches/kmod-module-directory.patch \
|
||||||
|
gnu/packages/patches/libarchive-CVE-2013-0211.patch \
|
||||||
|
gnu/packages/patches/libarchive-fix-lzo-test-case.patch \
|
||||||
|
gnu/packages/patches/libarchive-mtree-filename-length-fix.patch \
|
||||||
gnu/packages/patches/libbonobo-activation-test-race.patch \
|
gnu/packages/patches/libbonobo-activation-test-race.patch \
|
||||||
gnu/packages/patches/libevent-dns-tests.patch \
|
gnu/packages/patches/libevent-dns-tests.patch \
|
||||||
gnu/packages/patches/liboop-mips64-deplibs-fix.patch \
|
gnu/packages/patches/liboop-mips64-deplibs-fix.patch \
|
||||||
|
|
|
@ -138,7 +138,11 @@ (define-public libarchive
|
||||||
version ".tar.gz"))
|
version ".tar.gz"))
|
||||||
(sha256
|
(sha256
|
||||||
(base32
|
(base32
|
||||||
"0pixqnrcf35dnqgv0lp7qlcw7k13620qkhgxr288v7p4iz6ym1zb"))))
|
"0pixqnrcf35dnqgv0lp7qlcw7k13620qkhgxr288v7p4iz6ym1zb"))
|
||||||
|
(patches
|
||||||
|
(list (search-patch "libarchive-mtree-filename-length-fix.patch")
|
||||||
|
(search-patch "libarchive-fix-lzo-test-case.patch")
|
||||||
|
(search-patch "libarchive-CVE-2013-0211.patch")))))
|
||||||
(build-system gnu-build-system)
|
(build-system gnu-build-system)
|
||||||
(inputs
|
(inputs
|
||||||
`(("zlib" ,zlib)
|
`(("zlib" ,zlib)
|
||||||
|
|
21
gnu/packages/patches/libarchive-CVE-2013-0211.patch
Normal file
21
gnu/packages/patches/libarchive-CVE-2013-0211.patch
Normal file
|
@ -0,0 +1,21 @@
|
||||||
|
Description: Fix CVE-2013-0211: read buffer overflow on 64-bit systems
|
||||||
|
Origin: upstream
|
||||||
|
Bug-Debian: http://bugs.debian.org/703957
|
||||||
|
Forwarded: not-needed
|
||||||
|
|
||||||
|
--- libarchive-3.0.4.orig/libarchive/archive_write.c
|
||||||
|
+++ libarchive-3.0.4/libarchive/archive_write.c
|
||||||
|
@@ -665,8 +665,13 @@ static ssize_t
|
||||||
|
_archive_write_data(struct archive *_a, const void *buff, size_t s)
|
||||||
|
{
|
||||||
|
struct archive_write *a = (struct archive_write *)_a;
|
||||||
|
+ const size_t max_write = INT_MAX;
|
||||||
|
+
|
||||||
|
archive_check_magic(&a->archive, ARCHIVE_WRITE_MAGIC,
|
||||||
|
ARCHIVE_STATE_DATA, "archive_write_data");
|
||||||
|
+ /* In particular, this catches attempts to pass negative values. */
|
||||||
|
+ if (s > max_write)
|
||||||
|
+ s = max_write;
|
||||||
|
archive_clear_error(&a->archive);
|
||||||
|
return ((a->format_write_data)(a, buff, s));
|
||||||
|
}
|
83
gnu/packages/patches/libarchive-fix-lzo-test-case.patch
Normal file
83
gnu/packages/patches/libarchive-fix-lzo-test-case.patch
Normal file
|
@ -0,0 +1,83 @@
|
||||||
|
Description: This patch fixes test cases for LZO write support in various
|
||||||
|
architectures, such as armhf. Writing a certain amount of files would
|
||||||
|
cause the LZO compressor level 9 to produce a bigger archive than the
|
||||||
|
default compressor level.
|
||||||
|
Author: Andres Mejia <amejia@debian.org>
|
||||||
|
|
||||||
|
--- a/libarchive/test/test_write_filter_lzop.c
|
||||||
|
+++ b/libarchive/test/test_write_filter_lzop.c
|
||||||
|
@@ -39,7 +39,7 @@
|
||||||
|
size_t buffsize, datasize;
|
||||||
|
char path[16];
|
||||||
|
size_t used1, used2;
|
||||||
|
- int i, r, use_prog = 0;
|
||||||
|
+ int i, r, use_prog = 0, filecount;
|
||||||
|
|
||||||
|
assert((a = archive_write_new()) != NULL);
|
||||||
|
r = archive_write_add_filter_lzop(a);
|
||||||
|
@@ -58,9 +58,10 @@
|
||||||
|
|
||||||
|
datasize = 10000;
|
||||||
|
assert(NULL != (data = (char *)calloc(1, datasize)));
|
||||||
|
+ filecount = 10;
|
||||||
|
|
||||||
|
/*
|
||||||
|
- * Write a 100 files and read them all back.
|
||||||
|
+ * Write a filecount files and read them all back.
|
||||||
|
*/
|
||||||
|
assert((a = archive_write_new()) != NULL);
|
||||||
|
assertEqualIntA(a, ARCHIVE_OK, archive_write_set_format_ustar(a));
|
||||||
|
@@ -77,7 +78,7 @@
|
||||||
|
assert((ae = archive_entry_new()) != NULL);
|
||||||
|
archive_entry_set_filetype(ae, AE_IFREG);
|
||||||
|
archive_entry_set_size(ae, datasize);
|
||||||
|
- for (i = 0; i < 100; i++) {
|
||||||
|
+ for (i = 0; i < filecount; i++) {
|
||||||
|
sprintf(path, "file%03d", i);
|
||||||
|
archive_entry_copy_pathname(ae, path);
|
||||||
|
assertEqualIntA(a, ARCHIVE_OK, archive_write_header(a, ae));
|
||||||
|
@@ -97,7 +98,7 @@
|
||||||
|
} else {
|
||||||
|
assertEqualIntA(a, ARCHIVE_OK,
|
||||||
|
archive_read_open_memory(a, buff, used1));
|
||||||
|
- for (i = 0; i < 100; i++) {
|
||||||
|
+ for (i = 0; i < filecount; i++) {
|
||||||
|
sprintf(path, "file%03d", i);
|
||||||
|
if (!assertEqualInt(ARCHIVE_OK,
|
||||||
|
archive_read_next_header(a, &ae)))
|
||||||
|
@@ -133,7 +134,7 @@
|
||||||
|
archive_write_set_options(a, "lzop:compression-level=9"));
|
||||||
|
assertEqualIntA(a, ARCHIVE_OK,
|
||||||
|
archive_write_open_memory(a, buff, buffsize, &used2));
|
||||||
|
- for (i = 0; i < 100; i++) {
|
||||||
|
+ for (i = 0; i < filecount; i++) {
|
||||||
|
sprintf(path, "file%03d", i);
|
||||||
|
assert((ae = archive_entry_new()) != NULL);
|
||||||
|
archive_entry_copy_pathname(ae, path);
|
||||||
|
@@ -161,7 +162,7 @@
|
||||||
|
archive_read_support_filter_all(a));
|
||||||
|
assertEqualIntA(a, ARCHIVE_OK,
|
||||||
|
archive_read_open_memory(a, buff, used2));
|
||||||
|
- for (i = 0; i < 100; i++) {
|
||||||
|
+ for (i = 0; i < filecount; i++) {
|
||||||
|
sprintf(path, "file%03d", i);
|
||||||
|
if (!assertEqualInt(ARCHIVE_OK,
|
||||||
|
archive_read_next_header(a, &ae)))
|
||||||
|
@@ -186,7 +187,7 @@
|
||||||
|
archive_write_set_filter_option(a, NULL, "compression-level", "1"));
|
||||||
|
assertEqualIntA(a, ARCHIVE_OK,
|
||||||
|
archive_write_open_memory(a, buff, buffsize, &used2));
|
||||||
|
- for (i = 0; i < 100; i++) {
|
||||||
|
+ for (i = 0; i < filecount; i++) {
|
||||||
|
sprintf(path, "file%03d", i);
|
||||||
|
assert((ae = archive_entry_new()) != NULL);
|
||||||
|
archive_entry_copy_pathname(ae, path);
|
||||||
|
@@ -216,7 +217,7 @@
|
||||||
|
} else {
|
||||||
|
assertEqualIntA(a, ARCHIVE_OK,
|
||||||
|
archive_read_open_memory(a, buff, used2));
|
||||||
|
- for (i = 0; i < 100; i++) {
|
||||||
|
+ for (i = 0; i < filecount; i++) {
|
||||||
|
sprintf(path, "file%03d", i);
|
||||||
|
if (!assertEqualInt(ARCHIVE_OK,
|
||||||
|
archive_read_next_header(a, &ae)))
|
|
@ -0,0 +1,18 @@
|
||||||
|
Description: Patch to fix filename length calculation when writing mtree archives.
|
||||||
|
Author: Dave Reisner <dreisner@archlinux.org>
|
||||||
|
Origin: upstream
|
||||||
|
|
||||||
|
--- a/libarchive/archive_write_set_format_mtree.c
|
||||||
|
+++ b/libarchive/archive_write_set_format_mtree.c
|
||||||
|
@@ -1855,9 +1855,9 @@
|
||||||
|
return (ret);
|
||||||
|
}
|
||||||
|
|
||||||
|
- /* Make a basename from dirname and slash */
|
||||||
|
+ /* Make a basename from file->parentdir.s and slash */
|
||||||
|
*slash = '\0';
|
||||||
|
- file->parentdir.length = slash - dirname;
|
||||||
|
+ file->parentdir.length = slash - file->parentdir.s;
|
||||||
|
archive_strcpy(&(file->basename), slash + 1);
|
||||||
|
return (ret);
|
||||||
|
}
|
Loading…
Reference in a new issue