From 2a0e3d163581f053138508b0d40a28e07dc37923 Mon Sep 17 00:00:00 2001 From: Leo Famulari Date: Wed, 20 Dec 2017 19:39:59 -0500 Subject: [PATCH] gnu: libarchive: Fix CVE-2017-14502. * gnu/packages/patches/libarchive-CVE-2017-14502.patch: New file. * gnu/local.mk (dist_patch_DATA): Add it. * gnu/packages/backup.scm (libarchive-3.3.2)[source]: Use it. --- gnu/local.mk | 1 + gnu/packages/backup.scm | 3 +- .../patches/libarchive-CVE-2017-14502.patch | 40 +++++++++++++++++++ 3 files changed, 43 insertions(+), 1 deletion(-) create mode 100644 gnu/packages/patches/libarchive-CVE-2017-14502.patch diff --git a/gnu/local.mk b/gnu/local.mk index dcb08c1caa..32f24ab3b1 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -791,6 +791,7 @@ dist_patch_DATA = \ %D%/packages/patches/liba52-set-soname.patch \ %D%/packages/patches/liba52-use-mtune-not-mcpu.patch \ %D%/packages/patches/libarchive-CVE-2017-14166.patch \ + %D%/packages/patches/libarchive-CVE-2017-14502.patch \ %D%/packages/patches/libbase-fix-includes.patch \ %D%/packages/patches/libbase-use-own-logging.patch \ %D%/packages/patches/libbonobo-activation-test-race.patch \ diff --git a/gnu/packages/backup.scm b/gnu/packages/backup.scm index e634d6ab96..fab71d055a 100644 --- a/gnu/packages/backup.scm +++ b/gnu/packages/backup.scm @@ -253,7 +253,8 @@ (define libarchive-3.3.2 (method url-fetch) (uri (string-append "http://libarchive.org/downloads/libarchive-" version ".tar.gz")) - (patches (search-patches "libarchive-CVE-2017-14166.patch")) + (patches (search-patches "libarchive-CVE-2017-14166.patch" + "libarchive-CVE-2017-14502.patch")) (sha256 (base32 "1km0mzfl6in7l5vz9kl09a88ajx562rw93ng9h2jqavrailvsbgd")))))) diff --git a/gnu/packages/patches/libarchive-CVE-2017-14502.patch b/gnu/packages/patches/libarchive-CVE-2017-14502.patch new file mode 100644 index 0000000000..8e0508afb5 --- /dev/null +++ b/gnu/packages/patches/libarchive-CVE-2017-14502.patch @@ -0,0 +1,40 @@ +Fix CVE-2017-14502: + +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14502 +https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=573 + +Patch copied from upstream source repository: + +https://github.com/libarchive/libarchive/commit/5562545b5562f6d12a4ef991fae158bf4ccf92b6 + +From 5562545b5562f6d12a4ef991fae158bf4ccf92b6 Mon Sep 17 00:00:00 2001 +From: Joerg Sonnenberger +Date: Sat, 9 Sep 2017 17:47:32 +0200 +Subject: [PATCH] Avoid a read off-by-one error for UTF16 names in RAR + archives. + +Reported-By: OSS-Fuzz issue 573 +--- + libarchive/archive_read_support_format_rar.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/libarchive/archive_read_support_format_rar.c b/libarchive/archive_read_support_format_rar.c +index cbb14c32..751de697 100644 +--- a/libarchive/archive_read_support_format_rar.c ++++ b/libarchive/archive_read_support_format_rar.c +@@ -1496,7 +1496,11 @@ read_header(struct archive_read *a, struct archive_entry *entry, + return (ARCHIVE_FATAL); + } + filename[filename_size++] = '\0'; +- filename[filename_size++] = '\0'; ++ /* ++ * Do not increment filename_size here as the computations below ++ * add the space for the terminating NUL explicitly. ++ */ ++ filename[filename_size] = '\0'; + + /* Decoded unicode form is UTF-16BE, so we have to update a string + * conversion object for it. */ +-- +2.15.1 +