mirror of
https://git.in.rschanz.org/ryan77627/guix.git
synced 2024-12-24 21:38:07 -05:00
gnu: libarchive: Replace with libarchive 3.3.2 and fix CVE-2017-14166.
* gnu/packages/backup.scm (libarchive)[replacement]: New field. (libarchive-3.3.2): New variable. * gnu/packages/patches/libarchive-CVE-2017-14166.patch: New file. * gnu/local.mk (dist_patch_DATA): Add it.
This commit is contained in:
parent
5a7deb1174
commit
94d671f673
3 changed files with 51 additions and 4 deletions
|
@ -752,6 +752,7 @@ dist_patch_DATA = \
|
||||||
%D%/packages/patches/liba52-link-with-libm.patch \
|
%D%/packages/patches/liba52-link-with-libm.patch \
|
||||||
%D%/packages/patches/liba52-set-soname.patch \
|
%D%/packages/patches/liba52-set-soname.patch \
|
||||||
%D%/packages/patches/liba52-use-mtune-not-mcpu.patch \
|
%D%/packages/patches/liba52-use-mtune-not-mcpu.patch \
|
||||||
|
%D%/packages/patches/libarchive-CVE-2017-14166.patch \
|
||||||
%D%/packages/patches/libbase-fix-includes.patch \
|
%D%/packages/patches/libbase-fix-includes.patch \
|
||||||
%D%/packages/patches/libbase-use-own-logging.patch \
|
%D%/packages/patches/libbase-use-own-logging.patch \
|
||||||
%D%/packages/patches/libbonobo-activation-test-race.patch \
|
%D%/packages/patches/libbonobo-activation-test-race.patch \
|
||||||
|
|
|
@ -184,6 +184,7 @@ (define-public hdup
|
||||||
(define-public libarchive
|
(define-public libarchive
|
||||||
(package
|
(package
|
||||||
(name "libarchive")
|
(name "libarchive")
|
||||||
|
(replacement libarchive-3.3.2)
|
||||||
(version "3.3.1")
|
(version "3.3.1")
|
||||||
(source
|
(source
|
||||||
(origin
|
(origin
|
||||||
|
@ -239,19 +240,19 @@ (define-public libarchive
|
||||||
random access nor for in-place modification.")
|
random access nor for in-place modification.")
|
||||||
(license license:bsd-2)))
|
(license license:bsd-2)))
|
||||||
|
|
||||||
(define libarchive-3.3.1
|
(define libarchive-3.3.2
|
||||||
(package
|
(package
|
||||||
(inherit libarchive)
|
(inherit libarchive)
|
||||||
(name "libarchive")
|
(version "3.3.2")
|
||||||
(version "3.3.1")
|
|
||||||
(source
|
(source
|
||||||
(origin
|
(origin
|
||||||
(method url-fetch)
|
(method url-fetch)
|
||||||
(uri (string-append "http://libarchive.org/downloads/libarchive-"
|
(uri (string-append "http://libarchive.org/downloads/libarchive-"
|
||||||
version ".tar.gz"))
|
version ".tar.gz"))
|
||||||
|
(patches (search-patches "libarchive-CVE-2017-14166.patch"))
|
||||||
(sha256
|
(sha256
|
||||||
(base32
|
(base32
|
||||||
"1rr40hxlm9vy5z2zb5w7pyfkgd1a4s061qapm83s19accb8mpji9"))))))
|
"1km0mzfl6in7l5vz9kl09a88ajx562rw93ng9h2jqavrailvsbgd"))))))
|
||||||
|
|
||||||
(define-public rdup
|
(define-public rdup
|
||||||
(package
|
(package
|
||||||
|
|
45
gnu/packages/patches/libarchive-CVE-2017-14166.patch
Normal file
45
gnu/packages/patches/libarchive-CVE-2017-14166.patch
Normal file
|
@ -0,0 +1,45 @@
|
||||||
|
Fix CVE-2017-14166:
|
||||||
|
|
||||||
|
https://github.com/libarchive/libarchive/issues/935
|
||||||
|
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14166
|
||||||
|
|
||||||
|
Patch copied from upstream source repository:
|
||||||
|
|
||||||
|
https://github.com/libarchive/libarchive/commit/fa7438a0ff4033e4741c807394a9af6207940d71
|
||||||
|
|
||||||
|
From fa7438a0ff4033e4741c807394a9af6207940d71 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Joerg Sonnenberger <joerg@bec.de>
|
||||||
|
Date: Tue, 5 Sep 2017 18:12:19 +0200
|
||||||
|
Subject: [PATCH] Do something sensible for empty strings to make fuzzers
|
||||||
|
happy.
|
||||||
|
|
||||||
|
---
|
||||||
|
libarchive/archive_read_support_format_xar.c | 8 +++++++-
|
||||||
|
1 file changed, 7 insertions(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/libarchive/archive_read_support_format_xar.c b/libarchive/archive_read_support_format_xar.c
|
||||||
|
index 7a22beb9d..93eeacc5e 100644
|
||||||
|
--- a/libarchive/archive_read_support_format_xar.c
|
||||||
|
+++ b/libarchive/archive_read_support_format_xar.c
|
||||||
|
@@ -1040,6 +1040,9 @@ atol10(const char *p, size_t char_cnt)
|
||||||
|
uint64_t l;
|
||||||
|
int digit;
|
||||||
|
|
||||||
|
+ if (char_cnt == 0)
|
||||||
|
+ return (0);
|
||||||
|
+
|
||||||
|
l = 0;
|
||||||
|
digit = *p - '0';
|
||||||
|
while (digit >= 0 && digit < 10 && char_cnt-- > 0) {
|
||||||
|
@@ -1054,7 +1057,10 @@ atol8(const char *p, size_t char_cnt)
|
||||||
|
{
|
||||||
|
int64_t l;
|
||||||
|
int digit;
|
||||||
|
-
|
||||||
|
+
|
||||||
|
+ if (char_cnt == 0)
|
||||||
|
+ return (0);
|
||||||
|
+
|
||||||
|
l = 0;
|
||||||
|
while (char_cnt-- > 0) {
|
||||||
|
if (*p >= '0' && *p <= '7')
|
Loading…
Reference in a new issue