[dunfell,1/2] libarchive: Fix CVE-2021-23177 issue

Message ID 20220905130608.9341-1-ranjitsinh.rathod@kpit.com
State Accepted, archived
Commit 01d7e2c7a0da55a7c00aebed107c1338f5f032b1

Commit Message

Ranjitsinh Rathod Sept. 5, 2022, 1:06 p.m. UTC
Add patch to fix CVE-2021-23177 issue for libarchive
Link: http://deb.debian.org/debian/pool/main/liba/libarchive/libarchive_3.4.3-2+deb11u1.debian.tar.xz

Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
---
 .../libarchive/CVE-2021-23177.patch           | 183 ++++++++++++++++++
 .../libarchive/libarchive_3.4.2.bb            |   1 +
 2 files changed, 184 insertions(+)
 create mode 100644 meta/recipes-extended/libarchive/libarchive/CVE-2021-23177.patch

--
2.17.1


Comments

Steve Sakoman Sept. 6, 2022, 11:18 p.m. UTC | #1
On Mon, Sep 5, 2022 at 3:06 AM Ranjitsinh Rathod via
lists.openembedded.org
<ranjitsinh.rathod=kpit.com@lists.openembedded.org> wrote:
>
> Add patch to fix CVE-2021-23177 issue for libarchive
> Link: http://deb.debian.org/debian/pool/main/liba/libarchive/libarchive_3.4.3-2+deb11u1.debian.tar.xz

Fails to build with this patch:

NOTE: Applying patch 'CVE-2021-23177.patch'
(../meta/recipes-extended/libarchive/libarchive/CVE-2021-23177.patch)
ERROR: Applying patch 'CVE-2021-23177.patch' on target directory
'TOPDIR/tmp/work/x86_64-linux/libarchive-native/3.4.2-r0/libarchive-3.4.2'
Command Error: 'quilt --quiltrc
TOPDIR/tmp/work/x86_64-linux/libarchive-native/3.4.2-r0/recipe-sysroot-native/etc/quiltrc
push' exited with 0  Output:
Applying patch CVE-2021-23177.patch
patching file libarchive/archive_disk_acl_freebsd.c
Hunk #1 succeeded at 319 with fuzz 1.
Hunk #2 FAILED at 364.
Hunk #3 FAILED at 542.
Hunk #4 FAILED at 677.
Hunk #5 FAILED at 693.
4 out of 5 hunks FAILED -- rejects in file libarchive/archive_disk_acl_freebsd.c
patching file libarchive/archive_disk_acl_linux.c
Hunk #1 FAILED at 343.
Hunk #2 succeeded at 455 with fuzz 1.
Hunk #3 FAILED at 488.
Hunk #4 FAILED at 727.
3 out of 4 hunks FAILED -- rejects in file libarchive/archive_disk_acl_linux.c
patching file libarchive/archive_disk_acl_sunos.c
Hunk #1 succeeded at 443 with fuzz 1.
Hunk #2 FAILED at 467.
Hunk #3 FAILED at 492.
Hunk #4 FAILED at 801.
Hunk #5 FAILED at 810.
4 out of 5 hunks FAILED -- rejects in file libarchive/archive_disk_acl_sunos.c
Patch CVE-2021-23177.patch does not apply (enforce with -f)
DEBUG: Python function patch_do_patch finished
DEBUG: Python function do_patch finished

I'm going to drop both patches in the series and await a v2.

Steve

> Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
> ---
>  .../libarchive/CVE-2021-23177.patch           | 183 ++++++++++++++++++
>  .../libarchive/libarchive_3.4.2.bb            |   1 +
>  2 files changed, 184 insertions(+)
>  create mode 100644 meta/recipes-extended/libarchive/libarchive/CVE-2021-23177.patch
>
> diff --git a/meta/recipes-extended/libarchive/libarchive/CVE-2021-23177.patch b/meta/recipes-extended/libarchive/libarchive/CVE-2021-23177.patch
> new file mode 100644
> index 0000000000..555c7a47f7
> --- /dev/null
> +++ b/meta/recipes-extended/libarchive/libarchive/CVE-2021-23177.patch
> @@ -0,0 +1,183 @@
> +Description: Fix handling of symbolic link ACLs
> + Published as CVE-2021-23177
> +Origin: upstream, https://github.com/libarchive/libarchive/commit/fba4f123cc456d2b2538f811bb831483bf336bad
> +Bug-Debian: https://bugs.debian.org/1001986
> +Author: Martin Matuska <martin@matuska.org>
> +Last-Updated: 2021-12-20
> +
> +CVE: CVE-2021-23177
> +Upstream-Status: Backport [http://deb.debian.org/debian/pool/main/liba/libarchive/libarchive_3.4.3-2+deb11u1.debian.tar.xz]
> +Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
> +
> +--- a/libarchive/archive_disk_acl_freebsd.c
> ++++ b/libarchive/archive_disk_acl_freebsd.c
> +@@ -319,7 +319,7 @@
> +
> + static int
> + set_acl(struct archive *a, int fd, const char *name,
> +-    struct archive_acl *abstract_acl,
> ++    struct archive_acl *abstract_acl, __LA_MODE_T mode,
> +     int ae_requested_type, const char *tname)
> + {
> +       int              acl_type = 0;
> +@@ -364,6 +364,13 @@
> +               return (ARCHIVE_FAILED);
> +       }
> +
> ++      if (acl_type == ACL_TYPE_DEFAULT && !S_ISDIR(mode)) {
> ++              errno = EINVAL;
> ++              archive_set_error(a, errno,
> ++                  "Cannot set default ACL on non-directory");
> ++              return (ARCHIVE_WARN);
> ++      }
> ++
> +       acl = acl_init(entries);
> +       if (acl == (acl_t)NULL) {
> +               archive_set_error(a, errno,
> +@@ -542,7 +549,10 @@
> +       else if (acl_set_link_np(name, acl_type, acl) != 0)
> + #else
> +       /* FreeBSD older than 8.0 */
> +-      else if (acl_set_file(name, acl_type, acl) != 0)
> ++      else if (S_ISLNK(mode)) {
> ++          /* acl_set_file() follows symbolic links, skip */
> ++          ret = ARCHIVE_OK;
> ++      } else if (acl_set_file(name, acl_type, acl) != 0)
> + #endif
> +       {
> +               if (errno == EOPNOTSUPP) {
> +@@ -677,14 +687,14 @@
> +           & ARCHIVE_ENTRY_ACL_TYPE_POSIX1E) != 0) {
> +               if ((archive_acl_types(abstract_acl)
> +                   & ARCHIVE_ENTRY_ACL_TYPE_ACCESS) != 0) {
> +-                      ret = set_acl(a, fd, name, abstract_acl,
> ++                      ret = set_acl(a, fd, name, abstract_acl, mode,
> +                           ARCHIVE_ENTRY_ACL_TYPE_ACCESS, "access");
> +                       if (ret != ARCHIVE_OK)
> +                               return (ret);
> +               }
> +               if ((archive_acl_types(abstract_acl)
> +                   & ARCHIVE_ENTRY_ACL_TYPE_DEFAULT) != 0)
> +-                      ret = set_acl(a, fd, name, abstract_acl,
> ++                      ret = set_acl(a, fd, name, abstract_acl, mode,
> +                           ARCHIVE_ENTRY_ACL_TYPE_DEFAULT, "default");
> +
> +               /* Simultaneous POSIX.1e and NFSv4 is not supported */
> +@@ -693,7 +703,7 @@
> + #if ARCHIVE_ACL_FREEBSD_NFS4
> +       else if ((archive_acl_types(abstract_acl) &
> +           ARCHIVE_ENTRY_ACL_TYPE_NFS4) != 0) {
> +-              ret = set_acl(a, fd, name, abstract_acl,
> ++              ret = set_acl(a, fd, name, abstract_acl, mode,
> +                   ARCHIVE_ENTRY_ACL_TYPE_NFS4, "nfs4");
> +       }
> + #endif
> +--- a/libarchive/archive_disk_acl_linux.c
> ++++ b/libarchive/archive_disk_acl_linux.c
> +@@ -343,6 +343,11 @@
> +               return (ARCHIVE_FAILED);
> +       }
> +
> ++      if (S_ISLNK(mode)) {
> ++              /* Linux does not support RichACLs on symbolic links */
> ++              return (ARCHIVE_OK);
> ++      }
> ++
> +       richacl = richacl_alloc(entries);
> +       if (richacl == NULL) {
> +               archive_set_error(a, errno,
> +@@ -455,7 +460,7 @@
> + #if ARCHIVE_ACL_LIBACL
> + static int
> + set_acl(struct archive *a, int fd, const char *name,
> +-    struct archive_acl *abstract_acl,
> ++    struct archive_acl *abstract_acl, __LA_MODE_T mode,
> +     int ae_requested_type, const char *tname)
> + {
> +       int              acl_type = 0;
> +@@ -488,6 +493,18 @@
> +               return (ARCHIVE_FAILED);
> +       }
> +
> ++      if (S_ISLNK(mode)) {
> ++              /* Linux does not support ACLs on symbolic links */
> ++              return (ARCHIVE_OK);
> ++      }
> ++
> ++      if (acl_type == ACL_TYPE_DEFAULT && !S_ISDIR(mode)) {
> ++              errno = EINVAL;
> ++              archive_set_error(a, errno,
> ++                  "Cannot set default ACL on non-directory");
> ++              return (ARCHIVE_WARN);
> ++      }
> ++
> +       acl = acl_init(entries);
> +       if (acl == (acl_t)NULL) {
> +               archive_set_error(a, errno,
> +@@ -727,14 +744,14 @@
> +           & ARCHIVE_ENTRY_ACL_TYPE_POSIX1E) != 0) {
> +               if ((archive_acl_types(abstract_acl)
> +                   & ARCHIVE_ENTRY_ACL_TYPE_ACCESS) != 0) {
> +-                      ret = set_acl(a, fd, name, abstract_acl,
> ++                      ret = set_acl(a, fd, name, abstract_acl, mode,
> +                           ARCHIVE_ENTRY_ACL_TYPE_ACCESS, "access");
> +                       if (ret != ARCHIVE_OK)
> +                               return (ret);
> +               }
> +               if ((archive_acl_types(abstract_acl)
> +                   & ARCHIVE_ENTRY_ACL_TYPE_DEFAULT) != 0)
> +-                      ret = set_acl(a, fd, name, abstract_acl,
> ++                      ret = set_acl(a, fd, name, abstract_acl, mode,
> +                           ARCHIVE_ENTRY_ACL_TYPE_DEFAULT, "default");
> +       }
> + #endif        /* ARCHIVE_ACL_LIBACL */
> +--- a/libarchive/archive_disk_acl_sunos.c
> ++++ b/libarchive/archive_disk_acl_sunos.c
> +@@ -443,7 +443,7 @@
> +
> + static int
> + set_acl(struct archive *a, int fd, const char *name,
> +-    struct archive_acl *abstract_acl,
> ++    struct archive_acl *abstract_acl, __LA_MODE_T mode,
> +     int ae_requested_type, const char *tname)
> + {
> +       aclent_t         *aclent;
> +@@ -467,7 +467,6 @@
> +       if (entries == 0)
> +               return (ARCHIVE_OK);
> +
> +-
> +       switch (ae_requested_type) {
> +       case ARCHIVE_ENTRY_ACL_TYPE_POSIX1E:
> +               cmd = SETACL;
> +@@ -492,6 +491,12 @@
> +               return (ARCHIVE_FAILED);
> +       }
> +
> ++        if (S_ISLNK(mode)) {
> ++                /* Skip ACLs on symbolic links */
> ++              ret = ARCHIVE_OK;
> ++              goto exit_free;
> ++        }
> ++
> +       e = 0;
> +
> +       while (archive_acl_next(a, abstract_acl, ae_requested_type, &ae_type,
> +@@ -801,7 +806,7 @@
> +       if ((archive_acl_types(abstract_acl)
> +           & ARCHIVE_ENTRY_ACL_TYPE_POSIX1E) != 0) {
> +               /* Solaris writes POSIX.1e access and default ACLs together */
> +-              ret = set_acl(a, fd, name, abstract_acl,
> ++              ret = set_acl(a, fd, name, abstract_acl, mode,
> +                   ARCHIVE_ENTRY_ACL_TYPE_POSIX1E, "posix1e");
> +
> +               /* Simultaneous POSIX.1e and NFSv4 is not supported */
> +@@ -810,7 +815,7 @@
> + #if ARCHIVE_ACL_SUNOS_NFS4
> +       else if ((archive_acl_types(abstract_acl) &
> +           ARCHIVE_ENTRY_ACL_TYPE_NFS4) != 0) {
> +-              ret = set_acl(a, fd, name, abstract_acl,
> ++              ret = set_acl(a, fd, name, abstract_acl, mode,
> +                   ARCHIVE_ENTRY_ACL_TYPE_NFS4, "nfs4");
> +       }
> + #endif
> diff --git a/meta/recipes-extended/libarchive/libarchive_3.4.2.bb b/meta/recipes-extended/libarchive/libarchive_3.4.2.bb
> index b7426a1be8..d8ed80686b 100644
> --- a/meta/recipes-extended/libarchive/libarchive_3.4.2.bb
> +++ b/meta/recipes-extended/libarchive/libarchive_3.4.2.bb
> @@ -36,6 +36,7 @@ SRC_URI = "http://libarchive.org/downloads/libarchive-${PV}.tar.gz \
>             file://CVE-2021-36976-1.patch \
>             file://CVE-2021-36976-2.patch \
>             file://CVE-2021-36976-3.patch \
> +           file://CVE-2021-23177.patch \
>  "
>
>  SRC_URI[md5sum] = "d953ed6b47694dadf0e6042f8f9ff451"
> --
> 2.17.1
>
Ranjitsinh Rathod Sept. 7, 2022, 11:10 a.m. UTC | #2
Hi Steve,

I have tested this and it seems the patch is working fine.
I'm attaching the patch file as an attachment, please use this and let me know if that works.

It seems like something went wrong while sending using the KPIT email ID, and I am currently facing issues with my Gmail account, so I cannot send using the Gmail account.


Also, attaching logs of do_patch task.


Thanks,

Best Regards,

Ranjitsinh Rathod
Technical Leader |  | KPIT Technologies Ltd.
Cellphone: +91-84606 92403

Patch

diff --git a/meta/recipes-extended/libarchive/libarchive/CVE-2021-23177.patch b/meta/recipes-extended/libarchive/libarchive/CVE-2021-23177.patch
new file mode 100644
index 0000000000..555c7a47f7
--- /dev/null
+++ b/meta/recipes-extended/libarchive/libarchive/CVE-2021-23177.patch
@@ -0,0 +1,183 @@ 
+Description: Fix handling of symbolic link ACLs
+ Published as CVE-2021-23177
+Origin: upstream, https://github.com/libarchive/libarchive/commit/fba4f123cc456d2b2538f811bb831483bf336bad
+Bug-Debian: https://bugs.debian.org/1001986
+Author: Martin Matuska <martin@matuska.org>
+Last-Updated: 2021-12-20
+
+CVE: CVE-2021-23177
+Upstream-Status: Backport [http://deb.debian.org/debian/pool/main/liba/libarchive/libarchive_3.4.3-2+deb11u1.debian.tar.xz]
+Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
+
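Review bot: Upstream-Status in this header cites the Debian tarball for libarchive 3.4.3-2+deb11u1, while the recipe this series patches is libarchive_3.4.2.bb, so the hunk offsets and context below come from a different source version than the one being built. The Origin line already names the upstream commit (fba4f123cc456d2b2538f811bb831483bf336bad); cite that commit in Upstream-Status and rebase the hunks on the 3.4.2 sources for v2.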
+--- a/libarchive/archive_disk_acl_freebsd.c
++++ b/libarchive/archive_disk_acl_freebsd.c
+@@ -319,7 +319,7 @@
+
+ static int
+ set_acl(struct archive *a, int fd, const char *name,
+-    struct archive_acl *abstract_acl,
++    struct archive_acl *abstract_acl, __LA_MODE_T mode,
+     int ae_requested_type, const char *tname)
+ {
+       int              acl_type = 0;
+@@ -364,6 +364,13 @@
+               return (ARCHIVE_FAILED);
+       }
+
++      if (acl_type == ACL_TYPE_DEFAULT && !S_ISDIR(mode)) {
++              errno = EINVAL;
++              archive_set_error(a, errno,
++                  "Cannot set default ACL on non-directory");
++              return (ARCHIVE_WARN);
++      }
++
+       acl = acl_init(entries);
+       if (acl == (acl_t)NULL) {
+               archive_set_error(a, errno,
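Review bot: the unchanged context around this new default-ACL check ('return (ARCHIVE_FAILED);' and 'acl = acl_init(entries);') is indented with spaces as posted, and this is the hunk the do_patch log in comment #1 reports as 'Hunk #2 FAILED at 364'. If the embedded patch lost its original whitespace in transit, the context cannot match the source; for v2, send with git send-email and confirm that do_patch applies every hunk without fuzz or rejects.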
+@@ -542,7 +549,10 @@
+       else if (acl_set_link_np(name, acl_type, acl) != 0)
+ #else
+       /* FreeBSD older than 8.0 */
+-      else if (acl_set_file(name, acl_type, acl) != 0)
++      else if (S_ISLNK(mode)) {
++          /* acl_set_file() follows symbolic links, skip */
++          ret = ARCHIVE_OK;
++      } else if (acl_set_file(name, acl_type, acl) != 0)
+ #endif
+       {
+               if (errno == EOPNOTSUPP) {
+@@ -677,14 +687,14 @@
+           & ARCHIVE_ENTRY_ACL_TYPE_POSIX1E) != 0) {
+               if ((archive_acl_types(abstract_acl)
+                   & ARCHIVE_ENTRY_ACL_TYPE_ACCESS) != 0) {
+-                      ret = set_acl(a, fd, name, abstract_acl,
++                      ret = set_acl(a, fd, name, abstract_acl, mode,
+                           ARCHIVE_ENTRY_ACL_TYPE_ACCESS, "access");
+                       if (ret != ARCHIVE_OK)
+                               return (ret);
+               }
+               if ((archive_acl_types(abstract_acl)
+                   & ARCHIVE_ENTRY_ACL_TYPE_DEFAULT) != 0)
+-                      ret = set_acl(a, fd, name, abstract_acl,
++                      ret = set_acl(a, fd, name, abstract_acl, mode,
+                           ARCHIVE_ENTRY_ACL_TYPE_DEFAULT, "default");
+
+               /* Simultaneous POSIX.1e and NFSv4 is not supported */
+@@ -693,7 +703,7 @@
+ #if ARCHIVE_ACL_FREEBSD_NFS4
+       else if ((archive_acl_types(abstract_acl) &
+           ARCHIVE_ENTRY_ACL_TYPE_NFS4) != 0) {
+-              ret = set_acl(a, fd, name, abstract_acl,
++              ret = set_acl(a, fd, name, abstract_acl, mode,
+                   ARCHIVE_ENTRY_ACL_TYPE_NFS4, "nfs4");
+       }
+ #endif
+--- a/libarchive/archive_disk_acl_linux.c
++++ b/libarchive/archive_disk_acl_linux.c
+@@ -343,6 +343,11 @@
+               return (ARCHIVE_FAILED);
+       }
+
++      if (S_ISLNK(mode)) {
++              /* Linux does not support RichACLs on symbolic links */
++              return (ARCHIVE_OK);
++      }
++
+       richacl = richacl_alloc(entries);
+       if (richacl == NULL) {
+               archive_set_error(a, errno,
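Review bot: the added S_ISLNK(mode) test at line 343 uses mode inside the RichACL setter, but unlike set_acl (the hunk at 455) this patch carries no hunk that adds a mode parameter to that function or passes it from the caller. Confirm that the function in the 3.4.2 tree already takes mode; if it does not, this hunk will not compile and the signature and call-site changes need to be part of the backport.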
+@@ -455,7 +460,7 @@
+ #if ARCHIVE_ACL_LIBACL
+ static int
+ set_acl(struct archive *a, int fd, const char *name,
+-    struct archive_acl *abstract_acl,
++    struct archive_acl *abstract_acl, __LA_MODE_T mode,
+     int ae_requested_type, const char *tname)
+ {
+       int              acl_type = 0;
+@@ -488,6 +493,18 @@
+               return (ARCHIVE_FAILED);
+       }
+
++      if (S_ISLNK(mode)) {
++              /* Linux does not support ACLs on symbolic links */
++              return (ARCHIVE_OK);
++      }
++
++      if (acl_type == ACL_TYPE_DEFAULT && !S_ISDIR(mode)) {
++              errno = EINVAL;
++              archive_set_error(a, errno,
++                  "Cannot set default ACL on non-directory");
++              return (ARCHIVE_WARN);
++      }
++
+       acl = acl_init(entries);
+       if (acl == (acl_t)NULL) {
+               archive_set_error(a, errno,
+@@ -727,14 +744,14 @@
+           & ARCHIVE_ENTRY_ACL_TYPE_POSIX1E) != 0) {
+               if ((archive_acl_types(abstract_acl)
+                   & ARCHIVE_ENTRY_ACL_TYPE_ACCESS) != 0) {
+-                      ret = set_acl(a, fd, name, abstract_acl,
++                      ret = set_acl(a, fd, name, abstract_acl, mode,
+                           ARCHIVE_ENTRY_ACL_TYPE_ACCESS, "access");
+                       if (ret != ARCHIVE_OK)
+                               return (ret);
+               }
+               if ((archive_acl_types(abstract_acl)
+                   & ARCHIVE_ENTRY_ACL_TYPE_DEFAULT) != 0)
+-                      ret = set_acl(a, fd, name, abstract_acl,
++                      ret = set_acl(a, fd, name, abstract_acl, mode,
+                           ARCHIVE_ENTRY_ACL_TYPE_DEFAULT, "default");
+       }
+ #endif        /* ARCHIVE_ACL_LIBACL */
+--- a/libarchive/archive_disk_acl_sunos.c
++++ b/libarchive/archive_disk_acl_sunos.c
+@@ -443,7 +443,7 @@
+
+ static int
+ set_acl(struct archive *a, int fd, const char *name,
+-    struct archive_acl *abstract_acl,
++    struct archive_acl *abstract_acl, __LA_MODE_T mode,
+     int ae_requested_type, const char *tname)
+ {
+       aclent_t         *aclent;
+@@ -467,7 +467,6 @@
+       if (entries == 0)
+               return (ARCHIVE_OK);
+
+-
+       switch (ae_requested_type) {
+       case ARCHIVE_ENTRY_ACL_TYPE_POSIX1E:
+               cmd = SETACL;
+@@ -492,6 +491,12 @@
+               return (ARCHIVE_FAILED);
+       }
+
++        if (S_ISLNK(mode)) {
++                /* Skip ACLs on symbolic links */
++              ret = ARCHIVE_OK;
++              goto exit_free;
++        }
++
+       e = 0;
+
+       while (archive_acl_next(a, abstract_acl, ae_requested_type, &ae_type,
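Review bot: the new symlink skip jumps to exit_free before the ACL entries are walked ('e = 0;' and the archive_acl_next loop come after it), and neither the exit_free label nor what it frees is visible in this patch. Check in the 3.4.2 source that aclent is either allocated or NULL at this point so the cleanup path is safe. The added lines also mix indentation (the 'if' line and closing brace differ from 'ret = ARCHIVE_OK;' and 'goto exit_free;'); align them with the surrounding code.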
+@@ -801,7 +806,7 @@
+       if ((archive_acl_types(abstract_acl)
+           & ARCHIVE_ENTRY_ACL_TYPE_POSIX1E) != 0) {
+               /* Solaris writes POSIX.1e access and default ACLs together */
+-              ret = set_acl(a, fd, name, abstract_acl,
++              ret = set_acl(a, fd, name, abstract_acl, mode,
+                   ARCHIVE_ENTRY_ACL_TYPE_POSIX1E, "posix1e");
+
+               /* Simultaneous POSIX.1e and NFSv4 is not supported */
+@@ -810,7 +815,7 @@
+ #if ARCHIVE_ACL_SUNOS_NFS4
+       else if ((archive_acl_types(abstract_acl) &
+           ARCHIVE_ENTRY_ACL_TYPE_NFS4) != 0) {
+-              ret = set_acl(a, fd, name, abstract_acl,
++              ret = set_acl(a, fd, name, abstract_acl, mode,
+                   ARCHIVE_ENTRY_ACL_TYPE_NFS4, "nfs4");
+       }
+ #endif
diff --git a/meta/recipes-extended/libarchive/libarchive_3.4.2.bb b/meta/recipes-extended/libarchive/libarchive_3.4.2.bb
index b7426a1be8..d8ed80686b 100644
--- a/meta/recipes-extended/libarchive/libarchive_3.4.2.bb
+++ b/meta/recipes-extended/libarchive/libarchive_3.4.2.bb
@@ -36,6 +36,7 @@  SRC_URI = "http://libarchive.org/downloads/libarchive-${PV}.tar.gz \
            file://CVE-2021-36976-1.patch \
            file://CVE-2021-36976-2.patch \
            file://CVE-2021-36976-3.patch \
+           file://CVE-2021-23177.patch \
 "

 SRC_URI[md5sum] = "d953ed6b47694dadf0e6042f8f9ff451"