[zeus] libarchive: CVE-2020-21674

Submitted by Li Wang on Oct. 19, 2020, 8:57 a.m. | Patch ID: 177449

Details

Message ID cbdaf5a8-7b27-5289-3687-4fb826a85ea4@windriver.com
State New

Commit Message

Li Wang Oct. 19, 2020, 8:57 a.m.
Backport CVE patch from the upstream:
https://github.com/libarchive/libarchive/commit/4f085eea879e2be745f4d9bf57e8513ae48157f4

Signed-off-by: Li Wang <li.wang@windriver.com>

---
  .../libarchive/CVE-2020-21674.patch           | 57 +++++++++++++++++++
  .../libarchive/libarchive_3.4.0.bb            |  1 +
  2 files changed, 58 insertions(+)
  create mode 100644 
meta/recipes-extended/libarchive/libarchive/CVE-2020-21674.patch

-- 
2.17.1


diff --git 
a/meta/recipes-extended/libarchive/libarchive/CVE-2020-21674.patch 
b/meta/recipes-extended/libarchive/libarchive/CVE-2020-21674.patch
new file mode 100644
index 0000000000..63b2a543bd
--- /dev/null
+++ b/meta/recipes-extended/libarchive/libarchive/CVE-2020-21674.patch
@@ -0,0 +1,57 @@ 
+From 4f085eea879e2be745f4d9bf57e8513ae48157f4 Mon Sep 17 00:00:00 2001
+From: Martin Matuska <martin@matuska.org>
+Date: Sat, 28 Dec 2019 22:58:08 +0100
+Subject: [PATCH] Fix a possible heap-buffer-overflow in
+ archive_string_append_from_wcs()
+
+When we grow the archive_string buffer, we have to make sure it fits
+at least one maximum-sized multibyte character in the current locale
+and the null character.
+
+Fixes #1298
+
+Upstream-Status: Backport
+CVE: CVE-2020-21674
+[https://github.com/libarchive/libarchive/commit/4f085eea879e2be745f4d9bf57e8513ae48157f4]
+Signed-off-by: Li Wang <li.wang@windriver.com>
+---
+ libarchive/archive_string.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/libarchive/archive_string.c b/libarchive/archive_string.c
+index 063f0f2..91ad9ce 100644
+--- a/libarchive/archive_string.c
++++ b/libarchive/archive_string.c
+@@ -75,6 +75,9 @@ __FBSDID("$FreeBSD: 
head/lib/libarchive/archive_string.c 201095 2009-12-28 02:33
+ #define wmemmove(a,b,i)  (wchar_t *)memmove((a), (b), (i) * 
sizeof(wchar_t))
+ #endif
+
++#undef max
++#define max(a, b)       ((a)>(b)?(a):(b))
++
+ struct archive_string_conv {
+     struct archive_string_conv    *next;
+     char                *from_charset;
+@@ -804,7 +807,8 @@ archive_string_append_from_wcs(struct 
archive_string *as,
+             as->s[as->length] = '\0';
+             /* Re-allocate buffer for MBS. */
+             if (archive_string_ensure(as,
+-                as->length + len * 2 + 1) == NULL)
++                as->length + max(len * 2,
++                (size_t)MB_CUR_MAX) + 1) == NULL)
+                 return (-1);
+             p = as->s + as->length;
+             end = as->s + as->buffer_length - MB_CUR_MAX -1;
+@@ -3446,7 +3450,8 @@ strncat_from_utf8_libarchive2(struct 
archive_string *as,
+             as->length = p - as->s;
+             /* Re-allocate buffer for MBS. */
+             if (archive_string_ensure(as,
+-                as->length + len * 2 + 1) == NULL)
++                as->length + max(len * 2,
++                (size_t)MB_CUR_MAX) + 1) == NULL)
+                 return (-1);
+             p = as->s + as->length;
+             end = as->s + as->buffer_length - MB_CUR_MAX -1;
+--
+2.17.1
+
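Review bot: The embedded patch is line-wrapped in several places, so as posted the new file is not a well-formed diff and the CVE-2020-21674 fix would likely fail to apply at do_patch. The `@@ -75,6 +75,9 @@` header, the `wmemmove` context line, and the `@@ -804,7 +807,8 @@` and `@@ -3446,7 +3450,8 @@` headers each continue on a following line that has no leading `+`. This looks like mail-client wrapping, since the outer `diff --git` header is split the same way; resending with `git send-email` should keep the lines intact. Separately, the upstream URL sits on its own bracketed line after `CVE:`, whereas the usual form keeps it with the status tag: `Upstream-Status: Backport [https://github.com/libarchive/libarchive/commit/4f085eea879e2be745f4d9bf57e8513ae48157f4]`. In the fix itself, `max(len * 2, (size_t)MB_CUR_MAX)` is a function-like macro that evaluates both arguments twice; that is harmless at these two call sites, but a short comment on the `#define` noting it would help anyone reusing it.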
diff --git a/meta/recipes-extended/libarchive/libarchive_3.4.0.bb 
b/meta/recipes-extended/libarchive/libarchive_3.4.0.bb
index db45ccf654..e8d93bf0f9 100644
--- a/meta/recipes-extended/libarchive/libarchive_3.4.0.bb
+++ b/meta/recipes-extended/libarchive/libarchive_3.4.0.bb
@@ -34,6 +34,7 @@  EXTRA_OECONF += "--enable-largefile"
  SRC_URI = "http://libarchive.org/downloads/libarchive-${PV}.tar.gz \
             file://CVE-2019-19221.patch \
file://0001-RAR5-reader-reject-files-that-declare-invalid-header.patch \
+           file://CVE-2020-21674.patch \
  "

  SRC_URI[md5sum] = "6046396255bd7cf6d0f6603a9bda39ac"