[zeus] libarchive: CVE-2020-21674
Submitted by Li Wang on Oct. 19, 2020, 8:57 a.m.
|
Patch ID: 177449
Details
Commit Message
a/meta/recipes-extended/libarchive/libarchive/CVE-2020-21674.patch
b/meta/recipes-extended/libarchive/libarchive/CVE-2020-21674.patch
new file mode 100644
@@ -0,0 +1,57 @@
+From 4f085eea879e2be745f4d9bf57e8513ae48157f4 Mon Sep 17 00:00:00 2001
+From: Martin Matuska <martin@matuska.org>
+Date: Sat, 28 Dec 2019 22:58:08 +0100
+Subject: [PATCH] Fix a possible heap-buffer-overflow in
+ archive_string_append_from_wcs()
+
+When we grow the archive_string buffer, we have to make sure it fits
+at least one maximum-sized multibyte character in the current locale
+and the null character.
+
+Fixes #1298
+
+Upstream-Status: Backport
+CVE: CVE-2020-21674
+[https://github.com/libarchive/libarchive/commit/4f085eea879e2be745f4d9bf57e8513ae48157f4]
+Signed-off-by: Li Wang <li.wang@windriver.com>
+---
+ libarchive/archive_string.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/libarchive/archive_string.c b/libarchive/archive_string.c
+index 063f0f2..91ad9ce 100644
+--- a/libarchive/archive_string.c
++++ b/libarchive/archive_string.c
+@@ -75,6 +75,9 @@ __FBSDID("$FreeBSD:
head/lib/libarchive/archive_string.c 201095 2009-12-28 02:33
+ #define wmemmove(a,b,i) (wchar_t *)memmove((a), (b), (i) *
sizeof(wchar_t))
+ #endif
+
++#undef max
++#define max(a, b) ((a)>(b)?(a):(b))
++
+ struct archive_string_conv {
+ struct archive_string_conv *next;
+ char *from_charset;
+@@ -804,7 +807,8 @@ archive_string_append_from_wcs(struct
archive_string *as,
+ as->s[as->length] = '\0';
+ /* Re-allocate buffer for MBS. */
+ if (archive_string_ensure(as,
+- as->length + len * 2 + 1) == NULL)
++ as->length + max(len * 2,
++ (size_t)MB_CUR_MAX) + 1) == NULL)
+ return (-1);
+ p = as->s + as->length;
+ end = as->s + as->buffer_length - MB_CUR_MAX -1;
+@@ -3446,7 +3450,8 @@ strncat_from_utf8_libarchive2(struct
archive_string *as,
+ as->length = p - as->s;
+ /* Re-allocate buffer for MBS. */
+ if (archive_string_ensure(as,
+- as->length + len * 2 + 1) == NULL)
++ as->length + max(len * 2,
++ (size_t)MB_CUR_MAX) + 1) == NULL)
+ return (-1);
+ p = as->s + as->length;
+ end = as->s + as->buffer_length - MB_CUR_MAX -1;
+--
+2.17.1
+
b/meta/recipes-extended/libarchive/libarchive_3.4.0.bb
@@ -34,6 +34,7 @@ EXTRA_OECONF += "--enable-largefile"
SRC_URI = "http://libarchive.org/downloads/libarchive-${PV}.tar.gz \
file://CVE-2019-19221.patch \
file://0001-RAR5-reader-reject-files-that-declare-invalid-header.patch \
+ file://CVE-2020-21674.patch \
"
SRC_URI[md5sum] = "6046396255bd7cf6d0f6603a9bda39ac"
Backport CVE patch from the upstream: https://github.com/libarchive/libarchive/commit/4f085eea879e2be745f4d9bf57e8513ae48157f4 Signed-off-by: Li Wang <li.wang@windriver.com> --- .../libarchive/CVE-2020-21674.patch | 57 +++++++++++++++++++ .../libarchive/libarchive_3.4.0.bb | 1 + 2 files changed, 58 insertions(+) create mode 100644 meta/recipes-extended/libarchive/libarchive/CVE-2020-21674.patch -- 2.17.1 -=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#143576): https://lists.openembedded.org/g/openembedded-core/message/143576 Mute This Topic: https://lists.openembedded.org/mt/77654210/1003190 Group Owner: openembedded-core+owner@lists.openembedded.org Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [mhalstead@linuxfoundation.org] -=-=-=-=-=-=-=-=-=-=-=-