| Message ID | 20220411124024.3574402-1-davide.gardenal@huawei.com |
|---|---|
| State | New |
| Headers | show |
| Series | [master,v2] libarchive: backport patch to fix CVE-2022-26280 | expand |
Hi Davide, Any reason for not updating to 3.6.1 since it includes this patch (from the changelog info at least)? Cheers, Quentin On 4/11/22 14:40, Davide Gardenal wrote: > Signed-off-by: Davide Gardenal <davide.gardenal@huawei.com> > --- > Update v2: > Change title from [meta-oe] to [oe-core] > --- > .../libarchive/CVE-2022-26280.patch | 31 +++++++++++++++++++ > .../libarchive/libarchive_3.6.0.bb | 4 ++- > 2 files changed, 34 insertions(+), 1 deletion(-) > create mode 100644 meta/recipes-extended/libarchive/libarchive/CVE-2022-26280.patch > > diff --git a/meta/recipes-extended/libarchive/libarchive/CVE-2022-26280.patch b/meta/recipes-extended/libarchive/libarchive/CVE-2022-26280.patch > new file mode 100644 > index 0000000000..c322e12274 > --- /dev/null > +++ b/meta/recipes-extended/libarchive/libarchive/CVE-2022-26280.patch > @@ -0,0 +1,31 @@ > +From cfaa28168a07ea4a53276b63068f94fce37d6aff Mon Sep 17 00:00:00 2001 > +From: Tim Kientzle <kientzle@acm.org> > +Date: Thu, 24 Mar 2022 10:35:00 +0100 > +Subject: [PATCH] ZIP reader: fix possible out-of-bounds read in > + zipx_lzma_alone_init() > + > +Fixes #1672 > + > +CVE: CVE-2022-26280 > + > +Upstream-Status: Backport > +https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_libarchive_libarchive_commit_cfaa28168a07ea4a53276b63068f94fce37d6aff&d=DwIDAg&c=_sEr5x9kUWhuk4_nFwjJtA&r=LYjLexDn7rXIzVmkNPvw5ymA1XTSqHGq8yBP6m6qZZ4njZguQhZhkI_-172IIy1t&m=gRPxVzB4EMk0PAljAspLUdHOoj0XBl1hDKvUE0nQ4-ZYFhgn62aUm-XFsQqztA9x&s=Fu-Kk2GhLiSc9o3rjHQaH-u-51djGq7bKAdxUIMTRuo&e= > + > +Signed-off-by: Davide Gardenal <davide.gardenal@huawei.com> > +--- > + libarchive/archive_read_support_format_zip.c | 2 +- > + 1 file changed, 1 insertion(+), 1 deletion(-) > + > +diff --git a/libarchive/archive_read_support_format_zip.c b/libarchive/archive_read_support_format_zip.c > +index 38ada70b5..9d6c900b2 100644 > +--- a/libarchive/archive_read_support_format_zip.c > ++++ b/libarchive/archive_read_support_format_zip.c > +@@ -1667,7 +1667,7 @@ zipx_lzma_alone_init(struct archive_read *a, struct zip *zip) > + */ > + > + /* Read magic1,magic2,lzma_params from the ZIPX stream. */ > +- if((p = __archive_read_ahead(a, 9, NULL)) == NULL) { > ++ if(zip->entry_bytes_remaining < 9 || (p = __archive_read_ahead(a, 9, NULL)) == NULL) { > + archive_set_error(&a->archive, ARCHIVE_ERRNO_FILE_FORMAT, > + "Truncated lzma data"); > + return (ARCHIVE_FATAL); > diff --git a/meta/recipes-extended/libarchive/libarchive_3.6.0.bb b/meta/recipes-extended/libarchive/libarchive_3.6.0.bb > index f078c8ad03..16d6e2af2d 100644 > --- a/meta/recipes-extended/libarchive/libarchive_3.6.0.bb > +++ b/meta/recipes-extended/libarchive/libarchive_3.6.0.bb > @@ -32,7 +32,9 @@ PACKAGECONFIG[zstd] = "--with-zstd,--without-zstd,zstd," > > EXTRA_OECONF += "--enable-largefile" > > -SRC_URI = "https://urldefense.proofpoint.com/v2/url?u=http-3A__libarchive.org_downloads_libarchive-2D-24-257BPV-257D.tar.gz&d=DwIDAg&c=_sEr5x9kUWhuk4_nFwjJtA&r=LYjLexDn7rXIzVmkNPvw5ymA1XTSqHGq8yBP6m6qZZ4njZguQhZhkI_-172IIy1t&m=gRPxVzB4EMk0PAljAspLUdHOoj0XBl1hDKvUE0nQ4-ZYFhgn62aUm-XFsQqztA9x&s=qjkmUgOa7iMTBMJje9R2Ea_YQJUs8P7nFC_iHFYKT4A&e= " > +SRC_URI = "https://urldefense.proofpoint.com/v2/url?u=http-3A__libarchive.org_downloads_libarchive-2D-24-257BPV-257D.tar.gz&d=DwIDAg&c=_sEr5x9kUWhuk4_nFwjJtA&r=LYjLexDn7rXIzVmkNPvw5ymA1XTSqHGq8yBP6m6qZZ4njZguQhZhkI_-172IIy1t&m=gRPxVzB4EMk0PAljAspLUdHOoj0XBl1hDKvUE0nQ4-ZYFhgn62aUm-XFsQqztA9x&s=qjkmUgOa7iMTBMJje9R2Ea_YQJUs8P7nFC_iHFYKT4A&e= \ > + file://CVE-2022-26280.patch" > + > UPSTREAM_CHECK_URI = "https://urldefense.proofpoint.com/v2/url?u=http-3A__libarchive.org_&d=DwIDAg&c=_sEr5x9kUWhuk4_nFwjJtA&r=LYjLexDn7rXIzVmkNPvw5ymA1XTSqHGq8yBP6m6qZZ4njZguQhZhkI_-172IIy1t&m=gRPxVzB4EMk0PAljAspLUdHOoj0XBl1hDKvUE0nQ4-ZYFhgn62aUm-XFsQqztA9x&s=fBf6Ji0vNBD7Q-LH4pCiZVZki3Hx8oz4ZOsBhe3yQIw&e= " > > SRC_URI[sha256sum] = "a36613695ffa2905fdedc997b6df04a3006ccfd71d747a339b78aa8412c3d852" > > > > -=-=-=-=-=-=-=-=-=-=-=- > Links: You receive all messages sent to this group. > View/Reply Online (#164221): https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.openembedded.org_g_openembedded-2Dcore_message_164221&d=DwIFaQ&c=_sEr5x9kUWhuk4_nFwjJtA&r=LYjLexDn7rXIzVmkNPvw5ymA1XTSqHGq8yBP6m6qZZ4njZguQhZhkI_-172IIy1t&m=gRPxVzB4EMk0PAljAspLUdHOoj0XBl1hDKvUE0nQ4-ZYFhgn62aUm-XFsQqztA9x&s=C2HDNGm3Nhpg08e9mK5dvm1CHFrZ3LopM1nwfz4za-0&e= > Mute This Topic: https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.openembedded.org_mt_90393740_6293953&d=DwIFaQ&c=_sEr5x9kUWhuk4_nFwjJtA&r=LYjLexDn7rXIzVmkNPvw5ymA1XTSqHGq8yBP6m6qZZ4njZguQhZhkI_-172IIy1t&m=gRPxVzB4EMk0PAljAspLUdHOoj0XBl1hDKvUE0nQ4-ZYFhgn62aUm-XFsQqztA9x&s=KwzSKWGpvbMW5RH0CtWdnumfo-O6uHjsm9F0XYF1pY8&e= > Group Owner: openembedded-core+owner@lists.openembedded.org > Unsubscribe: https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.openembedded.org_g_openembedded-2Dcore_unsub&d=DwIFaQ&c=_sEr5x9kUWhuk4_nFwjJtA&r=LYjLexDn7rXIzVmkNPvw5ymA1XTSqHGq8yBP6m6qZZ4njZguQhZhkI_-172IIy1t&m=gRPxVzB4EMk0PAljAspLUdHOoj0XBl1hDKvUE0nQ4-ZYFhgn62aUm-XFsQqztA9x&s=5WNChSXLwAWbWMGzrgajQQoWiwUoCItgd4Y9YnD-J5g&e= [quentin.schulz@theobroma-systems.com] > -=-=-=-=-=-=-=-=-=-=-=- >
On Mon, Apr 11, 2022 at 6:01 AM Davide Gardenal <davidegarde2000@gmail.com> wrote: > > Hi Quentin, > > I just missed the release so I'm going to send a v3 patch now, thanks! This patch is perhaps still valid for kirkstone. For upgrading to 3.6.1 I already sent a patch yesterday [1] [1] https://lists.openembedded.org/g/openembedded-core/message/164210 > -=-=-=-=-=-=-=-=-=-=-=- > Links: You receive all messages sent to this group. > View/Reply Online (#164223): https://lists.openembedded.org/g/openembedded-core/message/164223 > Mute This Topic: https://lists.openembedded.org/mt/90393740/1997914 > Group Owner: openembedded-core+owner@lists.openembedded.org > Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [raj.khem@gmail.com] > -=-=-=-=-=-=-=-=-=-=-=- >
diff --git a/meta/recipes-extended/libarchive/libarchive/CVE-2022-26280.patch b/meta/recipes-extended/libarchive/libarchive/CVE-2022-26280.patch new file mode 100644 index 0000000000..c322e12274 --- /dev/null +++ b/meta/recipes-extended/libarchive/libarchive/CVE-2022-26280.patch @@ -0,0 +1,31 @@ +From cfaa28168a07ea4a53276b63068f94fce37d6aff Mon Sep 17 00:00:00 2001 +From: Tim Kientzle <kientzle@acm.org> +Date: Thu, 24 Mar 2022 10:35:00 +0100 +Subject: [PATCH] ZIP reader: fix possible out-of-bounds read in + zipx_lzma_alone_init() + +Fixes #1672 + +CVE: CVE-2022-26280 + +Upstream-Status: Backport +https://github.com/libarchive/libarchive/commit/cfaa28168a07ea4a53276b63068f94fce37d6aff + +Signed-off-by: Davide Gardenal <davide.gardenal@huawei.com> +--- + libarchive/archive_read_support_format_zip.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/libarchive/archive_read_support_format_zip.c b/libarchive/archive_read_support_format_zip.c +index 38ada70b5..9d6c900b2 100644 +--- a/libarchive/archive_read_support_format_zip.c ++++ b/libarchive/archive_read_support_format_zip.c +@@ -1667,7 +1667,7 @@ zipx_lzma_alone_init(struct archive_read *a, struct zip *zip) + */ + + /* Read magic1,magic2,lzma_params from the ZIPX stream. */ +- if((p = __archive_read_ahead(a, 9, NULL)) == NULL) { ++ if(zip->entry_bytes_remaining < 9 || (p = __archive_read_ahead(a, 9, NULL)) == NULL) { + archive_set_error(&a->archive, ARCHIVE_ERRNO_FILE_FORMAT, + "Truncated lzma data"); + return (ARCHIVE_FATAL); diff --git a/meta/recipes-extended/libarchive/libarchive_3.6.0.bb b/meta/recipes-extended/libarchive/libarchive_3.6.0.bb index f078c8ad03..16d6e2af2d 100644 --- a/meta/recipes-extended/libarchive/libarchive_3.6.0.bb +++ b/meta/recipes-extended/libarchive/libarchive_3.6.0.bb @@ -32,7 +32,9 @@ PACKAGECONFIG[zstd] = "--with-zstd,--without-zstd,zstd," EXTRA_OECONF += "--enable-largefile" -SRC_URI = "http://libarchive.org/downloads/libarchive-${PV}.tar.gz" +SRC_URI = "http://libarchive.org/downloads/libarchive-${PV}.tar.gz \ + file://CVE-2022-26280.patch" + UPSTREAM_CHECK_URI = "http://libarchive.org/" SRC_URI[sha256sum] = "a36613695ffa2905fdedc997b6df04a3006ccfd71d747a339b78aa8412c3d852"
Signed-off-by: Davide Gardenal <davide.gardenal@huawei.com> --- Update v2: Change title from [meta-oe] to [oe-core] --- .../libarchive/CVE-2022-26280.patch | 31 +++++++++++++++++++ .../libarchive/libarchive_3.6.0.bb | 4 ++- 2 files changed, 34 insertions(+), 1 deletion(-) create mode 100644 meta/recipes-extended/libarchive/libarchive/CVE-2022-26280.patch