Control: tags 859456 + patch Control: tags 859456 + pending Control: tags 861609 + pending Control: tags 874539 + pending
Dear maintainer, I've prepared an NMU for libarchive (versioned as 3.2.2-2.1) and uploaded it to DELAYED/5. Please feel free to tell me if I should delay it longer. Regards, Salvatore
diff -Nru libarchive-3.2.2/debian/changelog libarchive-3.2.2/debian/changelog
--- libarchive-3.2.2/debian/changelog 2017-04-03 22:20:05.000000000 +0200
+++ libarchive-3.2.2/debian/changelog 2017-09-09 09:09:35.000000000 +0200
@@ -1,3 +1,16 @@
+libarchive (3.2.2-2.1) unstable; urgency=medium
+
+ * Non-maintainer upload.
+ * archive_strncat_l(): allocate and do not convert if length == 0
+ (CVE-2016-10209) (Closes: #859456)
+ * Reread the CAB header skipping the self-extracting binary code
+ (CVE-2016-10349, CVE-2016-10350) (Closes: #861609)
+ * Do something sensible for empty strings to make fuzzers happy
+ (CVE-2017-14166)
+ Fixes heap-based buffer over-read in the atol8 function. (Closes: #874539)
+
+ -- Salvatore Bonaccorso <car...@debian.org> Sat, 09 Sep 2017 09:09:35 +0200
+
 libarchive (3.2.2-2) unstable; urgency=medium
 
  * Disable tests (Closes: #859455)
diff -Nru libarchive-3.2.2/debian/patches/Do-something-sensible-for-empty-strings-to-make-fuzz.patch libarchive-3.2.2/debian/patches/Do-something-sensible-for-empty-strings-to-make-fuzz.patch
--- libarchive-3.2.2/debian/patches/Do-something-sensible-for-empty-strings-to-make-fuzz.patch 1970-01-01 01:00:00.000000000 +0100
+++ libarchive-3.2.2/debian/patches/Do-something-sensible-for-empty-strings-to-make-fuzz.patch 2017-09-09 09:09:35.000000000 +0200
@@ -0,0 +1,41 @@
+From: Joerg Sonnenberger <jo...@bec.de>
+Date: Tue, 5 Sep 2017 18:12:19 +0200
+Subject: Do something sensible for empty strings to make fuzzers happy.
+Origin: https://github.com/libarchive/libarchive/commit/fa7438a0ff4033e4741c807394a9af6207940d71
+Bug-Debian: https://bugs.debian.org/874539
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-14166
+Bug: https://github.com/libarchive/libarchive/issues/935
+
+---
+ libarchive/archive_read_support_format_xar.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/libarchive/archive_read_support_format_xar.c b/libarchive/archive_read_support_format_xar.c
+index 7a22beb9..93eeacc5 100644
+--- a/libarchive/archive_read_support_format_xar.c
++++ b/libarchive/archive_read_support_format_xar.c
+@@ -1040,6 +1040,9 @@ atol10(const char *p, size_t char_cnt)
+ uint64_t l;
+ int digit;
+
++ if (char_cnt == 0)
++ return (0);
++
+ l = 0;
+ digit = *p - '0';
+ while (digit >= 0 && digit < 10 && char_cnt-- > 0) {
+@@ -1054,7 +1057,10 @@ atol8(const char *p, size_t char_cnt)
+ {
+ int64_t l;
+ int digit;
+-
++
++ if (char_cnt == 0)
++ return (0);
++
+ l = 0;
+ while (char_cnt-- > 0) {
+ if (*p >= '0' && *p <= '7')
+--
+2.14.1
+
diff -Nru libarchive-3.2.2/debian/patches/Reread-the-CAB-header-skipping-the-self-extracting-b.patch libarchive-3.2.2/debian/patches/Reread-the-CAB-header-skipping-the-self-extracting-b.patch
--- libarchive-3.2.2/debian/patches/Reread-the-CAB-header-skipping-the-self-extracting-b.patch 1970-01-01 01:00:00.000000000 +0100
+++ libarchive-3.2.2/debian/patches/Reread-the-CAB-header-skipping-the-self-extracting-b.patch 2017-09-09 09:09:35.000000000 +0200
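Review bot: The new `char_cnt == 0` guard in atol10 handles the empty span, but the line `digit = *p - '0';` still reads a byte before any count check, and the `while` condition tests `digit` before `char_cnt-- > 0`, so the count is consulted only after a byte has been consumed; the loop body is outside the hunk, but if it advances `p` and reads the next byte before the count is rechecked, as the condition order suggests, a fully numeric span of exactly `char_cnt` bytes reads one byte past its end, which is only safe while every caller passes a NUL-terminated buffer. atol8 tests `char_cnt-- > 0` first, so the two helpers disagree on shape; making atol10 count-first as well removes that read and lets the zero-length case fall out of the loop instead of needing a special case. Both functions start and end outside the hunk, so the rewrite below assumes the body only accumulates the digit and advances `p`.
```c
	l = 0;
	for (; char_cnt > 0; char_cnt--, p++) {
		digit = *p - '0';
		if (digit < 0 || digit > 9)
			break;
		l = (l * 10) + digit;
	}
```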
@@ -0,0 +1,39 @@
+From: Joerg Sonnenberger <jo...@bec.de>
+Date: Thu, 1 Dec 2016 19:56:43 +0100
+Subject: Reread the CAB header skipping the self-extracting binary code.
+Origin: https://github.com/libarchive/libarchive/commit/88eb9e1d73fef46f04677c25b1697b8e25777ed3
+Bug-Debian: https://bugs.debian.org/861609
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2016-10349
+Bug: https://github.com/libarchive/libarchive/issues/834
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2016-10350
+Bug: https://github.com/libarchive/libarchive/issues/835
+
+Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15 as found
+by the "OSS-Fuzz" project.
+---
+ libarchive/archive_read_support_format_cab.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/libarchive/archive_read_support_format_cab.c b/libarchive/archive_read_support_format_cab.c
+index fc70684a..099f4a83 100644
+--- a/libarchive/archive_read_support_format_cab.c
++++ b/libarchive/archive_read_support_format_cab.c
+@@ -645,12 +645,13 @@ cab_read_header(struct archive_read *a)
+ cab = (struct cab *)(a->format->data);
+ if (cab->found_header == 0 &&
+ p[0] == 'M' && p[1] == 'Z') {
+- /* This is an executable? Must be self-extracting... */
++ /* This is an executable? Must be self-extracting... */
+ err = cab_skip_sfx(a);
+ if (err < ARCHIVE_WARN)
+ return (err);
+
+- if ((p = __archive_read_ahead(a, sizeof(*p), NULL)) == NULL)
++ /* Re-read header after processing the SFX. */
++ if ((p = __archive_read_ahead(a, 42, NULL)) == NULL)
+ return (truncated_error(a));
+ }
+
+--
+2.14.1
+
diff -Nru libarchive-3.2.2/debian/patches/archive_strncat_l-allocate-and-do-not-convert-if-len.patch libarchive-3.2.2/debian/patches/archive_strncat_l-allocate-and-do-not-convert-if-len.patch
--- libarchive-3.2.2/debian/patches/archive_strncat_l-allocate-and-do-not-convert-if-len.patch 1970-01-01 01:00:00.000000000 +0100
+++ libarchive-3.2.2/debian/patches/archive_strncat_l-allocate-and-do-not-convert-if-len.patch 2017-09-09 09:09:35.000000000 +0200
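Review bot: The re-read after `cab_skip_sfx()` passes the bare literal `42` to `__archive_read_ahead(a, 42, NULL)`, and nothing in the hunk says what that number is; it is presumably the size of the fixed CFHEADER fields decoded afterwards, but a reader has to guess. If the initial header read earlier in `cab_read_header` (outside this hunk) uses the same literal, both should share one named constant so the two reads cannot drift apart; failing that, a comment on the new line such as `/* Need the full fixed CFHEADER, not just one byte, before decoding its fields. */` would do. Replacing `sizeof(*p)` (one byte) with the full header length is the substance of the fix, so it deserves that explanation. The other change in the hunk, to the "This is an executable?" comment line, appears to be whitespace-only and could be dropped to keep the backport minimal. cab_read_header starts and ends outside the hunk.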
@@ -0,0 +1,64 @@
+From: Martin Matuska <mar...@matuska.org>
+Date: Mon, 26 Dec 2016 22:23:24 +0100
+Subject: archive_strncat_l(): allocate and do not convert if length == 0
+Origin: https://github.com/libarchive/libarchive/commit/42a3408ac7df1e69bea9ea12b72e14f59f7400c0
+Bug-Debian: https://bugs.debian.org/859456
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2016-10209
+Bug: https://github.com/libarchive/libarchive/issues/842
+
+This ensures e.g. that archive_mstring_copy_mbs_len_l() does not set
+aes_set = AES_SET_MBS with aes_mbs.s == NULL.
+
+Resolves possible null-pointer dereference reported by OSS-Fuzz.
+
+Reported-By: OSS-Fuzz issue 286
+---
+ libarchive/archive_string.c | 16 +++++++++-------
+ 1 file changed, 9 insertions(+), 7 deletions(-)
+
+diff --git a/libarchive/archive_string.c b/libarchive/archive_string.c
+index 645570b2..bbb1e458 100644
+--- a/libarchive/archive_string.c
++++ b/libarchive/archive_string.c
+@@ -1939,12 +1939,19 @@ archive_strncat_l(struct archive_string *as, const void *_p, size_t n,
+ struct archive_string_conv *sc)
+ {
+ const void *s;
+- size_t length;
++ size_t length = 0;
+ int i, r = 0, r2;
+
++ if (_p != NULL && n > 0) {
++ if (sc != NULL && (sc->flag & SCONV_FROM_UTF16))
++ length = utf16nbytes(_p, n);
++ else
++ length = mbsnbytes(_p, n);
++ }
++
+ /* We must allocate memory even if there is no data for conversion
+ * or copy. This simulates archive_string_append behavior. */
+- if (_p == NULL || n == 0) {
++ if (length == 0) {
+ int tn = 1;
+ if (sc != NULL && (sc->flag & SCONV_TO_UTF16))
+ tn = 2;
+@@ -1960,16 +1967,11 @@ archive_strncat_l(struct archive_string *as, const void *_p, size_t n,
+ * If sc is NULL, we just make a copy.
+ */
++ if (sc == NULL) {
+- length = mbsnbytes(_p, n);
+ if (archive_string_append(as, _p, length) == NULL)
+ return (-1);/* No memory */
+ return (0);
+ }
+
+- if (sc->flag & SCONV_FROM_UTF16)
+- length = utf16nbytes(_p, n);
+- else
+- length = mbsnbytes(_p, n);
+ s = _p;
+ i = 0;
+ if (sc->nconverter > 1) {
+--
+2.14.1
+
diff -Nru libarchive-3.2.2/debian/patches/series libarchive-3.2.2/debian/patches/series
--- libarchive-3.2.2/debian/patches/series 2017-04-03 22:20:05.000000000 +0200
+++ libarchive-3.2.2/debian/patches/series 2017-09-09 09:09:35.000000000 +0200
@@ -1 +1,4 @@
 Fail-with-negative-lha-compsize-in-lha_read_file_header_1.patch
+archive_strncat_l-allocate-and-do-not-convert-if-len.patch
+Reread-the-CAB-header-skipping-the-self-extracting-b.patch
+Do-something-sensible-for-empty-strings-to-make-fuzz.patch
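Review bot: The comment kept above the early-return branch, `/* We must allocate memory even if there is no data for conversion * or copy. ... */`, still describes the old `_p == NULL || n == 0` test, whereas the new `length == 0` test is also taken when `n > 0` but the input starts with a terminator, assuming `mbsnbytes`/`utf16nbytes` stop there as their names suggest; that is the very case the patch description cares about (the string marked set with a non-NULL, empty buffer) and should be stated where the code is. I would extend it to `/* length == 0 covers _p == NULL, n == 0 and input that starts with a terminator: allocate the empty string so it counts as set, but convert nothing. */`. The `sc == NULL` copy path now reuses the precomputed `length`, which is the same `mbsnbytes(_p, n)` value it used to compute itself, so that part is behavior-neutral apart from the new early return. archive_strncat_l continues past the end of the second hunk.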