This doesn't apply to master, can you rebase. Ross
On 27 September 2017 at 05:25, Zhixiong Chi <[email protected]> wrote: > read_header in archive_read_support_format_rar.c suffers from an > off-by-one error for UTF-16 names in RAR archives, leading to an > out-of-bounds read in archive_read_format_rar_read_header. > Backport the patch from > https://github.com/libarchive/libarchive/commit > commit 5562545b5562f6d12a4ef991fae158bf4ccf92b6 > > CVE: CVE-2017-14502 > > Signed-off-by: Zhixiong Chi <[email protected]> > --- > .../libarchive/libarchive/CVE-2017-14502.patch | 35 > ++++++++++++++++++++++ > .../libarchive/libarchive_3.3.2.bb | 1 + > 2 files changed, 36 insertions(+) > create mode 100644 meta/recipes-extended/libarchive/libarchive/CVE- > 2017-14502.patch > > diff --git a/meta/recipes-extended/libarchive/libarchive/CVE-2017-14502.patch > b/meta/recipes-extended/libarchive/libarchive/CVE-2017-14502.patch > new file mode 100644 > index 0000000..442c671 > --- /dev/null > +++ b/meta/recipes-extended/libarchive/libarchive/CVE-2017-14502.patch > @@ -0,0 +1,35 @@ > +From 5562545b5562f6d12a4ef991fae158bf4ccf92b6 Mon Sep 17 00:00:00 2001 > +From: Joerg Sonnenberger <[email protected]> > +Date: Sat, 9 Sep 2017 17:47:32 +0200 > +Subject: [PATCH] Avoid a read off-by-one error for UTF16 names in RAR > + archives. > + > +Reported-By: OSS-Fuzz issue 573 > + > +CVE: CVE-2017-14502 > + > +Upstream-Status: Backport > +--- > + libarchive/archive_read_support_format_rar.c | 6 +++++- > + 1 file changed, 5 insertions(+), 1 deletion(-) > + > +diff --git a/libarchive/archive_read_support_format_rar.c > b/libarchive/archive_read_support_format_rar.c > +index cbb14c3..751de69 100644 > +--- a/libarchive/archive_read_support_format_rar.c > ++++ b/libarchive/archive_read_support_format_rar.c > +@@ -1496,7 +1496,11 @@ read_header(struct archive_read *a, struct > archive_entry *entry, > + return (ARCHIVE_FATAL); > + } > + filename[filename_size++] = '\0'; > +- filename[filename_size++] = '\0'; > ++ /* > ++ * Do not increment filename_size here as the computations below > ++ * add the space for the terminating NUL explicitly. > ++ */ > ++ filename[filename_size] = '\0'; > + > + /* Decoded unicode form is UTF-16BE, so we have to update a string > + * conversion object for it. */ > +-- > +1.9.1 > + > diff --git a/meta/recipes-extended/libarchive/libarchive_3.3.2.bb > b/meta/recipes-extended/libarchive/libarchive_3.3.2.bb > index 5c3895e..0196eb3 100644 > --- a/meta/recipes-extended/libarchive/libarchive_3.3.2.bb > +++ b/meta/recipes-extended/libarchive/libarchive_3.3.2.bb > @@ -32,6 +32,7 @@ PACKAGECONFIG[lz4] = "--with-lz4,--without-lz4,lz4," > EXTRA_OECONF += "--enable-largefile" > > SRC_URI = "http://libarchive.org/downloads/libarchive-${PV}.tar.gz \ > + file://CVE-2017-14502.patch \ > " > > SRC_URI[md5sum] = "4583bd6b2ebf7e0e8963d90879eb1b27" > -- > 1.9.1 > > -- > _______________________________________________ > Openembedded-core mailing list > [email protected] > http://lists.openembedded.org/mailman/listinfo/openembedded-core >
-- _______________________________________________ Openembedded-core mailing list [email protected] http://lists.openembedded.org/mailman/listinfo/openembedded-core
