On Mon, Sep 5, 2022 at 3:06 AM Ranjitsinh Rathod via lists.openembedded.org <[email protected]> wrote: > > Add patch to fix CVE-2021-23177 issue for libarchive > Link: > http://deb.debian.org/debian/pool/main/liba/libarchive/libarchive_3.4.3-2+deb11u1.debian.tar.xz
Fails to build with this patch: NOTE: Applying patch 'CVE-2021-23177.patch' (../meta/recipes-extended/libarchive/libarchive/CVE-2021-23177.patch) ERROR: Applying patch 'CVE-2021-23177.patch' on target directory 'TOPDIR/tmp/work/x86_64-linux/libarchive-native/3.4.2-r0/libarchive-3.4.2' Command Error: 'quilt --quiltrc TOPDIR/tmp/work/x86_64-linux/libarchive-native/3.4.2-r0/recipe-sysroot-native/etc/quiltrc push' exited with 0 Output: Applying patch CVE-2021-23177.patch patching file libarchive/archive_disk_acl_freebsd.c Hunk #1 succeeded at 319 with fuzz 1. Hunk #2 FAILED at 364. Hunk #3 FAILED at 542. Hunk #4 FAILED at 677. Hunk #5 FAILED at 693. 4 out of 5 hunks FAILED -- rejects in file libarchive/archive_disk_acl_freebsd.c patching file libarchive/archive_disk_acl_linux.c Hunk #1 FAILED at 343. Hunk #2 succeeded at 455 with fuzz 1. Hunk #3 FAILED at 488. Hunk #4 FAILED at 727. 3 out of 4 hunks FAILED -- rejects in file libarchive/archive_disk_acl_linux.c patching file libarchive/archive_disk_acl_sunos.c Hunk #1 succeeded at 443 with fuzz 1. Hunk #2 FAILED at 467. Hunk #3 FAILED at 492. Hunk #4 FAILED at 801. Hunk #5 FAILED at 810. 4 out of 5 hunks FAILED -- rejects in file libarchive/archive_disk_acl_sunos.c Patch CVE-2021-23177.patch does not apply (enforce with -f) DEBUG: Python function patch_do_patch finished DEBUG: Python function do_patch finished I'm going to drop both patches in the series and await a v2. Steve > Signed-off-by: Ranjitsinh Rathod <[email protected]> > --- > .../libarchive/CVE-2021-23177.patch | 183 ++++++++++++++++++ > .../libarchive/libarchive_3.4.2.bb | 1 + > 2 files changed, 184 insertions(+) > create mode 100644 > meta/recipes-extended/libarchive/libarchive/CVE-2021-23177.patch > > diff --git a/meta/recipes-extended/libarchive/libarchive/CVE-2021-23177.patch > b/meta/recipes-extended/libarchive/libarchive/CVE-2021-23177.patch > new file mode 100644 > index 0000000000..555c7a47f7 > --- /dev/null > +++ b/meta/recipes-extended/libarchive/libarchive/CVE-2021-23177.patch > @@ -0,0 +1,183 @@ > +Description: Fix handling of symbolic link ACLs > + Published as CVE-2021-23177 > +Origin: upstream, > https://github.com/libarchive/libarchive/commit/fba4f123cc456d2b2538f811bb831483bf336bad > +Bug-Debian: https://bugs.debian.org/1001986 > +Author: Martin Matuska <[email protected]> > +Last-Updated: 2021-12-20 > + > +CVE: CVE-2021-23177 > +Upstream-Status: Backport > [http://deb.debian.org/debian/pool/main/liba/libarchive/libarchive_3.4.3-2+deb11u1.debian.tar.xz] > +Signed-off-by: Ranjitsinh Rathod <[email protected]> > + > +--- a/libarchive/archive_disk_acl_freebsd.c > ++++ b/libarchive/archive_disk_acl_freebsd.c > +@@ -319,7 +319,7 @@ > + > + static int > + set_acl(struct archive *a, int fd, const char *name, > +- struct archive_acl *abstract_acl, > ++ struct archive_acl *abstract_acl, __LA_MODE_T mode, > + int ae_requested_type, const char *tname) > + { > + int acl_type = 0; > +@@ -364,6 +364,13 @@ > + return (ARCHIVE_FAILED); > + } > + > ++ if (acl_type == ACL_TYPE_DEFAULT && !S_ISDIR(mode)) { > ++ errno = EINVAL; > ++ archive_set_error(a, errno, > ++ "Cannot set default ACL on non-directory"); > ++ return (ARCHIVE_WARN); > ++ } > ++ > + acl = acl_init(entries); > + if (acl == (acl_t)NULL) { > + archive_set_error(a, errno, > +@@ -542,7 +549,10 @@ > + else if (acl_set_link_np(name, acl_type, acl) != 0) > + #else > + /* FreeBSD older than 8.0 */ > +- else if (acl_set_file(name, acl_type, acl) != 0) > ++ else if (S_ISLNK(mode)) { > ++ /* acl_set_file() follows symbolic links, skip */ > ++ ret = ARCHIVE_OK; > ++ } else if (acl_set_file(name, acl_type, acl) != 0) > + #endif > + { > + if (errno == EOPNOTSUPP) { > +@@ -677,14 +687,14 @@ > + & ARCHIVE_ENTRY_ACL_TYPE_POSIX1E) != 0) { > + if ((archive_acl_types(abstract_acl) > + & ARCHIVE_ENTRY_ACL_TYPE_ACCESS) != 0) { > +- ret = set_acl(a, fd, name, abstract_acl, > ++ ret = set_acl(a, fd, name, abstract_acl, mode, > + ARCHIVE_ENTRY_ACL_TYPE_ACCESS, "access"); > + if (ret != ARCHIVE_OK) > + return (ret); > + } > + if ((archive_acl_types(abstract_acl) > + & ARCHIVE_ENTRY_ACL_TYPE_DEFAULT) != 0) > +- ret = set_acl(a, fd, name, abstract_acl, > ++ ret = set_acl(a, fd, name, abstract_acl, mode, > + ARCHIVE_ENTRY_ACL_TYPE_DEFAULT, "default"); > + > + /* Simultaneous POSIX.1e and NFSv4 is not supported */ > +@@ -693,7 +703,7 @@ > + #if ARCHIVE_ACL_FREEBSD_NFS4 > + else if ((archive_acl_types(abstract_acl) & > + ARCHIVE_ENTRY_ACL_TYPE_NFS4) != 0) { > +- ret = set_acl(a, fd, name, abstract_acl, > ++ ret = set_acl(a, fd, name, abstract_acl, mode, > + ARCHIVE_ENTRY_ACL_TYPE_NFS4, "nfs4"); > + } > + #endif > +--- a/libarchive/archive_disk_acl_linux.c > ++++ b/libarchive/archive_disk_acl_linux.c > +@@ -343,6 +343,11 @@ > + return (ARCHIVE_FAILED); > + } > + > ++ if (S_ISLNK(mode)) { > ++ /* Linux does not support RichACLs on symbolic links */ > ++ return (ARCHIVE_OK); > ++ } > ++ > + richacl = richacl_alloc(entries); > + if (richacl == NULL) { > + archive_set_error(a, errno, > +@@ -455,7 +460,7 @@ > + #if ARCHIVE_ACL_LIBACL > + static int > + set_acl(struct archive *a, int fd, const char *name, > +- struct archive_acl *abstract_acl, > ++ struct archive_acl *abstract_acl, __LA_MODE_T mode, > + int ae_requested_type, const char *tname) > + { > + int acl_type = 0; > +@@ -488,6 +493,18 @@ > + return (ARCHIVE_FAILED); > + } > + > ++ if (S_ISLNK(mode)) { > ++ /* Linux does not support ACLs on symbolic links */ > ++ return (ARCHIVE_OK); > ++ } > ++ > ++ if (acl_type == ACL_TYPE_DEFAULT && !S_ISDIR(mode)) { > ++ errno = EINVAL; > ++ archive_set_error(a, errno, > ++ "Cannot set default ACL on non-directory"); > ++ return (ARCHIVE_WARN); > ++ } > ++ > + acl = acl_init(entries); > + if (acl == (acl_t)NULL) { > + archive_set_error(a, errno, > +@@ -727,14 +744,14 @@ > + & ARCHIVE_ENTRY_ACL_TYPE_POSIX1E) != 0) { > + if ((archive_acl_types(abstract_acl) > + & ARCHIVE_ENTRY_ACL_TYPE_ACCESS) != 0) { > +- ret = set_acl(a, fd, name, abstract_acl, > ++ ret = set_acl(a, fd, name, abstract_acl, mode, > + ARCHIVE_ENTRY_ACL_TYPE_ACCESS, "access"); > + if (ret != ARCHIVE_OK) > + return (ret); > + } > + if ((archive_acl_types(abstract_acl) > + & ARCHIVE_ENTRY_ACL_TYPE_DEFAULT) != 0) > +- ret = set_acl(a, fd, name, abstract_acl, > ++ ret = set_acl(a, fd, name, abstract_acl, mode, > + ARCHIVE_ENTRY_ACL_TYPE_DEFAULT, "default"); > + } > + #endif /* ARCHIVE_ACL_LIBACL */ > +--- a/libarchive/archive_disk_acl_sunos.c > ++++ b/libarchive/archive_disk_acl_sunos.c > +@@ -443,7 +443,7 @@ > + > + static int > + set_acl(struct archive *a, int fd, const char *name, > +- struct archive_acl *abstract_acl, > ++ struct archive_acl *abstract_acl, __LA_MODE_T mode, > + int ae_requested_type, const char *tname) > + { > + aclent_t *aclent; > +@@ -467,7 +467,6 @@ > + if (entries == 0) > + return (ARCHIVE_OK); > + > +- > + switch (ae_requested_type) { > + case ARCHIVE_ENTRY_ACL_TYPE_POSIX1E: > + cmd = SETACL; > +@@ -492,6 +491,12 @@ > + return (ARCHIVE_FAILED); > + } > + > ++ if (S_ISLNK(mode)) { > ++ /* Skip ACLs on symbolic links */ > ++ ret = ARCHIVE_OK; > ++ goto exit_free; > ++ } > ++ > + e = 0; > + > + while (archive_acl_next(a, abstract_acl, ae_requested_type, &ae_type, > +@@ -801,7 +806,7 @@ > + if ((archive_acl_types(abstract_acl) > + & ARCHIVE_ENTRY_ACL_TYPE_POSIX1E) != 0) { > + /* Solaris writes POSIX.1e access and default ACLs together */ > +- ret = set_acl(a, fd, name, abstract_acl, > ++ ret = set_acl(a, fd, name, abstract_acl, mode, > + ARCHIVE_ENTRY_ACL_TYPE_POSIX1E, "posix1e"); > + > + /* Simultaneous POSIX.1e and NFSv4 is not supported */ > +@@ -810,7 +815,7 @@ > + #if ARCHIVE_ACL_SUNOS_NFS4 > + else if ((archive_acl_types(abstract_acl) & > + ARCHIVE_ENTRY_ACL_TYPE_NFS4) != 0) { > +- ret = set_acl(a, fd, name, abstract_acl, > ++ ret = set_acl(a, fd, name, abstract_acl, mode, > + ARCHIVE_ENTRY_ACL_TYPE_NFS4, "nfs4"); > + } > + #endif > diff --git a/meta/recipes-extended/libarchive/libarchive_3.4.2.bb > b/meta/recipes-extended/libarchive/libarchive_3.4.2.bb > index b7426a1be8..d8ed80686b 100644 > --- a/meta/recipes-extended/libarchive/libarchive_3.4.2.bb > +++ b/meta/recipes-extended/libarchive/libarchive_3.4.2.bb > @@ -36,6 +36,7 @@ SRC_URI = > "http://libarchive.org/downloads/libarchive-${PV}.tar.gz \ > file://CVE-2021-36976-1.patch \ > file://CVE-2021-36976-2.patch \ > file://CVE-2021-36976-3.patch \ > + file://CVE-2021-23177.patch \ > " > > SRC_URI[md5sum] = "d953ed6b47694dadf0e6042f8f9ff451" > -- > 2.17.1 > > This message contains information that may be privileged or confidential and > is the property of the KPIT Technologies Ltd. It is intended only for the > person to whom it is addressed. If you are not the intended recipient, you > are not authorized to read, print, retain copy, disseminate, distribute, or > use this message or any part thereof. If you receive this message in error, > please notify the sender immediately and delete all copies of this message. > KPIT Technologies Ltd. does not accept any liability for virus infected mails. > > >
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#170367): https://lists.openembedded.org/g/openembedded-core/message/170367 Mute This Topic: https://lists.openembedded.org/mt/93477934/21656 Group Owner: [email protected] Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
