Hello community,

here is the log from the commit of package libarchive for openSUSE:Factory checked in at 2017-09-09 20:23:28
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/libarchive (Old)
 and      /work/SRC/openSUSE:Factory/.libarchive.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "libarchive" Sat Sep 9 20:23:28 2017 rev:29 rq:521894 version:3.3.2 Changes: -------- --- /work/SRC/openSUSE:Factory/libarchive/libarchive.changes 2017-04-25 08:57:57.245075992 +0200 +++ /work/SRC/openSUSE:Factory/.libarchive.new/libarchive.changes 2017-09-09 20:23:36.730807049 +0200 @@ -1,0 +2,7 @@ +Thu Sep 7 07:05:15 UTC 2017 - [email protected] + +- update to version 3.3.2 + * NFSv4 ACL support for Linux (librichacl) +- fix-CVE-2017-14166.patch (boo#1057514) + +------------------------------------------------------------------- Old: ---- libarchive-3.3.1.tar.gz New: ---- fix-CVE-2017-14166.patch libarchive-3.3.2.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ libarchive.spec ++++++ --- /var/tmp/diff_new_pack.Ygy0tV/_old 2017-09-09 20:23:38.190601286 +0200 +++ /var/tmp/diff_new_pack.Ygy0tV/_new 2017-09-09 20:23:38.194600722 +0200 @@ -33,7 +33,7 @@ %define libname libarchive%{somajor} Name: libarchive -Version: 3.3.1 +Version: 3.3.2 Release: 0 Summary: Creates and reads several different streaming archive formats License: BSD-2-Clause @@ -41,6 +41,7 @@ Url: http://www.libarchive.org/ Source0: http://www.libarchive.org/downloads/libarchive-%{version}.tar.gz Source1: baselibs.conf +Patch1: fix-CVE-2017-14166.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRequires: libacl-devel BuildRequires: libbz2-devel @@ -161,6 +162,7 @@ %prep %setup -q +%patch1 -p1 %build %if !0%{?skip_autoreconf} ++++++ fix-CVE-2017-14166.patch ++++++ commit fa7438a0ff4033e4741c807394a9af6207940d71 Author: Joerg Sonnenberger <[email protected]> Date: Tue Sep 5 18:12:19 2017 +0200 Do something sensible for empty strings to make fuzzers happy. diff --git a/libarchive/archive_read_support_format_xar.c b/libarchive/archive_read_support_format_xar.c index 7a22beb9..93eeacc5 100644 --- a/libarchive/archive_read_support_format_xar.c +++ b/libarchive/archive_read_support_format_xar.c 
@@ -1040,6 +1040,9 @@ atol10(const char *p, size_t char_cnt) uint64_t l; int digit; + if (char_cnt == 0) + return (0); + l = 0; digit = *p - '0'; while (digit >= 0 && digit < 10 && char_cnt-- > 0) { @@ -1054,7 +1057,10 @@ atol8(const char *p, size_t char_cnt) { int64_t l; int digit; - + + if (char_cnt == 0) + return (0); + l = 0; while (char_cnt-- > 0) { if (*p >= '0' && *p <= '7') ++++++ libarchive-3.3.1.tar.gz -> libarchive-3.3.2.tar.gz ++++++ ++++ 31528 lines of diff (skipped)
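Review bot: in the atol10 hunk the early `return (0)` is the substantive fix, because the original code evaluates `digit = *p - '0'` before the loop condition ever tests `char_cnt-- > 0`, so a zero-length input dereferenced `*p` one byte beyond the characters the caller said were valid; a short comment above the new check saying that `p` must not be read when `char_cnt` is zero would record why the guard has to sit before the first read rather than inside the loop.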
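Review bot: in the atol8 hunk the new `if (char_cnt == 0) return (0);` is redundant with the existing `while (char_cnt-- > 0)` guard, which already prevents reading `*p` for a zero-length input and falls through with `l` still 0; keeping it for symmetry with atol10 is reasonable, but the hunk also swaps a removed line for an added one just before the check, which appears to be a whitespace-only change and would be better either mentioned in the commit message or dropped to keep the diff minimal.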
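Review bot: the `Patch1: fix-CVE-2017-14166.patch` line in libarchive.spec carries no comment recording the patch's origin; openSUSE spec files conventionally tag such lines, for example `# PATCH-FIX-UPSTREAM fix-CVE-2017-14166.patch boo#1057514 -- upstream commit fa7438a0ff4033e4741c807394a9af6207940d71`, so that the next maintainer knows the patch can be dropped once a release containing that commit is packaged. The accompanying `%patch1 -p1` in %prep is consistent with the `a/` and `b/` prefixes in the patch's `diff --git` header.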
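Review bot: the changelog entry `- fix-CVE-2017-14166.patch (boo#1057514)` names the patch but says nothing about what it fixes; a few words such as "handle empty strings in the xar reader's atol10/atol8 (upstream commit fa7438a0)" would let readers of libarchive.changes judge the impact of the update without opening the patch file.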
