Hello community, here is the log from the commit of package libarchive for openSUSE:Factory checked in at 2019-02-08 13:47:20 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/libarchive (Old) and /work/SRC/openSUSE:Factory/.libarchive.new.28833 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "libarchive" Fri Feb 8 13:47:20 2019 rev:33 rq:671920 version:3.3.3 Changes: -------- --- /work/SRC/openSUSE:Factory/libarchive/libarchive.changes 2019-01-11 13:59:54.188137427 +0100 +++ /work/SRC/openSUSE:Factory/.libarchive.new.28833/libarchive.changes 2019-02-08 13:47:23.846798028 +0100 @@ -1,0 +2,7 @@ +Tue Feb 5 15:16:08 UTC 2019 - Adrian Schröter <[email protected]> + +- Added patches: + * CVE-2019-1000019.patch Fixes 7zip crash (boo#1124341) + * CVE-2019-1000020.patch ISO9660 infinite loop fixed (boo#1124342) + +------------------------------------------------------------------- New: ---- CVE-2019-1000019.patch CVE-2019-1000020.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ libarchive.spec ++++++ --- /var/tmp/diff_new_pack.rr7201/_old 2019-02-08 13:47:25.034797658 +0100 +++ /var/tmp/diff_new_pack.rr7201/_new 2019-02-08 13:47:25.038797657 +0100 @@ -43,6 +43,8 @@ Patch1: CVE-2018-1000878.patch Patch2: CVE-2018-1000879.patch Patch3: CVE-2018-1000880.patch +Patch4: CVE-2019-1000019.patch +Patch5: CVE-2019-1000020.patch BuildRequires: libacl-devel BuildRequires: libbz2-devel BuildRequires: libtool @@ -164,6 +166,8 @@ %patch1 -p1 %patch2 -p1 %patch3 -p1 +%patch4 -p1 +%patch5 -p1 %build %if !0%{?skip_autoreconf} ++++++ CVE-2018-1000879.patch ++++++ --- /var/tmp/diff_new_pack.rr7201/_old 2019-02-08 13:47:25.074797646 +0100 +++ /var/tmp/diff_new_pack.rr7201/_new 2019-02-08 13:47:25.074797646 +0100 @@ -25,11 +25,11 @@ libarchive/archive_acl.c | 5 +++++ 1 file changed, 5 insertions(+) -diff --git a/libarchive/archive_acl.c b/libarchive/archive_acl.c -index 512beee1f..7beeee86e 100644 ---- a/libarchive/archive_acl.c -+++ b/libarchive/archive_acl.c -@@ -1723,6 +1723,11 @@ archive_acl_from_text_l(struct archive_acl *acl, const char *text, +Index: libarchive-3.3.3/libarchive/archive_acl.c +=================================================================== +--- libarchive-3.3.3.orig/libarchive/archive_acl.c ++++ libarchive-3.3.3/libarchive/archive_acl.c +@@ -1707,6 +1707,11 @@ archive_acl_from_text_l(struct archive_a st = field[n].start + 1; len = field[n].end - field[n].start; ++++++ CVE-2019-1000019.patch ++++++ commit 65a23f5dbee4497064e9bb467f81138a62b0dae1 Author: Daniel Axtens <[email protected]> Date: Tue Jan 1 16:01:40 2019 +1100 7zip: fix crash when parsing certain archives Fuzzing with CRCs disabled revealed that a call to get_uncompressed_data() would sometimes fail to return at least 'minimum' bytes. This can cause the crc32() invocation in header_bytes to read off into invalid memory. A specially crafted archive can use this to cause a crash. An ASAN trace is below, but ASAN is not required - an uninstrumented binary will also crash. ==7719==ERROR: AddressSanitizer: SEGV on unknown address 0x631000040000 (pc 0x7fbdb3b3ec1d bp 0x7ffe77a51310 sp 0x7ffe77a51150 T0) ==7719==The signal is caused by a READ memory access. #0 0x7fbdb3b3ec1c in crc32_z (/lib/x86_64-linux-gnu/libz.so.1+0x2c1c) #1 0x84f5eb in header_bytes (/tmp/libarchive/bsdtar+0x84f5eb) #2 0x856156 in read_Header (/tmp/libarchive/bsdtar+0x856156) #3 0x84e134 in slurp_central_directory (/tmp/libarchive/bsdtar+0x84e134) #4 0x849690 in archive_read_format_7zip_read_header (/tmp/libarchive/bsdtar+0x849690) #5 0x5713b7 in _archive_read_next_header2 (/tmp/libarchive/bsdtar+0x5713b7) #6 0x570e63 in _archive_read_next_header (/tmp/libarchive/bsdtar+0x570e63) #7 0x6f08bd in archive_read_next_header (/tmp/libarchive/bsdtar+0x6f08bd) #8 0x52373f in read_archive (/tmp/libarchive/bsdtar+0x52373f) #9 0x5257be in tar_mode_x (/tmp/libarchive/bsdtar+0x5257be) #10 0x51daeb in main (/tmp/libarchive/bsdtar+0x51daeb) #11 0x7fbdb27cab96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310 #12 0x41dd09 in _start (/tmp/libarchive/bsdtar+0x41dd09) This was primarly done with afl and FairFuzz. Some early corpus entries may have been generated by qsym. diff --git a/libarchive/archive_read_support_format_7zip.c b/libarchive/archive_read_support_format_7zip.c index bccbf896..b6d1505d 100644 --- a/libarchive/archive_read_support_format_7zip.c +++ b/libarchive/archive_read_support_format_7zip.c @@ -2964,13 +2964,7 @@ get_uncompressed_data(struct archive_read *a, const void **buff, size_t size, if (zip->codec == _7Z_COPY && zip->codec2 == (unsigned long)-1) { /* Copy mode. */ - /* - * Note: '1' here is a performance optimization. - * Recall that the decompression layer returns a count of - * available bytes; asking for more than that forces the - * decompressor to combine reads by copying data. - */ - *buff = __archive_read_ahead(a, 1, &bytes_avail); + *buff = __archive_read_ahead(a, minimum, &bytes_avail); if (bytes_avail <= 0) { archive_set_error(&a->archive, ARCHIVE_ERRNO_FILE_FORMAT, ++++++ CVE-2019-1000020.patch ++++++ commit 8312eaa576014cd9b965012af51bc1f967b12423 Author: Daniel Axtens <[email protected]> Date: Tue Jan 1 17:10:49 2019 +1100 iso9660: Fail when expected Rockridge extensions is missing A corrupted or malicious ISO9660 image can cause read_CE() to loop forever. read_CE() calls parse_rockridge(), expecting a Rockridge extension to be read. However, parse_rockridge() is structured as a while loop starting with a sanity check, and if the sanity check fails before the loop has run, the function returns ARCHIVE_OK without advancing the position in the file. This causes read_CE() to retry indefinitely. Make parse_rockridge() return ARCHIVE_WARN if it didn't read an extension. As someone with no real knowledge of the format, this seems more apt than ARCHIVE_FATAL, but both the call-sites escalate it to a fatal error immediately anyway. Found with a combination of AFL, afl-rb (FairFuzz) and qsym. diff --git a/libarchive/archive_read_support_format_iso9660.c b/libarchive/archive_read_support_format_iso9660.c index 28acfefb..bad8f1df 100644 --- a/libarchive/archive_read_support_format_iso9660.c +++ b/libarchive/archive_read_support_format_iso9660.c @@ -2102,6 +2102,7 @@ parse_rockridge(struct archive_read *a, struct file_info *file, const unsigned char *p, const unsigned char *end) { struct iso9660 *iso9660; + int entry_seen = 0; iso9660 = (struct iso9660 *)(a->format->data); @@ -2257,8 +2258,16 @@ parse_rockridge(struct archive_read *a, struct file_info *file, } p += p[2]; + entry_seen = 1; + } + + if (entry_seen) + return (ARCHIVE_OK); + else { + archive_set_error(&a->archive, ARCHIVE_ERRNO_FILE_FORMAT, + "Tried to parse Rockridge extensions, but none found"); + return (ARCHIVE_WARN); } - return (ARCHIVE_OK); } static int
