Re: [kirkstone][oe-core][PATCH 1/1] libarchive: fix CVE-2022-36227 -- and langdale !
On Tue, Dec 6, 2022 at 1:59 PM Randy MacLeod wrote: > > On 2022-12-06 17:16, Joe Slater wrote: > > Import a patch from libarchive applied after release 3.6.1. > > Thanks Joe. > > Steve, > > This should apply to langdale as well. "Should" :-) It doesn't apply cleanly due to: https://git.openembedded.org/openembedded-core-contrib/commit/?h=stable/langdale-nut=339055f5abc30ea5dc26184c94a2da39ed46a22f But I'll tweak the patch and see what happens on the autobuilder. Steve > > > > Signed-off-by: Joe Slater > > --- > > .../libarchive/cve-2022-36227.patch | 48 +++ > > .../libarchive/libarchive_3.6.1.bb| 4 +- > > 2 files changed, 51 insertions(+), 1 deletion(-) > > create mode 100644 > > meta/recipes-extended/libarchive/libarchive/cve-2022-36227.patch > > > > diff --git > > a/meta/recipes-extended/libarchive/libarchive/cve-2022-36227.patch > > b/meta/recipes-extended/libarchive/libarchive/cve-2022-36227.patch > > new file mode 100644 > > index 00..4d13bf6492 > > --- /dev/null > > +++ b/meta/recipes-extended/libarchive/libarchive/cve-2022-36227.patch > > @@ -0,0 +1,48 @@ > > +From bff38efe8c110469c5080d387bec62a6ca15b1a5 Mon Sep 17 00:00:00 2001 > > +From: obiwac > > +Date: Fri, 22 Jul 2022 22:41:10 +0200 > > +Subject: [PATCH] libarchive: Handle a `calloc` returning NULL (fixes #1754) > > + > > +--- > > + libarchive/archive_write.c | 8 > > + 1 file changed, 8 insertions(+) > > + > > +--- > > +CVE: CVE-2022-36227 > > + > > +Source-Repo: https://github.com/libarchive/libarchive.git > > + > > +Upstream-Status: Backport [bff38efe8c... unmodified] > > + > > +Signed-off-by: Joe Slater > > + > > +--- > > +diff --git a/libarchive/archive_write.c b/libarchive/archive_write.c > > +index 66592e82..27626b54 100644 > > +--- a/libarchive/archive_write.c > > b/libarchive/archive_write.c > > +@@ -201,6 +201,10 @@ __archive_write_allocate_filter(struct archive *_a) > > + struct archive_write_filter *f; > > + > > + f = calloc(1, sizeof(*f)); > > ++ > > ++if (f == NULL) > > ++return (NULL); > > ++ > > + f->archive = _a; > > + f->state = ARCHIVE_WRITE_FILTER_STATE_NEW; > > + if (a->filter_first == NULL) > > +@@ -548,6 +552,10 @@ archive_write_open2(struct archive *_a, void > > *client_data, > > + a->client_data = client_data; > > + > > + client_filter = __archive_write_allocate_filter(_a); > > ++ > > ++if (client_filter == NULL) > > ++return (ARCHIVE_FATAL); > > ++ > > + client_filter->open = archive_write_client_open; > > + client_filter->write = archive_write_client_write; > > + client_filter->close = archive_write_client_close; > > +-- > > +2.38.1 > > + > > diff --git a/meta/recipes-extended/libarchive/libarchive_3.6.1.bb > > b/meta/recipes-extended/libarchive/libarchive_3.6.1.bb > > index c795b41628..8213940ad3 100644 > > --- a/meta/recipes-extended/libarchive/libarchive_3.6.1.bb > > +++ b/meta/recipes-extended/libarchive/libarchive_3.6.1.bb > > @@ -32,7 +32,9 @@ PACKAGECONFIG[zstd] = "--with-zstd,--without-zstd,zstd," > > > > EXTRA_OECONF += "--enable-largefile" > > > > -SRC_URI = "http://libarchive.org/downloads/libarchive-${PV}.tar.gz; > > +SRC_URI = "http://libarchive.org/downloads/libarchive-${PV}.tar.gz \ > > + file://cve-2022-36227.patch" > > + > > UPSTREAM_CHECK_URI = "http://libarchive.org/; > > > > SRC_URI[sha256sum] = > > "c676146577d989189940f1959d9e3980d28513d74eedfbc6b7f15ea45fe54ee2" > > > -- > # Randy MacLeod > # Wind River Linux > -=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#174337): https://lists.openembedded.org/g/openembedded-core/message/174337 Mute This Topic: https://lists.openembedded.org/mt/95506216/21656 Group Owner: openembedded-core+ow...@lists.openembedded.org Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
Re: [kirkstone][oe-core][PATCH 1/1] libarchive: fix CVE-2022-36227 -- and langdale !
On 2022-12-06 17:16, Joe Slater wrote: Import a patch from libarchive applied after release 3.6.1. Thanks Joe. Steve, This should apply to langdale as well. ../Randy Signed-off-by: Joe Slater --- .../libarchive/cve-2022-36227.patch | 48 +++ .../libarchive/libarchive_3.6.1.bb| 4 +- 2 files changed, 51 insertions(+), 1 deletion(-) create mode 100644 meta/recipes-extended/libarchive/libarchive/cve-2022-36227.patch diff --git a/meta/recipes-extended/libarchive/libarchive/cve-2022-36227.patch b/meta/recipes-extended/libarchive/libarchive/cve-2022-36227.patch new file mode 100644 index 00..4d13bf6492 --- /dev/null +++ b/meta/recipes-extended/libarchive/libarchive/cve-2022-36227.patch @@ -0,0 +1,48 @@ +From bff38efe8c110469c5080d387bec62a6ca15b1a5 Mon Sep 17 00:00:00 2001 +From: obiwac +Date: Fri, 22 Jul 2022 22:41:10 +0200 +Subject: [PATCH] libarchive: Handle a `calloc` returning NULL (fixes #1754) + +--- + libarchive/archive_write.c | 8 + 1 file changed, 8 insertions(+) + +--- +CVE: CVE-2022-36227 + +Source-Repo: https://github.com/libarchive/libarchive.git + +Upstream-Status: Backport [bff38efe8c... unmodified] + +Signed-off-by: Joe Slater + +--- +diff --git a/libarchive/archive_write.c b/libarchive/archive_write.c +index 66592e82..27626b54 100644 +--- a/libarchive/archive_write.c b/libarchive/archive_write.c +@@ -201,6 +201,10 @@ __archive_write_allocate_filter(struct archive *_a) + struct archive_write_filter *f; + + f = calloc(1, sizeof(*f)); ++ ++ if (f == NULL) ++ return (NULL); ++ + f->archive = _a; + f->state = ARCHIVE_WRITE_FILTER_STATE_NEW; + if (a->filter_first == NULL) +@@ -548,6 +552,10 @@ archive_write_open2(struct archive *_a, void *client_data, + a->client_data = client_data; + + client_filter = __archive_write_allocate_filter(_a); ++ ++ if (client_filter == NULL) ++ return (ARCHIVE_FATAL); ++ + client_filter->open = archive_write_client_open; + client_filter->write = archive_write_client_write; + client_filter->close = archive_write_client_close; +-- +2.38.1 + diff --git a/meta/recipes-extended/libarchive/libarchive_3.6.1.bb b/meta/recipes-extended/libarchive/libarchive_3.6.1.bb index c795b41628..8213940ad3 100644 --- a/meta/recipes-extended/libarchive/libarchive_3.6.1.bb +++ b/meta/recipes-extended/libarchive/libarchive_3.6.1.bb @@ -32,7 +32,9 @@ PACKAGECONFIG[zstd] = "--with-zstd,--without-zstd,zstd," EXTRA_OECONF += "--enable-largefile" -SRC_URI = "http://libarchive.org/downloads/libarchive-${PV}.tar.gz; +SRC_URI = "http://libarchive.org/downloads/libarchive-${PV}.tar.gz \ + file://cve-2022-36227.patch" + UPSTREAM_CHECK_URI = "http://libarchive.org/; SRC_URI[sha256sum] = "c676146577d989189940f1959d9e3980d28513d74eedfbc6b7f15ea45fe54ee2" -- # Randy MacLeod # Wind River Linux -=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#174336): https://lists.openembedded.org/g/openembedded-core/message/174336 Mute This Topic: https://lists.openembedded.org/mt/95506216/21656 Group Owner: openembedded-core+ow...@lists.openembedded.org Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
[kirkstone][oe-core][PATCH 1/1] libarchive: fix CVE-2022-36227
Import a patch from libarchive applied after release 3.6.1. Signed-off-by: Joe Slater --- .../libarchive/cve-2022-36227.patch | 48 +++ .../libarchive/libarchive_3.6.1.bb| 4 +- 2 files changed, 51 insertions(+), 1 deletion(-) create mode 100644 meta/recipes-extended/libarchive/libarchive/cve-2022-36227.patch diff --git a/meta/recipes-extended/libarchive/libarchive/cve-2022-36227.patch b/meta/recipes-extended/libarchive/libarchive/cve-2022-36227.patch new file mode 100644 index 00..4d13bf6492 --- /dev/null +++ b/meta/recipes-extended/libarchive/libarchive/cve-2022-36227.patch @@ -0,0 +1,48 @@ +From bff38efe8c110469c5080d387bec62a6ca15b1a5 Mon Sep 17 00:00:00 2001 +From: obiwac +Date: Fri, 22 Jul 2022 22:41:10 +0200 +Subject: [PATCH] libarchive: Handle a `calloc` returning NULL (fixes #1754) + +--- + libarchive/archive_write.c | 8 + 1 file changed, 8 insertions(+) + +--- +CVE: CVE-2022-36227 + +Source-Repo: https://github.com/libarchive/libarchive.git + +Upstream-Status: Backport [bff38efe8c... unmodified] + +Signed-off-by: Joe Slater + +--- +diff --git a/libarchive/archive_write.c b/libarchive/archive_write.c +index 66592e82..27626b54 100644 +--- a/libarchive/archive_write.c b/libarchive/archive_write.c +@@ -201,6 +201,10 @@ __archive_write_allocate_filter(struct archive *_a) + struct archive_write_filter *f; + + f = calloc(1, sizeof(*f)); ++ ++ if (f == NULL) ++ return (NULL); ++ + f->archive = _a; + f->state = ARCHIVE_WRITE_FILTER_STATE_NEW; + if (a->filter_first == NULL) +@@ -548,6 +552,10 @@ archive_write_open2(struct archive *_a, void *client_data, + a->client_data = client_data; + + client_filter = __archive_write_allocate_filter(_a); ++ ++ if (client_filter == NULL) ++ return (ARCHIVE_FATAL); ++ + client_filter->open = archive_write_client_open; + client_filter->write = archive_write_client_write; + client_filter->close = archive_write_client_close; +-- +2.38.1 + diff --git a/meta/recipes-extended/libarchive/libarchive_3.6.1.bb b/meta/recipes-extended/libarchive/libarchive_3.6.1.bb index c795b41628..8213940ad3 100644 --- a/meta/recipes-extended/libarchive/libarchive_3.6.1.bb +++ b/meta/recipes-extended/libarchive/libarchive_3.6.1.bb @@ -32,7 +32,9 @@ PACKAGECONFIG[zstd] = "--with-zstd,--without-zstd,zstd," EXTRA_OECONF += "--enable-largefile" -SRC_URI = "http://libarchive.org/downloads/libarchive-${PV}.tar.gz; +SRC_URI = "http://libarchive.org/downloads/libarchive-${PV}.tar.gz \ + file://cve-2022-36227.patch" + UPSTREAM_CHECK_URI = "http://libarchive.org/; SRC_URI[sha256sum] = "c676146577d989189940f1959d9e3980d28513d74eedfbc6b7f15ea45fe54ee2" -- 2.38.1 -=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#174333): https://lists.openembedded.org/g/openembedded-core/message/174333 Mute This Topic: https://lists.openembedded.org/mt/95504330/21656 Group Owner: openembedded-core+ow...@lists.openembedded.org Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-