Re: [kirkstone][oe-core][PATCH 1/1] libarchive: fix CVE-2022-36227 -- and langdale !

2022-12-06 Thread Steve Sakoman
On Tue, Dec 6, 2022 at 1:59 PM Randy MacLeod
 wrote:
>
> On 2022-12-06 17:16, Joe Slater wrote:
> > Import a patch from libarchive applied after release 3.6.1.
>
> Thanks Joe.
>
> Steve,
>
> This should apply to langdale as well.

"Should" :-)

It doesn't apply cleanly due to:
https://git.openembedded.org/openembedded-core-contrib/commit/?h=stable/langdale-nut&id=339055f5abc30ea5dc26184c94a2da39ed46a22f

But I'll tweak the patch and see what happens on the autobuilder.

Steve

> >
> > Signed-off-by: Joe Slater 
> > ---
> >   .../libarchive/cve-2022-36227.patch   | 48 +++
> >   .../libarchive/libarchive_3.6.1.bb|  4 +-
> >   2 files changed, 51 insertions(+), 1 deletion(-)
> >   create mode 100644 
> > meta/recipes-extended/libarchive/libarchive/cve-2022-36227.patch
> >
> > diff --git 
> > a/meta/recipes-extended/libarchive/libarchive/cve-2022-36227.patch 
> > b/meta/recipes-extended/libarchive/libarchive/cve-2022-36227.patch
> > new file mode 100644
> > index 00..4d13bf6492
> > --- /dev/null
> > +++ b/meta/recipes-extended/libarchive/libarchive/cve-2022-36227.patch
> > @@ -0,0 +1,48 @@
> > +From bff38efe8c110469c5080d387bec62a6ca15b1a5 Mon Sep 17 00:00:00 2001
> > +From: obiwac 
> > +Date: Fri, 22 Jul 2022 22:41:10 +0200
> > +Subject: [PATCH] libarchive: Handle a `calloc` returning NULL (fixes #1754)
> > +
> > +---
> > + libarchive/archive_write.c | 8 
> > + 1 file changed, 8 insertions(+)
> > +
> > +---
> > +CVE: CVE-2022-36227
> > +
> > +Source-Repo: https://github.com/libarchive/libarchive.git
> > +
> > +Upstream-Status: Backport [bff38efe8c... unmodified]
> > +
> > +Signed-off-by: Joe Slater 
> > +
> > +---
> > +diff --git a/libarchive/archive_write.c b/libarchive/archive_write.c
> > +index 66592e82..27626b54 100644
> > +--- a/libarchive/archive_write.c
> >  b/libarchive/archive_write.c
> > +@@ -201,6 +201,10 @@ __archive_write_allocate_filter(struct archive *_a)
> > + struct archive_write_filter *f;
> > +
> > + f = calloc(1, sizeof(*f));
> > ++
> > ++if (f == NULL)
> > ++return (NULL);
> > ++
> > + f->archive = _a;
> > + f->state = ARCHIVE_WRITE_FILTER_STATE_NEW;
> > + if (a->filter_first == NULL)
> > +@@ -548,6 +552,10 @@ archive_write_open2(struct archive *_a, void 
> > *client_data,
> > + a->client_data = client_data;
> > +
> > + client_filter = __archive_write_allocate_filter(_a);
> > ++
> > ++if (client_filter == NULL)
> > ++return (ARCHIVE_FATAL);
> > ++
> > + client_filter->open = archive_write_client_open;
> > + client_filter->write = archive_write_client_write;
> > + client_filter->close = archive_write_client_close;
> > +--
> > +2.38.1
> > +
> > diff --git a/meta/recipes-extended/libarchive/libarchive_3.6.1.bb 
> > b/meta/recipes-extended/libarchive/libarchive_3.6.1.bb
> > index c795b41628..8213940ad3 100644
> > --- a/meta/recipes-extended/libarchive/libarchive_3.6.1.bb
> > +++ b/meta/recipes-extended/libarchive/libarchive_3.6.1.bb
> > @@ -32,7 +32,9 @@ PACKAGECONFIG[zstd] = "--with-zstd,--without-zstd,zstd,"
> >
> >   EXTRA_OECONF += "--enable-largefile"
> >
> > -SRC_URI = "http://libarchive.org/downloads/libarchive-${PV}.tar.gz;
> > +SRC_URI = "http://libarchive.org/downloads/libarchive-${PV}.tar.gz \
> > +   file://cve-2022-36227.patch"
> > +
> >   UPSTREAM_CHECK_URI = "http://libarchive.org/;
> >
> >   SRC_URI[sha256sum] = 
> > "c676146577d989189940f1959d9e3980d28513d74eedfbc6b7f15ea45fe54ee2"
>
>
> --
> # Randy MacLeod
> # Wind River Linux
>

-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#174337): 
https://lists.openembedded.org/g/openembedded-core/message/174337
Mute This Topic: https://lists.openembedded.org/mt/95506216/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-



Re: [kirkstone][oe-core][PATCH 1/1] libarchive: fix CVE-2022-36227 -- and langdale !

2022-12-06 Thread Randy MacLeod

On 2022-12-06 17:16, Joe Slater wrote:

Import a patch from libarchive applied after release 3.6.1.


Thanks Joe.

Steve,

This should apply to langdale as well.

../Randy




Signed-off-by: Joe Slater 
---
  .../libarchive/cve-2022-36227.patch   | 48 +++
  .../libarchive/libarchive_3.6.1.bb|  4 +-
  2 files changed, 51 insertions(+), 1 deletion(-)
  create mode 100644 
meta/recipes-extended/libarchive/libarchive/cve-2022-36227.patch

diff --git a/meta/recipes-extended/libarchive/libarchive/cve-2022-36227.patch 
b/meta/recipes-extended/libarchive/libarchive/cve-2022-36227.patch
new file mode 100644
index 00..4d13bf6492
--- /dev/null
+++ b/meta/recipes-extended/libarchive/libarchive/cve-2022-36227.patch
@@ -0,0 +1,48 @@
+From bff38efe8c110469c5080d387bec62a6ca15b1a5 Mon Sep 17 00:00:00 2001
+From: obiwac 
+Date: Fri, 22 Jul 2022 22:41:10 +0200
+Subject: [PATCH] libarchive: Handle a `calloc` returning NULL (fixes #1754)
+
+---
+ libarchive/archive_write.c | 8 
+ 1 file changed, 8 insertions(+)
+
+---
+CVE: CVE-2022-36227
+
+Source-Repo: https://github.com/libarchive/libarchive.git
+
+Upstream-Status: Backport [bff38efe8c... unmodified]
+
+Signed-off-by: Joe Slater 
+
+---
+diff --git a/libarchive/archive_write.c b/libarchive/archive_write.c
+index 66592e82..27626b54 100644
+--- a/libarchive/archive_write.c
 b/libarchive/archive_write.c
+@@ -201,6 +201,10 @@ __archive_write_allocate_filter(struct archive *_a)
+   struct archive_write_filter *f;
+
+   f = calloc(1, sizeof(*f));
++
++  if (f == NULL)
++  return (NULL);
++
+   f->archive = _a;
+   f->state = ARCHIVE_WRITE_FILTER_STATE_NEW;
+   if (a->filter_first == NULL)
+@@ -548,6 +552,10 @@ archive_write_open2(struct archive *_a, void *client_data,
+   a->client_data = client_data;
+
+   client_filter = __archive_write_allocate_filter(_a);
++
++  if (client_filter == NULL)
++  return (ARCHIVE_FATAL);
++
+   client_filter->open = archive_write_client_open;
+   client_filter->write = archive_write_client_write;
+   client_filter->close = archive_write_client_close;
+--
+2.38.1
+
diff --git a/meta/recipes-extended/libarchive/libarchive_3.6.1.bb 
b/meta/recipes-extended/libarchive/libarchive_3.6.1.bb
index c795b41628..8213940ad3 100644
--- a/meta/recipes-extended/libarchive/libarchive_3.6.1.bb
+++ b/meta/recipes-extended/libarchive/libarchive_3.6.1.bb
@@ -32,7 +32,9 @@ PACKAGECONFIG[zstd] = "--with-zstd,--without-zstd,zstd,"
  
  EXTRA_OECONF += "--enable-largefile"
  
-SRC_URI = "http://libarchive.org/downloads/libarchive-${PV}.tar.gz;

+SRC_URI = "http://libarchive.org/downloads/libarchive-${PV}.tar.gz \
+   file://cve-2022-36227.patch"
+
  UPSTREAM_CHECK_URI = "http://libarchive.org/;
  
  SRC_URI[sha256sum] = "c676146577d989189940f1959d9e3980d28513d74eedfbc6b7f15ea45fe54ee2"



--
# Randy MacLeod
# Wind River Linux


View/Reply Online (#174336): https://lists.openembedded.org/g/openembedded-core/message/174336



[kirkstone][oe-core][PATCH 1/1] libarchive: fix CVE-2022-36227

2022-12-06 Thread Joe Slater
Import a patch from libarchive applied after release 3.6.1.

Signed-off-by: Joe Slater 
---
 .../libarchive/cve-2022-36227.patch   | 48 +++
 .../libarchive/libarchive_3.6.1.bb|  4 +-
 2 files changed, 51 insertions(+), 1 deletion(-)
 create mode 100644 
meta/recipes-extended/libarchive/libarchive/cve-2022-36227.patch

diff --git a/meta/recipes-extended/libarchive/libarchive/cve-2022-36227.patch 
b/meta/recipes-extended/libarchive/libarchive/cve-2022-36227.patch
new file mode 100644
index 00..4d13bf6492
--- /dev/null
+++ b/meta/recipes-extended/libarchive/libarchive/cve-2022-36227.patch
@@ -0,0 +1,48 @@
+From bff38efe8c110469c5080d387bec62a6ca15b1a5 Mon Sep 17 00:00:00 2001
+From: obiwac 
+Date: Fri, 22 Jul 2022 22:41:10 +0200
+Subject: [PATCH] libarchive: Handle a `calloc` returning NULL (fixes #1754)
+
+---
+ libarchive/archive_write.c | 8 
+ 1 file changed, 8 insertions(+)
+
+---
+CVE: CVE-2022-36227
+
+Source-Repo: https://github.com/libarchive/libarchive.git
+
+Upstream-Status: Backport [bff38efe8c... unmodified]
+
+Signed-off-by: Joe Slater 
+
+---
+diff --git a/libarchive/archive_write.c b/libarchive/archive_write.c
+index 66592e82..27626b54 100644
+--- a/libarchive/archive_write.c
 b/libarchive/archive_write.c
+@@ -201,6 +201,10 @@ __archive_write_allocate_filter(struct archive *_a)
+   struct archive_write_filter *f;
+ 
+   f = calloc(1, sizeof(*f));
++
++  if (f == NULL)
++  return (NULL);
++
+   f->archive = _a;
+   f->state = ARCHIVE_WRITE_FILTER_STATE_NEW;
+   if (a->filter_first == NULL)
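Review bot: this hunk changes the contract of `__archive_write_allocate_filter()` so that it can now return NULL, but only the single caller in `archive_write_open2()` (next hunk) is taught to check for it. Any other call site that does `f = __archive_write_allocate_filter(_a);` and then dereferences `f` without a check keeps the same NULL dereference that CVE-2022-36227 describes, just one frame higher. Before this lands in kirkstone/langdale it is worth grepping the 3.6.1 tree for the remaining callers and either confirming they already handle NULL or stating in the patch header that this backport only covers the `archive_write_open2()` path.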
+@@ -548,6 +552,10 @@ archive_write_open2(struct archive *_a, void *client_data,
+   a->client_data = client_data;
+ 
+   client_filter = __archive_write_allocate_filter(_a);
++
++  if (client_filter == NULL)
++  return (ARCHIVE_FATAL);
++
+   client_filter->open = archive_write_client_open;
+   client_filter->write = archive_write_client_write;
+   client_filter->close = archive_write_client_close;
+-- 
+2.38.1
+
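Review bot: the early `return (ARCHIVE_FATAL);` in `archive_write_open2()` reports the failure without recording why: nothing calls `archive_set_error()` first, so a caller that checks `archive_error_string()` or `archive_errno()` after the failed open gets no ENOMEM diagnostic. The usual libarchive form is `archive_set_error(&a->archive, ENOMEM, "Can't allocate filter");` immediately before the return. Because the header tags this as `Backport [bff38efe8c... unmodified]`, that addition belongs in a separate follow-up (or upstream) rather than being folded into this patch. One header nit: `CVE:`, `Source-Repo:` and `Upstream-Status:` sit after the first `---` separator, which `git mailinfo`/`git am` treats as the end of the commit message; the OE tooling still finds them by scanning the file, but placing them in the body above the `---` is the conventional layout.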
diff --git a/meta/recipes-extended/libarchive/libarchive_3.6.1.bb 
b/meta/recipes-extended/libarchive/libarchive_3.6.1.bb
index c795b41628..8213940ad3 100644
--- a/meta/recipes-extended/libarchive/libarchive_3.6.1.bb
+++ b/meta/recipes-extended/libarchive/libarchive_3.6.1.bb
@@ -32,7 +32,9 @@ PACKAGECONFIG[zstd] = "--with-zstd,--without-zstd,zstd,"
 
 EXTRA_OECONF += "--enable-largefile"
 
-SRC_URI = "http://libarchive.org/downloads/libarchive-${PV}.tar.gz;
+SRC_URI = "http://libarchive.org/downloads/libarchive-${PV}.tar.gz \
+   file://cve-2022-36227.patch"
+
 UPSTREAM_CHECK_URI = "http://libarchive.org/;
 
 SRC_URI[sha256sum] = 
"c676146577d989189940f1959d9e3980d28513d74eedfbc6b7f15ea45fe54ee2"
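Review bot: two cosmetic points on the recipe hunk. The `file://` continuation is indented by three spaces rather than aligned under the first `SRC_URI` entry, and the hunk adds a stray blank line between `SRC_URI` and `UPSTREAM_CHECK_URI`; neither affects the build, but both are avoidable churn in a stable-branch backport. Most CVE backports in oe-core name the patch file `CVE-2022-36227.patch` (upper-case); cve-check recognises either a CVE-style file name or the `CVE:` tag inside the patch, so this is naming consistency only, but it is cheap to match before the patch lands.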
-- 
2.38.1


View/Reply Online (#174333): https://lists.openembedded.org/g/openembedded-core/message/174333