From patchwork Mon Jan 6 19:53:07 2020
X-Patchwork-Submitter: Pierre-Jean Texier
X-Patchwork-Id: 1218436
From: Pierre-Jean Texier
To: buildroot@buildroot.org
Cc: Pierre-Jean Texier
Date: Mon, 6 Jan 2020 20:53:07 +0100
Message-Id: <1578340387-11194-1-git-send-email-pjtexier@koncepto.io>
Subject: [Buildroot] [PATCH] libarchive: security bump to version 3.4.1

Fixes the following security vulnerabilities:

- CVE-2019-19221: In Libarchive 3.4.0, archive_wstring_append_from_mbs in archive_string.c has an out-of-bounds read because of an incorrect mbrtowc or mbtowc call. For example, bsdtar crashes via a crafted archive.

And adds various security fixes. For details, see:
https://github.com/libarchive/libarchive/releases/tag/v3.4.1

Also remove upstreamed patch.

Signed-off-by: Pierre-Jean Texier
---
 .../0001-Unbreak-compilation-without-zlib.patch | 167 ---------------------
 package/libarchive/libarchive.hash              |   4 +-
 package/libarchive/libarchive.mk                |   2 +-
 3 files changed, 3 insertions(+), 170 deletions(-)
 delete mode 100644 package/libarchive/0001-Unbreak-compilation-without-zlib.patch

diff --git a/package/libarchive/0001-Unbreak-compilation-without-zlib.patch b/package/libarchive/0001-Unbreak-compilation-without-zlib.patch
deleted file mode 100644
index b4da520..0000000
--- a/package/libarchive/0001-Unbreak-compilation-without-zlib.patch
+++ /dev/null
@@ -1,167 +0,0 @@ -From 64333cef68d7bcc67bef6ecf177fbeaa549b9139 Mon Sep 17 00:00:00 2001 -From: Martin Matuska -Date: Sat, 29 Jun 2019 00:20:58 +0200 -Subject: [PATCH] Unbreak compilation without zlib - -Fixes #1214 - -Signed-off-by: Baruch Siach ---- -Upstream status: commit 64333cef68d7 - - libarchive/archive_read_support_filter_gzip.c | 54 ++++++++++++------- - libarchive/test/test_read_format_raw.c | 4 ++ - 2 files changed, 39 insertions(+), 19 deletions(-) - -diff --git a/libarchive/archive_read_support_filter_gzip.c b/libarchive/archive_read_support_filter_gzip.c -index 458b6f729164..9fa9e2b0ddb8 100644 ---- a/libarchive/archive_read_support_filter_gzip.c -+++ b/libarchive/archive_read_support_filter_gzip.c -@@ -131,12 +131,20 @@ archive_read_support_filter_gzip(struct archive *_a) - */ - static ssize_t - peek_at_header(struct archive_read_filter *filter, int *pbits, -- struct private_data *state) -+#ifdef HAVE_ZLIB_H -+ struct private_data *state -+#else -+ void *state -+#endif -+ ) - { - const unsigned char *p; - ssize_t avail, len; - int bits = 0; - int header_flags; -+#ifndef HAVE_ZLIB_H -+ (void)state; /* UNUSED */ -+#endif - - /* Start by looking at the first ten bytes of the header, which - * is all fixed layout. */ -@@ -153,8 +161,10 @@ peek_at_header(struct archive_read_filter *filter, int *pbits, - bits += 3; - header_flags = p[3]; - /* Bytes 4-7 are mod time in little endian. */ -+#ifdef HAVE_ZLIB_H - if (state) - state->mtime = archive_le32dec(p + 4); -+#endif - /* Byte 8 is deflate flags. */ - /* XXXX TODO: return deflate flags back to consume_header for use - in initializing the decompressor. */ -@@ -171,7 +181,9 @@ peek_at_header(struct archive_read_filter *filter, int *pbits, - - /* Null-terminated optional filename. 
*/ - if (header_flags & 8) { -+#ifdef HAVE_ZLIB_H - ssize_t file_start = len; -+#endif - do { - ++len; - if (avail < len) -@@ -181,11 +193,13 @@ peek_at_header(struct archive_read_filter *filter, int *pbits, - return (0); - } while (p[len - 1] != 0); - -+#ifdef HAVE_ZLIB_H - if (state) { - /* Reset the name in case of repeat header reads. */ - free(state->name); - state->name = strdup((const char *)&p[file_start]); - } -+#endif - } - - /* Null-terminated optional comment. */ -@@ -236,24 +250,6 @@ gzip_bidder_bid(struct archive_read_filter_bidder *self, - return (0); - } - --static int --gzip_read_header(struct archive_read_filter *self, struct archive_entry *entry) --{ -- struct private_data *state; -- -- state = (struct private_data *)self->data; -- -- /* A mtime of 0 is considered invalid/missing. */ -- if (state->mtime != 0) -- archive_entry_set_mtime(entry, state->mtime, 0); -- -- /* If the name is available, extract it. */ -- if (state->name) -- archive_entry_set_pathname(entry, state->name); -- -- return (ARCHIVE_OK); --} -- - #ifndef HAVE_ZLIB_H - - /* -@@ -277,6 +273,24 @@ gzip_bidder_init(struct archive_read_filter *self) - - #else - -+static int -+gzip_read_header(struct archive_read_filter *self, struct archive_entry *entry) -+{ -+ struct private_data *state; -+ -+ state = (struct private_data *)self->data; -+ -+ /* A mtime of 0 is considered invalid/missing. */ -+ if (state->mtime != 0) -+ archive_entry_set_mtime(entry, state->mtime, 0); -+ -+ /* If the name is available, extract it. */ -+ if (state->name) -+ archive_entry_set_pathname(entry, state->name); -+ -+ return (ARCHIVE_OK); -+} -+ - /* - * Initialize the filter object. - */ -@@ -306,7 +320,9 @@ gzip_bidder_init(struct archive_read_filter *self) - self->read = gzip_filter_read; - self->skip = NULL; /* not supported */ - self->close = gzip_filter_close; -+#ifdef HAVE_ZLIB_H - self->read_header = gzip_read_header; -+#endif - - state->in_stream = 0; /* We're not actually within a stream yet. 
*/ - -diff --git a/libarchive/test/test_read_format_raw.c b/libarchive/test/test_read_format_raw.c -index 0dac8bfbab4a..3961723b48a1 100644 ---- a/libarchive/test/test_read_format_raw.c -+++ b/libarchive/test/test_read_format_raw.c -@@ -36,7 +36,9 @@ DEFINE_TEST(test_read_format_raw) - const char *reffile1 = "test_read_format_raw.data"; - const char *reffile2 = "test_read_format_raw.data.Z"; - const char *reffile3 = "test_read_format_raw.bufr"; -+#ifdef HAVE_ZLIB_H - const char *reffile4 = "test_read_format_raw.data.gz"; -+#endif - - /* First, try pulling data out of an uninterpretable file. */ - extract_reference_file(reffile1); -@@ -119,6 +121,7 @@ DEFINE_TEST(test_read_format_raw) - assertEqualIntA(a, ARCHIVE_OK, archive_read_close(a)); - assertEqualInt(ARCHIVE_OK, archive_read_free(a)); - -+#ifdef HAVE_ZLIB_H - /* Fourth, try with gzip which has metadata. */ - extract_reference_file(reffile4); - assert((a = archive_read_new()) != NULL); -@@ -144,4 +147,5 @@ DEFINE_TEST(test_read_format_raw) - assertEqualIntA(a, ARCHIVE_EOF, archive_read_next_header(a, &ae)); - assertEqualIntA(a, ARCHIVE_OK, archive_read_close(a)); - assertEqualInt(ARCHIVE_OK, archive_read_free(a)); -+#endif - } --- -2.20.1 - diff --git a/package/libarchive/libarchive.hash b/package/libarchive/libarchive.hash index 04c5777..b01d636 100644 --- a/package/libarchive/libarchive.hash +++ b/package/libarchive/libarchive.hash @@ -1,4 +1,4 @@ -# From https://www.libarchive.de/downloads/libarchive-3.4.0.tar.gz.sums.txt -sha256 8643d50ed40c759f5412a3af4e353cffbce4fdf3b5cf321cb72cacf06b2d825e libarchive-3.4.0.tar.gz +# From https://www.libarchive.de/downloads/sha256sums +sha256 fcf87f3ad8db2e4f74f32526dee62dd1fb9894782b0a503a89c9d7a70a235191 libarchive-3.4.1.tar.gz # Locally computed: sha256 e1e3d4ba9d0b0ccba333b5f5539f7c6c9a3ef3d57a96cd165d2c45eaa1cd026d COPYING diff --git a/package/libarchive/libarchive.mk b/package/libarchive/libarchive.mk index ccda183..e256b72 100644 
--- a/package/libarchive/libarchive.mk +++ b/package/libarchive/libarchive.mk @@ -4,7 +4,7 @@ # ################################################################################ -LIBARCHIVE_VERSION = 3.4.0 +LIBARCHIVE_VERSION = 3.4.1 LIBARCHIVE_SITE = https://www.libarchive.de/downloads LIBARCHIVE_INSTALL_STAGING = YES LIBARCHIVE_LICENSE = BSD-2-Clause, BSD-3-Clause, CC0-1.0, OpenSSL, Apache-2.0
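Review bot: the deletion of 0001-Unbreak-compilation-without-zlib.patch is justified in the commit message only by "Also remove upstreamed patch", and the deleted file's own header records nothing more precise than "Upstream status: commit 64333cef68d7"; neither states that this commit is actually contained in the 3.4.1 tarball rather than only in libarchive master. Please say in the commit message which release carries 64333cef68d7, or note that a build of 3.4.1 with zlib disabled (the configuration the dropped patch fixed, via the HAVE_ZLIB_H guards in archive_read_support_filter_gzip.c) was test-built, so the next person does not have to re-derive it.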
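Review bot: in the libarchive.hash hunk the provenance comment changes from the per-release libarchive-3.4.0.tar.gz.sums.txt file to https://www.libarchive.de/downloads/sha256sums, a sums file served from the same host as the tarball itself (LIBARCHIVE_SITE = https://www.libarchive.de/downloads). A hash copied from the download host only detects transfer corruption; it gives no protection if that mirror is substituted or compromised. Cross-check fcf87f3ad8db2e4f74f32526dee62dd1fb9894782b0a503a89c9d7a70a235191 against the tarball published on the v3.4.1 GitHub release page the commit message already links, and record in the comment that this was done.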
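Review bot: the libarchive.mk hunk is the bare LIBARCHIVE_VERSION = 3.4.1 bump, so everything that makes this a "security bump" has to live in the commit message, and there only CVE-2019-19221 is named while "And adds various security fixes" points at the release notes for the rest. Buildroot security bumps are expected to list every fixed CVE by identifier so that the change is searchable; either enumerate the other fixes from the linked v3.4.1 release notes or drop the "various security fixes" sentence rather than leave it unspecified.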
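The out-of-bounds read the commit message attributes to CVE-2019-19221 is a multibyte-to-wide conversion loop that hands mbrtowc() a byte count which is not the number of bytes left in the input. The C below is added here as an illustration of that bug class and is not libarchive's archive_wstring_append_from_mbs or the fix that went into 3.4.1: it shows the vulnerable shape (byte count taken from the free output capacity) next to a loop bounded by the remaining input that also handles the (size_t)-1 invalid-sequence and (size_t)-2 truncated-sequence returns, run over constructed length-delimited inputs. The locale names tried by select_utf8_locale() are assumptions about the host; in the plain "C" locale every byte is one character and the truncated-sequence case cannot occur.

```c
#include <locale.h>
#include <stddef.h>
#include <string.h>
#include <wchar.h>

/* The bug class named in the commit message, in its simplest shape: the byte
 * count handed to mbrtowc() is taken from the wrong quantity (here the free
 * output capacity), so a multibyte sequence that straddles the end of the
 * input makes mbrtowc() read bytes beyond mbs + mbs_len. Illustration only,
 * not libarchive's code; never call this on untrusted data. */
size_t mbs_to_wcs_unbounded_BUGGY(const char *mbs, size_t mbs_len,
                                  wchar_t *wcs, size_t wcs_cap)
{
    mbstate_t state;
    size_t consumed = 0, produced = 0;

    memset(&state, 0, sizeof state);
    while (consumed < mbs_len && produced < wcs_cap) {
        size_t r = mbrtowc(&wcs[produced], mbs + consumed,
                           wcs_cap - produced, /* BUG: not the remaining input */
                           &state);
        if (r == (size_t)-1 || r == (size_t)-2)
            return (size_t)-1;
        consumed += (r == 0) ? 1 : r;
        produced++;
    }
    return produced;
}

/* Hardened form: convert a length-delimited (not necessarily NUL-terminated)
 * buffer. Every mbrtowc() call is bounded by mbs_len - consumed, the bytes
 * that really remain, and output space is checked before each write.
 * Returns the number of wide characters produced, or (size_t)-1 on an
 * invalid sequence, a sequence cut off by the end of input, or no room. */
size_t mbs_to_wcs_bounded(const char *mbs, size_t mbs_len,
                          wchar_t *wcs, size_t wcs_cap)
{
    mbstate_t state;
    size_t consumed = 0, produced = 0;

    memset(&state, 0, sizeof state);
    while (consumed < mbs_len) {
        size_t r;
        if (produced >= wcs_cap)
            return (size_t)-1;            /* no room for another wchar_t */
        r = mbrtowc(&wcs[produced], mbs + consumed, mbs_len - consumed, &state);
        if (r == (size_t)-1)
            return (size_t)-1;            /* invalid sequence */
        if (r == (size_t)-2)
            return (size_t)-1;            /* sequence runs past end of input */
        consumed += (r == 0) ? 1 : r;     /* r == 0: an embedded NUL, one byte */
        produced++;
    }
    return produced;
}

/* Try to select a UTF-8 locale so multibyte sequences exist. Assumed names. */
int select_utf8_locale(void)
{
    const char *names[] = { "C.UTF-8", "C.utf8", "en_US.UTF-8", "en_US.utf8" };
    size_t i;
    for (i = 0; i < sizeof names / sizeof names[0]; i++)
        if (setlocale(LC_CTYPE, names[i]) != NULL)
            return 1;
    return 0;
}

/* Constructed sample: "abc" followed by a byte that must never be read. */
size_t demo_length_delimited(void)
{
    const char buf[] = { 'a', 'b', 'c', 'Z' };
    wchar_t out[8];
    size_t n = mbs_to_wcs_bounded(buf, 3, out, 8);
    if (n != 3 || out[0] != L'a' || out[2] != L'c')
        return 0;
    return n;
}

/* Output buffer too small: must report failure rather than write past it. */
size_t demo_output_overflow(void)
{
    wchar_t out[2];
    return mbs_to_wcs_bounded("abcd", 4, out, 2);
}

/* Constructed sample "a" + U+00E9 (UTF-8 bytes C3 A9). Returns 2 when no
 * UTF-8 locale is available, 1 when the full input converts to two
 * characters and the input cut after the C3 lead byte is rejected without
 * touching buf[2], 0 otherwise. */
int demo_utf8_boundary(void)
{
    const char buf[] = { 'a', (char)0xC3, (char)0xA9 };
    wchar_t out[4];

    if (!select_utf8_locale())
        return 2;
    if (mbs_to_wcs_bounded(buf, 3, out, 4) != 2 || out[1] != (wchar_t)0xE9)
        return 0;
    if (mbs_to_wcs_bounded(buf, 2, out, 4) != (size_t)-1)
        return 0;
    return 1;
}
```

The check that matters is the third argument to mbrtowc(): it must be derived from the input length, and a (size_t)-2 result must be treated as an error for length-delimited data such as archive entry names, because "need more bytes" can only be satisfied by reading past the buffer.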