aboutsummaryrefslogtreecommitdiff
path: root/gnu/packages/patches/libarchive-7zip-heap-overflow.patch
diff options
context:
space:
mode:
authorLeo Famulari <leo@famulari.name>2016-10-02 15:58:06 -0400
committerLeo Famulari <leo@famulari.name>2016-10-03 16:52:28 -0400
commitb38e97e03b92d54524953949934884828a1683c1 (patch)
treefde3b2a9c2c85a51a501ea92b785e7852fd4c102 /gnu/packages/patches/libarchive-7zip-heap-overflow.patch
parent85358aef8e80d810405916f571816bd028c245b8 (diff)
downloadguix-b38e97e03b92d54524953949934884828a1683c1.tar.gz
guix-b38e97e03b92d54524953949934884828a1683c1.zip
gnu: libarchive: Fix several security issues.
* gnu/packages/backup.scm (libarchive)[replacement]: New field. (libarchive/fixed): New variable. * gnu/packages/patches/libarchive-7zip-heap-overflow.patch, gnu/packages/patches/libarchive-fix-symlink-check.patch, gnu/packages/patches/libarchive-fix-filesystem-attacks.patch, gnu/packages/patches/libarchive-safe_fprintf-buffer-overflow.patch: New files. * gnu/local.mk (dist_patch_DATA): Add them.
Diffstat (limited to 'gnu/packages/patches/libarchive-7zip-heap-overflow.patch')
-rw-r--r--gnu/packages/patches/libarchive-7zip-heap-overflow.patch77
1 files changed, 77 insertions, 0 deletions
diff --git a/gnu/packages/patches/libarchive-7zip-heap-overflow.patch b/gnu/packages/patches/libarchive-7zip-heap-overflow.patch
new file mode 100644
index 0000000000..bef628f0a8
--- /dev/null
+++ b/gnu/packages/patches/libarchive-7zip-heap-overflow.patch
@@ -0,0 +1,77 @@
+Fix buffer overflow reading 7Zip files:
+
+https://github.com/libarchive/libarchive/issues/761
+
+Patch copied from upstream repository:
+
+https://github.com/libarchive/libarchive/commit/7f17c791dcfd8c0416e2cd2485b19410e47ef126
+
+From 7f17c791dcfd8c0416e2cd2485b19410e47ef126 Mon Sep 17 00:00:00 2001
+From: Tim Kientzle <kientzle@acm.org>
+Date: Sun, 18 Sep 2016 18:14:58 -0700
+Subject: [PATCH] Issue 761: Heap overflow reading corrupted 7Zip files
+
+The sample file that demonstrated this had multiple 'EmptyStream'
+attributes. The first one ended up being used to calculate
+certain statistics, then was overwritten by the second which
+was incompatible with those statistics.
+
+The fix here is to reject any header with multiple EmptyStream
+attributes. While here, also reject headers with multiple
+EmptyFile, AntiFile, Name, or Attributes markers.
+---
+ libarchive/archive_read_support_format_7zip.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/libarchive/archive_read_support_format_7zip.c b/libarchive/archive_read_support_format_7zip.c
+index 1dfe52b..c0a536c 100644
+--- a/libarchive/archive_read_support_format_7zip.c
++++ b/libarchive/archive_read_support_format_7zip.c
+@@ -2431,6 +2431,8 @@ read_Header(struct archive_read *a, struct _7z_header_info *h,
+
+ switch (type) {
+ case kEmptyStream:
++ if (h->emptyStreamBools != NULL)
++ return (-1);
+ h->emptyStreamBools = calloc((size_t)zip->numFiles,
+ sizeof(*h->emptyStreamBools));
+ if (h->emptyStreamBools == NULL)
+@@ -2451,6 +2453,8 @@ read_Header(struct archive_read *a, struct _7z_header_info *h,
+ return (-1);
+ break;
+ }
++ if (h->emptyFileBools != NULL)
++ return (-1);
+ h->emptyFileBools = calloc(empty_streams,
+ sizeof(*h->emptyFileBools));
+ if (h->emptyFileBools == NULL)
+@@ -2465,6 +2469,8 @@ read_Header(struct archive_read *a, struct _7z_header_info *h,
+ return (-1);
+ break;
+ }
++ if (h->antiBools != NULL)
++ return (-1);
+ h->antiBools = calloc(empty_streams,
+ sizeof(*h->antiBools));
+ if (h->antiBools == NULL)
+@@ -2491,6 +2497,8 @@ read_Header(struct archive_read *a, struct _7z_header_info *h,
+ if ((ll & 1) || ll < zip->numFiles * 4)
+ return (-1);
+
++ if (zip->entry_names != NULL)
++ return (-1);
+ zip->entry_names = malloc(ll);
+ if (zip->entry_names == NULL)
+ return (-1);
+@@ -2543,6 +2551,8 @@ read_Header(struct archive_read *a, struct _7z_header_info *h,
+ if ((p = header_bytes(a, 2)) == NULL)
+ return (-1);
+ allAreDefined = *p;
++ if (h->attrBools != NULL)
++ return (-1);
+ h->attrBools = calloc((size_t)zip->numFiles,
+ sizeof(*h->attrBools));
+ if (h->attrBools == NULL)
+--
+2.10.0
+