Fix CVE-2018-1000880:

https://bugs.launchpad.net/ubuntu/+source/libarchive/+bug/1794909
https://github.com/libarchive/libarchive/pull/1105
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000880
https://security-tracker.debian.org/tracker/CVE-2018-1000880

Patch copied from upstream source repository:

https://github.com/libarchive/libarchive/commit/9c84b7426660c09c18cc349f6d70b5f8168b5680

From 9c84b7426660c09c18cc349f6d70b5f8168b5680 Mon Sep 17 00:00:00 2001
From: Daniel Axtens
Date: Tue, 4 Dec 2018 16:33:42 +1100
Subject: [PATCH] warc: consume data once read

The warc decoder only used read ahead, it wouldn't actually consume
data that had previously been printed.

This means that if you specify an invalid content length, it will
just reprint the same data over and over and over again until it
hits the desired length.

This means that a WARC resource with e.g.
Content-Length: 666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666665
but only a few hundred bytes of data, causes a quasi-infinite loop.

Consume data in subsequent calls to _warc_read.

Found with an AFL + afl-rb + qsym setup.
---
 libarchive/archive_read_support_format_warc.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/libarchive/archive_read_support_format_warc.c b/libarchive/archive_read_support_format_warc.c
index e8753853..e8fc8428 100644
--- a/libarchive/archive_read_support_format_warc.c
+++ b/libarchive/archive_read_support_format_warc.c
@@ -386,6 +386,11 @@ _warc_read(struct archive_read *a, const void **buf, size_t *bsz, int64_t *off)
 		return (ARCHIVE_EOF);
 	}
 
+	if (w->unconsumed) {
+		__archive_read_consume(a, w->unconsumed);
+		w->unconsumed = 0U;
+	}
+
 	rab = __archive_read_ahead(a, 1U, &nrd);
 	if (nrd < 0) {
 		*bsz = 0U;
-- 
2.20.1
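Review bot: the hunk shows only the consume side of the fix; nothing in it assigns `w->unconsumed`, so confirm that the code later in `_warc_read` stores the number of bytes handed back through `*bsz` into that field and that the field starts at zero when the format state is allocated, otherwise this block is a no-op and the reprint loop described in the commit message persists. Deferring `__archive_read_consume` to the next call is the right shape, since the read-ahead buffer returned to the caller must stay valid until then, but the same leftover must also be drained on the skip path (entries the caller never reads), or it will be consumed against the following record's header instead of its own body. The diffstat shows only the source file changed; a regression test with a record whose Content-Length exceeds its payload (the commit message's own reproduction) would pin the fix so that the read now terminates with a short read or EOF instead of looping.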