guix-commits
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

01/01: gnu: libarchive: Fix CVE-2016-1541.


From: Leo Famulari
Subject: 01/01: gnu: libarchive: Fix CVE-2016-1541.
Date: Thu, 12 May 2016 01:38:23 +0000 (UTC)

lfam pushed a commit to branch master
in repository guix.

commit e7806e6caad62e0bea6790271ac8db37f5168750
Author: Leo Famulari <address@hidden>
Date:   Tue May 10 16:15:06 2016 -0400

    gnu: libarchive: Fix CVE-2016-1541.
    
    * gnu/packages/backup.scm (libarchive)[replacement]: New field.
    (libarchive/fixed): New variable.
    * gnu/packages/patches/libarchive-CVE-2016-1541.patch: New file.
    * gnu/local.mk (dist_patch_DATA): Add it.
---
 gnu/local.mk                                       |    1 +
 gnu/packages/backup.scm                            |    9 +++
 .../patches/libarchive-CVE-2016-1541.patch         |   67 ++++++++++++++++++++
 3 files changed, 77 insertions(+)

diff --git a/gnu/local.mk b/gnu/local.mk
index 5462b43..871174b 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -573,6 +573,7 @@ dist_patch_DATA =                                           
\
   gnu/packages/patches/liba52-use-mtune-not-mcpu.patch         \
   gnu/packages/patches/libarchive-bsdtar-test.patch            \
   gnu/packages/patches/libarchive-CVE-2013-0211.patch          \
+  gnu/packages/patches/libarchive-CVE-2016-1541.patch          \
   gnu/packages/patches/libarchive-fix-lzo-test-case.patch      \
   gnu/packages/patches/libarchive-mtree-filename-length-fix.patch \
   gnu/packages/patches/libbonobo-activation-test-race.patch    \
diff --git a/gnu/packages/backup.scm b/gnu/packages/backup.scm
index a7b48f1..917bee7 100644
--- a/gnu/packages/backup.scm
+++ b/gnu/packages/backup.scm
@@ -136,6 +136,7 @@ backups (called chunks) to allow easy burning to CD/DVD.")
 (define-public libarchive
   (package
     (name "libarchive")
+    (replacement libarchive/fixed)
     (version "3.1.2")
     (source
      (origin
@@ -193,6 +194,14 @@ archive.  In particular, note that there is currently no 
built-in support for
 random access nor for in-place modification.")
     (license license:bsd-2)))
 
+(define libarchive/fixed
+  (package
+    (inherit libarchive)
+    (source (origin
+              (inherit (package-source libarchive))
+              (patches (cons (search-patch "libarchive-CVE-2016-1541.patch")
+                             (origin-patches (package-source libarchive))))))))
+
 (define-public rdup
   (package
     (name "rdup")
diff --git a/gnu/packages/patches/libarchive-CVE-2016-1541.patch 
b/gnu/packages/patches/libarchive-CVE-2016-1541.patch
new file mode 100644
index 0000000..6ac8773
--- /dev/null
+++ b/gnu/packages/patches/libarchive-CVE-2016-1541.patch
@@ -0,0 +1,67 @@
+Fix CVE-2016-1541 (buffer overflow zip_read_mac_metadata)
+
+Taken from upstream source repository:
+https://github.com/libarchive/libarchive/commit/d0331e8e5b05b475f20b1f3101fe1ad772d7e7e7
+
+When reading OS X metadata entries in Zip archives that were stored
+without compression, libarchive would use the uncompressed entry size
+to allocate a buffer but would use the compressed entry size to limit
+the amount of data copied into that buffer.  Since the compressed
+and uncompressed sizes are provided by data in the archive itself,
+an attacker could manipulate these values to write data beyond
+the end of the allocated buffer.
+
+This fix provides three new checks to guard against such
+manipulation and to make libarchive generally more robust when
+handling this type of entry:
+ 1. If an OS X metadata entry is stored without compression,
+    abort the entire archive if the compressed and uncompressed
+    data sizes do not match.
+ 2. When sanity-checking the size of an OS X metadata entry,
+    abort this entry if either the compressed or uncompressed
+    size is larger than 4MB.
+ 3. When copying data into the allocated buffer, check the copy
+    size against both the compressed entry size and uncompressed
+    entry size.
+---
+ libarchive/archive_read_support_format_zip.c | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+diff --git a/libarchive/archive_read_support_format_zip.c 
b/libarchive/archive_read_support_format_zip.c
+index 0f8262c..0a0be96 100644
+--- a/libarchive/archive_read_support_format_zip.c
++++ b/libarchive/archive_read_support_format_zip.c
+@@ -2778,6 +2778,11 @@ zip_read_mac_metadata(struct archive_read *a, struct 
archive_entry *entry,
+ 
+       switch(rsrc->compression) {
+       case 0:  /* No compression. */
++              if (rsrc->uncompressed_size != rsrc->compressed_size) {
++                      archive_set_error(&a->archive, 
ARCHIVE_ERRNO_FILE_FORMAT,
++                          "Malformed OS X metadata entry: inconsistent size");
++                      return (ARCHIVE_FATAL);
++              }
+ #ifdef HAVE_ZLIB_H
+       case 8: /* Deflate compression. */
+ #endif
+@@ -2798,6 +2803,12 @@ zip_read_mac_metadata(struct archive_read *a, struct 
archive_entry *entry,
+                   (intmax_t)rsrc->uncompressed_size);
+               return (ARCHIVE_WARN);
+       }
++      if (rsrc->compressed_size > (4 * 1024 * 1024)) {
++              archive_set_error(&a->archive, ARCHIVE_ERRNO_FILE_FORMAT,
++                  "Mac metadata is too large: %jd > 4M bytes",
++                  (intmax_t)rsrc->compressed_size);
++              return (ARCHIVE_WARN);
++      }
+ 
+       metadata = malloc((size_t)rsrc->uncompressed_size);
+       if (metadata == NULL) {
+@@ -2836,6 +2847,8 @@ zip_read_mac_metadata(struct archive_read *a, struct 
archive_entry *entry,
+                       bytes_avail = remaining_bytes;
+               switch(rsrc->compression) {
+               case 0:  /* No compression. */
++                      if ((size_t)bytes_avail > metadata_bytes)
++                              bytes_avail = metadata_bytes;
+                       memcpy(mp, p, bytes_avail);
+                       bytes_used = (size_t)bytes_avail;
+                       metadata_bytes -= bytes_used;



reply via email to

[Prev in Thread] Current Thread [Next in Thread]