* [OE-core][zeus][PATCH] libarchive: CVE-2020-21674
@ 2020-10-19 8:57 Li Wang
0 siblings, 0 replies; only message in thread
From: Li Wang @ 2020-10-19 8:57 UTC (permalink / raw)
To: openembedded-core
Backport CVE patch from the upstream:
https://github.com/libarchive/libarchive/commit/4f085eea879e2be745f4d9bf57e8513ae48157f4
Signed-off-by: Li Wang <li.wang@windriver.com>
---
.../libarchive/CVE-2020-21674.patch | 57 +++++++++++++++++++
.../libarchive/libarchive_3.4.0.bb | 1 +
2 files changed, 58 insertions(+)
create mode 100644
meta/recipes-extended/libarchive/libarchive/CVE-2020-21674.patch
diff --git
a/meta/recipes-extended/libarchive/libarchive/CVE-2020-21674.patch
b/meta/recipes-extended/libarchive/libarchive/CVE-2020-21674.patch
new file mode 100644
index 0000000000..63b2a543bd
--- /dev/null
+++ b/meta/recipes-extended/libarchive/libarchive/CVE-2020-21674.patch
@@ -0,0 +1,57 @@
+From 4f085eea879e2be745f4d9bf57e8513ae48157f4 Mon Sep 17 00:00:00 2001
+From: Martin Matuska <martin@matuska.org>
+Date: Sat, 28 Dec 2019 22:58:08 +0100
+Subject: [PATCH] Fix a possible heap-buffer-overflow in
+ archive_string_append_from_wcs()
+
+When we grow the archive_string buffer, we have to make sure it fits
+at least one maximum-sized multibyte character in the current locale
+and the null character.
+
+Fixes #1298
+
+Upstream-Status: Backport
+CVE: CVE-2020-21674
+[https://github.com/libarchive/libarchive/commit/4f085eea879e2be745f4d9bf57e8513ae48157f4]
+Signed-off-by: Li Wang <li.wang@windriver.com>
+---
+ libarchive/archive_string.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/libarchive/archive_string.c b/libarchive/archive_string.c
+index 063f0f2..91ad9ce 100644
+--- a/libarchive/archive_string.c
++++ b/libarchive/archive_string.c
+@@ -75,6 +75,9 @@ __FBSDID("$FreeBSD:
head/lib/libarchive/archive_string.c 201095 2009-12-28 02:33
+ #define wmemmove(a,b,i) (wchar_t *)memmove((a), (b), (i) *
sizeof(wchar_t))
+ #endif
+
++#undef max
++#define max(a, b) ((a)>(b)?(a):(b))
++
+ struct archive_string_conv {
+ struct archive_string_conv *next;
+ char *from_charset;
+@@ -804,7 +807,8 @@ archive_string_append_from_wcs(struct
archive_string *as,
+ as->s[as->length] = '\0';
+ /* Re-allocate buffer for MBS. */
+ if (archive_string_ensure(as,
+- as->length + len * 2 + 1) == NULL)
++ as->length + max(len * 2,
++ (size_t)MB_CUR_MAX) + 1) == NULL)
+ return (-1);
+ p = as->s + as->length;
+ end = as->s + as->buffer_length - MB_CUR_MAX -1;
+@@ -3446,7 +3450,8 @@ strncat_from_utf8_libarchive2(struct
archive_string *as,
+ as->length = p - as->s;
+ /* Re-allocate buffer for MBS. */
+ if (archive_string_ensure(as,
+- as->length + len * 2 + 1) == NULL)
++ as->length + max(len * 2,
++ (size_t)MB_CUR_MAX) + 1) == NULL)
+ return (-1);
+ p = as->s + as->length;
+ end = as->s + as->buffer_length - MB_CUR_MAX -1;
+--
+2.17.1
+
diff --git a/meta/recipes-extended/libarchive/libarchive_3.4.0.bb
b/meta/recipes-extended/libarchive/libarchive_3.4.0.bb
index db45ccf654..e8d93bf0f9 100644
--- a/meta/recipes-extended/libarchive/libarchive_3.4.0.bb
+++ b/meta/recipes-extended/libarchive/libarchive_3.4.0.bb
@@ -34,6 +34,7 @@ EXTRA_OECONF += "--enable-largefile"
SRC_URI = "http://libarchive.org/downloads/libarchive-${PV}.tar.gz \
file://CVE-2019-19221.patch \
file://0001-RAR5-reader-reject-files-that-declare-invalid-header.patch \
+ file://CVE-2020-21674.patch \
"
SRC_URI[md5sum] = "6046396255bd7cf6d0f6603a9bda39ac"
--
2.17.1
^ permalink raw reply related [flat|nested] only message in thread
only message in thread, other threads:[~2020-10-19 8:57 UTC | newest]
Thread overview: (only message) (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2020-10-19 8:57 [OE-core][zeus][PATCH] libarchive: CVE-2020-21674 Li Wang
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox