packages/libarchive
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

fix CVE-2021-36976

Browse Source
This commit is contained in:
yangcheng1203 2021-10-14 11:41:56 +08:00
parent 6ba6d2b029
commit 593efec69a
2 changed files with 65 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

57
backport-CVE-2021-36976.patch Normal file
View File

@ -0,0 +1,57 @@
From a7ce8a6aa7b710986ab918761c8d2ff1b0e9f537 Mon Sep 17 00:00:00 2001
From: Samanta Navarro <ferivoz@riseup.net>
Date: Sat, 28 Aug 2021 11:58:00 +0000
Subject: [PATCH] Fix size_t cast in read_mac_metadata_blob
The size_t data type on 32 bit systems is smaller than int64_t. Check
the int64_t value before casting to size_t. If the value is too large
then stop operation instead of continuing operation with truncated
value.
---
libarchive/archive_read_support_format_tar.c | 12 +++++++++---
1 file changed, 9 insertions(+), 3 deletions(-)
diff --git a/libarchive/archive_read_support_format_tar.c b/libarchive/archive_read_support_format_tar.c
index 96d8101..7290df0 100644
--- a/libarchive/archive_read_support_format_tar.c
+++ b/libarchive/archive_read_support_format_tar.c
@@ -1396,6 +1396,7 @@ read_mac_metadata_blob(struct archive_read *a, struct tar *tar,
struct archive_entry *entry, const void *h, size_t *unconsumed)
{
int64_t size;
+ size_t msize;
const void *data;
const char *p, *name;
const wchar_t *wp, *wname;
@@ -1434,6 +1435,11 @@ read_mac_metadata_blob(struct archive_read *a, struct tar *tar,
/* Read the body as a Mac OS metadata blob. */
size = archive_entry_size(entry);
+ msize = (size_t)size;
+ if (size < 0 || (uintmax_t)msize != (uintmax_t)size) {
+ *unconsumed = 0;
+ return (ARCHIVE_FATAL);
+ }
/*
* TODO: Look beyond the body here to peek at the next header.
@@ -1447,13 +1453,13 @@ read_mac_metadata_blob(struct archive_read *a, struct tar *tar,
* Q: Is the above idea really possible? Even
* when there are GNU or pax extension entries?
*/
- data = __archive_read_ahead(a, (size_t)size, NULL);
+ data = __archive_read_ahead(a, msize, NULL);
if (data == NULL) {
*unconsumed = 0;
return (ARCHIVE_FATAL);
}
- archive_entry_copy_mac_metadata(entry, data, (size_t)size);
- *unconsumed = (size_t)((size + 511) & ~ 511);
+ archive_entry_copy_mac_metadata(entry, data, msize);
+ *unconsumed = (msize + 511) & ~ 511;
tar_flush_unconsumed(a, unconsumed);
return (tar_read_header(a, tar, entry, unconsumed));
}
--
2.27.0

9
libarchive.spec
View File

@ -2,7 +2,7 @@
Name: libarchive
Version: 3.5.1
Release: 1
Release: 2
Summary: Multi-format archive and compression library
License: BSD
@ -17,6 +17,7 @@ Provides: bsdtar bsdcpio bsdcat
Obsoletes: bsdtar bsdcpio bsdcat
Patch6001: libarchive-uninitialized-value.patch
Patch6002: backport-CVE-2021-36976.patch
%description
%{name} is an open-source BSD-licensed C programming library that
@ -147,6 +148,12 @@ run_testsuite
%{_mandir}/man5/*
%changelog
* Thu Oct 14 2021 yangcheng <yagcheng87@huawei.com> - 3.5.1-2
- Type:CVE
- ID:CVE-2021-36976
- SUG:NA
- DESC:fix CVE-2021-36976
* Fri Jan 29 2021 zhanzhimin <zhanzhimin@huawei.com> - 3.5.1-1
- Upgrade to version 3.5.1