author | Ross Burton <ross.burton@intel.com> | 2019-03-05 16:30:02 +0000 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2019-03-05 22:42:58 +0000 |
commit | ea251020304b9c18f31c39de867a47311b1bb46c (patch) | |
tree | 9219722cf31d053de30075a04ec6778be9fa2080 /meta/recipes-extended/libarchive/libarchive/CVE-2018-1000880.patch | |
parent | cf6a32debcde5bfde94126c3b4200800d672e605 (diff) | |
download | openembedded-core-contrib-ea251020304b9c18f31c39de867a47311b1bb46c.tar.gz |
libarchive: integrate security fixes
Fix the following CVEs by backporting patches from upstream:
- CVE-2019-1000019
- CVE-2019-1000020
- CVE-2018-1000877
- CVE-2018-1000878
- CVE-2018-1000879
- CVE-2018-1000880
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-extended/libarchive/libarchive/CVE-2018-1000880.patch')
-rw-r--r-- | meta/recipes-extended/libarchive/libarchive/CVE-2018-1000880.patch | 44 |
1 files changed, 44 insertions, 0 deletions
diff --git a/meta/recipes-extended/libarchive/libarchive/CVE-2018-1000880.patch b/meta/recipes-extended/libarchive/libarchive/CVE-2018-1000880.patch new file mode 100644 index 0000000000..bc264a1242 --- /dev/null +++ b/meta/recipes-extended/libarchive/libarchive/CVE-2018-1000880.patch @@ -0,0 +1,44 @@ +CVE: CVE-2018-1000880 +Upstream-Status: Backport +Signed-off-by: Ross Burton <ross.burton@intel.com> + +From 9c84b7426660c09c18cc349f6d70b5f8168b5680 Mon Sep 17 00:00:00 2001 +From: Daniel Axtens <dja@axtens.net> +Date: Tue, 4 Dec 2018 16:33:42 +1100 +Subject: [PATCH] warc: consume data once read + +The warc decoder only used read ahead, it wouldn't actually consume +data that had previously been printed. This means that if you specify +an invalid content length, it will just reprint the same data over +and over and over again until it hits the desired length. + +This means that a WARC resource with e.g. +Content-Length: 666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666665 +but only a few hundred bytes of data, causes a quasi-infinite loop. + +Consume data in subsequent calls to _warc_read. + +Found with an AFL + afl-rb + qsym setup. +--- + libarchive/archive_read_support_format_warc.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/libarchive/archive_read_support_format_warc.c b/libarchive/archive_read_support_format_warc.c +index e8753853..e8fc8428 100644 +--- a/libarchive/archive_read_support_format_warc.c ++++ b/libarchive/archive_read_support_format_warc.c +@@ -386,6 +386,11 @@ _warc_read(struct archive_read *a, const void **buf, size_t *bsz, int64_t *off) + return (ARCHIVE_EOF); + } + ++ if (w->unconsumed) { ++ __archive_read_consume(a, w->unconsumed); ++ w->unconsumed = 0U; ++ } ++ + rab = __archive_read_ahead(a, 1U, &nrd); + if (nrd < 0) { + *bsz = 0U; +-- +2.20.0 + |
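Review bot: In the `_warc_read` hunk the new `if (w->unconsumed)` block is placed after the early `return (ARCHIVE_EOF);`, so a call that takes the EOF branch returns without consuming whatever the previous call left in `w->unconsumed`. Please confirm that the EOF path accounts for those bytes, or move the consume above the EOF check so both paths share it. Separately, the `Upstream-Status: Backport` line in the patch header carries no reference; citing the upstream commit 9c84b7426660c09c18cc349f6d70b5f8168b5680 from the `From` line there would make the backport easier to trace. The diffstat also shows only the five-line change to `archive_read_support_format_warc.c`, so a regression test with an oversized `Content-Length` and a short body, as described in the commit message, would be worth adding alongside it.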