Diffstat (limited to 'meta/recipes-extended/libarchive/libarchive/CVE-2021-36976-3.patch')
-rw-r--r-- | meta/recipes-extended/libarchive/libarchive/CVE-2021-36976-3.patch | 93 |
1 files changed, 93 insertions, 0 deletions
diff --git a/meta/recipes-extended/libarchive/libarchive/CVE-2021-36976-3.patch b/meta/recipes-extended/libarchive/libarchive/CVE-2021-36976-3.patch
new file mode 100644
index 0000000000..0e1549f229
--- /dev/null
+++ b/meta/recipes-extended/libarchive/libarchive/CVE-2021-36976-3.patch
@@ -0,0 +1,93 @@
+From 313bcd7ac547f7cc25945831f63507420c0874d7 Mon Sep 17 00:00:00 2001
+From: Grzegorz Antoniak <ga@anadoxin.org>
+Date: Sat, 13 Feb 2021 10:13:22 +0100
+Subject: [PATCH] RAR5 reader: add more checks for invalid extraction
+ parameters
+
+Some specially crafted files declare invalid extraction parameters that
+can confuse the RAR5 reader.
+
+One of the arguments is the declared window size parameter that the
+archive file can declare for each file stored in the archive. Some
+crafted files declare window size equal to 0, which is clearly wrong.
+
+This commit adds additional safety checks decreasing the tolerance of
+the RAR5 format.
+
+This commit also contains OSSFuzz sample #30459.
+---
+ Makefile.am | 1 +
+ libarchive/archive_read_support_format_rar5.c | 10 ++++++++++
+ libarchive/test/test_read_format_rar5.c | 19 +++++++++++++++++++
+ ...t_rar5_bad_window_sz_in_mltarc_file.rar.uu | 7 +++++++
+ 4 files changed, 37 insertions(+)
+ create mode 100644 libarchive/test/test_read_format_rar5_bad_window_sz_in_mltarc_file.rar.uu
+
+Upstream-Status: Backport [https://github.com/libarchive/libarchive/pull/1493/commits/313bcd7ac547f7cc25945831f63507420c0874d7]
+CVE: CVE-2021-36976
+Signed-off-by: Virendra Thakur <virendra.thakur@kpit.com>
+
+--- libarchive-3.4.2.orig/Makefile.am
++++ libarchive-3.4.2/Makefile.am
+@@ -882,6 +882,7 @@ libarchive_test_EXTRA_DIST=\
+ libarchive/test/test_read_format_rar5_block_size_is_too_small.rar.uu \
+ libarchive/test/test_read_format_rar5_decode_number_out_of_bounds_read.rar.uu \
+ libarchive/test/test_read_format_rar5_window_buf_and_size_desync.rar.uu \
++ libarchive/test/test_read_format_rar5_bad_window_sz_in_mltarc_file.rar.uu \
+ libarchive/test/test_read_format_raw.bufr.uu \
+ libarchive/test/test_read_format_raw.data.gz.uu \
+ libarchive/test/test_read_format_raw.data.Z.uu \
+--- libarchive-3.4.2.orig/libarchive/archive_read_support_format_rar5.c
++++ libarchive-3.4.2/libarchive/archive_read_support_format_rar5.c
+@@ -3637,6 +3637,16 @@ static int do_uncompress_file(struct arc
+ rar->cstate.initialized = 1;
+ }
+
++ /* Don't allow extraction if window_size is invalid. */
++ if(rar->cstate.window_size == 0) {
++ archive_set_error(&a->archive,
++ ARCHIVE_ERRNO_FILE_FORMAT,
++ "Invalid window size declaration in this file");
++
++ /* This should never happen in valid files. */
++ return ARCHIVE_FATAL;
++ }
++
+ if(rar->cstate.all_filters_applied == 1) {
+ /* We use while(1) here, but standard case allows for just 1
+ * iteration. The loop will iterate if process_block() didn't
+--- libarchive-3.4.2.orig/libarchive/test/test_read_format_rar5.c
++++ libarchive-3.4.2/libarchive/test/test_read_format_rar5.c
+@@ -1305,3 +1305,22 @@ DEFINE_TEST(test_read_format_rar5_decode
+
+ EPILOGUE();
+ }
++
++DEFINE_TEST(test_read_format_rar5_bad_window_size_in_multiarchive_file)
++{
++ /* oss fuzz 30459 */
++
++ char buf[4096];
++ PROLOGUE("test_read_format_rar5_bad_window_sz_in_mltarc_file.rar");
++
++ /* This file is damaged, so those functions should return failure.
++ * Additionally, SIGSEGV shouldn't be raised during execution
++ * of those functions. */
++
++ (void) archive_read_next_header(a, &ae);
++ while(0 < archive_read_data(a, buf, sizeof(buf))) {}
++ (void) archive_read_next_header(a, &ae);
++ while(0 < archive_read_data(a, buf, sizeof(buf))) {}
++
++ EPILOGUE();
++}
+--- /dev/null
++++ libarchive-3.4.2/libarchive/test/test_read_format_rar5_bad_window_sz_in_mltarc_file.rar.uu
+@@ -0,0 +1,7 @@
++begin 644 test_read_format_rar5_bad_window_size_in_multiarchive_file.rar
++M4F%R(1H'`0`]/-[E`@$`_R`@1#[Z5P("`PL`("`@@"(`"?\@("#___\@("`@
++M("`@("`@("`@4X`J]`,"YR(#$($@("`@``$@("`@@<L0("`@("`@("`@("`@
++M("`@(""LCTJA`P$%`B`@`2!3@"KT`P+G(@,@("`@_P,!!B`@(/___R`@(('+
++5$"`OX2`@[.SL[.S_("`@("`@("`@
++`
++end |
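Review bot: The new test `test_read_format_rar5_bad_window_size_in_multiarchive_file` discards every return value (`(void) archive_read_next_header(a, &ae);` and `while(0 < archive_read_data(a, buf, sizeof(buf))) {}`), so it passes whether or not the added `window_size == 0` guard in `do_uncompress_file` (whose body lies mostly outside the hunk) is ever reached. Its own comment says these calls should return failure; asserting that on the call that hits the damaged entry, for example `assertEqualInt(ARCHIVE_FATAL, archive_read_data(a, buf, sizeof(buf)));`, would pin the fix, though which call fails first is not visible here and needs confirming against the sample. As written the test only guards against a crash, and an invalid memory access does not reliably fault unless the suite runs under a sanitizer or valgrind. Separately, the `begin 644` line of the `.uu` sample names `test_read_format_rar5_bad_window_size_in_multiarchive_file.rar` while `PROLOGUE` and `Makefile.am` use `test_read_format_rar5_bad_window_sz_in_mltarc_file.rar`; this is presumably harmless, but aligning the two avoids confusion when the sample is decoded by hand.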