v3.4: main/libarchive: security upgrade to 3.2.2 - fixes #6792 (v1, PROPOSED)

Patchset by Sergei Lukin (1 patch):
 main/libarchive: security upgrade to 3.2.2 - fixes #6792

 2 files changed, 35 insertions(+), 4 deletions(-)
[alpine-aports] [PATCH v3.4] main/libarchive: security upgrade to 3.2.2 - fixes #6792

CVE-2017-5601: Out of bounds read in lha_read_file_header_1() function
---
3.2.2 is a security release
https://github.com/libarchive/libarchive/blob/master/NEWS#L8

 main/libarchive/APKBUILD            | 15 +++++++++++----
 main/libarchive/CVE-2017-5601.patch | 24 ++++++++++++++++++++++++
 2 files changed, 35 insertions(+), 4 deletions(-)
 create mode 100644 main/libarchive/CVE-2017-5601.patch

diff --git a/main/libarchive/APKBUILD b/main/libarchive/APKBUILD
index 937b1ec..c9271db 100644
--- a/main/libarchive/APKBUILD
+++ b/main/libarchive/APKBUILD
@@ -1,6 +1,7 @@
# Contributor: Sergei Lukin <sergej.lukin@gmail.com>
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=libarchive
pkgver=3.2.1
pkgver=3.2.2
pkgrel=0
pkgdesc="library that can create and read several streaming archive formats"
url="http://libarchive.googlecode.com/"
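Review bot: url= is left at http://libarchive.googlecode.com/ while the source= line in this same APKBUILD fetches from http://www.libarchive.org/; since this hunk already rewrites the header for the version bump, point url at the libarchive.org site as well so the two do not disagree about where the project lives. Note also that the +/- column has been lost in this rendering of the diff, so `pkgver=3.2.1` and `pkgver=3.2.2` appear as two plain lines; read them as the removed and the added line respectively.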
@@ -11,6 +12,7 @@ subpackages="$pkgname-dev $pkgname-doc $pkgname-tools"
makedepends="zlib-dev bzip2-dev xz-dev acl-dev openssl-dev expat-dev"
depends_dev="$makedepends"
source="http://www.libarchive.org/downloads/libarchive-$pkgver.tar.gz
	CVE-2017-5601.patch
	"

_builddir="$srcdir"/$pkgname-$pkgver
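Review bot: adding CVE-2017-5601.patch to source= only has an effect if prepare() applies every *.patch entry listed in $source; this diff touches nothing in prepare(), so confirm its existing loop already does that. Otherwise the patch is downloaded and checksummed but never applied, and the secfixes entry for CVE-2017-5601 below would be claiming a fix the built package does not contain.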
@@ -25,6 +27,8 @@ _builddir="$srcdir"/$pkgname-$pkgver
#    - CVE-2016-4809
#    - CVE-2016-5844
#    - CVE-2016-6250
#  3.2.2-r0:
#    - CVE-2017-5601

prepare() {
	cd "$_builddir"
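Review bot: the secfixes block lists only CVE-2017-5601 under 3.2.2-r0, yet the cover text describes 3.2.2 itself as a security release; if the 3.2.2 tarball closes further CVEs beyond the backported patch, list them under the same 3.2.2-r0 entry so the security database reflects everything this upgrade fixes, not just the extra patch.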
@@ -57,6 +61,9 @@ tools() {
	mv "$pkgdir"/usr/bin "$subpkgdir"/usr/
}

md5sums="afa257047d1941a565216edbf0171e72  libarchive-3.2.1.tar.gz"
sha256sums="72ee1a4e3fd534525f13a0ba1aa7b05b203d186e0c6072a8a4738649d0b3cfd2  libarchive-3.2.1.tar.gz"
sha512sums="a5d43cb0bf36b687fabfbc874e7adc1fa94c563e7f073e107db8d4e79e8d0d8146cb985809f8115fbb882fc2d8a2a477d0a7364e93e6df62f292bb5e9865ec5c  libarchive-3.2.1.tar.gz"
md5sums="1ec00b7dcaf969dd2a5712f85f23c764  libarchive-3.2.2.tar.gz
f9bf727dad55bc4c639e4fe12c456d8f  CVE-2017-5601.patch"
sha256sums="691c194ee132d1f0f7a42541f091db811bc2e56f7107e9121be2bc8c04f1060f  libarchive-3.2.2.tar.gz
300c119e85a49615e2ed34521de77fa8202d1db39bb861998b3e71148c1adcdc  CVE-2017-5601.patch"
sha512sums="a67920c37d49cf9478032d77fc4fa21827cebb96e9b83d9ecb8466328834052e4ab3d3a9bc4e2edf405d6cb14ffd648c9fa100b578257f6e5842c99bbea558a7  libarchive-3.2.2.tar.gz
a00839e72fa7ccbdbde4b8b5a8e04f96d6eabcaa2d0150393c8273e4855b09d18cbec6fb1e4551d0d1bbc0439e1f41d5341539a0de8a97f821a5281a7bac8494  CVE-2017-5601.patch"
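Review bot: all three digest sets are replaced and both the new tarball and CVE-2017-5601.patch are covered, which matches what `abuild checksum` emits. The caveat is that `abuild checksum` hashes whatever copy of libarchive-3.2.2.tar.gz it has locally, so before merging verify the tarball's sha256/sha512 against the upstream release artefact itself rather than trusting a previously downloaded copy. Keeping md5sums alongside sha256sums/sha512sums follows the existing file's convention, though md5 adds no integrity beyond the sha512 line.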
diff --git a/main/libarchive/CVE-2017-5601.patch b/main/libarchive/CVE-2017-5601.patch
new file mode 100644
index 0000000..44d5e17
--- /dev/null
+++ b/main/libarchive/CVE-2017-5601.patch
@@ -0,0 +1,24 @@
Source:
https://github.com/libarchive/libarchive/commit/98dcbbf0bf4854bf987557e55e55fff7abbf3ea9

commit 98dcbbf0bf4854bf987557e55e55fff7abbf3ea9
Author: Martin Matuska <martin@matuska.org>
Date:   Thu Jan 19 22:00:18 2017 +0100

    Fail with negative lha->compsize in lha_read_file_header_1()
    Fixes a heap buffer overflow reported in Secunia SA74169

diff --git a/libarchive/archive_read_support_format_lha.c b/libarchive/archive_read_support_format_lha.c
index 52a5531b..d77a7c2e 100644
--- a/libarchive/archive_read_support_format_lha.c
+++ b/libarchive/archive_read_support_format_lha.c
@@ -924,6 +924,9 @@ lha_read_file_header_1(struct archive_read *a, struct lha *lha)
 	/* Get a real compressed file size. */
 	lha->compsize -= extdsize - 2;
 
+	if (lha->compsize < 0)
+		goto invalid;	/* Invalid compressed file size */
+
 	if (sum_calculated != headersum) {
 		archive_set_error(&a->archive, ARCHIVE_ERRNO_MISC,
 		    "LHa header sum error");
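Review bot: the new guard jumps to an `invalid:` label that is outside this hunk, and the index line (52a5531b..d77a7c2e) shows the patch was cut from upstream master rather than the 3.2.2 tree; confirm that lha_read_file_header_1() in 3.2.2 still has that label and the same `lha->compsize -= extdsize - 2;` context so `patch -p1` applies cleanly (possibly at an offset) instead of being rejected. The placement is right: once compsize goes negative every later length derived from it is wrong, so failing before the header-sum check rather than after it avoids doing any further work on a corrupt header. The patch header says "heap buffer overflow" while the cover text says "out of bounds read"; both refer to the same negative-compsize condition this check closes.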
-- 
2.8.3



---
Unsubscribe:  alpine-aports+unsubscribe@lists.alpinelinux.org
Help:         alpine-aports+help@lists.alpinelinux.org
---