From d76572fa89094119ce284d698957680b461a887b Mon Sep 17 00:00:00 2001 From: adisbladis Date: Tue, 31 Oct 2017 02:17:02 +0800 Subject: [PATCH] libarchive: Fixes for CVE-2017-14166 and CVE-2017-14502 --- .../libraries/libarchive/CVE-2017-14166.patch | 36 +++++++++++++++++++ .../libraries/libarchive/CVE-2017-14502.patch | 28 +++++++++++++++ .../libraries/libarchive/default.nix | 5 +++ 3 files changed, 69 insertions(+) create mode 100644 pkgs/development/libraries/libarchive/CVE-2017-14166.patch create mode 100644 pkgs/development/libraries/libarchive/CVE-2017-14502.patch diff --git a/pkgs/development/libraries/libarchive/CVE-2017-14166.patch b/pkgs/development/libraries/libarchive/CVE-2017-14166.patch new file mode 100644 index 000000000000..b729ae41e0ad --- /dev/null +++ b/pkgs/development/libraries/libarchive/CVE-2017-14166.patch @@ -0,0 +1,36 @@ +From fa7438a0ff4033e4741c807394a9af6207940d71 Mon Sep 17 00:00:00 2001 +From: Joerg Sonnenberger +Date: Tue, 5 Sep 2017 18:12:19 +0200 +Subject: [PATCH] Do something sensible for empty strings to make fuzzers + happy. + +--- + libarchive/archive_read_support_format_xar.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/libarchive/archive_read_support_format_xar.c b/libarchive/archive_read_support_format_xar.c +index 7a22beb9d..93eeacc5e 100644 +--- a/libarchive/archive_read_support_format_xar.c ++++ b/libarchive/archive_read_support_format_xar.c +@@ -1040,6 +1040,9 @@ atol10(const char *p, size_t char_cnt) + uint64_t l; + int digit; + ++ if (char_cnt == 0) ++ return (0); ++ + l = 0; + digit = *p - '0'; + while (digit >= 0 && digit < 10 && char_cnt-- > 0) { +@@ -1054,7 +1057,10 @@ atol8(const char *p, size_t char_cnt) + { + int64_t l; + int digit; +- ++ ++ if (char_cnt == 0) ++ return (0); ++ + l = 0; + while (char_cnt-- > 0) { + if (*p >= '0' && *p <= '7') diff --git a/pkgs/development/libraries/libarchive/CVE-2017-14502.patch b/pkgs/development/libraries/libarchive/CVE-2017-14502.patch new file mode 100644 index 000000000000..dad8a93a8a81 --- /dev/null +++ b/pkgs/development/libraries/libarchive/CVE-2017-14502.patch @@ -0,0 +1,28 @@ +From 5562545b5562f6d12a4ef991fae158bf4ccf92b6 Mon Sep 17 00:00:00 2001 +From: Joerg Sonnenberger +Date: Sat, 9 Sep 2017 17:47:32 +0200 +Subject: [PATCH] Avoid a read off-by-one error for UTF16 names in RAR + archives. + +Reported-By: OSS-Fuzz issue 573 +--- + libarchive/archive_read_support_format_rar.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/libarchive/archive_read_support_format_rar.c b/libarchive/archive_read_support_format_rar.c +index cbb14c32d..751de6979 100644 +--- a/libarchive/archive_read_support_format_rar.c ++++ b/libarchive/archive_read_support_format_rar.c +@@ -1496,7 +1496,11 @@ read_header(struct archive_read *a, struct archive_entry *entry, + return (ARCHIVE_FATAL); + } + filename[filename_size++] = '\0'; +- filename[filename_size++] = '\0'; ++ /* ++ * Do not increment filename_size here as the computations below ++ * add the space for the terminating NUL explicitly. ++ */ ++ filename[filename_size] = '\0'; + + /* Decoded unicode form is UTF-16BE, so we have to update a string + * conversion object for it. */ diff --git a/pkgs/development/libraries/libarchive/default.nix b/pkgs/development/libraries/libarchive/default.nix index fb1faf8d1b1b..e0242802fd34 100644 --- a/pkgs/development/libraries/libarchive/default.nix +++ b/pkgs/development/libraries/libarchive/default.nix @@ -17,6 +17,11 @@ stdenv.mkDerivation rec { sha256 = "1km0mzfl6in7l5vz9kl09a88ajx562rw93ng9h2jqavrailvsbgd"; }; + patches = [ + ./CVE-2017-14166.patch + ./CVE-2017-14502.patch + ]; + outputs = [ "out" "lib" "dev" ]; nativeBuildInputs = [ pkgconfig ];