From fddf8b736afbf2d3efe9ae586abad617ab14ce18 Mon Sep 17 00:00:00 2001
From: yangcheng1203
Date: Thu, 14 Oct 2021 11:21:48 +0800
Subject: [PATCH] fix CVE-2021-36976
---
 backport-CVE-2021-36976.patch | 57 +++++++++++++++++++++++++++++++++++
 libarchive.spec | 9 +++++-
 2 files changed, 65 insertions(+), 1 deletion(-)
 create mode 100644 backport-CVE-2021-36976.patch
diff --git a/backport-CVE-2021-36976.patch b/backport-CVE-2021-36976.patch
new file mode 100644
index 0000000..d5ee964
--- /dev/null
+++ b/backport-CVE-2021-36976.patch
@@ -0,0 +1,57 @@
+From a7ce8a6aa7b710986ab918761c8d2ff1b0e9f537 Mon Sep 17 00:00:00 2001
+From: Samanta Navarro
+Date: Sat, 28 Aug 2021 11:58:00 +0000
+Subject: [PATCH] Fix size_t cast in read_mac_metadata_blob
+
+The size_t data type on 32 bit systems is smaller than int64_t. Check
+the int64_t value before casting to size_t. If the value is too large
+then stop operation instead of continuing operation with truncated
+value.
+---
+ libarchive/archive_read_support_format_tar.c | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+diff --git a/libarchive/archive_read_support_format_tar.c b/libarchive/archive_read_support_format_tar.c
+index 96d8101..7290df0 100644
+--- a/libarchive/archive_read_support_format_tar.c
++++ b/libarchive/archive_read_support_format_tar.c
+@@ -1396,6 +1396,7 @@ read_mac_metadata_blob(struct archive_read *a, struct tar *tar,
+ struct archive_entry *entry, const void *h, size_t *unconsumed)
+{
+ int64_t size;
++ size_t msize;
+ const void *data;
+ const char *p, *name;
+ const wchar_t *wp, *wname;
+@@ -1434,6 +1435,11 @@ read_mac_metadata_blob(struct archive_read *a, struct tar *tar,
+
+ /* Read the body as a Mac OS metadata blob. */
+ size = archive_entry_size(entry);
++ msize = (size_t)size;
++ if (size < 0 || (uintmax_t)msize != (uintmax_t)size) {
++ *unconsumed = 0;
++ return (ARCHIVE_FATAL);
++ }
+
+ /*
+ * TODO: Look beyond the body here to peek at the next header.
+@@ -1447,13 +1453,13 @@ read_mac_metadata_blob(struct archive_read *a, struct tar *tar,
+ * Q: Is the above idea really possible? Even
+ * when there are GNU or pax extension entries?
+ */
+- data = __archive_read_ahead(a, (size_t)size, NULL);
++ data = __archive_read_ahead(a, msize, NULL);
+ if (data == NULL) {
+ *unconsumed = 0;
+ return (ARCHIVE_FATAL);
+ }
+- archive_entry_copy_mac_metadata(entry, data, (size_t)size);
+- *unconsumed = (size_t)((size + 511) & ~ 511);
++ archive_entry_copy_mac_metadata(entry, data, msize);
++ *unconsumed = (msize + 511) & ~ 511;
+ tar_flush_unconsumed(a, unconsumed);
+ return (tar_read_header(a, tar, entry, unconsumed));
+ }
+--
+2.27.0
+
diff --git a/libarchive.spec b/libarchive.spec
index c472ec7..5df3197 100644
--- a/libarchive.spec
+++ b/libarchive.spec
@@ -2,7 +2,7 @@
 Name: libarchive
 Version: 3.4.3
-Release: 2
+Release: 3
 Summary: Multi-format archive and compression library
 License: BSD
@@ -19,6 +19,7 @@ Obsoletes: bsdtar bsdcpio bsdcat
 Patch6001: libarchive-uninitialized-value.patch
 Patch6002: libarchive-3.4.3-lchmod-support-check.patch
 Patch6003: libarchive-3.4.3-avoid-stack-overflow.patch
+Patch6004: backport-CVE-2021-36976.patch
 %description
 %{name} is an open-source BSD-licensed C programming library that
@@ -149,6 +150,12 @@ run_testsuite
 %{_mandir}/man5/*
 %changelog
+* Thu Oct 14 2021 yangcheng - 3.4.3-3
+- Type:CVE
+- ID:CVE-2021-36976
+- SUG:NA
+- DESC:fix CVE-2021-36976
+
 * Fri Aug 21 2020 yanan - 3.4.3-2
 - Type:bugfix
 - ID:NA
--
Gitee
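Review bot: The range check added in the second inner hunk of read_mac_metadata_blob still admits sizes for which the later rounding `*unconsumed = (msize + 511) & ~ 511;` wraps. Where size_t is narrower than int64_t, any value up to SIZE_MAX passes `(uintmax_t)msize != (uintmax_t)size`, and for the top 511 of those `msize + 511` overflows size_t. This presumably only matters if `__archive_read_ahead` can succeed for such a length, which the visible lines do not show, but the guard can rule it out directly with `if (size < 0 || (uintmax_t)size > SIZE_MAX - 511) {`. The new fatal return also sets no error text; a call such as `archive_set_error(&a->archive, ARCHIVE_ERRNO_MISC, "Mac metadata is too large");` before `return (ARCHIVE_FATAL);` would let callers and logs tell a rejected oversized entry from a failed read. The middle of the function lies outside the three inner hunks, and the backported commit message describes the truncation without naming CVE-2021-36976, so a comment beside `Patch6004` citing the upstream commit would make the CVE mapping auditable.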