diff --git a/backport-CVE-2021-36976.patch b/backport-CVE-2021-36976.patch deleted file mode 100644 index d5ee964c126792e79d96a1e4d9888db8f628066b..0000000000000000000000000000000000000000 --- a/backport-CVE-2021-36976.patch +++ /dev/null @@ -1,57 +0,0 @@ -From a7ce8a6aa7b710986ab918761c8d2ff1b0e9f537 Mon Sep 17 00:00:00 2001 -From: Samanta Navarro -Date: Sat, 28 Aug 2021 11:58:00 +0000 -Subject: [PATCH] Fix size_t cast in read_mac_metadata_blob - -The size_t data type on 32 bit systems is smaller than int64_t. Check -the int64_t value before casting to size_t. If the value is too large -then stop operation instead of continuing operation with truncated -value. ---- - libarchive/archive_read_support_format_tar.c | 12 +++++++++--- - 1 file changed, 9 insertions(+), 3 deletions(-) - -diff --git a/libarchive/archive_read_support_format_tar.c b/libarchive/archive_read_support_format_tar.c -index 96d8101..7290df0 100644 ---- a/libarchive/archive_read_support_format_tar.c -+++ b/libarchive/archive_read_support_format_tar.c -@@ -1396,6 +1396,7 @@ read_mac_metadata_blob(struct archive_read *a, struct tar *tar, - struct archive_entry *entry, const void *h, size_t *unconsumed) - { - int64_t size; -+ size_t msize; - const void *data; - const char *p, *name; - const wchar_t *wp, *wname; -@@ -1434,6 +1435,11 @@ read_mac_metadata_blob(struct archive_read *a, struct tar *tar, - - /* Read the body as a Mac OS metadata blob. */ - size = archive_entry_size(entry); -+ msize = (size_t)size; -+ if (size < 0 || (uintmax_t)msize != (uintmax_t)size) { -+ *unconsumed = 0; -+ return (ARCHIVE_FATAL); -+ } - - /* - * TODO: Look beyond the body here to peek at the next header. -@@ -1447,13 +1453,13 @@ read_mac_metadata_blob(struct archive_read *a, struct tar *tar, - * Q: Is the above idea really possible? Even - * when there are GNU or pax extension entries? - */ -- data = __archive_read_ahead(a, (size_t)size, NULL); -+ data = __archive_read_ahead(a, msize, NULL); - if (data == NULL) { - *unconsumed = 0; - return (ARCHIVE_FATAL); - } -- archive_entry_copy_mac_metadata(entry, data, (size_t)size); -- *unconsumed = (size_t)((size + 511) & ~ 511); -+ archive_entry_copy_mac_metadata(entry, data, msize); -+ *unconsumed = (msize + 511) & ~ 511; - tar_flush_unconsumed(a, unconsumed); - return (tar_read_header(a, tar, entry, unconsumed)); - } --- -2.27.0 - diff --git a/backport-libarchive-3.5.2-symlink-fix.patch b/backport-libarchive-3.5.2-symlink-fix.patch new file mode 100644 index 0000000000000000000000000000000000000000..7ce10f52828a87eef8ac9ca4ba4e35360265f6b9 --- /dev/null +++ b/backport-libarchive-3.5.2-symlink-fix.patch @@ -0,0 +1,193 @@ +commit 8a1bd5c18e896f0411a991240ce0d772bb02c840 +Author: Martin Matuska +Date: Fri Aug 27 10:56:28 2021 +0200 + + Fix following symlinks when processing the fixup list + + The previous fix in b41daecb5 was incomplete. Fixup entries are + given the original path without calling cleanup_pathname(). + To make sure we don't follow a symlink, we must strip trailing + slashes from the path. + + The fixup entries are always directories. Make sure we try to modify + only directories by providing O_DIRECTORY to open() (if supported) + and if it fails to check directory via lstat(). + + Fixes #1566 + +diff --git a/libarchive/archive_write_disk_posix.c b/libarchive/archive_write_disk_posix.c +index fcd733af..aadc5871 100644 +--- a/libarchive/archive_write_disk_posix.c ++++ b/libarchive/archive_write_disk_posix.c +@@ -2462,6 +2462,7 @@ _archive_write_disk_close(struct archive *_a) + struct archive_write_disk *a = (struct archive_write_disk *)_a; + struct fixup_entry *next, *p; + struct stat st; ++ char *c; + int fd, ret; + + archive_check_magic(&a->archive, ARCHIVE_WRITE_DISK_MAGIC, +@@ -2475,24 +2476,49 @@ _archive_write_disk_close(struct archive *_a) + while (p != NULL) { + fd = -1; + a->pst = NULL; /* Mark stat cache as out-of-date. */ +- if (p->fixup & +- (TODO_TIMES | TODO_MODE_BASE | TODO_ACLS | TODO_FFLAGS)) { +- fd = open(p->name, +- O_WRONLY | O_BINARY | O_NOFOLLOW | O_CLOEXEC); ++ ++ /* We must strip trailing slashes from the path to avoid ++ dereferencing symbolic links to directories */ ++ c = p->name; ++ while (*c != '\0') ++ c++; ++ while (c != p->name && *(c - 1) == '/') { ++ c--; ++ *c = '\0'; ++ } ++ ++ if (p->fixup == 0) ++ goto skip_fixup_entry; ++ else { ++ fd = open(p->name, O_BINARY | O_NOFOLLOW | O_RDONLY ++#if defined(O_DIRECTORY) ++ | O_DIRECTORY ++#endif ++ | O_CLOEXEC); ++ /* ++ ` * If we don't support O_DIRECTORY, ++ * or open() has failed, we must stat() ++ * to verify that we are opening a directory ++ */ ++#if defined(O_DIRECTORY) + if (fd == -1) { +- /* If we cannot lstat, skip entry */ +- if (lstat(p->name, &st) != 0) ++ if (lstat(p->name, &st) != 0 || ++ !S_ISDIR(st.st_mode)) { + goto skip_fixup_entry; +- /* +- * If we deal with a symbolic link, mark +- * it in the fixup mode to ensure no +- * modifications are made to its target. +- */ +- if (S_ISLNK(st.st_mode)) { +- p->mode &= ~S_IFMT; +- p->mode |= S_IFLNK; + } + } ++#else ++#if HAVE_FSTAT ++ if (fd > 0 && ( ++ fstat(fd, &st) != 0 || !S_ISDIR(st.st_mode))) { ++ goto skip_fixup_entry; ++ } else ++#endif ++ if (lstat(p->name, &st) != 0 || ++ !S_ISDIR(st.st_mode)) { ++ goto skip_fixup_entry; ++ } ++#endif + } + if (p->fixup & TODO_TIMES) { + set_times(a, fd, p->mode, p->name, +@@ -2504,14 +2530,13 @@ _archive_write_disk_close(struct archive *_a) + if (p->fixup & TODO_MODE_BASE) { + #ifdef HAVE_FCHMOD + if (fd >= 0) +- fchmod(fd, p->mode); ++ fchmod(fd, p->mode & 07777); + else + #endif + #ifdef HAVE_LCHMOD +- lchmod(p->name, p->mode); ++ lchmod(p->name, p->mode & 07777); + #else +- if (!S_ISLNK(p->mode)) +- chmod(p->name, p->mode); ++ chmod(p->name, p->mode & 07777); + #endif + } + if (p->fixup & TODO_ACLS) +@@ -2664,7 +2689,6 @@ new_fixup(struct archive_write_disk *a, const char *pathname) + fe->next = a->fixup_list; + a->fixup_list = fe; + fe->fixup = 0; +- fe->mode = 0; + fe->name = strdup(pathname); + return (fe); + } +diff --git a/libarchive/test/test_write_disk_fixup.c b/libarchive/test/test_write_disk_fixup.c +index c399c984..b83b7307 100644 +--- a/libarchive/test/test_write_disk_fixup.c ++++ b/libarchive/test/test_write_disk_fixup.c +@@ -47,26 +47,50 @@ DEFINE_TEST(test_write_disk_fixup) + /* + * Create a file + */ +- assertMakeFile("victim", 0600, "a"); ++ assertMakeFile("file", 0600, "a"); ++ ++ /* ++ * Create a directory ++ */ ++ assertMakeDir("dir", 0700); + + /* + * Create a directory and a symlink with the same name + */ + +- /* Directory: dir */ ++ /* Directory: dir1 */ ++ assert((ae = archive_entry_new()) != NULL); ++ archive_entry_copy_pathname(ae, "dir1/"); ++ archive_entry_set_mode(ae, AE_IFDIR | 0555); ++ assertEqualIntA(ad, 0, archive_write_header(ad, ae)); ++ assertEqualIntA(ad, 0, archive_write_finish_entry(ad)); ++ archive_entry_free(ae); ++ ++ /* Directory: dir2 */ + assert((ae = archive_entry_new()) != NULL); +- archive_entry_copy_pathname(ae, "dir"); +- archive_entry_set_mode(ae, AE_IFDIR | 0606); ++ archive_entry_copy_pathname(ae, "dir2/"); ++ archive_entry_set_mode(ae, AE_IFDIR | 0555); + assertEqualIntA(ad, 0, archive_write_header(ad, ae)); + assertEqualIntA(ad, 0, archive_write_finish_entry(ad)); + archive_entry_free(ae); + +- /* Symbolic Link: dir -> foo */ ++ /* Symbolic Link: dir1 -> dir */ ++ assert((ae = archive_entry_new()) != NULL); ++ archive_entry_copy_pathname(ae, "dir1"); ++ archive_entry_set_mode(ae, AE_IFLNK | 0777); ++ archive_entry_set_size(ae, 0); ++ archive_entry_copy_symlink(ae, "dir"); ++ assertEqualIntA(ad, 0, r = archive_write_header(ad, ae)); ++ if (r >= ARCHIVE_WARN) ++ assertEqualIntA(ad, 0, archive_write_finish_entry(ad)); ++ archive_entry_free(ae); ++ ++ /* Symbolic Link: dir2 -> file */ + assert((ae = archive_entry_new()) != NULL); +- archive_entry_copy_pathname(ae, "dir"); ++ archive_entry_copy_pathname(ae, "dir2"); + archive_entry_set_mode(ae, AE_IFLNK | 0777); + archive_entry_set_size(ae, 0); +- archive_entry_copy_symlink(ae, "victim"); ++ archive_entry_copy_symlink(ae, "file"); + assertEqualIntA(ad, 0, r = archive_write_header(ad, ae)); + if (r >= ARCHIVE_WARN) + assertEqualIntA(ad, 0, archive_write_finish_entry(ad)); +@@ -75,7 +99,9 @@ DEFINE_TEST(test_write_disk_fixup) + assertEqualInt(ARCHIVE_OK, archive_write_free(ad)); + + /* Test the entries on disk. */ +- assertIsSymlink("dir", "victim", 0); +- assertFileMode("victim", 0600); ++ assertIsSymlink("dir1", "dir", 0); ++ assertIsSymlink("dir2", "file", 0); ++ assertFileMode("dir", 0700); ++ assertFileMode("file", 0600); + #endif + } diff --git a/libarchive-3.5.1.tar.gz b/libarchive-3.5.2.tar.gz similarity index 48% rename from libarchive-3.5.1.tar.gz rename to libarchive-3.5.2.tar.gz index 592a5ffb19868203a85cce7ce5e7726241ef30f1..1f64647ac0132d05ea0a30cbe605dfdcbc6c2480 100644 Binary files a/libarchive-3.5.1.tar.gz and b/libarchive-3.5.2.tar.gz differ diff --git a/libarchive-uninitialized-value.patch b/libarchive-uninitialized-value.patch deleted file mode 100644 index 262c390c0ff3ab32b34e1bc69e290770ae21b1db..0000000000000000000000000000000000000000 --- a/libarchive-uninitialized-value.patch +++ /dev/null @@ -1,25 +0,0 @@ -From 1ab606af27d6b3fa07a638b7f04efadbc8ef75b4 Mon Sep 17 00:00:00 2001 -From: zhangnaru -Date: Tue, 28 Jul 2020 15:05:03 +0800 -Subject: [PATCH] libarchive-uninitialized-value - ---- - libarchive/filter_fork_posix.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/libarchive/filter_fork_posix.c b/libarchive/filter_fork_posix.c -index ac255c4..62085a7 100644 ---- a/libarchive/filter_fork_posix.c -+++ b/libarchive/filter_fork_posix.c -@@ -76,7 +76,7 @@ int - __archive_create_child(const char *cmd, int *child_stdin, int *child_stdout, - pid_t *out_child) - { -- pid_t child; -+ pid_t child = -1; - int stdin_pipe[2], stdout_pipe[2], tmp; - #if HAVE_POSIX_SPAWNP - posix_spawn_file_actions_t actions; --- -2.23.0 - diff --git a/libarchive.spec b/libarchive.spec index 46140500e78f2c49f670c0920a051f35f5997a3f..1620c9f82b974048f873c470cb2e64deb524fac8 100644 --- a/libarchive.spec +++ b/libarchive.spec @@ -1,8 +1,8 @@ %bcond_with check Name: libarchive -Version: 3.5.1 -Release: 2 +Version: 3.5.2 +Release: 1 Summary: Multi-format archive and compression library License: BSD @@ -13,11 +13,7 @@ BuildRequires: gcc bison sharutils zlib-devel bzip2-devel xz-devel BuildRequires: lzo-devel e2fsprogs-devel libacl-devel libattr-devel BuildRequires: openssl-devel libxml2-devel lz4-devel automake libzstd-devel -Provides: bsdtar bsdcpio bsdcat -Obsoletes: bsdtar bsdcpio bsdcat - -Patch6001: libarchive-uninitialized-value.patch -Patch6002: backport-CVE-2021-36976.patch +Patch6000: backport-libarchive-3.5.2-symlink-fix.patch %description %{name} is an open-source BSD-licensed C programming library that @@ -36,6 +32,33 @@ applications that want to make use of %{name}. %package_help +%package -n bsdtar +Summary: Manipulate tape archives +Requires: %{name}%{?_isa} = %{version}-%{release} + +%description -n bsdtar +The bsdtar package contains standalone bsdtar utility split off regular +libarchive packages. + + +%package -n bsdcpio +Summary: Copy files to and from archives +Requires: %{name}%{?_isa} = %{version}-%{release} + +%description -n bsdcpio +The bsdcpio package contains standalone bsdcpio utility split off regular +libarchive packages. + + +%package -n bsdcat +Summary: Expand files to standard output +Requires: %{name}%{?_isa} = %{version}-%{release} + +%description -n bsdcat +The bsdcat program typically takes a filename as an argument or reads standard +input when used in a pipe. In both cases decompressed data it written to +standard output. + %prep %autosetup -n %{name}-%{version} -p1 @@ -129,9 +152,6 @@ run_testsuite %{!?_licensedir:%global license %%doc} %license COPYING %{_libdir}/%{name}.so.13* -%{_bindir}/bsdtar -%{_bindir}/bsdcpio -%{_bindir}/bsdcat %files devel %defattr(-,root,root) @@ -147,7 +167,28 @@ run_testsuite %{_mandir}/man3/* %{_mandir}/man5/* +%files -n bsdtar +%{!?_licensedir:%global license %%doc} +%license COPYING +%doc NEWS README.md +%{_bindir}/bsdtar + +%files -n bsdcpio +%{!?_licensedir:%global license %%doc} +%license COPYING +%doc NEWS README.md +%{_bindir}/bsdcpio + +%files -n bsdcat +%{!?_licensedir:%global license %%doc} +%license COPYING +%doc NEWS README.md +%{_bindir}/bsdcat + %changelog +* Fri Nov 26 2021 xingxing - 3.5.2-1 +- Upgrade to version 3.5.2 + * Thu Oct 14 2021 yangcheng - 3.5.1-2 - Type:CVE - ID:CVE-2021-36976