diff --git a/backport-liblzma-Add-overflow-check-for-Unpadded-size-in-lzma.patch b/backport-liblzma-Add-overflow-check-for-Unpadded-size-in-lzma.patch
new file mode 100644
index 0000000000000000000000000000000000000000..11a241ddb136dae532ab15acd59703f92be1fd5c
--- /dev/null
+++ b/backport-liblzma-Add-overflow-check-for-Unpadded-size-in-lzma.patch
@@ -0,0 +1,60 @@
+From 68bda971bb8b666a009331455fcedb4e18d837a4 Mon Sep 17 00:00:00 2001
+From: Jia Tan
+Date: Mon, 28 Aug 2023 21:31:25 +0800
+Subject: [PATCH] liblzma: Add overflow check for Unpadded size in
+ lzma_index_append().
+
+This was not a security bug since there was no path to overflow
+UINT64_MAX in lzma_index_append() or when it calls index_file_size().
+The bug was discovered by a failing assert() in vli_ceil4() when called
+from index_file_size() when unpadded_sum (the sum of the compressed size
+of current Stream and the unpadded_size parameter) exceeds LZMA_VLI_MAX.
+
+Previously, the unpadded_size parameter was checked to be not greater
+than UNPADDED_SIZE_MAX, but no check was done once compressed_base was
+added.
+
+This could not have caused an integer overflow in index_file_size() when
+called by lzma_index_append(). The calculation for file_size breaks down
+into the sum of:
+
+- Compressed base from all previous Streams
+- 2 * LZMA_STREAM_HEADER_SIZE (size of the current Streams header and
+ footer)
+- stream_padding (can be set by lzma_index_stream_padding())
+- Compressed base from the current Stream
+- Unpadded size (parameter to lzma_index_append())
+
+The sum of everything except for Unpadded size must be less than
+LZMA_VLI_MAX. This is guarenteed by overflow checks in the functions
+that can set these values including lzma_index_stream_padding(),
+lzma_index_append(), and lzma_index_cat(). The maximum value for
+Unpadded size is enforced by lzma_index_append() to be less than or
+equal UNPADDED_SIZE_MAX. Thus, the sum cannot exceed UINT64_MAX since
+LZMA_VLI_MAX is half of UINT64_MAX.
+
+Thanks to Joona Kannisto for reporting this.
+---
+ src/liblzma/common/index.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/src/liblzma/common/index.c b/src/liblzma/common/index.c
+index 97cc9f95..8a35f439 100644
+--- a/src/liblzma/common/index.c
++++ b/src/liblzma/common/index.c
+@@ -661,6 +661,12 @@ lzma_index_append(lzma_index *i, const lzma_allocator *allocator,
+ if (uncompressed_base + uncompressed_size > LZMA_VLI_MAX)
+ return LZMA_DATA_ERROR;
+
++ // Check that the new unpadded sum will not overflow. This is
++ // checked again in index_file_size(), but the unpadded sum is
++ // passed to vli_ceil4() which expects a valid lzma_vli value.
++ if (compressed_base + unpadded_size > UNPADDED_SIZE_MAX)
++ return LZMA_DATA_ERROR;
++
+ // Check that the file size will stay within limits.
+ if (index_file_size(s->node.compressed_base,
+ compressed_base + unpadded_size, s->record_count + 1,
+--
+2.23.0
+
diff --git a/xz.spec b/xz.spec
index 19ad9caa2a3e4c5950a6dccd4dad96133bd8074f..388216384527c36af56b87caafdea2398f478bcf 100644
--- a/xz.spec
+++ b/xz.spec
@@ -1,12 +1,13 @@
 Name: xz
 Version: 5.4.4
-Release: 1
+Release: 2
 Summary: A free general-purpose data compreession software with LZMA2 algorithm
 License: GPL-3.0-only
 URL: http://tukaani.org/xz
 Source0: http://tukaani.org/%{name}/%{name}-%{version}.tar.xz
 Source1: colorxzgrep.sh
 Source2: colorxzgrep.csh
+Patch0: backport-liblzma-Add-overflow-check-for-Unpadded-size-in-lzma.patch
 BuildRequires: perl-interpreter gcc
@@ -114,6 +115,9 @@ LD_LIBRARY_PATH=$PWD/src/liblzma/.libs make check
 %{_mandir}/pt_BR/man1/*
 %changelog
+* Tue Apr 30 2024 kouwenqi - 5.4.4-2
+- liblzma: Add overflow check for Unpadded size in lzma_index_append
+
+* Fri Aug 4 2023 dillon chen - 5.4.4-1
+- update version to 5.4.4
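Review bot: The new comment on `if (compressed_base + unpadded_size > UNPADDED_SIZE_MAX)` explains why the sum must be bounded but not why the addition itself cannot wrap in uint64 before the comparison, which is the property a reader auditing this check actually needs. Per the commit message that safety rests on `unpadded_size` having already been capped at UNPADDED_SIZE_MAX at function entry and on `compressed_base` being kept under LZMA_VLI_MAX by the earlier checks, and neither of those lines is visible in this hunk; how `compressed_base` was derived from `s` is also outside it. I would add one line to the comment, `// Both operands are at most LZMA_VLI_MAX, so the addition itself cannot wrap.`, so the invariant is stated where it is relied on. Note that with assertions compiled out the pre-patch failure mode would presumably have been a silently wrapped size from vli_ceil4() rather than an abort, which is worth a sentence in the packaging changelog; confirm against the build flags used. lzma_index_append() begins and ends outside the hunk.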
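Review bot: Patch0 is declared in the first xz.spec hunk but nothing visible applies it; whether %prep uses `%autosetup -p1` (which picks up Patch0 automatically) or explicit per-patch lines is outside this hunk, and with the latter the release would be bumped and the changelog would claim the fix while the check is never compiled in. Confirm the %prep section and, if it lists patches explicitly, add `%patch0 -p1` (or the `%patch -P0 -p1` form on newer rpm) alongside the declaration. Since `make check` already runs in %check, a quick way to prove the patch landed is to verify the built liblzma contains the new bound, for example by checking that the patched index.c is what ends up in the build tree.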