diff --git a/backport-liblzma-Add-overflow-check-for-Unpadded-size-in-lzma.patch b/backport-liblzma-Add-overflow-check-for-Unpadded-size-in-lzma.patch
new file mode 100644
index 0000000000000000000000000000000000000000..ab2c6881783e76eadc0622f3f4f5687dcb76851d
--- /dev/null
+++ b/backport-liblzma-Add-overflow-check-for-Unpadded-size-in-lzma.patch
@@ -0,0 +1,60 @@
+From 68bda971bb8b666a009331455fcedb4e18d837a4 Mon Sep 17 00:00:00 2001
+From: Jia Tan
+Date: Mon, 28 Aug 2023 21:31:25 +0800
+Subject: [PATCH] liblzma: Add overflow check for Unpadded size in
+ lzma_index_append().
+
+This was not a security bug since there was no path to overflow
+UINT64_MAX in lzma_index_append() or when it calls index_file_size().
+The bug was discovered by a failing assert() in vli_ceil4() when called
+from index_file_size() when unpadded_sum (the sum of the compressed size
+of current Stream and the unpadded_size parameter) exceeds LZMA_VLI_MAX.
+
+Previously, the unpadded_size parameter was checked to be not greater
+than UNPADDED_SIZE_MAX, but no check was done once compressed_base was
+added.
+
+This could not have caused an integer overflow in index_file_size() when
+called by lzma_index_append(). The calculation for file_size breaks down
+into the sum of:
+
+- Compressed base from all previous Streams
+- 2 * LZMA_STREAM_HEADER_SIZE (size of the current Streams header and
+ footer)
+- stream_padding (can be set by lzma_index_stream_padding())
+- Compressed base from the current Stream
+- Unpadded size (parameter to lzma_index_append())
+
+The sum of everything except for Unpadded size must be less than
+LZMA_VLI_MAX. This is guarenteed by overflow checks in the functions
+that can set these values including lzma_index_stream_padding(),
+lzma_index_append(), and lzma_index_cat(). The maximum value for
+Unpadded size is enforced by lzma_index_append() to be less than or
+equal UNPADDED_SIZE_MAX. Thus, the sum cannot exceed UINT64_MAX since
+LZMA_VLI_MAX is half of UINT64_MAX.
+
+Thanks to Joona Kannisto for reporting this.
+---
+ src/liblzma/common/index.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/src/liblzma/common/index.c b/src/liblzma/common/index.c
+index a41e8f3..8c8ad46 100644
+--- a/src/liblzma/common/index.c
++++ b/src/liblzma/common/index.c
+@@ -656,6 +656,12 @@ lzma_index_append(lzma_index *i, const lzma_allocator *allocator,
+ const uint32_t index_list_size_add = lzma_vli_size(unpadded_size)
+ + lzma_vli_size(uncompressed_size);
+ 
++ // Check that the new unpadded sum will not overflow. This is
++ checked again in index_file_size(), but the unpadded sum is
++ passed to vli_ceil4() which expects a valid lzma_vli value.
++ if (compressed_base + unpadded_size > UNPADDED_SIZE_MAX)
++ return LZMA_DATA_ERROR;
++
+ // Check that the file size will stay within limits.
+ if (index_file_size(s->node.compressed_base,
+ compressed_base + unpadded_size, s->record_count + 1,
+--
+2.23.0
+
diff --git a/xz.spec b/xz.spec
index 8b04edd8181d578d3d93821e54beed3813cd441d..08d44c845755e2b430e648a0b6adf6b6eb54b0f1 100644
--- a/xz.spec
+++ b/xz.spec
@@ -1,6 +1,6 @@
 Name: xz
 Version: 5.2.5
-Release: 3
+Release: 4
 Summary: A free general-purpose data compreession software with LZMA2 algorithm
 License: Public Domain, LGPLv2.1 and GPLv2+
 URL: http://tukaani.org/xz
@@ -9,6 +9,7 @@ Source1: colorxzgrep.sh
 Source2: colorxzgrep.csh
 Patch6000: backport-CVE-2022-1271.patch
+Patch6001: backport-liblzma-Add-overflow-check-for-Unpadded-size-in-lzma.patch
 BuildRequires: perl-interpreter gcc
@@ -111,6 +112,12 @@ LD_LIBRARY_PATH=$PWD/src/liblzma/.libs make check
 %{_mandir}/de/man1/*xz*
 %changelog
+* Wed May 22 2024 kouwenqi - 5.2.5-4
+- Type:enhancement
+- CVE:NA
+- SUG:NA
+- DESC:Add overflow check for Unpadded size in lzma_index_append
+
 * Fri Sep 23 2022 wangjiang - 5.2.5-3
 - Type:enhancement
 - CVE:NA
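Review bot: The second and third lines of the comment added to index.c appear in this hunk without a `//` prefix (`++ checked again in index_file_size(), but the unpadded sum is`), which would be a compile error in lzma_index_append() if the .patch file really contains them rather than this page having dropped the markers, so open the file and confirm before building. The guard `if (compressed_base + unpadded_size > UNPADDED_SIZE_MAX)` evaluates the sum before comparing, and is only wrap-free because each operand is separately bounded below LZMA_VLI_MAX (half of UINT64_MAX) by checks the commit message describes but the hunk does not show; that reliance should be stated on the check itself, e.g. `// The addition cannot wrap: unpadded_size <= UNPADDED_SIZE_MAX was verified above and compressed_base stays below LZMA_VLI_MAX.` Since this is a backport into 5.2.5, confirm that UNPADDED_SIZE_MAX and the earlier unpadded_size bound exist in this branch's index.c, and verify the six inserted lines against upstream commit 68bda971 rather than trusting them on the strength of the author line. lzma_index_append() begins and ends outside the quoted hunk.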
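Review bot: Patch6001 is only declared in the second spec hunk; whether it is applied depends on %prep, which is outside the visible hunks, so if %prep uses explicit `%patch6000 -p1` lines rather than `%autosetup -p1`, a matching `%patch6001 -p1` line is needed or the backport never reaches the built library. The Release bump and the 5.2.5-4 changelog entry agree with each other. The `make check` run visible as context of the last hunk only exercises the new index check if the patch is actually applied, so confirming %prep is the one thing to verify before merging.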