LILiK
/
openwrt-packages-dist
5
0
Fork 0
Code Issues 0 Pull Requests 0 Projects 0 Releases 0 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
13691 Commits
1 Branch
46 MiB
Tree: a152d9b875
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'a152d9b875'
${ noResults }
openwrt-packages-dist/libs/libarchive/patches/104-CVE-2019-1000019.patch

55 lines
2.8 KiB
Raw Normal View History

libarchive: patch security issues Fixes CVE-2019-1000019 CVE-2019-1000020 Signed-off-by: Jan Pavlinec <jan.pavlinec@nic.cz>
6 years ago
 
  1. From 65a23f5dbee4497064e9bb467f81138a62b0dae1 Mon Sep 17 00:00:00 2001
  2. From: Daniel Axtens <dja@axtens.net>
  3. Date: Tue, 1 Jan 2019 16:01:40 +1100
  4. Subject: [PATCH] 7zip: fix crash when parsing certain archives
  5. 

  6. Fuzzing with CRCs disabled revealed that a call to get_uncompressed_data()
  7. would sometimes fail to return at least 'minimum' bytes. This can cause
  8. the crc32() invocation in header_bytes to read off into invalid memory.
  9. 

  10. A specially crafted archive can use this to cause a crash.
  11. 

  12. An ASAN trace is below, but ASAN is not required - an uninstrumented
  13. binary will also crash.
  14. 

  15. ==7719==ERROR: AddressSanitizer: SEGV on unknown address 0x631000040000 (pc 0x7fbdb3b3ec1d bp 0x7ffe77a51310 sp 0x7ffe77a51150 T0)

  16. ==7719==The signal is caused by a READ memory access.

  17.     #0 0x7fbdb3b3ec1c in crc32_z (/lib/x86_64-linux-gnu/libz.so.1+0x2c1c)
  18.     #1 0x84f5eb in header_bytes (/tmp/libarchive/bsdtar+0x84f5eb)
  19.     #2 0x856156 in read_Header (/tmp/libarchive/bsdtar+0x856156)
  20.     #3 0x84e134 in slurp_central_directory (/tmp/libarchive/bsdtar+0x84e134)
  21.     #4 0x849690 in archive_read_format_7zip_read_header (/tmp/libarchive/bsdtar+0x849690)
  22.     #5 0x5713b7 in _archive_read_next_header2 (/tmp/libarchive/bsdtar+0x5713b7)
  23.     #6 0x570e63 in _archive_read_next_header (/tmp/libarchive/bsdtar+0x570e63)
  24.     #7 0x6f08bd in archive_read_next_header (/tmp/libarchive/bsdtar+0x6f08bd)
  25.     #8 0x52373f in read_archive (/tmp/libarchive/bsdtar+0x52373f)
  26.     #9 0x5257be in tar_mode_x (/tmp/libarchive/bsdtar+0x5257be)
  27.     #10 0x51daeb in main (/tmp/libarchive/bsdtar+0x51daeb)
  28.     #11 0x7fbdb27cab96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
  29.     #12 0x41dd09 in _start (/tmp/libarchive/bsdtar+0x41dd09)
  30. 

  31. This was primarly done with afl and FairFuzz. Some early corpus entries
  32. may have been generated by qsym.
  33. ---

  34.  libarchive/archive_read_support_format_7zip.c | 8 +-------
  35.  1 file changed, 1 insertion(+), 7 deletions(-)
  36. 

  37. diff --git a/libarchive/archive_read_support_format_7zip.c b/libarchive/archive_read_support_format_7zip.c

  38. index bccbf8966..b6d1505d3 100644

  39. --- a/libarchive/archive_read_support_format_7zip.c

  40. +++ b/libarchive/archive_read_support_format_7zip.c

  41. @@ -2964,13 +2964,7 @@ get_uncompressed_data(struct archive_read *a, const void **buff, size_t size,

  42.  	if (zip->codec == _7Z_COPY && zip->codec2 == (unsigned long)-1) {
  43.  		/* Copy mode. */
  44.  
  45. -		/*

  46. -		 * Note: '1' here is a performance optimization.

  47. -		 * Recall that the decompression layer returns a count of

  48. -		 * available bytes; asking for more than that forces the

  49. -		 * decompressor to combine reads by copying data.

  50. -		 */

  51. -		*buff = __archive_read_ahead(a, 1, &bytes_avail);

  52. +		*buff = __archive_read_ahead(a, minimum, &bytes_avail);

  53.  		if (bytes_avail <= 0) {
  54.  			archive_set_error(&a->archive,
  55.  			    ARCHIVE_ERRNO_FILE_FORMAT,