kumquat-buildroot/package/libarchive/0004-Reject-LHA-archive-entries-with-negative-size.patch
Baruch Siach 760fbe789c libarchive: add upstream security patches
Add patches for the following security issues:

CVE-2017-14501 - An out-of-bounds read flaw exists in parse_file_info in
archive_read_support_format_iso9660.c when extracting a specially
crafted iso9660 iso file.

CVE-2017-14502 - Off-by-one error for UTF-16 names in RAR archives,
leading to an out-of-bounds read in archive_read_format_rar_read_header.

CVE-2017-14503 - Out-of-bounds read within lha_read_data_none() in
archive_read_support_format_lha.c when extracting a specially crafted
lha archive.

Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2018-08-08 16:19:28 +02:00

33 lines
1.0 KiB
Diff

From 2c8c83b9731ff822fad6cc8c670ea5519c366a14 Mon Sep 17 00:00:00 2001
From: Joerg Sonnenberger <joerg@bec.de>
Date: Thu, 19 Jul 2018 21:14:53 +0200
Subject: [PATCH] Reject LHA archive entries with negative size.
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
---
Upstream status: commit 2c8c83b9731
libarchive/archive_read_support_format_lha.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/libarchive/archive_read_support_format_lha.c b/libarchive/archive_read_support_format_lha.c
index b8ef4ae10ece..95c99bb1f31e 100644
--- a/libarchive/archive_read_support_format_lha.c
+++ b/libarchive/archive_read_support_format_lha.c
@@ -701,6 +701,12 @@ archive_read_format_lha_read_header(struct archive_read *a,
* Prepare variables used to read a file content.
*/
lha->entry_bytes_remaining = lha->compsize;
+ if (lha->entry_bytes_remaining < 0) {
+ archive_set_error(&a->archive,
+ ARCHIVE_ERRNO_FILE_FORMAT,
+ "Invalid LHa entry size");
+ return (ARCHIVE_FATAL);
+ }
lha->entry_offset = 0;
lha->entry_crc_calculated = 0;
--
2.18.0