Package: libarchive / 3.1.2-11+deb8u3

Metadata

Package: libarchive
Version: 3.1.2-11+deb8u3
Patches format: 3.0 (quilt)

Patch series

Patch | File delta | Description
examples.patch | (download)

examples/minitar/minitar.c | 3 3 + 0 - 0 !
examples/untar.c | 1 0 + 1 - 0 !
2 files changed, 3 insertions(+), 1 deletion(-)

 add autopkgtest support.
examples offset type.patch | (download)

examples/minitar/minitar.c | 2 1 + 1 - 0 !
examples/untar.c | 2 1 + 1 - 0 !
2 files changed, 2 insertions(+), 2 deletions(-)

 fix offset data type in examples.
mtree filename length fix.patch | (download)

libarchive/archive_write_set_format_mtree.c | 4 2 + 2 - 0 !
1 file changed, 2 insertions(+), 2 deletions(-)

 patch to fix filename length calculation when writing mtree archives.
fix lzo test case.patch | (download)

libarchive/test/test_write_filter_lzop.c | 17 9 + 8 - 0 !
1 file changed, 9 insertions(+), 8 deletions(-)

 this patch fixes test cases for lzo write support in various
 architectures, such as armhf. Writing a certain amount of files would
 cause the LZO compressor level 9 to produce a bigger archive than the
 default compressor level.
Initialize buff to all zeros.patch | (download)

libarchive/test/test_archive_write_add_filter_by_name.c | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 initialize buff to all zeros.
 From 1016793be6f7ff9f451a60c997c356ea83759562 Mon Sep 17 00:00:00 2001
Allow the option to use no 2nd stage compression wit.patch | (download)

libarchive/archive_write_add_filter_lrzip.c | 7 6 + 1 - 0 !
1 file changed, 6 insertions(+), 1 deletion(-)

 allow the option to use no 2nd stage compression with
 lrzip. From 21b21bc874f31b1379c2c4feb944970ce4459d5c Mon Sep 17 00:00:00 2001
Fix test_archive_write_add_filter_by_name_lrzip test.patch | (download)

libarchive/test/test_archive_write_add_filter_by_name.c | 10 10 + 0 - 0 !
1 file changed, 10 insertions(+)

 fix test_archive_write_add_filter_by_name_lrzip test
 case. There's some bug in lrzip where small files
 cannot use 2nd stage compression. See
 http://ck-hack.blogspot.com/2012/03/lrzip-0612.html?showComment=1337356929450#c3154145708572533571
 From d767d7904781794442938df6b0dd29c8da325e03 Mon Sep 17 00:00:00 2001
fix CVE 2013 0211.patch | (download)

libarchive/archive_write.c | 5 5 + 0 - 0 !
1 file changed, 5 insertions(+)

 fix cve-2013-0211: read buffer overflow on 64-bit systems
Do not overwrite file size if the local file header .patch | (download)

libarchive/archive_read_support_format_zip.c | 6 4 + 2 - 0 !
1 file changed, 4 insertions(+), 2 deletions(-)

 do not overwrite file size if the local file header has valid file
 size. This allows us to extract index.xml from Apple iWork '09 format files.


Add ARCHIVE_EXTRACT_SECURE_NOABSOLUTEPATHS option.patch | (download)

cpio/bsdcpio.1 | 3 2 + 1 - 0 !
cpio/cpio.c | 2 2 + 0 - 0 !
libarchive/archive.h | 2 2 + 0 - 0 !
libarchive/archive_write_disk.3 | 3 3 + 0 - 0 !
libarchive/archive_write_disk_posix.c | 14 11 + 3 - 0 !
libarchive/test/test_write_disk_secure.c | 23 23 + 0 - 0 !
6 files changed, 43 insertions(+), 4 deletions(-)

 add archive_extract_secure_noabsolutepaths option

This fixes a directory traversal in the cpio tool.

Issue 656 Fix CVE 2016 1541 VU 862384.patch | (download)

libarchive/archive_read_support_format_zip.c | 13 13 + 0 - 0 !
1 file changed, 13 insertions(+)

 [patch] issue #656:  fix cve-2016-1541, vu#862384

When reading OS X metadata entries in Zip archives that were stored
without compression, libarchive would use the uncompressed entry size
to allocate a buffer but would use the compressed entry size to limit
the amount of data copied into that buffer.  Since the compressed
and uncompressed sizes are provided by data in the archive itself,
an attacker could manipulate these values to write data beyond
the end of the allocated buffer.

This fix provides three new checks to guard against such
manipulation and to make libarchive generally more robust when
handling this type of entry:
 1. If an OS X metadata entry is stored without compression,
    abort the entire archive if the compressed and uncompressed
    data sizes do not match.
 2. When sanity-checking the size of an OS X metadata entry,
    abort this entry if either the compressed or uncompressed
    size is larger than 4MB.
 3. When copying data into the allocated buffer, check the copy
    size against both the compressed entry size and uncompressed
    entry size.

CVE 2015 8916.patch | (download)

tar/read.c | 6 6 + 0 - 0 !
1 file changed, 6 insertions(+)

 [patch] issues 396, 397: ignore entries with empty filenames.

Bugs in the rar and cab readers lead to returning entries
with empty filenames.  Make bsdtar resistant to this.

Of course, we should also fix the rar and cab
readers to handle these cases correctly and either
return correctly-populated entries or fail cleanly.

CVE 2015 8919.patch | (download)

libarchive/archive_read_support_format_lha.c | 6 4 + 2 - 0 !
1 file changed, 4 insertions(+), 2 deletions(-)

 [patch] issue 402: failed to recognize empty dir name in lha/lzh file

When parsing a directory name, we checked for the name
length being zero, but not for the first byte being a
null byte.  Add a similar check for the file case.

CVE 2015 8920.patch | (download)

libarchive/archive_read_support_format_ar.c | 21 14 + 7 - 0 !
1 file changed, 14 insertions(+), 7 deletions(-)

 [patch] issue 403: buffer underflow parsing 'ar' header

While pruning trailing text from ar filenames, we did not
check for an empty filename.  This results in reading the byte
before the filename on the stack.

While here, change a number of ar format issues from WARN to FATAL.
It's better to abort on a damaged file than risk reading garbage.
No doubt, this will require additional tuning in the future.

CVE 2015 8921.patch | (download)

libarchive/archive_entry.c | 20 14 + 6 - 0 !
1 file changed, 14 insertions(+), 6 deletions(-)

 fix read past end of string parsing
CVE 2015 8922.patch | (download)

Makefile.am | 3 3 + 0 - 0 !
libarchive/archive_read_support_format_7zip.c | 9 9 + 0 - 0 !
libarchive/test/CMakeLists.txt | 1 1 + 0 - 0 !
libarchive/test/test_read_format_7zip_malformed.7z.uu | 5 5 + 0 - 0 !
libarchive/test/test_read_format_7zip_malformed.c | 67 67 + 0 - 0 !
libarchive/test/test_read_format_7zip_malformed2.7z.uu | 5 5 + 0 - 0 !
6 files changed, 90 insertions(+)

 [patch] issue 405: segfault on malformed 7z archive

Reject a couple of nonsensical cases.

CVE 2015 8923.patch | (download)

Makefile.am | 2 2 + 0 - 0 !
libarchive/archive_read_support_format_zip.c | 4 2 + 2 - 0 !
libarchive/test/CMakeLists.txt | 1 1 + 0 - 0 !
libarchive/test/test_read_format_zip_malformed.c | 61 61 + 0 - 0 !
libarchive/test/test_read_format_zip_malformed1.zip.uu | 5 5 + 0 - 0 !
5 files changed, 71 insertions(+), 2 deletions(-)

 [patch] issue 406: segfault on malformed zip archive

Issue here was reading a size field as a signed number
and then using that as an offset.  Fixed by correctly
masking the size value to an unsigned result.

Includes test based on the archive provided in the issue report.

CVE 2015 8924.patch | (download)

libarchive/archive_read_support_format_tar.c | 20 8 + 12 - 0 !
1 file changed, 8 insertions(+), 12 deletions(-)

 [patch] issue 407: tar reader tries to examine last character of an
 empty filename

Of interest:  While working on this, I noted that we have
an existing test for tar files with empty filenames.
That test asserts that the correct behavior here is for the
format handler to return the entry with the empty filename
and a status of ARCHIVE_OK.  Clients need to be robust against
empty filenames.

CVE 2015 8925.patch | (download)

libarchive/archive_read_support_format_mtree.c | 56 27 + 29 - 0 !
libarchive/test/test_read_format_mtree.c | 6 5 + 1 - 0 !
libarchive/test/test_read_format_mtree.mtree.uu | 20 11 + 9 - 0 !
3 files changed, 43 insertions(+), 39 deletions(-)

 [patch] issue 408: fix escaped newline parsing


CVE 2015 8926.patch | (download)

libarchive/archive_read_support_format_rar.c | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 [patch] issue 410: segfault on invalid rar archive

Libarchive's API passes a void ** which is set by the format
to the address of the entry data that was just read.

In one particular case, the RAR decompression logic uses a
non-NULL value here to indicate that the internal 128k decompression
buffer has been filled.  But the RAR code took no steps to ensure
that the value was set NULL on entry.  As a result, a crafted RAR
file can trick libarchive into returning to the caller a 128k block
of data starting at whatever value was previously in the caller's
variable.

The fix is simply to set *buff = NULL on entry to the RAR
decompression logic.

CVE 2015 8928.patch | (download)

libarchive/archive_read_support_format_mtree.c | 53 29 + 24 - 0 !
1 file changed, 29 insertions(+), 24 deletions(-)

 [patch] issue 550:  fix out-of-bounds read in mtree.

The mtree parser scanned from the end of the string to identify
the filename when the filename is the last element of the line.
If the filename was the entire line, the logic would scan back
to before the start of the string.

The revised logic scans from the beginning of the string
and remembers the last separator position to locate the
trailing filename.

CVE 2015 8930.patch | (download)

libarchive/archive_read_support_format_iso9660.c | 43 34 + 9 - 0 !
1 file changed, 34 insertions(+), 9 deletions(-)

 fix segfault via dir loop in malformed iso
CVE 2015 8931.patch | (download)

libarchive/archive_read_support_format_mtree.c | 47 25 + 22 - 0 !
1 file changed, 25 insertions(+), 22 deletions(-)

 fix integer overflow parsing time values
CVE 2015 8932.patch | (download)

Makefile.am | 1 1 + 0 - 0 !
libarchive/archive_read_support_filter_compress.c | 21 15 + 6 - 0 !
libarchive/test/CMakeLists.txt | 1 1 + 0 - 0 !
libarchive/test/test_read_filter_compress.c | 80 80 + 0 - 0 !
4 files changed, 97 insertions(+), 6 deletions(-)

 fix crash via invalid compressed data
CVE 2015 8933.patch | (download)

libarchive/archive_read_support_format_tar.c | 4 4 + 0 - 0 !
1 file changed, 4 insertions(+)

 [patch] issue #582: reject sparse blocks with negative size or
 offset, detect overflow when tracking sparse blocks


CVE 2015 8934.patch | (download)

Makefile.am | 1 1 + 0 - 0 !
libarchive/archive_read_support_format_rar.c | 12 8 + 4 - 0 !
libarchive/test/CMakeLists.txt | 1 1 + 0 - 0 !
libarchive/test/test_read_format_rar_invalid1.c | 44 44 + 0 - 0 !
libarchive/test/test_read_format_rar_invalid1.rar.uu | 5 5 + 0 - 0 !
5 files changed, 59 insertions(+), 4 deletions(-)

 [patch] issue 521:  properly check reading from lzss decompression
 buffer

Prior code could be tricked into trying to copy data
from beyond the end of the internal decompression buffer.

Thanks to Hanno Böck for his ongoing fuzz-testing work with libarchive.

CVE 2016 4300.patch | (download)

libarchive/archive_read_support_format_7zip.c | 34 21 + 13 - 0 !
1 file changed, 21 insertions(+), 13 deletions(-)

 fix overflow reading 7-zip with large number of substreams
CVE 2016 4302.patch | (download)

libarchive/archive_ppmd7.c | 5 5 + 0 - 0 !
libarchive/archive_read_support_format_rar.c | 6 6 + 0 - 0 !
2 files changed, 11 insertions(+)

 fix crash via rar files with zero dictionary size
CVE 2016 4809.patch | (download)

libarchive/archive_read_support_format_cpio.c | 5 5 + 0 - 0 !
1 file changed, 5 insertions(+)

 [patch] reject cpio symlinks that exceed 1mb


CVE 2016 5844.patch | (download)

libarchive/archive_read_support_format_iso9660.c | 4 2 + 2 - 0 !
1 file changed, 2 insertions(+), 2 deletions(-)

 [patch] issue 717:  fix integer overflow when computing location of
 volume descriptor

The multiplication here defaulted to 'int' but calculations
of file positions should always use int64_t.  A simple cast
suffices to fix this since the base location is always 32 bits
for ISO, so multiplying by the sector size will never overflow
a 64-bit integer.

CVE 2016 7166 Fix a potential crash issue discovered by Alexander .patch | (download)

Makefile.am | 2 2 + 0 - 0 !
libarchive/archive_read.c | 7 5 + 2 - 0 !
libarchive/test/CMakeLists.txt | 1 1 + 0 - 0 !
libarchive/test/test_read_too_many_filters.c | 45 45 + 0 - 0 !
libarchive/test/test_read_too_many_filters.gz.uu | 15 15 + 0 - 0 !
5 files changed, 68 insertions(+), 2 deletions(-)

 [patch] fix a potential crash issue discovered by alexander
 Cherepanov:

It seems bsdtar automatically handles stacked compression. This is a
nice feature but it could be problematic when it's completely
unlimited.  Most clearly it's illustrated with quines:

$ curl -sRO http://www.maximumcompression.com/selfgz.gz
$ (ulimit -v 10000000 && bsdtar -tvf selfgz.gz)
bsdtar: Error opening archive: Can't allocate data for gzip decompression

Without ulimit, bsdtar will eat all available memory. This could also
be a problem for other applications using libarchive.

Clarify the limit on number of filters.patch | (download)

libarchive/archive_read.c | 8 6 + 2 - 0 !
1 file changed, 6 insertions(+), 2 deletions(-)

 [patch] clarify the limit on number of filters


CVE 2016 6250 Issue 711 Be more careful about verifying filename l.patch | (download)

libarchive/archive_write_set_format_iso9660.c | 18 10 + 8 - 0 !
1 file changed, 10 insertions(+), 8 deletions(-)

 [patch] issue 711:  be more careful about verifying filename lengths
 when writing ISO9660 archives

* Don't cast size_t to int, since this can lead to overflow
  on machines where sizeof(int) < sizeof(size_t)
* Check a + b > limit by writing it as
    a > limit || b > limit || a + b > limit
  to avoid problems when a + b wraps around.

CVE 2016 5418/Test cases for Github Issue 744 745 and 746.patch | (download)

Makefile.am | 3 3 + 0 - 0 !
libarchive/test/CMakeLists.txt | 3 3 + 0 - 0 !
libarchive/test/main.c | 25 25 + 0 - 0 !
libarchive/test/test.h | 3 3 + 0 - 0 !
libarchive/test/test_write_disk_secure744.c | 95 95 + 0 - 0 !
libarchive/test/test_write_disk_secure745.c | 76 76 + 0 - 0 !
libarchive/test/test_write_disk_secure746.c | 125 125 + 0 - 0 !
7 files changed, 330 insertions(+)

 [patch] test cases for github issue #744, #745, and #746.


CVE 2016 5418/Fix the test cases for Issue 745 and Issue 746.patch | (download)

libarchive/test/test_write_disk_secure745.c | 5 4 + 1 - 0 !
libarchive/test/test_write_disk_secure746.c | 16 10 + 6 - 0 !
2 files changed, 14 insertions(+), 7 deletions(-)

 [patch] fix the test cases for issue #745 and issue #746

Thanks to Doran Moppert for pointing out the inconsistencies here.

CVE 2016 5418/Issue 744 part of Issue 743 Enforce sandbox with ver.patch | (download)

libarchive/archive_write_disk_posix.c | 12 11 + 1 - 0 !
1 file changed, 11 insertions(+), 1 deletion(-)

 [patch] issue #744 (part of issue #743): enforce sandbox with very
 long pathnames

Because check_symlinks is handled separately from the deep-directory
support, very long pathnames cause problems.  Previously, the code
ignored most failures to lstat() a path component.  In particular,
this led to check_symlinks always passing for very long paths, which
in turn provides a way to evade the symlink checks in the sandboxing
code.

We now fail on unrecognized lstat() failures, which plugs this
hole at the cost of disabling deep directory support when the
user requests sandboxing.

TODO:  This probably cannot be completely fixed without
entirely reimplementing the deep directory support to
integrate the symlink checks.  I want to reimplement the
deep directory handling someday anyway; openat() and
related system calls now provide a much cleaner way to
handle deep directories than the chdir approach used by this
code.

CVE 2016 5418/Fixes for Issue 745 and Issue 746 from Doran Moppert.patch | (download)

libarchive/archive_write_disk_posix.c | 292 229 + 63 - 0 !
1 file changed, 229 insertions(+), 63 deletions(-)

 [patch] fixes for issue #745 and issue #746 from doran moppert.