diff options
author | Leo Famulari <leo@famulari.name> | 2016-10-02 15:58:06 -0400 |
---|---|---|
committer | Leo Famulari <leo@famulari.name> | 2016-10-03 16:52:28 -0400 |
commit | b38e97e03b92d54524953949934884828a1683c1 (patch) | |
tree | fde3b2a9c2c85a51a501ea92b785e7852fd4c102 /gnu/packages/patches/libarchive-fix-symlink-check.patch | |
parent | 85358aef8e80d810405916f571816bd028c245b8 (diff) | |
download | guix-b38e97e03b92d54524953949934884828a1683c1.tar guix-b38e97e03b92d54524953949934884828a1683c1.tar.gz |
gnu: libarchive: Fix several security issues.
* gnu/packages/backup.scm (libarchive)[replacement]: New field.
(libarchive/fixed): New variable.
* gnu/packages/patches/libarchive-7zip-heap-overflow.patch,
gnu/packages/patches/libarchive-fix-symlink-check.patch,
gnu/packages/patches/libarchive-fix-filesystem-attacks.patch,
gnu/packages/patches/libarchive-safe_fprintf-buffer-overflow.patch: New files.
* gnu/local.mk (dist_patch_DATA): Add them.
Diffstat (limited to 'gnu/packages/patches/libarchive-fix-symlink-check.patch')
-rw-r--r-- | gnu/packages/patches/libarchive-fix-symlink-check.patch | 60 |
1 files changed, 60 insertions, 0 deletions
diff --git a/gnu/packages/patches/libarchive-fix-symlink-check.patch b/gnu/packages/patches/libarchive-fix-symlink-check.patch new file mode 100644 index 0000000000..f042c31a84 --- /dev/null +++ b/gnu/packages/patches/libarchive-fix-symlink-check.patch @@ -0,0 +1,60 @@ +Make sure to check for symlinks even if the pathname is very long: + +https://github.com/libarchive/libarchive/issues/744 + +Patch copied from upstream repository: + +https://github.com/libarchive/libarchive/commit/1fa9c7bf90f0862036a99896b0501c381584451a + +From 1fa9c7bf90f0862036a99896b0501c381584451a Mon Sep 17 00:00:00 2001 +From: Tim Kientzle <kientzle@acm.org> +Date: Sun, 21 Aug 2016 17:11:45 -0700 +Subject: [PATCH] Issue #744 (part of Issue #743): Enforce sandbox with very + long pathnames + +Because check_symlinks is handled separately from the deep-directory +support, very long pathnames cause problems. Previously, the code +ignored most failures to lstat() a path component. In particular, +this led to check_symlinks always passing for very long paths, which +in turn provides a way to evade the symlink checks in the sandboxing +code. + +We now fail on unrecognized lstat() failures, which plugs this +hole at the cost of disabling deep directory support when the +user requests sandboxing. + +TODO: This probably cannot be completely fixed without +entirely reimplementing the deep directory support to +integrate the symlink checks. I want to reimplement the +deep directory hanlding someday anyway; openat() and +related system calls now provide a much cleaner way to +handle deep directories than the chdir approach used by this +code. +--- + libarchive/archive_write_disk_posix.c | 12 +++++++++++- + 1 file changed, 11 insertions(+), 1 deletion(-) + +diff --git a/libarchive/archive_write_disk_posix.c b/libarchive/archive_write_disk_posix.c +index 39ee3b6..8f0421e 100644 +--- a/libarchive/archive_write_disk_posix.c ++++ b/libarchive/archive_write_disk_posix.c +@@ -2401,8 +2401,18 @@ check_symlinks(struct archive_write_disk *a) + r = lstat(a->name, &st); + if (r != 0) { + /* We've hit a dir that doesn't exist; stop now. */ +- if (errno == ENOENT) ++ if (errno == ENOENT) { + break; ++ } else { ++ /* Note: This effectively disables deep directory ++ * support when security checks are enabled. ++ * Otherwise, very long pathnames that trigger ++ * an error here could evade the sandbox. ++ * TODO: We could do better, but it would probably ++ * require merging the symlink checks with the ++ * deep-directory editing. */ ++ return (ARCHIVE_FAILED); ++ } + } else if (S_ISLNK(st.st_mode)) { + if (c == '\0') { + /* |