author | Leo Famulari <leo@famulari.name> | 2016-10-02 15:58:06 -0400 |
---|---|---|
committer | Leo Famulari <leo@famulari.name> | 2016-10-03 16:52:28 -0400 |
commit | b38e97e03b92d54524953949934884828a1683c1 (patch) | |
tree | fde3b2a9c2c85a51a501ea92b785e7852fd4c102 /gnu/packages/patches/libarchive-safe_fprintf-buffer-overflow.patch | |
parent | 85358aef8e80d810405916f571816bd028c245b8 (diff) | |
gnu: libarchive: Fix several security issues.
* gnu/packages/backup.scm (libarchive)[replacement]: New field.
(libarchive/fixed): New variable.
* gnu/packages/patches/libarchive-7zip-heap-overflow.patch,
gnu/packages/patches/libarchive-fix-symlink-check.patch,
gnu/packages/patches/libarchive-fix-filesystem-attacks.patch,
gnu/packages/patches/libarchive-safe_fprintf-buffer-overflow.patch: New files.
* gnu/local.mk (dist_patch_DATA): Add them.
Diffstat (limited to 'gnu/packages/patches/libarchive-safe_fprintf-buffer-overflow.patch')
-rw-r--r-- | gnu/packages/patches/libarchive-safe_fprintf-buffer-overflow.patch | 44 |
1 files changed, 44 insertions, 0 deletions
diff --git a/gnu/packages/patches/libarchive-safe_fprintf-buffer-overflow.patch b/gnu/packages/patches/libarchive-safe_fprintf-buffer-overflow.patch new file mode 100644 index 0000000000..0e70ac90ce --- /dev/null +++ b/gnu/packages/patches/libarchive-safe_fprintf-buffer-overflow.patch 
@@ -0,0 +1,44 @@ +Fixes this buffer overflow: +https://github.com/libarchive/libarchive/commit/e37b620fe8f14535d737e89a4dcabaed4517bf1a + +Patch copied from upstream source repository: +https://github.com/libarchive/libarchive/commit/e37b620fe8f14535d737e89a4dcabaed4517bf1a + +From e37b620fe8f14535d737e89a4dcabaed4517bf1a Mon Sep 17 00:00:00 2001 +From: Tim Kientzle <kientzle@acm.org> +Date: Sun, 21 Aug 2016 10:51:43 -0700 +Subject: [PATCH] Issue #767: Buffer overflow printing a filename + +The safe_fprintf function attempts to ensure clean output for an +arbitrary sequence of bytes by doing a trial conversion of the +multibyte characters to wide characters -- if the resulting wide +character is printable then we pass through the corresponding bytes +unaltered, otherwise, we convert them to C-style ASCII escapes. + +The stack trace in Issue #767 suggest that the 20-byte buffer +was getting overflowed trying to format a non-printable multibyte +character. This should only happen if there is a valid multibyte +character of more than 5 bytes that was unprintable. (Each byte +would get expanded to a four-charcter octal-style escape of the form +"\123" resulting in >20 characters for the >5 byte multibyte character.) + +I've not been able to reproduce this, but have expanded the conversion +buffer to 128 bytes on the belief that no multibyte character set +has a single character of more than 32 bytes. +--- + tar/util.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tar/util.c b/tar/util.c +index 9ff22f2..2b4aebe 100644 +--- a/tar/util.c ++++ b/tar/util.c +@@ -182,7 +182,7 @@ safe_fprintf(FILE *f, const char *fmt, ...) + } + + /* If our output buffer is full, dump it and keep going. */ +- if (i > (sizeof(outbuff) - 20)) { ++ if (i > (sizeof(outbuff) - 128)) { + outbuff[i] = '\0'; + fprintf(f, "%s", outbuff); + i = 0; |
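Review bot: The flush test in the tar/util.c hunk, `if (i > (sizeof(outbuff) - 128)) {`, still depends on an assumed per-character maximum instead of bounding the write itself. The message states that 128 rests on "the belief that no multibyte character set has a single character of more than 32 bytes", and that the overflow could not be reproduced. At four escape characters per byte, 32 bytes expand to exactly 128 characters, so the margin has no slack for the `outbuff[i] = '\0'` terminator that follows the test. I would suggest checking the remaining space before each escape is appended, or at least replacing the literal with a named constant derived from the maximum character length and adding one for the terminator. It is also worth confirming that `outbuff` is comfortably larger than 128 bytes, because the `sizeof` subtraction is unsigned and would wrap otherwise. A smaller documentation point on the patch header: the link under "Fixes this buffer overflow:" is the same commit URL given under "Patch copied from upstream source repository:". Pointing the first link at the Issue #767 report named in the subject would tell readers which bug is being fixed.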