gnu: libarchive: Update to 3.2.0.

* gnu/packages/patches/libarchive-CVE-2013-0211.patch,
gnu/packages/patches/libarchive-CVE-2016-1541.patch,
gnu/packages/patches/libarchive-bsdtar-test.patch,
gnu/packages/patches/libarchive-fix-lzo-test-case.patch,
gnu/packages/patches/libarchive-mtree-filename-length-fix.patch: Delete files.
* gnu/local.mk (dist_patch_DATA): Remove them.
* gnu/packages/backup.scm (libarchive): Update to 3.2.0.
[source]: Remove deleted patches.
[replacement]: Remove.
(libarchive/fixed): Remove variable.
This commit is contained in:
Leo Famulari 2016-05-13 02:23:38 -04:00
parent eb74eb4199
commit 4fa05a8198
No known key found for this signature in database
GPG Key ID: 2646FA30BACA7F08
7 changed files with 2 additions and 284 deletions

View File

@ -561,11 +561,6 @@ dist_patch_DATA = \
gnu/packages/patches/liba52-link-with-libm.patch \
gnu/packages/patches/liba52-set-soname.patch \
gnu/packages/patches/liba52-use-mtune-not-mcpu.patch \
gnu/packages/patches/libarchive-bsdtar-test.patch \
gnu/packages/patches/libarchive-CVE-2013-0211.patch \
gnu/packages/patches/libarchive-CVE-2016-1541.patch \
gnu/packages/patches/libarchive-fix-lzo-test-case.patch \
gnu/packages/patches/libarchive-mtree-filename-length-fix.patch \
gnu/packages/patches/libbonobo-activation-test-race.patch \
gnu/packages/patches/libcanberra-sound-theme-freedesktop.patch \
gnu/packages/patches/libcmis-fix-test-onedrive.patch \

View File

@ -136,8 +136,7 @@ backups (called chunks) to allow easy burning to CD/DVD.")
(define-public libarchive
(package
(name "libarchive")
(replacement libarchive/fixed)
(version "3.1.2")
(version "3.2.0")
(source
(origin
(method url-fetch)
@ -145,12 +144,7 @@ backups (called chunks) to allow easy burning to CD/DVD.")
version ".tar.gz"))
(sha256
(base32
"0pixqnrcf35dnqgv0lp7qlcw7k13620qkhgxr288v7p4iz6ym1zb"))
(patches
(search-patches "libarchive-mtree-filename-length-fix.patch"
"libarchive-fix-lzo-test-case.patch"
"libarchive-CVE-2013-0211.patch"
"libarchive-bsdtar-test.patch"))))
"11xabdpmvdmcdkidigmqh4ymhra95lr7ipcys4hdq0gzf7ylbkkv"))))
(build-system gnu-build-system)
;; TODO: Add -L/path/to/nettle in libarchive.pc.
(inputs
@ -194,14 +188,6 @@ archive. In particular, note that there is currently no built-in support for
random access nor for in-place modification.")
(license license:bsd-2)))
(define libarchive/fixed
(package
(inherit libarchive)
(source (origin
(inherit (package-source libarchive))
(patches (cons (search-patch "libarchive-CVE-2016-1541.patch")
(origin-patches (package-source libarchive))))))))
(define-public rdup
(package
(name "rdup")

View File

@ -1,21 +0,0 @@
Description: Fix CVE-2013-0211: read buffer overflow on 64-bit systems
Origin: upstream
Bug-Debian: http://bugs.debian.org/703957
Forwarded: not-needed
--- libarchive-3.0.4.orig/libarchive/archive_write.c
+++ libarchive-3.0.4/libarchive/archive_write.c
@@ -665,8 +665,13 @@ static ssize_t
_archive_write_data(struct archive *_a, const void *buff, size_t s)
{
struct archive_write *a = (struct archive_write *)_a;
+ const size_t max_write = INT_MAX;
+
archive_check_magic(&a->archive, ARCHIVE_WRITE_MAGIC,
ARCHIVE_STATE_DATA, "archive_write_data");
+ /* In particular, this catches attempts to pass negative values. */
+ if (s > max_write)
+ s = max_write;
archive_clear_error(&a->archive);
return ((a->format_write_data)(a, buff, s));
}

View File

@ -1,67 +0,0 @@
Fix CVE-2016-1541 (buffer overflow zip_read_mac_metadata)
Taken from upstream source repository:
https://github.com/libarchive/libarchive/commit/d0331e8e5b05b475f20b1f3101fe1ad772d7e7e7
When reading OS X metadata entries in Zip archives that were stored
without compression, libarchive would use the uncompressed entry size
to allocate a buffer but would use the compressed entry size to limit
the amount of data copied into that buffer. Since the compressed
and uncompressed sizes are provided by data in the archive itself,
an attacker could manipulate these values to write data beyond
the end of the allocated buffer.
This fix provides three new checks to guard against such
manipulation and to make libarchive generally more robust when
handling this type of entry:
1. If an OS X metadata entry is stored without compression,
abort the entire archive if the compressed and uncompressed
data sizes do not match.
2. When sanity-checking the size of an OS X metadata entry,
abort this entry if either the compressed or uncompressed
size is larger than 4MB.
3. When copying data into the allocated buffer, check the copy
size against both the compressed entry size and uncompressed
entry size.
---
libarchive/archive_read_support_format_zip.c | 13 +++++++++++++
1 file changed, 13 insertions(+)
diff --git a/libarchive/archive_read_support_format_zip.c b/libarchive/archive_read_support_format_zip.c
index 0f8262c..0a0be96 100644
--- a/libarchive/archive_read_support_format_zip.c
+++ b/libarchive/archive_read_support_format_zip.c
@@ -2778,6 +2778,11 @@ zip_read_mac_metadata(struct archive_read *a, struct archive_entry *entry,
switch(rsrc->compression) {
case 0: /* No compression. */
+ if (rsrc->uncompressed_size != rsrc->compressed_size) {
+ archive_set_error(&a->archive, ARCHIVE_ERRNO_FILE_FORMAT,
+ "Malformed OS X metadata entry: inconsistent size");
+ return (ARCHIVE_FATAL);
+ }
#ifdef HAVE_ZLIB_H
case 8: /* Deflate compression. */
#endif
@@ -2798,6 +2803,12 @@ zip_read_mac_metadata(struct archive_read *a, struct archive_entry *entry,
(intmax_t)rsrc->uncompressed_size);
return (ARCHIVE_WARN);
}
+ if (rsrc->compressed_size > (4 * 1024 * 1024)) {
+ archive_set_error(&a->archive, ARCHIVE_ERRNO_FILE_FORMAT,
+ "Mac metadata is too large: %jd > 4M bytes",
+ (intmax_t)rsrc->compressed_size);
+ return (ARCHIVE_WARN);
+ }
metadata = malloc((size_t)rsrc->uncompressed_size);
if (metadata == NULL) {
@@ -2836,6 +2847,8 @@ zip_read_mac_metadata(struct archive_read *a, struct archive_entry *entry,
bytes_avail = remaining_bytes;
switch(rsrc->compression) {
case 0: /* No compression. */
+ if ((size_t)bytes_avail > metadata_bytes)
+ bytes_avail = metadata_bytes;
memcpy(mp, p, bytes_avail);
bytes_used = (size_t)bytes_avail;
metadata_bytes -= bytes_used;

View File

@ -1,74 +0,0 @@
commit b539b2e597b566fe3c4b49cb61c9eef83e5e052d
Author: Pavel Raiskup <praiskup@redhat.com>
Date: Thu Jun 27 16:01:30 2013 +0200
Use ustar format in the test_option_b test
.. because the ustar archive does not store SELinux context. As the default
format for bsdtar is "restricted pax" (trying to store xattrs and other
things by default), the test failed on Fedora because our files have by
default SELinux context set. This results in additional data in tested
archive ~> and the test failed because the archive was unexpectedly big:
tar/test/test_option_b.c:41: File archive1.tar has size 3072, expected 2048
Reviewed by Konrad Kleine <konrad.wilhelm.kleine@gmail.com>
diff --git a/tar/test/test_option_b.c b/tar/test/test_option_b.c
index be2ae65..6fea474 100644
--- a/tar/test/test_option_b.c
+++ b/tar/test/test_option_b.c
@@ -25,8 +25,14 @@
#include "test.h"
__FBSDID("$FreeBSD$");
+#define USTAR_OPT " --format=ustar"
+
DEFINE_TEST(test_option_b)
{
+ char *testprog_ustar = malloc(strlen(testprog) + sizeof(USTAR_OPT) + 1);
+ strcpy(testprog_ustar, testprog);
+ strcat(testprog_ustar, USTAR_OPT);
+
assertMakeFile("file1", 0644, "file1");
if (systemf("cat file1 > test_cat.out 2> test_cat.err") != 0) {
skipping("Platform doesn't have cat");
@@ -36,7 +42,7 @@ DEFINE_TEST(test_option_b)
/*
* Bsdtar does not pad if the output is going directly to a disk file.
*/
- assertEqualInt(0, systemf("%s -cf archive1.tar file1 >test1.out 2>test1.err", testprog));
+ assertEqualInt(0, systemf("%s -cf archive1.tar file1 >test1.out 2>test1.err", testprog_ustar));
failure("bsdtar does not pad archives written directly to regular files");
assertFileSize("archive1.tar", 2048);
assertEmptyFile("test1.out");
@@ -46,24 +52,24 @@ DEFINE_TEST(test_option_b)
* Bsdtar does pad to the block size if the output is going to a socket.
*/
/* Default is -b 20 */
- assertEqualInt(0, systemf("%s -cf - file1 2>test2.err | cat >archive2.tar ", testprog));
+ assertEqualInt(0, systemf("%s -cf - file1 2>test2.err | cat >archive2.tar ", testprog_ustar));
failure("bsdtar does pad archives written to pipes");
assertFileSize("archive2.tar", 10240);
assertEmptyFile("test2.err");
- assertEqualInt(0, systemf("%s -cf - -b 20 file1 2>test3.err | cat >archive3.tar ", testprog));
+ assertEqualInt(0, systemf("%s -cf - -b 20 file1 2>test3.err | cat >archive3.tar ", testprog_ustar));
assertFileSize("archive3.tar", 10240);
assertEmptyFile("test3.err");
- assertEqualInt(0, systemf("%s -cf - -b 10 file1 2>test4.err | cat >archive4.tar ", testprog));
+ assertEqualInt(0, systemf("%s -cf - -b 10 file1 2>test4.err | cat >archive4.tar ", testprog_ustar));
assertFileSize("archive4.tar", 5120);
assertEmptyFile("test4.err");
- assertEqualInt(0, systemf("%s -cf - -b 1 file1 2>test5.err | cat >archive5.tar ", testprog));
+ assertEqualInt(0, systemf("%s -cf - -b 1 file1 2>test5.err | cat >archive5.tar ", testprog_ustar));
assertFileSize("archive5.tar", 2048);
assertEmptyFile("test5.err");
- assertEqualInt(0, systemf("%s -cf - -b 8192 file1 2>test6.err | cat >archive6.tar ", testprog));
+ assertEqualInt(0, systemf("%s -cf - -b 8192 file1 2>test6.err | cat >archive6.tar ", testprog_ustar));
assertFileSize("archive6.tar", 4194304);
assertEmptyFile("test6.err");

View File

@ -1,83 +0,0 @@
Description: This patch fixes test cases for LZO write support in various
architectures, such as armhf. Writing a certain amount of files would
cause the LZO compressor level 9 to produce a bigger archive than the
default compressor level.
Author: Andres Mejia <amejia@debian.org>
--- a/libarchive/test/test_write_filter_lzop.c
+++ b/libarchive/test/test_write_filter_lzop.c
@@ -39,7 +39,7 @@
size_t buffsize, datasize;
char path[16];
size_t used1, used2;
- int i, r, use_prog = 0;
+ int i, r, use_prog = 0, filecount;
assert((a = archive_write_new()) != NULL);
r = archive_write_add_filter_lzop(a);
@@ -58,9 +58,10 @@
datasize = 10000;
assert(NULL != (data = (char *)calloc(1, datasize)));
+ filecount = 10;
/*
- * Write a 100 files and read them all back.
+ * Write a filecount files and read them all back.
*/
assert((a = archive_write_new()) != NULL);
assertEqualIntA(a, ARCHIVE_OK, archive_write_set_format_ustar(a));
@@ -77,7 +78,7 @@
assert((ae = archive_entry_new()) != NULL);
archive_entry_set_filetype(ae, AE_IFREG);
archive_entry_set_size(ae, datasize);
- for (i = 0; i < 100; i++) {
+ for (i = 0; i < filecount; i++) {
sprintf(path, "file%03d", i);
archive_entry_copy_pathname(ae, path);
assertEqualIntA(a, ARCHIVE_OK, archive_write_header(a, ae));
@@ -97,7 +98,7 @@
} else {
assertEqualIntA(a, ARCHIVE_OK,
archive_read_open_memory(a, buff, used1));
- for (i = 0; i < 100; i++) {
+ for (i = 0; i < filecount; i++) {
sprintf(path, "file%03d", i);
if (!assertEqualInt(ARCHIVE_OK,
archive_read_next_header(a, &ae)))
@@ -133,7 +134,7 @@
archive_write_set_options(a, "lzop:compression-level=9"));
assertEqualIntA(a, ARCHIVE_OK,
archive_write_open_memory(a, buff, buffsize, &used2));
- for (i = 0; i < 100; i++) {
+ for (i = 0; i < filecount; i++) {
sprintf(path, "file%03d", i);
assert((ae = archive_entry_new()) != NULL);
archive_entry_copy_pathname(ae, path);
@@ -161,7 +162,7 @@
archive_read_support_filter_all(a));
assertEqualIntA(a, ARCHIVE_OK,
archive_read_open_memory(a, buff, used2));
- for (i = 0; i < 100; i++) {
+ for (i = 0; i < filecount; i++) {
sprintf(path, "file%03d", i);
if (!assertEqualInt(ARCHIVE_OK,
archive_read_next_header(a, &ae)))
@@ -186,7 +187,7 @@
archive_write_set_filter_option(a, NULL, "compression-level", "1"));
assertEqualIntA(a, ARCHIVE_OK,
archive_write_open_memory(a, buff, buffsize, &used2));
- for (i = 0; i < 100; i++) {
+ for (i = 0; i < filecount; i++) {
sprintf(path, "file%03d", i);
assert((ae = archive_entry_new()) != NULL);
archive_entry_copy_pathname(ae, path);
@@ -216,7 +217,7 @@
} else {
assertEqualIntA(a, ARCHIVE_OK,
archive_read_open_memory(a, buff, used2));
- for (i = 0; i < 100; i++) {
+ for (i = 0; i < filecount; i++) {
sprintf(path, "file%03d", i);
if (!assertEqualInt(ARCHIVE_OK,
archive_read_next_header(a, &ae)))

View File

@ -1,18 +0,0 @@
Description: Patch to fix filename length calculation when writing mtree archives.
Author: Dave Reisner <dreisner@archlinux.org>
Origin: upstream
--- a/libarchive/archive_write_set_format_mtree.c
+++ b/libarchive/archive_write_set_format_mtree.c
@@ -1855,9 +1855,9 @@
return (ret);
}
- /* Make a basename from dirname and slash */
+ /* Make a basename from file->parentdir.s and slash */
*slash = '\0';
- file->parentdir.length = slash - dirname;
+ file->parentdir.length = slash - file->parentdir.s;
archive_strcpy(&(file->basename), slash + 1);
return (ret);
}