gnu: libarchive: Remove graft for 3.3.3.

* gnu/packages/patches/libarchive-CVE-2017-14166.patch,
gnu/packages/patches/libarchive-CVE-2017-14502.patch: Delete files.
* gnu/local.mk (dist_patch_DATA): Adjust accordingly.
* gnu/packages/backup.scm (libarchive): Update to 3.3.3.
[source](patches): Adjust for 3.3.3.
[replacement]: Remove field.
(libarchive-3.3.3): Remove variable.
This commit is contained in:
Marius Bakke 2019-02-07 21:31:23 +01:00
parent 027250f1a6
commit a5be549e39
No known key found for this signature in database
GPG Key ID: A2A06DF2A33A54FA
4 changed files with 5 additions and 108 deletions

View File

@ -943,8 +943,6 @@ dist_patch_DATA = \
%D%/packages/patches/liba52-link-with-libm.patch \ %D%/packages/patches/liba52-link-with-libm.patch \
%D%/packages/patches/liba52-set-soname.patch \ %D%/packages/patches/liba52-set-soname.patch \
%D%/packages/patches/liba52-use-mtune-not-mcpu.patch \ %D%/packages/patches/liba52-use-mtune-not-mcpu.patch \
%D%/packages/patches/libarchive-CVE-2017-14166.patch \
%D%/packages/patches/libarchive-CVE-2017-14502.patch \
%D%/packages/patches/libarchive-CVE-2018-1000877.patch \ %D%/packages/patches/libarchive-CVE-2018-1000877.patch \
%D%/packages/patches/libarchive-CVE-2018-1000878.patch \ %D%/packages/patches/libarchive-CVE-2018-1000878.patch \
%D%/packages/patches/libarchive-CVE-2018-1000880.patch \ %D%/packages/patches/libarchive-CVE-2018-1000880.patch \

View File

@ -197,18 +197,18 @@ backups (called chunks) to allow easy burning to CD/DVD.")
(define-public libarchive (define-public libarchive
(package (package
(name "libarchive") (name "libarchive")
(replacement libarchive-3.3.3) (version "3.3.3")
(version "3.3.2")
(source (source
(origin (origin
(method url-fetch) (method url-fetch)
(uri (string-append "https://libarchive.org/downloads/libarchive-" (uri (string-append "https://libarchive.org/downloads/libarchive-"
version ".tar.gz")) version ".tar.gz"))
(patches (search-patches "libarchive-CVE-2017-14166.patch" (patches (search-patches "libarchive-CVE-2018-1000877.patch"
"libarchive-CVE-2017-14502.patch")) "libarchive-CVE-2018-1000878.patch"
"libarchive-CVE-2018-1000880.patch"))
(sha256 (sha256
(base32 (base32
"1km0mzfl6in7l5vz9kl09a88ajx562rw93ng9h2jqavrailvsbgd")))) "0bhfncid058p7n1n8v29l6wxm3mhdqfassscihbsxfwz3iwb2zms"))))
(build-system gnu-build-system) (build-system gnu-build-system)
(inputs (inputs
`(("zlib" ,zlib) `(("zlib" ,zlib)
@ -274,22 +274,6 @@ archive. In particular, note that there is currently no built-in support for
random access nor for in-place modification.") random access nor for in-place modification.")
(license license:bsd-2))) (license license:bsd-2)))
(define-public libarchive-3.3.3
(package
(inherit libarchive)
(version "3.3.3")
(source
(origin
(method url-fetch)
(uri (string-append "https://libarchive.org/downloads/libarchive-"
version ".tar.gz"))
(patches (search-patches "libarchive-CVE-2018-1000877.patch"
"libarchive-CVE-2018-1000878.patch"
"libarchive-CVE-2018-1000880.patch"))
(sha256
(base32
"0bhfncid058p7n1n8v29l6wxm3mhdqfassscihbsxfwz3iwb2zms"))))))
(define-public rdup (define-public rdup
(package (package
(name "rdup") (name "rdup")

View File

@ -1,45 +0,0 @@
Fix CVE-2017-14166:
https://github.com/libarchive/libarchive/issues/935
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14166
Patch copied from upstream source repository:
https://github.com/libarchive/libarchive/commit/fa7438a0ff4033e4741c807394a9af6207940d71
From fa7438a0ff4033e4741c807394a9af6207940d71 Mon Sep 17 00:00:00 2001
From: Joerg Sonnenberger <joerg@bec.de>
Date: Tue, 5 Sep 2017 18:12:19 +0200
Subject: [PATCH] Do something sensible for empty strings to make fuzzers
happy.
---
libarchive/archive_read_support_format_xar.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/libarchive/archive_read_support_format_xar.c b/libarchive/archive_read_support_format_xar.c
index 7a22beb9d..93eeacc5e 100644
--- a/libarchive/archive_read_support_format_xar.c
+++ b/libarchive/archive_read_support_format_xar.c
@@ -1040,6 +1040,9 @@ atol10(const char *p, size_t char_cnt)
uint64_t l;
int digit;
+ if (char_cnt == 0)
+ return (0);
+
l = 0;
digit = *p - '0';
while (digit >= 0 && digit < 10 && char_cnt-- > 0) {
@@ -1054,7 +1057,10 @@ atol8(const char *p, size_t char_cnt)
{
int64_t l;
int digit;
-
+
+ if (char_cnt == 0)
+ return (0);
+
l = 0;
while (char_cnt-- > 0) {
if (*p >= '0' && *p <= '7')

View File

@ -1,40 +0,0 @@
Fix CVE-2017-14502:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14502
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=573
Patch copied from upstream source repository:
https://github.com/libarchive/libarchive/commit/5562545b5562f6d12a4ef991fae158bf4ccf92b6
From 5562545b5562f6d12a4ef991fae158bf4ccf92b6 Mon Sep 17 00:00:00 2001
From: Joerg Sonnenberger <joerg@bec.de>
Date: Sat, 9 Sep 2017 17:47:32 +0200
Subject: [PATCH] Avoid a read off-by-one error for UTF16 names in RAR
archives.
Reported-By: OSS-Fuzz issue 573
---
libarchive/archive_read_support_format_rar.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/libarchive/archive_read_support_format_rar.c b/libarchive/archive_read_support_format_rar.c
index cbb14c32..751de697 100644
--- a/libarchive/archive_read_support_format_rar.c
+++ b/libarchive/archive_read_support_format_rar.c
@@ -1496,7 +1496,11 @@ read_header(struct archive_read *a, struct archive_entry *entry,
return (ARCHIVE_FATAL);
}
filename[filename_size++] = '\0';
- filename[filename_size++] = '\0';
+ /*
+ * Do not increment filename_size here as the computations below
+ * add the space for the terminating NUL explicitly.
+ */
+ filename[filename_size] = '\0';
/* Decoded unicode form is UTF-16BE, so we have to update a string
* conversion object for it. */
--
2.15.1