diff options
Diffstat (limited to 'main/libarchive')
| -rw-r--r-- | main/libarchive/APKBUILD | 15 | ||||
| -rw-r--r-- | main/libarchive/CVE-2017-14166.patch | 36 |
2 files changed, 46 insertions, 5 deletions
diff --git a/main/libarchive/APKBUILD b/main/libarchive/APKBUILD index 8893ac00de1..fdd9a72671d 100644 --- a/main/libarchive/APKBUILD +++ b/main/libarchive/APKBUILD @@ -2,7 +2,7 @@ # Maintainer: Natanael Copa <ncopa@alpinelinux.org> pkgname=libarchive pkgver=3.2.2 -pkgrel=0 +pkgrel=1 pkgdesc="library that can create and read several streaming archive formats" url="http://libarchive.googlecode.com/" arch="all" @@ -13,7 +13,7 @@ makedepends="zlib-dev bzip2-dev xz-dev acl-dev openssl-dev expat-dev" depends_dev="$makedepends" source="http://www.libarchive.org/downloads/libarchive-$pkgver.tar.gz CVE-2017-5601.patch - " + CVE-2017-14166.patch" _builddir="$srcdir"/$pkgname-$pkgver @@ -28,6 +28,8 @@ _builddir="$srcdir"/$pkgname-$pkgver # - CVE-2016-7166 # 3.2.2-r0: # - CVE-2017-5601 +# 3.2.2-r1: +# - CVE-2017-14166 prepare() { cd "$_builddir" @@ -61,8 +63,11 @@ tools() { } md5sums="1ec00b7dcaf969dd2a5712f85f23c764 libarchive-3.2.2.tar.gz -f9bf727dad55bc4c639e4fe12c456d8f CVE-2017-5601.patch" +f9bf727dad55bc4c639e4fe12c456d8f CVE-2017-5601.patch +f5dc039605c8c349da58f396c83816e9 CVE-2017-14166.patch" sha256sums="691c194ee132d1f0f7a42541f091db811bc2e56f7107e9121be2bc8c04f1060f libarchive-3.2.2.tar.gz -300c119e85a49615e2ed34521de77fa8202d1db39bb861998b3e71148c1adcdc CVE-2017-5601.patch" +300c119e85a49615e2ed34521de77fa8202d1db39bb861998b3e71148c1adcdc CVE-2017-5601.patch +059c894d5a26ebbd7f908e54ecc47429eb6166968c6b900447ac7d8c04b936b8 CVE-2017-14166.patch" sha512sums="a67920c37d49cf9478032d77fc4fa21827cebb96e9b83d9ecb8466328834052e4ab3d3a9bc4e2edf405d6cb14ffd648c9fa100b578257f6e5842c99bbea558a7 libarchive-3.2.2.tar.gz -a00839e72fa7ccbdbde4b8b5a8e04f96d6eabcaa2d0150393c8273e4855b09d18cbec6fb1e4551d0d1bbc0439e1f41d5341539a0de8a97f821a5281a7bac8494 CVE-2017-5601.patch" +a00839e72fa7ccbdbde4b8b5a8e04f96d6eabcaa2d0150393c8273e4855b09d18cbec6fb1e4551d0d1bbc0439e1f41d5341539a0de8a97f821a5281a7bac8494 CVE-2017-5601.patch +7cc9dbafd970c07fb4421b7a72a075cc0a000db77df4432222539c58625c93c45f01a144838b551980bc0c6dc5b4c3ab852eb1433006c3174581ba0897010dbe CVE-2017-14166.patch" diff --git a/main/libarchive/CVE-2017-14166.patch b/main/libarchive/CVE-2017-14166.patch new file mode 100644 index 00000000000..b729ae41e0a --- /dev/null +++ b/main/libarchive/CVE-2017-14166.patch @@ -0,0 +1,36 @@ +From fa7438a0ff4033e4741c807394a9af6207940d71 Mon Sep 17 00:00:00 2001 +From: Joerg Sonnenberger <joerg@bec.de> +Date: Tue, 5 Sep 2017 18:12:19 +0200 +Subject: [PATCH] Do something sensible for empty strings to make fuzzers + happy. + +--- + libarchive/archive_read_support_format_xar.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/libarchive/archive_read_support_format_xar.c b/libarchive/archive_read_support_format_xar.c +index 7a22beb9d..93eeacc5e 100644 +--- a/libarchive/archive_read_support_format_xar.c ++++ b/libarchive/archive_read_support_format_xar.c +@@ -1040,6 +1040,9 @@ atol10(const char *p, size_t char_cnt) + uint64_t l; + int digit; + ++ if (char_cnt == 0) ++ return (0); ++ + l = 0; + digit = *p - '0'; + while (digit >= 0 && digit < 10 && char_cnt-- > 0) { +@@ -1054,7 +1057,10 @@ atol8(const char *p, size_t char_cnt) + { + int64_t l; + int digit; +- ++ ++ if (char_cnt == 0) ++ return (0); ++ + l = 0; + while (char_cnt-- > 0) { + if (*p >= '0' && *p <= '7') |