From dbddebdde98fac2f27363df3f9a0e57903753c23 Mon Sep 17 00:00:00 2001
From: Samuli Suominen
Date: Sat, 30 Mar 2013 15:19:17 +0000
Subject: Backport upstream patch for CVE-2013-0211 wrt security #463632 by Agostino Sarubbo

(Portage version: 2.2.0_alpha169/cvs/Linux x86_64, signed Manifest commit with key 4868F14D)
---
 app-arch/libarchive/ChangeLog | 9 ++-
 .../files/libarchive-3.1.2-CVE-2013-0211.patch | 32 ++++++++
 app-arch/libarchive/libarchive-3.1.2-r1.ebuild | 91 ++++++++++++++++++++++
 3 files changed, 131 insertions(+), 1 deletion(-)
 create mode 100644 app-arch/libarchive/files/libarchive-3.1.2-CVE-2013-0211.patch
 create mode 100644 app-arch/libarchive/libarchive-3.1.2-r1.ebuild
(limited to 'app-arch/libarchive')

diff --git a/app-arch/libarchive/ChangeLog b/app-arch/libarchive/ChangeLog
index fa2b3bc82105..4e67926ebb2d 100644
--- a/app-arch/libarchive/ChangeLog
+++ b/app-arch/libarchive/ChangeLog
@@ -1,6 +1,13 @@
 # ChangeLog for app-arch/libarchive
 # Copyright 1999-2013 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/app-arch/libarchive/ChangeLog,v 1.141 2013/03/30 15:13:07 ssuominen Exp $
+# $Header: /var/cvsroot/gentoo-x86/app-arch/libarchive/ChangeLog,v 1.142 2013/03/30 15:19:17 ssuominen Exp $
+
+*libarchive-3.1.2-r1 (30 Mar 2013)
+
+  30 Mar 2013; Samuli Suominen
+  +libarchive-3.1.2-r1.ebuild, +files/libarchive-3.1.2-CVE-2013-0211.patch:
+  Backport upstream patch for CVE-2013-0211 wrt security #463632 by Agostino
+  Sarubbo
 
 *libarchive-3.1.2 (30 Mar 2013)
 
diff --git a/app-arch/libarchive/files/libarchive-3.1.2-CVE-2013-0211.patch b/app-arch/libarchive/files/libarchive-3.1.2-CVE-2013-0211.patch
new file mode 100644
index 000000000000..78427ce47740
--- /dev/null
+++ b/app-arch/libarchive/files/libarchive-3.1.2-CVE-2013-0211.patch
@@ -0,0 +1,32 @@
+From 22531545514043e04633e1c015c7540b9de9dbe4 Mon Sep 17 00:00:00 2001
+From: Tim Kientzle
+Date: Fri, 22 Mar 2013 23:48:41 -0700
+Subject: [PATCH] Limit write requests to at most INT_MAX. This prevents a
+ certain common programming error (passing -1 to write) from leading to other
+ problems deeper in the library.
+
+---
+ libarchive/archive_write.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/libarchive/archive_write.c b/libarchive/archive_write.c
+index eede5e0..be85621 100644
+--- a/libarchive/archive_write.c
++++ b/libarchive/archive_write.c
+@@ -673,8 +673,13 @@ static ssize_t
+ _archive_write_data(struct archive *_a, const void *buff, size_t s)
+ {
+ 	struct archive_write *a = (struct archive_write *)_a;
++	const size_t max_write = INT_MAX;
++
+ 	archive_check_magic(&a->archive, ARCHIVE_WRITE_MAGIC,
+ 	    ARCHIVE_STATE_DATA, "archive_write_data");
++	/* In particular, this catches attempts to pass negative values. */
++	if (s > max_write)
++		s = max_write;
+ 	archive_clear_error(&a->archive);
+ 	return ((a->format_write_data)(a, buff, s));
+ }
+-- 
+1.8.1
+
diff --git a/app-arch/libarchive/libarchive-3.1.2-r1.ebuild b/app-arch/libarchive/libarchive-3.1.2-r1.ebuild
new file mode 100644
index 000000000000..1d91051324cc
--- /dev/null
+++ b/app-arch/libarchive/libarchive-3.1.2-r1.ebuild
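Review bot: The clamp `if (s > max_write) s = max_write;` in _archive_write_data turns a caller's `-1` (SIZE_MAX after the size_t conversion) into a request to write INT_MAX bytes starting at `buff`, which is then handed to `(a->format_write_data)(a, buff, s)` unchanged; that stops the signed-conversion fault this CVE is about, but the format writer may still read far past the caller's real buffer, so the bad call is tolerated rather than rejected. Rejecting it instead, `archive_set_error(&a->archive, EINVAL, "write request larger than INT_MAX"); return (ARCHIVE_FATAL);`, would surface the programming error at the call site; since this file is a verbatim upstream backport I would keep it byte-identical and raise that upstream, and at least widen the comment to `/* In particular, this catches attempts to pass negative values; the request is clamped, not rejected. */`. `INT_MAX` comes from `<limits.h>` and nothing in this hunk shows archive_write.c including it, so confirm it is already pulled in (directly or via archive_platform.h) before merging the -r1 build.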
@@ -0,0 +1,91 @@
+# Copyright 1999-2013 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/app-arch/libarchive/libarchive-3.1.2-r1.ebuild,v 1.1 2013/03/30 15:19:17 ssuominen Exp $
+
+EAPI=5
+inherit eutils libtool multilib
+
+DESCRIPTION="BSD tar command"
+HOMEPAGE="http://www.libarchive.org/"
+SRC_URI="http://www.libarchive.org/downloads/${P}.tar.gz"
+
+LICENSE="BSD BSD-2 BSD-4 public-domain"
+SLOT="0/13"
+KEYWORDS="~alpha ~amd64 ~arm ~hppa ~ia64 ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~amd64-fbsd ~sparc-fbsd ~x86-fbsd ~x86-interix ~amd64-linux ~arm-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
+IUSE="acl +bzip2 +e2fsprogs expat +iconv kernel_linux +lzma lzo nettle static-libs xattr +zlib"
+
+RDEPEND="dev-libs/openssl:0
+	acl? ( virtual/acl )
+	bzip2? ( app-arch/bzip2 )
+	expat? ( dev-libs/expat )
+	!expat? ( dev-libs/libxml2 )
+	iconv? ( virtual/libiconv )
+	kernel_linux? (
+		xattr? ( sys-apps/attr )
+	)
+	lzma? ( app-arch/xz-utils )
+	lzo? ( >=dev-libs/lzo-2 )
+	nettle? ( dev-libs/nettle )
+	zlib? ( sys-libs/zlib )"
+DEPEND="${RDEPEND}
+	kernel_linux? (
+		virtual/os-headers
+		e2fsprogs? ( sys-fs/e2fsprogs )
+	)"
+
+DOCS="NEWS README"
+
+src_prepare() {
+	epatch "${FILESDIR}"/${P}-CVE-2013-0211.patch
+	elibtoolize
+}
+
+src_configure() {
+	export ac_cv_header_ext2fs_ext2_fs_h=$(usex e2fsprogs) #354923
+
+	# We disable lzmadec because we support the newer liblzma from xz-utils
+	# and not liblzmadec with this version.
+	econf \
+		$(use_enable static-libs static) \
+		--enable-bsdtar=shared \
+		--enable-bsdcpio=shared \
+		$(use_enable xattr) \
+		$(use_enable acl) \
+		$(use_with zlib) \
+		$(use_with bzip2 bz2lib) \
+		--without-lzmadec \
+		$(use_with iconv) \
+		$(use_with lzma) \
+		$(use_with lzo lzo2) \
+		$(use_with nettle) \
+		$(use_with !expat xml2) \
+		$(use_with expat)
+}
+
+src_test() {
+	# Replace the default src_test so that it builds tests in parallel
+	emake check
+}
+
+src_install() {
+	default
+
+	# Libs.private: should be used from libarchive.pc instead
+	prune_libtool_files
+
+	# Create tar symlink for FreeBSD
+	if ! use prefix && [[ ${CHOST} == *-freebsd* ]]; then
+		dosym bsdtar /usr/bin/tar
+		echo '.so bsdtar.1' > "${T}"/tar.1
+		doman "${T}"/tar.1
+		# We may wish to switch to symlink bsdcpio to cpio too one day
+	fi
+}
+
+pkg_preinst() {
+	preserve_old_lib /usr/$(get_libdir)/${PN}$(get_libname 12)
+}
+
+pkg_postinst() {
+	preserve_old_lib_notify /usr/$(get_libdir)/${PN}$(get_libname 12)
+}
-- cgit v1.2.3-65-gdbad
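Review bot: The `epatch "${FILESDIR}"/${P}-CVE-2013-0211.patch` line in src_prepare says nothing about why the patch exists or which upstream commit it is, so whoever bumps the ebuild next has to open the patch file to decide whether it can be dropped; a one-line comment above it, `# CVE-2013-0211, security bug #463632; upstream commit 22531545`, keeps that visible in the ebuild itself (the upstream hash is the one the patch file's own header carries). Separately, every arch in KEYWORDS stays at `~arch`, so this security revision will still need a follow-up stabilization commit before stable users receive the fix; that is the normal Gentoo flow, just worth tracking against the bug.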