Fix various crash, memory corruption and infinite loop conditions #1105
Merged
new_size can be 0 with a malicious or corrupted RAR archive. realloc(area, 0) is equivalent to free(area), so the region would be free()d here and then free()d again in the cleanup function. Found with a setup running AFL, afl-rb, and qsym.
Fuzzing uncovered some UAF and memory overrun bugs where a file in a single file archive reported that it was split across multiple volumes. This was caused by ppmd7 operations calling rar_br_fillup. This would invoke rar_read_ahead, which would in some situations invoke archive_read_format_rar_read_header. That would check the new file name against the old file name, and if they didn't match up it would free the ppmd7 buffer and allocate a new one. However, because the ppmd7 decoder wasn't actually done with the buffer, it would continue to use the freed buffer. Both reads and writes to the freed region can be observed.

This is quite tricky to solve: once the buffer has been freed it is too late, as the ppmd7 decoder functions almost universally assume success - there's no way for ppmd_read to signal error, nor are there good ways for functions like Range_Normalise to propagate them. So we can't detect after the fact that we're in an invalid state - e.g. by checking rar->cursor, we have to prevent ourselves from ever ending up there.

So, when we are in the dangerous part of rar_read_ahead that assumes a valid split, we set a flag to force read_header to either go down the path for split files or bail. This means that the ppmd7 decoder keeps a valid buffer and just runs out of data. Found with a combination of AFL, afl-rb and qsym.
Currently, it is possible to create an archive that crashes bsdtar
with a malformed ACL:
Program received signal SIGSEGV, Segmentation fault.
archive_acl_from_text_l (acl=<optimised out>, text=0x7e2e92 "", want_type=<optimised out>, sc=<optimised out>) at libarchive/archive_acl.c:1726
1726 switch (*s) {
(gdb) p n
$1 = 1
(gdb) p field[n]
$2 = {start = 0x0, end = 0x0}
Stop this by checking that the length is not zero before beginning
the switch statement.
I am pretty sure this is the bug mentioned in the qsym paper [1],
and I was able to replicate it with a qsym + AFL + afl-rb setup.
[1] https://www.usenix.org/conference/usenixsecurity18/presentation/yun
The warc decoder only used read ahead, it wouldn't actually consume data that had previously been printed. This means that if you specify an invalid content length, it will just reprint the same data over and over and over again until it hits the desired length. This means that a WARC resource with e.g. Content-Length: 666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666665 but only a few hundred bytes of data, causes a quasi-infinite loop. Consume data in subsequent calls to _warc_read. Found with an AFL + afl-rb + qsym setup.
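The read-ahead/consume behaviour described in the WARC commit message above, modelled as an added example (not code from this pull request or from libarchive). `struct stream`, `read_ahead`, `consume`, both reader functions and `drain` are hypothetical stand-ins, and the 16-byte payload is constructed.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical stand-in for an archive read filter: read_ahead() only
 * peeks at buffered input, consume() is what advances the position. */
struct stream { const unsigned char *data; size_t len, pos; };

static const unsigned char *read_ahead(struct stream *s, size_t *avail)
{
    *avail = s->len - s->pos;
    return *avail ? s->data + s->pos : NULL;
}

static void consume(struct stream *s, size_t n)
{
    size_t left = s->len - s->pos;
    s->pos += n > left ? left : n;
}

struct warc_entry {
    unsigned long long cntlen;  /* Content-Length taken from the record header */
    unsigned long long cntoff;  /* bytes handed to the caller so far */
    size_t unconsumed;          /* bytes returned by the previous call */
};

typedef long (*reader_fn)(struct stream *, struct warc_entry *,
                          const unsigned char **);

/* "Before": peeks on every call and never consumes, so the same bytes are
 * returned again and again until cntoff reaches the declared length. */
static long read_peek_only(struct stream *s, struct warc_entry *w,
                           const unsigned char **out)
{
    size_t avail;
    if (w->cntoff >= w->cntlen) return 0;              /* end of entry */
    if ((*out = read_ahead(s, &avail)) == NULL) return -1;
    if ((unsigned long long)avail > w->cntlen - w->cntoff)
        avail = (size_t)(w->cntlen - w->cntoff);
    w->cntoff += avail;
    return (long)avail;
}

/* "After": consume what the previous call returned before peeking again,
 * so an oversized Content-Length runs out of input and fails as truncated. */
static long read_consuming(struct stream *s, struct warc_entry *w,
                           const unsigned char **out)
{
    size_t avail;
    if (w->unconsumed) { consume(s, w->unconsumed); w->unconsumed = 0; }
    if (w->cntoff >= w->cntlen) return 0;              /* end of entry */
    if ((*out = read_ahead(s, &avail)) == NULL) return -1;  /* truncated */
    if ((unsigned long long)avail > w->cntlen - w->cntoff)
        avail = (size_t)(w->cntlen - w->cntoff);
    w->cntoff += avail;
    w->unconsumed = avail;
    return (long)avail;
}

struct drain_result { unsigned long long bytes; unsigned calls; long last; };

/* Call the reader until it stops or max_calls is hit (the cap exists only
 * so the "before" variant terminates in this demonstration). */
static struct drain_result drain(reader_fn rd, const unsigned char *data,
                                 size_t len, unsigned long long cntlen,
                                 unsigned max_calls)
{
    struct stream s = { data, len, 0 };
    struct warc_entry w = { cntlen, 0, 0 };
    struct drain_result r = { 0, 0, 0 };
    const unsigned char *p = NULL;
    while (r.calls < max_calls) {
        r.last = rd(&s, &w, &p);
        r.calls++;
        if (r.last <= 0) break;
        r.bytes += (unsigned long long)r.last;
    }
    return r;
}

/* Constructed sample: 16 bytes of body, header claiming 10^18 bytes. */
static const unsigned char PAYLOAD[] = "constructed data";
#define PAYLOAD_LEN (sizeof PAYLOAD - 1)
#define HUGE_LEN 1000000000000000000ULL

int main(void)
{
    struct drain_result a = drain(read_peek_only, PAYLOAD, PAYLOAD_LEN, HUGE_LEN, 1000);
    struct drain_result b = drain(read_consuming, PAYLOAD, PAYLOAD_LEN, HUGE_LEN, 1000);
    printf("peek-only: %llu bytes in %u calls, last=%ld\n", a.bytes, a.calls, a.last);
    printf("consuming: %llu bytes in %u calls, last=%ld\n", b.bytes, b.calls, b.last);
    return 0;
}
```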
There are some test cases at https://bugs.launchpad.net/ubuntu/+source/libarchive/+bug/1794909
I have requested CVEs for these issues through the Distributed Weakness Filing project.
In case someone else is looking for the CVEs, it looks like the assignments are:
balabit-sync pushed a commit to balabit-deps/balabit-os-8-libarchive that referenced this pull request Nov 11, 2022
libarchive (3.4.0-2ubuntu1.2) focal-security; urgency=medium
* SECURITY UPDATE: Out-of-bounds read
- debian/patches/CVE-2022-26280.patch: fix possible out-of-bounds
read in zipx_lzma_alone_init() in libarchive/archive_read_support_format_zip.c.
- CVE-2022-26280
libarchive (3.4.0-2ubuntu1.1) focal-security; urgency=medium
* SECURITY UPDATE: extracting a symlink with ACLs modifies ACLs of target
- debian/patches/CVE-2021-23177.patch: fix handling of symbolic link
ACLs in libarchive/archive_disk_acl_freebsd.c,
libarchive/archive_disk_acl_linux.c,
libarchive/archive_disk_acl_sunos.c.
- CVE-2021-23177
* SECURITY UPDATE: symbolic links incorrectly followed
- debian/patches/CVE-2021-31566-1.patch: do not follow symlinks when
processing the fixup list in Makefile.am,
libarchive/archive_write_disk_posix.c,
libarchive/test/CMakeLists.txt,
libarchive/test/test_write_disk_fixup.c.
- debian/patches/CVE-2021-31566-2.patch: never follow symlinks when
setting file flags on Linux in libarchive/archive_write_disk_posix.c.
- debian/patches/CVE-2021-31566-3.patch: fix following symlinks when
processing the fixup list in libarchive/archive_write_disk_posix.c,
libarchive/test/test_write_disk_fixup.c.
- debian/patches/CVE-2021-31566-4.patch: fix writing fflags broken in
8a1bd5c in libarchive/archive_write_disk_posix.c.
- CVE-2021-31566
* SECURITY UPDATE: use-after-free in copy_string
- debian/patches/CVE-2021-36976-pre1.patch: verify window size for
solid files in Makefile.am,
libarchive/archive_read_support_format_rar5.c,
libarchive/test/test_read_format_rar5*.
- debian/patches/CVE-2021-36976-pre2.patch: verify window size for
multivolume archives in Makefile.am,
libarchive/archive_read_support_format_rar5.c,
libarchive/test/test_read_format_rar5*.
- debian/patches/CVE-2021-36976-1.patch: fixed out of bounds read in
some files in Makefile.am,
libarchive/archive_read_support_format_rar5.c,
libarchive/test/*.
- debian/patches/CVE-2021-36976-2.patch: fix invalid memory access in
some files in Makefile.am,
libarchive/archive_read_support_format_rar5.c,
libarchive/test/test_read_format_rar5.c, libarchive/test/*.
- CVE-2021-36976
libarchive (3.4.0-2ubuntu1) focal; urgency=low
* Merge from Debian unstable. Remaining changes:
- debian/patches/CVE-2019-19221.patch: Bugfix and optimize
archive_wstring_append_from_mbs() in libarchive/archive_string.c.
- CVE-2019-19221
libarchive (3.4.0-2) unstable; urgency=medium
* Declare compliance with Debian Policy 4.5.0 with no changes.
* Add the year 2020 to my debian/* copyright notice.
* Add the CVE-2020-9308 patch - invalid RAR5 headers. (Closes: #951759)
* Make the autopkgtests cross-test-friendly. (Closes: #953140)
libarchive (3.4.0-1ubuntu2) focal; urgency=medium
* Make autopkgtests cross-test-friendly.
libarchive (3.4.0-1ubuntu1) focal; urgency=medium
* SECURITY UPDATE: Out-of-read and Denial of service
- debian/patches/CVE-2019-19221.patch: Bugfix and optimize
archive_wstring_append_from_mbs() in libarchive/archive_string.c.
- CVE-2019-19221
* SECURITY UPDATE: SIGSEGV denial of service
- debian/patches/CVE-2020-9308.patch: reject files that
declare invalid header flags fix in
libarchive/archive_read_support_format_rar5.c,
libarchive/test/test_read_format_rar5.c,
libarchive/test/test_read_format_rar5_block_size_is_too_small.rar.uu.
- CVE-2020-9308
libarchive (3.4.0-1build1) focal; urgency=medium
* No-change rebuild against libnettle7
libarchive (3.4.0-1) unstable; urgency=medium
* Declare compliance with Debian Policy 4.4.0 with no changes.
* Mark the adequate test as superficial and give it a name.
* Update the watch file a bit:
- use the version 4 format placeholders
- drop the "pasv" option, no FTP upstream sites
- add the upstream signing key
* Run all available Salsa CI jobs.
* Drop the bsdtar and bsdcpio transitional packages.
Closes: #940745, #940753
* New upstream version:
- drop all the patches obtained from the upstream Git repository
(CVE-2018-1000877, CVE-2018-1000878, CVE-2018-1000879,
CVE-2018-1000880, CVE-2019-1000019, CVE-2019-1000020, and
zip-nullptr)
- update the library symbols file
* Add some bugfix patches obtained from upstream.
* Add the typos patch to correct some typographical and grammatical
errors.
* Update the upstream copyright information.
libarchive (3.3.3-4) unstable; urgency=medium
* Add three upstream patches:
- CVE-2019-1000019: fix a crash when parsing some 7zip archives
- CVE-2019-1000020: require the RockRidge extension for iso9660
- zip-nullptr: fix a null pointer dereference in ZIP files handling
libarchive (3.3.3-3) unstable; urgency=medium
[ Andreas Henriksson ]
* Build-depend on libext2fs-dev instead of e2fslibs-dev (Closes: #890210)
* CI: Use the salsa-ci-team pipeline
[ Peter Pentchev ]
* Declare compliance with Debian Policy 4.3.0 with no changes.
* Bump the debhelper compatibility level to 12 with no changes.
* Add my copyright notice for debian/*.
* Extend Andreas Henriksson's copyright notice all the way to 2019.
libarchive (3.3.3-2) unstable; urgency=medium
* Add Daniel Axtens's security and reliability patches:
- CVE-2018-1000877.patch: Closes: #916964
- CVE-2018-1000878.patch: Closes: #916963
- CVE-2018-1000879.patch: Closes: #916962
- CVE-2018-1000880.patch: Closes: #916960
- all merged upstream in libarchive/libarchive#1105
Thanks to Salvatore Bonaccorso for filing the Debian bugs!
libarchive (3.3.3-1) unstable; urgency=medium
[ Peter Pentchev ]
* Declare compliance with Debian Policy 4.2.1 with no changes.
* Drop the Lintian overrides related to B-D: debhelper-compat -
Lintian 2.5.98 no longer emits these warnings and errors.
* Build with zstd compression support.
* Pass --fail-missing to dh_missing, not to dh_install any more.
[ Andreas Henriksson ]
* New upstream release.
* Drop debian/patches/ now part of upstream release:
- Avoid-a-read-off-by-one-error-for-UTF16-names-in-RAR.patch
- Do-something-sensible-for-empty-strings-to-make-fuzz.patch
- Fail-with-negative-lha-compsize-in-lha_read_file_header_1.patch
- Reject-LHA-archive-entries-with-negative-size.patch
- Reread-the-CAB-header-skipping-the-self-extracting-b.patch
- archive_strncat_l-allocate-and-do-not-convert-if-len.patch
- iso9660-validate-directory-record-length.patch
* Update libarchive13.symbols
libarchive (3.2.2-5) unstable; urgency=medium
* Acknowledge NMUs; many thanks to Salvatore Bonaccorso!
* Use my Debian e-mail address.
* Declare compliance with Debian Policy 4.2.0:
- add Rules-Requires-Root: no to the source control stanza
- install the upstream release notes (NEWS)
* Drop the duplicate Priority fields for the binary packages.
* Switch to the HTTPS scheme in various upstream and Debian
packaging URLs.
* Drop some trailing whitespace from old changelog entries.
* Bump the debhelper compatibility level to 11 with no changes and
use the B-D: debhelper-compat (= 11) mechanism.
* Add a trivial autopkgtest running adequate on the binary packages.
libarchive (3.2.2-4.2) unstable; urgency=medium
* Non-maintainer upload.
* iso9660: validate directory record length (CVE-2017-14501)
(Closes: #875966)
libarchive (3.2.2-4.1) unstable; urgency=medium
* Non-maintainer upload.
* Reject LHA archive entries with negative size (CVE-2017-14503)
(Closes: #875960)
* Avoid a read off-by-one error for UTF16 names in RAR archives
(CVE-2017-14502)
(Closes: #875974)
libarchive (3.2.2-4) unstable; urgency=medium
* Team upload.
* debian/control: Update Vcs-* fields for move to salsa.debian.org
* debian/control: Replace Priority: extra with optional
libarchive (3.2.2-3.1) unstable; urgency=high
* Non-maintainer upload.
* Reupload 3.2.2-2.1 on top of 3.2.2-3
* archive_strncat_l(): allocate and do not convert if length == 0
(CVE-2016-10209) (Closes: #859456)
* Reread the CAB header skipping the self-extracting binary code
(CVE-2016-10349, CVE-2016-10350) (Closes: #861609)
* Do something sensible for empty strings to make fuzzers happy
(CVE-2017-14166)
Fixes heap-based buffer over-read in the atol8 function. (Closes: #874539)
libarchive (3.2.2-3) unstable; urgency=medium
* Remove myself from uploaders
* Promote Peter to primary maintainer replacing team address
libarchive (3.2.2-2) unstable; urgency=medium
* Disable tests (Closes: #859455)
libarchive (3.2.2-1) unstable; urgency=medium
* Shorten long line in previous changelog entry to please lintian.
* debian/gbp.conf: add upstream-vcs-tag for import-orig
* New upstream release.
* Drop patches now part of upstream release.
* Stop shipping README for now
libarchive (3.2.1-6) unstable; urgency=medium
* Add d/p/Fail-with-negative-lha-compsize-in-lha_read_file_header_1.patch
- Cherry-pick upstream commit 98dcbbf0bf4854bf987557
"Fail with negative lha->compsize in lha_read_file_header_1()"
Secunia SA74169, CVE-2017-5601 (Closes: #853278)
libarchive (3.2.1-5) unstable; urgency=medium
* Cherry-pick upstream commits 7f17c791, eec077f5, e37b620f
- Fixes for upstream issues 747, 761, 767 also known as
CVE-2016-8689, CVE-2016-8688, CVE-2016-8687
(Closes: #840934, #840935, #840936)
libarchive (3.2.1-4) unstable; urgency=medium
* Bump debhelper compat to 10
* Install manpages via debian/*.install
* libarchive-dev: ship examples/ directory (Closes: #659650)
* Use the "fail-missing" dh_install option
* Cherry-pick upstream commits for CVE-2016-5418 (Closes: #837714)
libarchive (3.2.1-3) unstable; urgency=medium
[ Michael Biebl ]
* (Re)add debian/libarchive13.symbols (Closes: #838775)
[ Andreas Henriksson ]
* Mark leaked private symbols as optional for now until fixed upstream
* Fail to build when symbols file is outdated
libarchive (3.2.1-2) unstable; urgency=medium
* The "welcome Peter to the team" upload
[ Peter Pentchev ]
* Declare compliancy with Debian Policy 3.9.8 with no changes.
* Remove the "XS-Testsuite: autopkgtest" header from the control file:
it has not been "XS-" for some time, and it is added by default by
dpkg-1.17.11 when debian/tests/control is present.
* Use the HTTPS scheme for the Alioth VCS URLs.
* Switch to Alioth's cgit in the Vcs-Browser source control field.
* Convert the copyright file to the machine-readable format.
* Fill in the upstream metadata file.
* Enable full build hardening.
* Pass --as-needed to the linker to avoid overlinking.
* Bump the debhelper build dependency to version 9 to reflect
the debhelper compatibility level and drop the now-unused Lintian
override.
* Fold the bsdtar and bsdcpio packages into the new libarchive-tools
binary package and install bsdcat into it, too. Make bsdtar and
bsdcpio transitional dummy packages.
* Drop the Breaks and Replaces relations to libarchive1, it's not
even in oldstable any more.
* Drop the misc:Pre-Depends that were needed for the multi-arch
transition; dpkg-dev adds them automatically now.
* Fix a typo in README.Debian.
* Add an upstream patch to replace the use of SIGRTMAX with something
that calculates the exact value of the highest signal actually used;
hopefully this fixes the FTBFS on the GNU Hurd.
* Drop the outdated and unused SONAME mismatch Lintian override.
* Re-enable the use of minitar for extraction, too, in the CI test;
keep the untar test for completeness.
* Add the Typos patch to fix a couple of typographical errors.
* Add the Candidate patch to fix a typographical error in a structure
member field and, consequently, update all references to it.
* Add the CPPCheck patch to fix some issues reported by cppcheck.
[ Andreas Henriksson ]
* Add Peter Pentchev to Uploaders
libarchive (3.2.1-1) unstable; urgency=medium
* New upstream release.
- Includes fixes for CVE-2015-8934, CVE-2016-4300, CVE-2016-4301,
CVE-2016-4302, CVE-2016-4809 and CVE-2016-5844.
* Add patch cherry-picked from upstream fixing build with xz-utils < 5.2
libarchive (3.2.0-2) unstable; urgency=medium
* Add CVE identifiers to previous changelog entry.
* Upload to unstable.
libarchive (3.2.0-1) experimental; urgency=medium
* CVE-2016-1541: heap-based buffer overflow due to improper input
validation (Closes: #823893)
* New upstream test release (3.1.901a).
* Add liblz4-dev build-dependency to enable lz4 support.
* Enable new bsdcat utility in separate package
* Drop all patches, now included in release.
* Add pkg-config build-dependency
* Have dh-autoreconf use upstream build/autogen.sh
* New upstream release (3.2.0).
libarchive (3.1.2-11) unstable; urgency=medium
* Add d/p/Add-ARCHIVE_EXTRACT_SECURE_NOABSOLUTEPATHS-option.patch
(Closes: #778266)
libarchive (3.1.2-10) unstable; urgency=medium
* Add d/p/Do-not-overwrite-file-size-if-the-local-file-header-.patch
- cherry-picked from upstream git commit e234932de2474c4f99787
Thanks to Maximiliano Curia (Closes: #769290)
libarchive (3.1.2-9) unstable; urgency=medium
[ Andreas Henriksson ]
* Drop Andres Mejia from Uploaders by request of MIA (Closes: #743538)
[ Breno Leitao ]
* Use dh-autoreconf for the benefit of ppc64el (Closes: #750483)
[ Andreas Henriksson ]
* Bump Standards-Version to 3.9.5
libarchive (3.1.2-8) unstable; urgency=medium
[ Michael Terry ]
* Fix DEP8 minitar test to use application/gzip (Closes: #731962)
[ Daniel Schepler ]
* Implement DEB_BUILD_OPTIONS=nocheck (Closes: #738159)
libarchive (3.1.2-7) unstable; urgency=low
* Upload to unstable.
libarchive (3.1.2-6) experimental; urgency=low
[ Andreas Henriksson ]
* Merge debian-wheezy branch containing package revision 3.0.4-3.
[ Andres Mejia ]
* Remove gbp config overrides.
* Remove lrzip build dependency as test cases fail on certain architectures.
libarchive (3.1.2-5) experimental; urgency=low
* Update patch to fix LZO test cases to use changes from upstream.
* Update homepage field for new homepage URL.
* Add upstream changes to fix building libarchive with lrzip support.
libarchive (3.1.2-4) experimental; urgency=low
* Add mtree filename length fix from upstream.
* Add fix for LZO test cases.
* Re-enable LZO support.
* Bump Standards-Version to 3.9.4.
libarchive (3.1.2-3) experimental; urgency=low
* Update gbp.conf to point to branches used for libarchive packaging in
experimental.
* Disable LZO support, it is broken on some architectures.
libarchive (3.1.2-2) experimental; urgency=low
* Update patches to use changes applied upstream.
libarchive (3.1.2-1) experimental; urgency=low
* New upstream release.
* Enable LZO support.
libarchive (3.1.1-1) experimental; urgency=low
* New upstream release.
libarchive (3.1.0-1) experimental; urgency=low
[ Benjamin Drung ]
* Add autopkgtest (LP: #1073390).
[ Martin Pitt ]
* Add examples-offset-type.patch: Fix offset data type in examples.
[ Andres Mejia ]
* New upstream release.
libarchive (3.0.4-3) unstable; urgency=low
* Add patch that fixes CVE-2013-0211. (Closes: #703957)
libarchive (3.0.4-2) unstable; urgency=low
* Add debian/patches/gcc-4.7-fixes-from-upstream.patch
(Closes: #674368, #672690)
libarchive (3.0.4-1) unstable; urgency=low
* New upstream release.
* Patches removed, applied upstream.
libarchive (3.0.3-7) unstable; urgency=low
* Allow the dev package to be multi-arch installable.
* Set verbosity level to 1 for test programs. This incorporates upstream
commit 7cd65cd07cfa2693455d174049b4887434041695. (Closes: #662716)
* Fixup package description about ISO support. (Closes: #659651)
libarchive (3.0.3-6) unstable; urgency=low
* Add patch to fix infinite loop in xps files (Closes: #662603)
- Thanks for the patch to Savvas Radevic!
libarchive (3.0.3-5) unstable; urgency=low
* Detect if locales or locales-all is installed for use with test suite.
* Bump Standards-Version to 3.9.3.
libarchive (3.0.3-4) unstable; urgency=low
* Ensure tests are not run via root. (Closes: #659294)
libarchive (3.0.3-3) unstable; urgency=low
* Update watch file to use new home for downloads.
libarchive (3.0.3-2) unstable; urgency=low
* Upload to unstable.
* Update homepage to libarchive's new home.
libarchive (3.0.3-1) experimental; urgency=low
* New upstream release.
* Fix for hurd build failure included in new release. (Closes: #653458)
* Update copyright file.
libarchive (3.0.2-3) experimental; urgency=low
* Prepare an upload to experimental.
libarchive (3.0.2-1) unstable; urgency=low
* Prepare new upstream release.
* Update package descriptions, deleting some information that doesn't
apply to current build of packages.
* Rename shared library package for soname bump.
* Remove symbols files. Symbols file needs to be maintained better. Also,
numerous symbols were in the file which were meant to stay private
(all the __archive_* symbols for example).
libarchive (3.0.1b-1) experimental; urgency=low
* Package latest testing release.
* Update debian/control, noting new 7zip support.
* Fix package description for bsdcpio.
* Update symbols file for new symbols added in libarchive-3.0.1b.
libarchive (3.0.0a-1) experimental; urgency=low
* Package testing release of libarchive for experimental.
* Better ext2 file attribute/flag support included in new release.
(Closes: #615875)
* Remove all patches, applied in upstream source.
* Add option to unapply patches for dpkg-source v3.
* Change package name libarchive1 to libarchive11 to match soname bump.
* Rename files used in packaging libarchive11.
* Build depend on Nettle library.
* Add mention of rar support in package description.
* Remove installation of symlink for libarchive library file.
* Explicitly build without openssl and with nettle support.
* Add proper depends to new libarchive11 package.
* Update symbols file for libarchive11.
* Ensure bsdtar and bsdcpio are linked to shared library dynamically.
* Build en_US.UTF-8 locale at runtime to pass test suite.
libarchive (2.8.5-5) unstable; urgency=medium
* Backport fixes for fix for CVE-2011-1777 and CVE-2011-1778.
(Closes: #651844)
* Fix build failure for GNU/Hurd. (Closes: #651995)
* Regenerate autoreconf patch.
libarchive (2.8.5-4) unstable; urgency=low
[ Andres Mejia ]
* Improve each packages' long description.
* Refresh all patches.
[ Samuel Thibault ]
* Skip libacl1-dev build dependency on hurd (Closes: #645403)
[ Andreas Henriksson ]
* Add 0009-Patch-from-upstream-rev-3751.patch (Closes: #641265)
+ Thanks to Michael Cree for figuring out the details.
libarchive (2.8.5-3) unstable; urgency=low
* Fix upgrade breakage because of manpages being moved from libarchive1 to
libarchive-dev. (Closes: #641978)
* Make short descriptions for packages unique.
* Explicitly set config options to be used during builds.
libarchive (2.8.5-2) unstable; urgency=low
* Add gbp.conf to enable pristine-tar to true by default.
* Add myself to uploaders field.
* Add default options to fail on any upstream changes during a build.
* Bump Standards-Version to 3.9.2.
* Remove duplicate "Section" field.
* Remove unnecessary use of *.dirs dh files.
* Remove unneeded build-deps.
* Provide patch that implements changes made after running autoreconf -vif.
* Remove generic comments from debian/rules.
* Support parallel builds.
* Remove commented lines from install file.
* Add docs to all packages except the shared library package.
* Remove unneeded use of 'debian/tmp' in path for install files.
* Provide different mechanism to install symlink for libarchive1 package.
* Move all manpages for libarchive1 to libarchive-dev.
* Move libarchive-dev control stanza up. This will make libarchive-dev the
default package for installing files into, such as the README.Debian.
* Convert libarchive into multiarch library package.
* Update Vcs-* entries.
libarchive (2.8.5-1) unstable; urgency=low
* Add 0010-Patch-from-upstream-rev-2811.patch
* Drop "update-patch-series" target from debian/rules
* Convert package to dh7
* Imported Upstream version 2.8.5 (Closes: #640524)
* Rebase patch queue and drop patches merged upstream
- dropped 0003-Patch-from-upstream-rev-2516.patch
- dropped 0010-Patch-from-upstream-rev-2811.patch
libarchive (2.8.4-2) unstable; urgency=low
* update-patch-series:
+ replace local patch with upstream commit.
(Rebase patches branch to drop commit/patch
"0007-Ignore-ENOSYS-error-when-sett...", in favor of upstream
revision 2537 added as "0007-Patch-from-upstream-rev-2537.patch")
+ add 0008-Patch-from-upstream-rev-2888.patch (Closes: #610079)
+ add 0009-Patch-from-upstream-rev-2940.patch (Closes: #610783)
libarchive (2.8.4-1) unstable; urgency=low
* Update debian/watch for new code.google.com layout.
* update patch series:
+ added 0003-Patch-from-upstream-rev-2516.patch
- Compatibility with WinISO generated iso files (Closes: #587513)
+ added 0004-Patch-from-upstream-rev-2514.patch
+ added 0005-Patch-from-upstream-rev-2520.patch
- Enable version stripping code in iso9660/joliet (Closes: #587316)
* Imported Upstream version 2.8.4
* update-patch-series:
+ added 0006-Patch-from-upstream-rev-2521.patch
+ added 0007-Ignore-ENOSYS-error-when-sett... (Closes: #588925)
- Big thanks to Modestas Vainius for awesome debugging!
libarchive (2.8.3-1) unstable; urgency=low
* Imported Upstream version 2.8.3
* update-patch-series: 0001-Clear-archive_error_number-in-archiv...
- gvfs has been fixed since, workaround not needed anymore.
libarchive (2.8.0-2) unstable; urgency=low
* Clean up libarchive.la file. (Closes: #571468)
- Thanks to Sune Vuorela for suggesting this fix.
* Update patch series:
+ added two patches matching revision 1990, 1991 from upstream
regarding PATH_MAX hopefully fixing build on Hurd.
libarchive (2.8.0-1) unstable; urgency=low
* Set myself as maintainer (Closes: #570539).
+ co-maintainers welcome!
* Imported Upstream version 2.8.0 (Closes: #559158)
* Drop debian revision in symbols file.
* Updated symbols for 2.8
* Update rules for new build directory (config.aux -> build/autoconf)
* Replace ${Source-Version} with ${source:Version} in control file.
* Drop debian/shlibs.local.ex
* Bump debhelper compatibility level to 5.
* Stop trying to install non-existent usr/share/pkgconfig
* Update Vcs fields to point to new collab-maint repository.
* Update debian/copyright
* Bump Standards-Version to 3.8.4
* Add update-patch-series target in debian/rules.
* Added patch to fix gvfsd-archive problems:
+ 0001-Clear-archive_error_number-in-archive_clear_error.patch
(from http://bugs.gentoo.org/show_bug.cgi?id=289260#c1 )
* Switch to dpkg-source 3.0 (quilt) format
* Split Build-Depends on multiple lines.
* Add liblzma-dev to Build-Depends for lzma support.
* Add Build-Depends on libxml2-dev for xar support.
* Explicitly give --without-openssl to configure.
libarchive (2.6.2-2) unstable; urgency=low
* Orphaning the package; set maintainer to QA group.
libarchive (2.6.2-1) unstable; urgency=low
* New Upstream Version. Closes: #516577.
* Update watch file to new homepage. Closes: #517398.
libarchive (2.6.1-1) unstable; urgency=low
* New Upstream Version
* Update homepage. Closes: #514835.
* Clean up Debian rules. Patch partially from Bernhard R. Link.
Closes: #480495.
libarchive (2.4.17-2) unstable; urgency=high
[ John Goerzen ]
* Ignore failures in test suite due to bugs in the testsuite that were
turning into FTBFS bugs. Closes: #474400.
* Added README.Debian documenting need for largefile support in
sources. Mostly used suggested text found in #479728. Closes:
#479728.
[ Bernhard R. Link ]
* Added symbols file for libarchive. Closes: #476516.
libarchive (2.4.17-1) unstable; urgency=high
* New Upstream Version
* This upstream version corrected several problems with the testsuite.
Therefore, we can now run test suite after build. Closes: #473221.
* uudecode is now used as part of the build. Added build-dep on sharutils.
Fixes FTBFS. Closes: #473266.
libarchive (2.4.14-1) unstable; urgency=high
* New upstream release. Closes: #465061, #448292. #465061 is grave bug,
so setting urgency high.
* Added Vcs-* and Homepage lines to debian/control
libarchive (2.4.11-1) unstable; urgency=low
* New upstream version.
* Move bsdtar to section utils. Closes: #460988.
* Added bsdcpio package due to new upstream cpio command.
libarchive (2.2.4-1) unstable; urgency=high
* New upstream version with security fixes. Closes: #432924.
Fixes: CVE-2007-3641, CVE-2007-3644, CVE-2007-3645
libarchive (2.2.3-1) unstable; urgency=low
* New upstream version.
libarchive (2.0.25-3) unstable; urgency=low
* SONAME should not be tied to the tarball version string
(Closes: #418637) Provide libarchive.so.1 as a backwards-compatible
symlink to libarchive.so.2, reverting the package name to libarchive1.
Patch from Neil Williams.
libarchive (2.0.25-2) unstable; urgency=low
* Remove build-dep on linux-kernel-headers for compatibility with BSD
ports. Closes: #377480.
libarchive (2.0.25-1) unstable; urgency=low
* New upstream version
* Remove unnecessary dep on libarchive1. Closes: #396756.
* Bump standards-version
* Rename libarchive1 to libarchive2 to match new soname.
libarchive (1.3.1-1) unstable; urgency=high
* New upstream release.
* Applied FreeBSD patch for potential DoS.
This is CVS-2006-5680, FreeBSD SA-06:24.
libarchive (1.2.53-2) unstable; urgency=low
* Added build-dep on bison. Closes: #374200.
libarchive (1.2.53-1) unstable; urgency=low
* New upstream version.
* The bsdtar program has been integrated into the libarchive source
package upstream. This package, therefore, now generates the
bsdtar binary package.
libarchive (1.02.036-2) unstable; urgency=low
* Added conflict on old libarchive-doc package.
This package never existed in testing or stable, so this conflict
can be removed before long.
libarchive (1.02.036-1) unstable; urgency=low
* New upstream version, now with support for building as a .so.
* Added build-dep on libattr1-dev.
* No more libarchive-doc; its files now live in libarchive1.
* Thanks to Bernhard R. Link for ideas for this package.
libarchive (1.02.034-2) unstable; urgency=low
* Split off manpages into separate package libarchive-doc.
The bsdtar manpages point readers to these.
libarchive (1.02.034-1) unstable; urgency=low
* Initial release Closes: #333222.
I have found some hangs, crashes and memory corruption issues in libarchive.
Two are in the RAR decoder. The first (patch 1) is a double-free via a realloc(area, 0). This leads to a crash. The second (patch 2) is memory corruption which seems to arise in ppmd7 decoding. The code can be made to read and write to a previously freed ppmd buffer by tricking the read-ahead code around multi-part archives. (This can be done even with a single archive file.) My gut feeling is that someone more skilled than I could cause arbitrary code execution with this, but I cannot say for certain.
There is a crash in ACL parsing for tar archives (patch 3). This is a simple NULL dereference leading to a crash.
The last of this batch is a quasi-infinite loop in the warc code (patch 4), where data isn't consumed after being written out, so a large Content-Length can be used to consume almost limitless time and space, leading to a DoS condition.
These were found with a combination of AFL, afl-rb and qsym.
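The realloc(area, 0) double free described for patch 1, shown as an added example with the unchecked pattern beside a checked one (not code from this pull request or from libarchive). `struct decoder`, the function names and the 4-byte size field are hypothetical and constructed for the illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct decoder {
    unsigned char *window;  /* owned buffer, released once in decoder_cleanup() */
    size_t size;
};

/* Constructed header field: 32-bit little-endian window size read from
 * untrusted archive data. */
static size_t parse_window_size(const unsigned char f[4])
{
    return (size_t)f[0] | (size_t)f[1] << 8 |
           (size_t)f[2] << 16 | (size_t)f[3] << 24;
}

/* "Before" pattern, shown for contrast and never called in this example.
 * Where realloc(p, 0) frees p and returns NULL (glibc does this), the
 * error path leaves d->window pointing at freed memory, and the later
 * free() in decoder_cleanup() releases it a second time. */
int resize_unchecked(struct decoder *d, size_t new_size)
{
    unsigned char *p = realloc(d->window, new_size);
    if (p == NULL)
        return -1;
    d->window = p;
    d->size = new_size;
    return 0;
}

/* Checked form: a zero size never reaches realloc(), and on any failure
 * the old block is still valid and still owned by the decoder. */
int resize_checked(struct decoder *d, size_t new_size)
{
    unsigned char *p;
    if (new_size == 0)
        return -1;              /* reject the malformed size up front */
    p = realloc(d->window, new_size);
    if (p == NULL)
        return -1;              /* realloc failed: old block untouched */
    d->window = p;
    d->size = new_size;
    return 0;
}

/* Single release point; clearing the pointer makes a repeated call harmless. */
void decoder_cleanup(struct decoder *d)
{
    free(d->window);
    d->window = NULL;
    d->size = 0;
}

/* Allocate a 64-byte window, then resize to the size in the header field.
 * Returns 0 if resized, 1 if the size was rejected and the old window is
 * still intact, -1 on any other failure. */
int resize_demo(const unsigned char size_field[4])
{
    struct decoder d = { NULL, 0 };
    int rc, intact;

    if (resize_checked(&d, 64) != 0)
        return -1;
    memset(d.window, 0xAB, d.size);
    rc = resize_checked(&d, parse_window_size(size_field));
    intact = d.window != NULL && d.window[0] == 0xAB;
    decoder_cleanup(&d);        /* exactly one free on every path */
    if (!intact)
        return -1;
    return rc == 0 ? 0 : 1;
}

int main(void)
{
    const unsigned char zero[4] = { 0, 0, 0, 0 };   /* constructed: size 0 */
    const unsigned char ok[4]   = { 0, 1, 0, 0 };   /* constructed: size 256 */
    printf("zero size field: %d\n", resize_demo(zero));
    printf("256-byte field:  %d\n", resize_demo(ok));
    return 0;
}
```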