* gnu/packages/backup.scm (libarchive)[replacement]: New field. (libarchive/fixed): New variable. * gnu/packages/patches/libarchive-7zip-heap-overflow.patch, gnu/packages/patches/libarchive-fix-symlink-check.patch, gnu/packages/patches/libarchive-fix-filesystem-attacks.patch, gnu/packages/patches/libarchive-safe_fprintf-buffer-overflow.patch: New files. * gnu/local.mk (dist_patch_DATA): Add them.
		
			
				
	
	
		
			44 lines
		
	
	
	
		
			1.8 KiB
		
	
	
	
		
			Diff
		
	
	
	
	
	
			
		
		
	
	
			44 lines
		
	
	
	
		
			1.8 KiB
		
	
	
	
		
			Diff
		
	
	
	
	
	
| Fixes this buffer overflow:
 | |
| https://github.com/libarchive/libarchive/commit/e37b620fe8f14535d737e89a4dcabaed4517bf1a
 | |
| 
 | |
| Patch copied from upstream source repository:
 | |
| https://github.com/libarchive/libarchive/commit/e37b620fe8f14535d737e89a4dcabaed4517bf1a
 | |
| 
 | |
| From e37b620fe8f14535d737e89a4dcabaed4517bf1a Mon Sep 17 00:00:00 2001
 | |
| From: Tim Kientzle <kientzle@acm.org>
 | |
| Date: Sun, 21 Aug 2016 10:51:43 -0700
 | |
| Subject: [PATCH] Issue #767:  Buffer overflow printing a filename
 | |
| 
 | |
| The safe_fprintf function attempts to ensure clean output for an
 | |
| arbitrary sequence of bytes by doing a trial conversion of the
 | |
| multibyte characters to wide characters -- if the resulting wide
 | |
| character is printable then we pass through the corresponding bytes
 | |
| unaltered, otherwise, we convert them to C-style ASCII escapes.
 | |
| 
 | |
| The stack trace in Issue #767 suggest that the 20-byte buffer
 | |
| was getting overflowed trying to format a non-printable multibyte
 | |
| character.  This should only happen if there is a valid multibyte
 | |
| character of more than 5 bytes that was unprintable.  (Each byte
 | |
| would get expanded to a four-charcter octal-style escape of the form
 | |
| "\123" resulting in >20 characters for the >5 byte multibyte character.)
 | |
| 
 | |
| I've not been able to reproduce this, but have expanded the conversion
 | |
| buffer to 128 bytes on the belief that no multibyte character set
 | |
| has a single character of more than 32 bytes.
 | |
| ---
 | |
|  tar/util.c | 2 +-
 | |
|  1 file changed, 1 insertion(+), 1 deletion(-)
 | |
| 
 | |
| diff --git a/tar/util.c b/tar/util.c
 | |
| index 9ff22f2..2b4aebe 100644
 | |
| --- a/tar/util.c
 | |
| +++ b/tar/util.c
 | |
| @@ -182,7 +182,7 @@ safe_fprintf(FILE *f, const char *fmt, ...)
 | |
|  		}
 | |
|  
 | |
|  		/* If our output buffer is full, dump it and keep going. */
 | |
| -		if (i > (sizeof(outbuff) - 20)) {
 | |
| +		if (i > (sizeof(outbuff) - 128)) {
 | |
|  			outbuff[i] = '\0';
 | |
|  			fprintf(f, "%s", outbuff);
 | |
|  			i = 0;
 |