[mingw-libarchive] Update to 3.1.2
mooninite
mooninite at fedoraproject.org
Fri Mar 29 05:39:47 UTC 2013
commit 98db386eb853d9471ba337d2af8d2ef2a9a51d10
Author: Michael Cronenworth <mike at cchtml.com>
Date: Fri Mar 29 00:39:33 2013 -0500
Update to 3.1.2
.gitignore | 1 +
...-3.1.3-CVE-2013-0211_read_buffer_overflow.patch | 32 ++++++++++++++++++++
mingw-libarchive.spec | 17 ++++++++--
sources | 2 +-
4 files changed, 47 insertions(+), 5 deletions(-)
---
diff --git a/.gitignore b/.gitignore
index 954eff0..76605be 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,3 @@
/libarchive-3.0.4.tar.gz
/libarchive-3.1.1.tar.gz
+/libarchive-3.1.2.tar.gz
diff --git a/libarchive-3.1.3-CVE-2013-0211_read_buffer_overflow.patch b/libarchive-3.1.3-CVE-2013-0211_read_buffer_overflow.patch
new file mode 100644
index 0000000..78427ce
--- /dev/null
+++ b/libarchive-3.1.3-CVE-2013-0211_read_buffer_overflow.patch
@@ -0,0 +1,32 @@
+From 22531545514043e04633e1c015c7540b9de9dbe4 Mon Sep 17 00:00:00 2001
+From: Tim Kientzle <kientzle at acm.org>
+Date: Fri, 22 Mar 2013 23:48:41 -0700
+Subject: [PATCH] Limit write requests to at most INT_MAX. This prevents a
+ certain common programming error (passing -1 to write) from leading to other
+ problems deeper in the library.
+
+---
+ libarchive/archive_write.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/libarchive/archive_write.c b/libarchive/archive_write.c
+index eede5e0..be85621 100644
+--- a/libarchive/archive_write.c
++++ b/libarchive/archive_write.c
+@@ -673,8 +673,13 @@ static ssize_t
+ _archive_write_data(struct archive *_a, const void *buff, size_t s)
+ {
+ struct archive_write *a = (struct archive_write *)_a;
++ const size_t max_write = INT_MAX;
++
+ archive_check_magic(&a->archive, ARCHIVE_WRITE_MAGIC,
+ ARCHIVE_STATE_DATA, "archive_write_data");
++ /* In particular, this catches attempts to pass negative values. */
++ if (s > max_write)
++ s = max_write;
+ archive_clear_error(&a->archive);
+ return ((a->format_write_data)(a, buff, s));
+ }
+--
+1.8.1
+
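Review bot: The clamp added to `_archive_write_data` does not reject an oversized `s`; it lowers it to `INT_MAX` and still passes `buff` to `format_write_data`. Because `s` is a `size_t`, a caller that passed -1 arrives here as a very large value, and up to INT_MAX bytes would still be read from its buffer. The comment `/* In particular, this catches attempts to pass negative values. */` reads as if the request were refused, so I would reword it to `/* Clamp to INT_MAX: a negative length converted to size_t is truncated here, not rejected; callers must handle a short write. */`. The hunk also uses `INT_MAX` without adding an include, so confirm that archive_write.c already pulls in `<limits.h>`, which is not visible in this hunk.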
diff --git a/mingw-libarchive.spec b/mingw-libarchive.spec
index deeef5a..8c42c84 100644
--- a/mingw-libarchive.spec
+++ b/mingw-libarchive.spec
@@ -1,13 +1,13 @@
%{?mingw_package_header}
Name: mingw-libarchive
-Version: 3.1.1
-Release: 2%{?dist}
+Version: 3.1.2
+Release: 1%{?dist}
Summary: MinGW package for handling streaming archive formats
License: BSD
-URL: http://libarchive.github.com/
-Source0: https://github.com/downloads/libarchive/libarchive/libarchive-%{version}.tar.gz
+URL: http://www.libarchive.org/
+Source0: http://www.libarchive.org/downloads/libarchive-%{version}.tar.gz
BuildArch: noarch
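Review bot: `Source0` changes from an `https://` URL to `http://www.libarchive.org/downloads/libarchive-%{version}.tar.gz`, so anyone fetching the tarball from this URL gets it over an unauthenticated channel. The only integrity check visible in this commit is the MD5 recorded in `sources`. If the upstream host serves TLS, prefer `Source0: https://www.libarchive.org/downloads/libarchive-%{version}.tar.gz`. Otherwise, add a spec comment above `Source0` recording how the tarball was checked against an upstream-published checksum or signature before the `sources` entry was generated.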
@@ -29,6 +29,10 @@ BuildRequires: mingw32-zlib
BuildRequires: mingw64-zlib
BuildRequires: automake autoconf libtool
+# CVE-2013-0211 libarchive: read buffer overflow on 64-bit systems
+# https://bugzilla.redhat.com/show_bug.cgi?id=927105
+Patch0: libarchive-3.1.3-CVE-2013-0211_read_buffer_overflow.patch
+
%description
Libarchive is a programming library that can create and read several different
@@ -116,6 +120,7 @@ libarchive packages.
%prep
%setup -q -n libarchive-%{version}
+%patch0 -p1 -b .CVE-2013-0211
%build
@@ -176,6 +181,10 @@ rm -r $RPM_BUILD_ROOT/%{mingw64_prefix}/share
%changelog
+* Fri Mar 29 2013 Michael Cronenworth <mike at cchtml.com> - 3.1.2-1
+- Update to 3.1.2
+- Fix CVE-2013-0211: read buffer overflow on 64-bit systems (#927105)
+
* Thu Feb 14 2013 Fedora Release Engineering <rel-eng at lists.fedoraproject.org> - 3.1.1-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild
diff --git a/sources b/sources
index 3c98732..b146a35 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-b482463d73370bdbe8e234095a6ef6c9 libarchive-3.1.1.tar.gz
+efad5a503f66329bb9d2f4308b5de98a libarchive-3.1.2.tar.gz