[libarchive] Update to 3.1.2
Tomas Bzatek
tbzatek at fedoraproject.org
Thu Mar 28 15:14:10 UTC 2013
commit 7e034d873198bef020ce74093702ac2d9ec0242c
Author: Tomas Bzatek <tbzatek at redhat.com>
Date: Thu Mar 28 16:13:55 2013 +0100
Update to 3.1.2
- Fix CVE-2013-0211: read buffer overflow on 64-bit systems (#927105)
.gitignore | 1 +
...-3.1.3-CVE-2013-0211_read_buffer_overflow.patch | 32 ++++++++++++++++++++
libarchive.spec | 18 ++++++++--
sources | 2 +-
4 files changed, 48 insertions(+), 5 deletions(-)
---
diff --git a/.gitignore b/.gitignore
index 84b7ad2..686d237 100644
--- a/.gitignore
+++ b/.gitignore
@@ -5,3 +5,4 @@ libarchive-2.8.4.tar.gz
/libarchive-3.0.4.tar.gz
/v3.1.1.tar.gz
/libarchive-3.1.1.tar.gz
+/libarchive-3.1.2.tar.gz
diff --git a/libarchive-3.1.3-CVE-2013-0211_read_buffer_overflow.patch b/libarchive-3.1.3-CVE-2013-0211_read_buffer_overflow.patch
new file mode 100644
index 0000000..78427ce
--- /dev/null
+++ b/libarchive-3.1.3-CVE-2013-0211_read_buffer_overflow.patch
@@ -0,0 +1,32 @@
+From 22531545514043e04633e1c015c7540b9de9dbe4 Mon Sep 17 00:00:00 2001
+From: Tim Kientzle <kientzle at acm.org>
+Date: Fri, 22 Mar 2013 23:48:41 -0700
+Subject: [PATCH] Limit write requests to at most INT_MAX. This prevents a
+ certain common programming error (passing -1 to write) from leading to other
+ problems deeper in the library.
+
+---
+ libarchive/archive_write.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/libarchive/archive_write.c b/libarchive/archive_write.c
+index eede5e0..be85621 100644
+--- a/libarchive/archive_write.c
++++ b/libarchive/archive_write.c
+@@ -673,8 +673,13 @@ static ssize_t
+ _archive_write_data(struct archive *_a, const void *buff, size_t s)
+ {
+ struct archive_write *a = (struct archive_write *)_a;
++ const size_t max_write = INT_MAX;
++
+ archive_check_magic(&a->archive, ARCHIVE_WRITE_MAGIC,
+ ARCHIVE_STATE_DATA, "archive_write_data");
++ /* In particular, this catches attempts to pass negative values. */
++ if (s > max_write)
++ s = max_write;
+ archive_clear_error(&a->archive);
+ return ((a->format_write_data)(a, buff, s));
+ }
+--
+1.8.1
+
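Review bot: The added `const size_t max_write = INT_MAX;` at the top of `_archive_write_data` relies on `INT_MAX` being in scope, yet the backported hunk adds no `#include <limits.h>`; unless archive_write.c already pulls it in through its platform header, the patched build will fail, so the build log for this update should be checked. The clamp also changes semantics silently: a caller passing a length above INT_MAX (including the `(size_t)-1` case the patch subject describes) now receives a short write instead of an error, which is only safe if every caller compares the returned ssize_t against the requested length. The in-code comment should say so, e.g. `/* Requests above INT_MAX are truncated; callers must check the returned byte count. */`. On 32-bit targets the clamp is a no-op for sizes that fit in size_t, so the change is effectively 64-bit only, which matches the CVE description on the commit line.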
diff --git a/libarchive.spec b/libarchive.spec
index f175b31..6d21eab 100644
--- a/libarchive.spec
+++ b/libarchive.spec
@@ -1,12 +1,12 @@
Name: libarchive
-Version: 3.1.1
-Release: 2%{?dist}
+Version: 3.1.2
+Release: 1%{?dist}
Summary: A library for handling streaming archive formats
Group: System Environment/Libraries
License: BSD
-URL: http://libarchive.github.com/
-Source0: https://github.com/libarchive/libarchive/archive/%{name}-%{version}.tar.gz
+URL: http://www.libarchive.org/
+Source0: http://www.libarchive.org/downloads/%{name}-%{version}.tar.gz
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
@@ -25,6 +25,11 @@ BuildRequires: libunistring-devel
BuildRequires: automake autoconf libtool
+# CVE-2013-0211 libarchive: read buffer overflow on 64-bit systems
+# https://bugzilla.redhat.com/show_bug.cgi?id=927105
+Patch0: libarchive-3.1.3-CVE-2013-0211_read_buffer_overflow.patch
+
+
%description
Libarchive is a programming library that can create and read several different
streaming archive formats, including most popular tar variants, several cpio
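Review bot: The `Patch0` file name on the added line carries the version 3.1.3 while `Version:` set in this same commit is 3.1.2, so a reader cannot tell whether the patch is an upstream backport or was written against a different tree; either rename the file to match the package version or extend the comment, e.g. `# backport of upstream commit 22531545, applied to 3.1.2`. The two blank lines after the Patch0 line are one more than the rest of the header uses. The `%patch0 -p1 -b .CVE-2013-0211` line that applies it is in a later hunk of this file.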
@@ -61,6 +66,7 @@ libarchive packages.
%prep
%setup -q -n %{name}-%{version}
+%patch0 -p1 -b .CVE-2013-0211
%build
@@ -119,6 +125,10 @@ rm -rf $RPM_BUILD_ROOT
%changelog
+* Thu Mar 28 2013 Tomas Bzatek <tbzatek at redhat.com> - 3.1.2-1
+- Update to 3.1.2
+- Fix CVE-2013-0211: read buffer overflow on 64-bit systems (#927105)
+
* Thu Feb 14 2013 Fedora Release Engineering <rel-eng at lists.fedoraproject.org> - 3.1.1-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild
diff --git a/sources b/sources
index 3c98732..b146a35 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-b482463d73370bdbe8e234095a6ef6c9 libarchive-3.1.1.tar.gz
+efad5a503f66329bb9d2f4308b5de98a libarchive-3.1.2.tar.gz