Date: Tuesday, March 29, 2022 @ 14:29:17 Author: eworm Revision: 440887
upgpkg: libarchive 3.6.0-2: fix possible out of bounds read Added: libarchive/trunk/0001-ZIP-reader-fix-possible-out-of-bounds-read-in-zipx_l.patch Modified: libarchive/trunk/PKGBUILD -----------------------------------------------------------------+ 0001-ZIP-reader-fix-possible-out-of-bounds-read-in-zipx_l.patch | 27 ++++++++++ PKGBUILD | 14 ++++- 2 files changed, 38 insertions(+), 3 deletions(-)
Added: 0001-ZIP-reader-fix-possible-out-of-bounds-read-in-zipx_l.patch
===================================================================
--- 0001-ZIP-reader-fix-possible-out-of-bounds-read-in-zipx_l.patch (rev 0)
+++ 0001-ZIP-reader-fix-possible-out-of-bounds-read-in-zipx_l.patch 2022-03-29 14:29:17 UTC (rev 440887)
@@ -0,0 +1,27 @@
+From cfaa28168a07ea4a53276b63068f94fce37d6aff Mon Sep 17 00:00:00 2001
+From: Tim Kientzle <kient...@acm.org>
+Date: Thu, 24 Mar 2022 10:35:00 +0100
+Subject: [PATCH 1/1] ZIP reader: fix possible out-of-bounds read in
+ zipx_lzma_alone_init()
+
+Fixes #1672
+---
+ libarchive/archive_read_support_format_zip.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/libarchive/archive_read_support_format_zip.c b/libarchive/archive_read_support_format_zip.c
+index 38ada70b..9d6c900b 100644
+--- a/libarchive/archive_read_support_format_zip.c
++++ b/libarchive/archive_read_support_format_zip.c
+@@ -1667,7 +1667,7 @@ zipx_lzma_alone_init(struct archive_read *a, struct zip *zip)
+ */
+
+ /* Read magic1,magic2,lzma_params from the ZIPX stream. */
+- if((p = __archive_read_ahead(a, 9, NULL)) == NULL) {
++ if(zip->entry_bytes_remaining < 9 || (p = __archive_read_ahead(a, 9, NULL)) == NULL) {
+ archive_set_error(&a->archive, ARCHIVE_ERRNO_FILE_FORMAT,
+ "Truncated lzma data");
+ return (ARCHIVE_FATAL);
+--
+2.35.1
+
Modified: PKGBUILD
===================================================================
--- PKGBUILD 2022-03-29 14:19:58 UTC (rev 440886)
+++ PKGBUILD 2022-03-29 14:29:17 UTC (rev 440887)
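Review bot: The new `zip->entry_bytes_remaining < 9` condition in zipx_lzma_alone_init() has no comment, and the existing one above it ("Read magic1,magic2,lzma_params from the ZIPX stream") describes only the read-ahead. A reader cannot tell from this line why a successful 9-byte read-ahead is not enough on its own; presumably the stream can still supply 9 bytes while the current entry declares fewer, so the header would be taken from data outside the entry. I would extend the comment to `/* Read magic1,magic2,lzma_params; the 9 header bytes must fit in the entry, not just in the stream. */`. The function body continues outside the hunk, so how the remaining size is used after this check is not visible here.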
@@ -3,7 +3,7 @@ pkgname=libarchive pkgver=3.6.0 -pkgrel=1 +pkgrel=2 pkgdesc='Multi-format archive and compression library' arch=('x86_64') url='https://libarchive.org/' @@ -12,10 +12,18 @@ provides=('libarchive.so') options=('debug') validpgpkeys=('A5A45B12AD92D964B89EEE2DEC560C81CEC2276E') # Martin Matuska <m...@freebsd.org> -source=("https://github.com/${pkgname}/${pkgname}/releases/download/v${pkgver}/${pkgname}-${pkgver}.tar.xz"{,.asc}) +source=("https://github.com/${pkgname}/${pkgname}/releases/download/v${pkgver}/${pkgname}-${pkgver}.tar.xz"{,.asc} + '0001-ZIP-reader-fix-possible-out-of-bounds-read-in-zipx_l.patch') sha256sums=('df283917799cb88659a5b33c0a598f04352d61936abcd8a48fe7b64e74950de7' - 'SKIP') + 'SKIP' + 'fb0ccefdce771ac1f19e4d2f991f6ed4201313f55af0dcbb3abb0e7b0f25696e') +prepare() { + cd "${pkgname}-${pkgver}" + + patch -Np1 < ../0001-ZIP-reader-fix-possible-out-of-bounds-read-in-zipx_l.patch +} + build() { cd "${pkgname}-${pkgver}"
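Review bot: Nothing in the PKGBUILD records where the patch applied in the new prepare() comes from or when it can be dropped; the only provenance is inside the patch file itself ("Fixes #1672"). Since this is a backported fix for an out-of-bounds read, a one-line comment above the `patch -Np1` call would let the next packager confirm the fix is in the release tarball before removing it, for example `# backport: libarchive issue #1672 (zipx_lzma_alone_init), drop once a release after 3.6.0 includes it`. The third `sha256sums` entry pins the content of the locally shipped patch, which is the appropriate integrity check for it.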