Bug#945287: libarchive: CVE-2019-19221

Gianfranco Costamagna Thu, 02 Apr 2020 03:45:52 -0700

control: tags -1 patch

diff attached, taken from Ubuntu

diff -Nru libarchive-3.4.0/debian/changelog libarchive-3.4.0/debian/changelog
--- libarchive-3.4.0/debian/changelog   2020-03-07 15:28:00.000000000 +0100
+++ libarchive-3.4.0/debian/changelog   2020-04-02 12:33:18.000000000 +0200
@@ -1,3 +1,12 @@
+libarchive (3.4.0-2.1) unstable; urgency=low
+
+  * Cherry-pick upstream fixes for CVE-2019-19221: (Closes: #945287)
+    - debian/patches/CVE-2019-19221.patch: Bugfix and optimize
+      archive_wstring_append_from_mbs() in libarchive/archive_string.c.
+    - CVE-2019-19221
+
+ -- Gianfranco Costamagna <locutusofb...@debian.org>  Thu, 02 Apr 2020 
12:33:18 +0200
+
 libarchive (3.4.0-2) unstable; urgency=medium
 
   * Declare compliance with Debian Policy 4.5.0 with no changes.
diff -Nru libarchive-3.4.0/debian/patches/CVE-2019-19221.patch 
libarchive-3.4.0/debian/patches/CVE-2019-19221.patch
--- libarchive-3.4.0/debian/patches/CVE-2019-19221.patch        1970-01-01 
01:00:00.000000000 +0100
+++ libarchive-3.4.0/debian/patches/CVE-2019-19221.patch        2020-04-02 
12:33:18.000000000 +0200
@@ -0,0 +1,97 @@
+From 22b1db9d46654afc6f0c28f90af8cdc84a199f41 Mon Sep 17 00:00:00 2001
+From: Martin Matuska <mar...@matuska.org>
+Date: Thu, 21 Nov 2019 03:08:40 +0100
+Subject: [PATCH] Bugfix and optimize archive_wstring_append_from_mbs()
+
+The cal to mbrtowc() or mbtowc() should read up to mbs_length
+bytes and not wcs_length. This avoids out-of-bounds reads.
+
+mbrtowc() and mbtowc() return (size_t)-1 wit errno EILSEQ when
+they encounter an invalid multibyte character and (size_t)-2 when
+they they encounter an incomplete multibyte character. As we return
+failure and all our callers error out it makes no sense to continue
+parsing mbs.
+
+As we allocate `len` wchars at the beginning and each wchar has
+at least one byte, there will never be need to grow the buffer,
+so the code can be left out. On the other hand, we are always
+allocatng more memory than we need.
+
+As long as wcs_length == mbs_length == len we can omit wcs_length.
+We keep the old code commented if we decide to save memory and
+use autoexpanding wcs_length in the future.
+
+Fixes #1276
+---
+ libarchive/archive_string.c | 28 +++++++++++++++++-----------
+ 1 file changed, 17 insertions(+), 11 deletions(-)
+
+diff --git a/libarchive/archive_string.c b/libarchive/archive_string.c
+index 979a418b6..bd39c96f1 100644
+--- a/libarchive/archive_string.c
++++ b/libarchive/archive_string.c
+@@ -591,7 +591,7 @@ archive_wstring_append_from_mbs(struct archive_wstring 
*dest,
+        * No single byte will be more than one wide character,
+        * so this length estimate will always be big enough.
+        */
+-      size_t wcs_length = len;
++      // size_t wcs_length = len;
+       size_t mbs_length = len;
+       const char *mbs = p;
+       wchar_t *wcs;
+@@ -600,7 +600,11 @@ archive_wstring_append_from_mbs(struct archive_wstring 
*dest,
+ 
+       memset(&shift_state, 0, sizeof(shift_state));
+ #endif
+-      if (NULL == archive_wstring_ensure(dest, dest->length + wcs_length + 1))
++      /*
++       * As we decided to have wcs_length == mbs_length == len
++       * we can use len here instead of wcs_length
++       */
++      if (NULL == archive_wstring_ensure(dest, dest->length + len + 1))
+               return (-1);
+       wcs = dest->s + dest->length;
+       /*
+@@ -609,6 +613,12 @@ archive_wstring_append_from_mbs(struct archive_wstring 
*dest,
+        * multi bytes.
+        */
+       while (*mbs && mbs_length > 0) {
++              /*
++               * The buffer we allocated is always big enough.
++               * Keep this code path in a comment if we decide to choose
++               * smaller wcs_length in the future
++               */
++/*
+               if (wcs_length == 0) {
+                       dest->length = wcs - dest->s;
+                       dest->s[dest->length] = L'\0';
+@@ -618,24 +628,20 @@ archive_wstring_append_from_mbs(struct archive_wstring 
*dest,
+                               return (-1);
+                       wcs = dest->s + dest->length;
+               }
++*/
+ #if HAVE_MBRTOWC
+-              r = mbrtowc(wcs, mbs, wcs_length, &shift_state);
++              r = mbrtowc(wcs, mbs, mbs_length, &shift_state);
+ #else
+-              r = mbtowc(wcs, mbs, wcs_length);
++              r = mbtowc(wcs, mbs, mbs_length);
+ #endif
+               if (r == (size_t)-1 || r == (size_t)-2) {
+                       ret_val = -1;
+-                      if (errno == EILSEQ) {
+-                              ++mbs;
+-                              --mbs_length;
+-                              continue;
+-                      } else
+-                              break;
++                      break;
+               }
+               if (r == 0 || r > mbs_length)
+                       break;
+               wcs++;
+-              wcs_length--;
++              // wcs_length--;
+               mbs += r;
+               mbs_length -= r;
+       }
diff -Nru libarchive-3.4.0/debian/patches/series 
libarchive-3.4.0/debian/patches/series
--- libarchive-3.4.0/debian/patches/series      2020-03-07 14:38:42.000000000 
+0100
+++ libarchive-3.4.0/debian/patches/series      2020-04-02 12:33:18.000000000 
+0200
@@ -10,3 +10,4 @@
 upstream-lz4-uint32.patch
 CVE-2020-9308.patch
 typos.patch
+CVE-2019-19221.patch

Bug#945287: libarchive: CVE-2019-19221

Reply via email to