From patchwork Sun Nov 3 10:38:15 2019
X-Patchwork-Submitter: Peter Korsgaard
X-Patchwork-Id: 1188537
From: Peter Korsgaard
To: buildroot@buildroot.org
Cc: Peter Korsgaard
Date: Sun, 3 Nov 2019 11:38:15 +0100
Message-Id: <20191103103815.31359-1-peter@korsgaard.com>
Subject: [Buildroot] [PATCH-2019.02.x] package/libarchive: add upstream security fix for CVE-2019-18408

Fixes the following security issue:

- CVE-2019-18408: archive_read_format_rar_read_data in
  archive_read_support_format_rar.c in libarchive before 3.4.0 has a
  use-after-free in a certain ARCHIVE_FAILED situation, related to
  Ppmd7_DecodeSymbol.

Signed-off-by: Peter Korsgaard
---
 .../0007-RAR-reader-fix-use-after-free.patch | 36 +++++++++++++++++++
 1 file changed, 36 insertions(+)
 create mode 100644 package/libarchive/0007-RAR-reader-fix-use-after-free.patch

diff --git a/package/libarchive/0007-RAR-reader-fix-use-after-free.patch b/package/libarchive/0007-RAR-reader-fix-use-after-free.patch new file mode 100644 index 0000000000..5acbb77e96 --- /dev/null +++ b/package/libarchive/0007-RAR-reader-fix-use-after-free.patch 
@@ -0,0 +1,36 @@ +From b8592ecba2f9e451e1f5cb7ab6dcee8b8e7b3f60 Mon Sep 17 00:00:00 2001 +From: Martin Matuska +Date: Sat, 11 May 2019 02:36:53 +0200 +Subject: [PATCH] RAR reader: fix use after free + +If read_data_compressed() returns ARCHIVE_FAILED, the caller is allowed +to continue with next archive headers. We need to set rar->start_new_table +after the ppmd7_context got freed, otherwise it won't be allocated again. + +Reported by: OSS-Fuzz issue 2582 + +[Peter: fixes CVE-2019-18408] +Signed-off-by: Peter Korsgaard +--- + libarchive/archive_read_support_format_rar.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/libarchive/archive_read_support_format_rar.c b/libarchive/archive_read_support_format_rar.c +index a8cc5c94..49360876 100644 +--- a/libarchive/archive_read_support_format_rar.c ++++ b/libarchive/archive_read_support_format_rar.c +@@ -1024,8 +1024,10 @@ archive_read_format_rar_read_data(struct archive_read *a, const void **buff, + case COMPRESS_METHOD_GOOD: + case COMPRESS_METHOD_BEST: + ret = read_data_compressed(a, buff, size, offset); +- if (ret != ARCHIVE_OK && ret != ARCHIVE_WARN) ++ if (ret != ARCHIVE_OK && ret != ARCHIVE_WARN) { + __archive_ppmd7_functions.Ppmd7_Free(&rar->ppmd7_context); ++ rar->start_new_table = 1; ++ } + break; + + default: +-- +2.20.1 +
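Review bot: In the COMPRESS_METHOD_GOOD / COMPRESS_METHOD_BEST error branch of archive_read_format_rar_read_data(), the free and the flag reset are coupled only by convention: `rar->start_new_table = 1;` must follow `Ppmd7_Free(&rar->ppmd7_context)` or the context is reused after being freed, yet that invariant is stated only in the commit message. A one-line comment at the assignment (for example, that the flag forces the PPMd7 context to be allocated again before the next entry is decoded) would keep a later cleanup from separating the two statements. The hunk shows only this one call site, so it is also worth confirming that any other path that frees `rar->ppmd7_context` while the reader can still continue sets the flag as well. The branch is taken for every return other than ARCHIVE_OK and ARCHIVE_WARN, not just ARCHIVE_FAILED, which is harmless here because setting the flag on a fatal return has no further effect on a reader that stops.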
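Review bot: The header of the new 0007-RAR-reader-fix-use-after-free.patch identifies the upstream change only through the commit hash in its mbox "From b8592ecba2f9e451e1f5cb7ab6dcee8b8e7b3f60" line; an explicit backport reference next to "[Peter: fixes CVE-2019-18408]" would make the provenance easier to verify when the patch is audited later. Since the commit message states the issue affects libarchive before 3.4.0, it would also help to say in the patch header or the commit message that 0007 is to be dropped once the package is bumped to 3.4.0 or later, so the fix is not carried twice.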