mirror of
git://git.savannah.gnu.org/guix.git
synced 2023-12-14 03:33:07 +01:00
gnu: libarchive: Remove graft for 3.3.3.
* gnu/packages/patches/libarchive-CVE-2017-14166.patch, gnu/packages/patches/libarchive-CVE-2017-14502.patch: Delete files. * gnu/local.mk (dist_patch_DATA): Adjust accordingly. * gnu/packages/backup.scm (libarchive): Update to 3.3.3. [source](patches): Adjust for 3.3.3. [replacement]: Remove field. (libarchive-3.3.3): Remove variable.
This commit is contained in:
parent
027250f1a6
commit
a5be549e39
4 changed files with 5 additions and 108 deletions
|
@ -943,8 +943,6 @@ dist_patch_DATA = \
|
|||
%D%/packages/patches/liba52-link-with-libm.patch \
|
||||
%D%/packages/patches/liba52-set-soname.patch \
|
||||
%D%/packages/patches/liba52-use-mtune-not-mcpu.patch \
|
||||
%D%/packages/patches/libarchive-CVE-2017-14166.patch \
|
||||
%D%/packages/patches/libarchive-CVE-2017-14502.patch \
|
||||
%D%/packages/patches/libarchive-CVE-2018-1000877.patch \
|
||||
%D%/packages/patches/libarchive-CVE-2018-1000878.patch \
|
||||
%D%/packages/patches/libarchive-CVE-2018-1000880.patch \
|
||||
|
|
|
@ -197,18 +197,18 @@ backups (called chunks) to allow easy burning to CD/DVD.")
|
|||
(define-public libarchive
|
||||
(package
|
||||
(name "libarchive")
|
||||
(replacement libarchive-3.3.3)
|
||||
(version "3.3.2")
|
||||
(version "3.3.3")
|
||||
(source
|
||||
(origin
|
||||
(method url-fetch)
|
||||
(uri (string-append "https://libarchive.org/downloads/libarchive-"
|
||||
version ".tar.gz"))
|
||||
(patches (search-patches "libarchive-CVE-2017-14166.patch"
|
||||
"libarchive-CVE-2017-14502.patch"))
|
||||
(patches (search-patches "libarchive-CVE-2018-1000877.patch"
|
||||
"libarchive-CVE-2018-1000878.patch"
|
||||
"libarchive-CVE-2018-1000880.patch"))
|
||||
(sha256
|
||||
(base32
|
||||
"1km0mzfl6in7l5vz9kl09a88ajx562rw93ng9h2jqavrailvsbgd"))))
|
||||
"0bhfncid058p7n1n8v29l6wxm3mhdqfassscihbsxfwz3iwb2zms"))))
|
||||
(build-system gnu-build-system)
|
||||
(inputs
|
||||
`(("zlib" ,zlib)
|
||||
|
@ -274,22 +274,6 @@ archive. In particular, note that there is currently no built-in support for
|
|||
random access nor for in-place modification.")
|
||||
(license license:bsd-2)))
|
||||
|
||||
(define-public libarchive-3.3.3
|
||||
(package
|
||||
(inherit libarchive)
|
||||
(version "3.3.3")
|
||||
(source
|
||||
(origin
|
||||
(method url-fetch)
|
||||
(uri (string-append "https://libarchive.org/downloads/libarchive-"
|
||||
version ".tar.gz"))
|
||||
(patches (search-patches "libarchive-CVE-2018-1000877.patch"
|
||||
"libarchive-CVE-2018-1000878.patch"
|
||||
"libarchive-CVE-2018-1000880.patch"))
|
||||
(sha256
|
||||
(base32
|
||||
"0bhfncid058p7n1n8v29l6wxm3mhdqfassscihbsxfwz3iwb2zms"))))))
|
||||
|
||||
(define-public rdup
|
||||
(package
|
||||
(name "rdup")
|
||||
|
|
|
@ -1,45 +0,0 @@
|
|||
Fix CVE-2017-14166:
|
||||
|
||||
https://github.com/libarchive/libarchive/issues/935
|
||||
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14166
|
||||
|
||||
Patch copied from upstream source repository:
|
||||
|
||||
https://github.com/libarchive/libarchive/commit/fa7438a0ff4033e4741c807394a9af6207940d71
|
||||
|
||||
From fa7438a0ff4033e4741c807394a9af6207940d71 Mon Sep 17 00:00:00 2001
|
||||
From: Joerg Sonnenberger <joerg@bec.de>
|
||||
Date: Tue, 5 Sep 2017 18:12:19 +0200
|
||||
Subject: [PATCH] Do something sensible for empty strings to make fuzzers
|
||||
happy.
|
||||
|
||||
---
|
||||
libarchive/archive_read_support_format_xar.c | 8 +++++++-
|
||||
1 file changed, 7 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/libarchive/archive_read_support_format_xar.c b/libarchive/archive_read_support_format_xar.c
|
||||
index 7a22beb9d..93eeacc5e 100644
|
||||
--- a/libarchive/archive_read_support_format_xar.c
|
||||
+++ b/libarchive/archive_read_support_format_xar.c
|
||||
@@ -1040,6 +1040,9 @@ atol10(const char *p, size_t char_cnt)
|
||||
uint64_t l;
|
||||
int digit;
|
||||
|
||||
+ if (char_cnt == 0)
|
||||
+ return (0);
|
||||
+
|
||||
l = 0;
|
||||
digit = *p - '0';
|
||||
while (digit >= 0 && digit < 10 && char_cnt-- > 0) {
|
||||
@@ -1054,7 +1057,10 @@ atol8(const char *p, size_t char_cnt)
|
||||
{
|
||||
int64_t l;
|
||||
int digit;
|
||||
-
|
||||
+
|
||||
+ if (char_cnt == 0)
|
||||
+ return (0);
|
||||
+
|
||||
l = 0;
|
||||
while (char_cnt-- > 0) {
|
||||
if (*p >= '0' && *p <= '7')
|
|
@ -1,40 +0,0 @@
|
|||
Fix CVE-2017-14502:
|
||||
|
||||
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14502
|
||||
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=573
|
||||
|
||||
Patch copied from upstream source repository:
|
||||
|
||||
https://github.com/libarchive/libarchive/commit/5562545b5562f6d12a4ef991fae158bf4ccf92b6
|
||||
|
||||
From 5562545b5562f6d12a4ef991fae158bf4ccf92b6 Mon Sep 17 00:00:00 2001
|
||||
From: Joerg Sonnenberger <joerg@bec.de>
|
||||
Date: Sat, 9 Sep 2017 17:47:32 +0200
|
||||
Subject: [PATCH] Avoid a read off-by-one error for UTF16 names in RAR
|
||||
archives.
|
||||
|
||||
Reported-By: OSS-Fuzz issue 573
|
||||
---
|
||||
libarchive/archive_read_support_format_rar.c | 6 +++++-
|
||||
1 file changed, 5 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/libarchive/archive_read_support_format_rar.c b/libarchive/archive_read_support_format_rar.c
|
||||
index cbb14c32..751de697 100644
|
||||
--- a/libarchive/archive_read_support_format_rar.c
|
||||
+++ b/libarchive/archive_read_support_format_rar.c
|
||||
@@ -1496,7 +1496,11 @@ read_header(struct archive_read *a, struct archive_entry *entry,
|
||||
return (ARCHIVE_FATAL);
|
||||
}
|
||||
filename[filename_size++] = '\0';
|
||||
- filename[filename_size++] = '\0';
|
||||
+ /*
|
||||
+ * Do not increment filename_size here as the computations below
|
||||
+ * add the space for the terminating NUL explicitly.
|
||||
+ */
|
||||
+ filename[filename_size] = '\0';
|
||||
|
||||
/* Decoded unicode form is UTF-16BE, so we have to update a string
|
||||
* conversion object for it. */
|
||||
--
|
||||
2.15.1
|
||||
|
Loading…
Reference in a new issue