Blame SOURCES/libarchive-3.1.2-CVE-2016-4300.patch

From f084b0568ac2845f12a9a34e0636811d49d6a2a8 Mon Sep 17 00:00:00 2001
From: Tim Kientzle <kientzle@acm.org>
Date: Sun, 19 Jun 2016 14:14:09 -0700
Subject: [PATCH] Issue #718: Fix TALOS-CAN-152
If a 7-Zip archive declares a ridiculously large number of substreams,
it can overflow an internal counter, leading a subsequent memory
allocation to be too small for the substream data.
Thanks to the Open Source and Threat Intelligence project at Cisco
for reporting this issue.
---
 libarchive/archive_read_support_format_7zip.c | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/libarchive/archive_read_support_format_7zip.c b/libarchive/archive_read_support_format_7zip.c
index e490c00..8ae8443 100644
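--- a/libarchive/archive_read_support_format_7zip.c
+++ b/libarchive/archive_read_support_format_7zip.c
@@ -2054,6 +2054,9 @@ read_SubStreamsInfo(struct archive_read *a, struct _7z_substream_info *ss,
 				return (-1);
 			if (1000000 < f[i].numUnpackStreams)
 				return (-1);
+			if (unpack_streams > SIZE_MAX - 1000000) {
+				return (-1);
+			}
 			unpack_streams += (size_t)f[i].numUnpackStreams;
 		}
 		if ((p = header_bytes(a, 1)) == NULL)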
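Review bot: The new guard before `unpack_streams += (size_t)f[i].numUnpackStreams;` repeats the literal `1000000` from the per-folder check two lines above, so the overflow argument holds only while the two numbers stay in sync. A shared named constant (for example `#define MAX_UNPACK_STREAMS_PER_FOLDER 1000000`, a name constructed for this note) used in both checks, plus a comment such as `/* numUnpackStreams <= limit was checked above, so this addition cannot wrap size_t */`, would make that dependency explicit. The guard stops the counter from wrapping but still lets the running total grow close to `SIZE_MAX`, so any later count-times-element-size computation, which lies outside this hunk, needs its own overflow check or a cap on the total. `SIZE_MAX` also needs `<stdint.h>` or a fallback definition in scope, which the hunk does not show. read_SubStreamsInfo starts and ends outside the hunk.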
-- 
2.7.4