From a5be549e393962764a9df590dc5ba6a314bfe866 Mon Sep 17 00:00:00 2001 From: Marius Bakke Date: Thu, 7 Feb 2019 21:31:23 +0100 Subject: gnu: libarchive: Remove graft for 3.3.3. * gnu/packages/patches/libarchive-CVE-2017-14166.patch, gnu/packages/patches/libarchive-CVE-2017-14502.patch: Delete files. * gnu/local.mk (dist_patch_DATA): Adjust accordingly. * gnu/packages/backup.scm (libarchive): Update to 3.3.3. [source](patches): Adjust for 3.3.3. [replacement]: Remove field. (libarchive-3.3.3): Remove variable. --- .../patches/libarchive-CVE-2017-14166.patch | 45 ---------------------- .../patches/libarchive-CVE-2017-14502.patch | 40 ------------------- 2 files changed, 85 deletions(-) delete mode 100644 gnu/packages/patches/libarchive-CVE-2017-14166.patch delete mode 100644 gnu/packages/patches/libarchive-CVE-2017-14502.patch (limited to 'gnu/packages/patches') diff --git a/gnu/packages/patches/libarchive-CVE-2017-14166.patch b/gnu/packages/patches/libarchive-CVE-2017-14166.patch deleted file mode 100644 index a122848440..0000000000 --- a/gnu/packages/patches/libarchive-CVE-2017-14166.patch +++ /dev/null @@ -1,45 +0,0 @@ -Fix CVE-2017-14166: - -https://github.com/libarchive/libarchive/issues/935 -https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14166 - -Patch copied from upstream source repository: - -https://github.com/libarchive/libarchive/commit/fa7438a0ff4033e4741c807394a9af6207940d71 - -From fa7438a0ff4033e4741c807394a9af6207940d71 Mon Sep 17 00:00:00 2001 -From: Joerg Sonnenberger -Date: Tue, 5 Sep 2017 18:12:19 +0200 -Subject: [PATCH] Do something sensible for empty strings to make fuzzers - happy. - ---- - libarchive/archive_read_support_format_xar.c | 8 +++++++- - 1 file changed, 7 insertions(+), 1 deletion(-) - -diff --git a/libarchive/archive_read_support_format_xar.c b/libarchive/archive_read_support_format_xar.c -index 7a22beb9d..93eeacc5e 100644 ---- a/libarchive/archive_read_support_format_xar.c -+++ b/libarchive/archive_read_support_format_xar.c -@@ -1040,6 +1040,9 @@ atol10(const char *p, size_t char_cnt) - uint64_t l; - int digit; - -+ if (char_cnt == 0) -+ return (0); -+ - l = 0; - digit = *p - '0'; - while (digit >= 0 && digit < 10 && char_cnt-- > 0) { -@@ -1054,7 +1057,10 @@ atol8(const char *p, size_t char_cnt) - { - int64_t l; - int digit; -- -+ -+ if (char_cnt == 0) -+ return (0); -+ - l = 0; - while (char_cnt-- > 0) { - if (*p >= '0' && *p <= '7') diff --git a/gnu/packages/patches/libarchive-CVE-2017-14502.patch b/gnu/packages/patches/libarchive-CVE-2017-14502.patch deleted file mode 100644 index 8e0508afb5..0000000000 --- a/gnu/packages/patches/libarchive-CVE-2017-14502.patch +++ /dev/null @@ -1,40 +0,0 @@ -Fix CVE-2017-14502: - -https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14502 -https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=573 - -Patch copied from upstream source repository: - -https://github.com/libarchive/libarchive/commit/5562545b5562f6d12a4ef991fae158bf4ccf92b6 - -From 5562545b5562f6d12a4ef991fae158bf4ccf92b6 Mon Sep 17 00:00:00 2001 -From: Joerg Sonnenberger -Date: Sat, 9 Sep 2017 17:47:32 +0200 -Subject: [PATCH] Avoid a read off-by-one error for UTF16 names in RAR - archives. - -Reported-By: OSS-Fuzz issue 573 ---- - libarchive/archive_read_support_format_rar.c | 6 +++++- - 1 file changed, 5 insertions(+), 1 deletion(-) - -diff --git a/libarchive/archive_read_support_format_rar.c b/libarchive/archive_read_support_format_rar.c -index cbb14c32..751de697 100644 ---- a/libarchive/archive_read_support_format_rar.c -+++ b/libarchive/archive_read_support_format_rar.c -@@ -1496,7 +1496,11 @@ read_header(struct archive_read *a, struct archive_entry *entry, - return (ARCHIVE_FATAL); - } - filename[filename_size++] = '\0'; -- filename[filename_size++] = '\0'; -+ /* -+ * Do not increment filename_size here as the computations below -+ * add the space for the terminating NUL explicitly. -+ */ -+ filename[filename_size] = '\0'; - - /* Decoded unicode form is UTF-16BE, so we have to update a string - * conversion object for it. */ --- -2.15.1 - -- cgit 1.4.1