-rw-r--r--REUSE.toml5
-rw-r--r--bugs/README.md8
-rw-r--r--bugs/cve/2016/5844/libarchive-signed-int-overflow.isobin0 -> 49152 bytes
-rw-r--r--loftix/bugs.scm21
4 files changed, 34 insertions, 0 deletions
diff --git a/REUSE.toml b/REUSE.toml
index 477b733..8bdde8b 100644
--- a/REUSE.toml
+++ b/REUSE.toml
@@ -14,6 +14,11 @@ path = 'bugs/cve/2013/7437/2.bmp'
SPDX-FileCopyrightText = '2013 Stefan Cornelius'
[[annotations]]
+path = 'bugs/cve/2016/5844/libarchive-signed-int-overflow.iso'
+SPDX-FileCopyrightText = '2016 Hanno Böck'
+SPDX-License-Identifier = 'CC0-1.0'
+
+[[annotations]]
path = 'bugs/cve/2016/8691/11.crash'
SPDX-FileCopyrightText = '2016 Agostino Sarubbo'
SPDX-License-Identifier = 'CC0-1.0'
diff --git a/bugs/README.md b/bugs/README.md
index 6ae8618..7378d71 100644
--- a/bugs/README.md
+++ b/bugs/README.md
@@ -41,6 +41,13 @@
guix shell jasper@1.900.19
imginfo -f cve/2016/9557/signed-int-overflow.jp2
+## libarchive
+
+- CVE-2016-5844: [signed integer overflow][libarchive-717]
+
+ guix shell libarchive@3.2.0
+ bsdtar -tf cve/2016/5844/libarchive-signed-int-overflow.iso
+
## libjpeg-turbo
- CVE-2017-15232: [null pointer dereference][mozjpeg-268]
@@ -68,6 +75,7 @@
[jasper-22]: https://github.com/jasper-software/jasper/issues/22
[jasper-67]: https://github.com/jasper-software/jasper/issues/67
+[libarchive-717]: https://github.com/libarchive/libarchive/issues/717
[mozjpeg-268]: https://github.com/mozilla/mozjpeg/issues/268
[oss-sec-20161105-3]: https://www.openwall.com/lists/oss-security/2016/11/05/3
[redhat-955808]: https://bugzilla.redhat.com/show_bug.cgi?id=955808
diff --git a/bugs/cve/2016/5844/libarchive-signed-int-overflow.iso b/bugs/cve/2016/5844/libarchive-signed-int-overflow.iso
new file mode 100644
index 0000000..f262b04
--- /dev/null
+++ b/bugs/cve/2016/5844/libarchive-signed-int-overflow.iso
Binary files differ
diff --git a/loftix/bugs.scm b/loftix/bugs.scm
index 09ed206..296043f 100644
--- a/loftix/bugs.scm
+++ b/loftix/bugs.scm
@@ -11,6 +11,7 @@
;;; SPDX-License-Identifier: GPL-3.0-or-later
(define-module (loftix bugs)
+ #:use-module (gnu packages backup)
#:use-module (gnu packages base)
#:use-module (gnu packages fontutils)
#:use-module (gnu packages image)
@@ -90,6 +91,26 @@
"106xwiyn40k5yrnny198mzscvyd18rza9clhd2nl6xvcsz73swrn"))))
(arguments '(#:make-flags '("LDFLAGS=-static")))))
+(define-public libarchive-3.2.0
+ (package
+ (inherit libarchive)
+ (name "libarchive")
+ (version "3.2.0")
+ (source (origin
+ (method url-fetch)
+ (uri (string-append "https://libarchive.org/downloads/libarchive-"
+ version ".tar.gz"))
+ (sha256
+ (base32 "11xabdpmvdmcdkidigmqh4ymhra95lr7ipcys4hdq0gzf7ylbkkv"))
+ (patches '())))
+ (arguments '(#:make-flags
+ (list (string-append "CFLAGS=-O2 -g"
+ " -fsanitize=undefined"
+ " -fno-sanitize-recover=undefined")
+ "LDFLAGS=-fsanitize=undefined")
+ ;; Tests fail with UBSan enabled^
+ #:tests? #f))))
+
(define-public libjpeg-turbo-1.5.2
(package
(inherit libjpeg-turbo)
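Review bot: The `libarchive-3.2.0` definition carries no comment saying that it is deliberately pinned to a release affected by CVE-2016-5844 and that `(patches '())` clears the inherited patch list on purpose. Because it is exported with `define-public` under the plain package name "libarchive", a line such as `;; Deliberately vulnerable (CVE-2016-5844): keep unpatched, for bug reproduction only.` above the definition would keep a later cleanup from re-adding fixes and warn anyone against reusing it as an ordinary dependency. The `arguments` field is written as a fresh quoted list, which presumably discards whatever the inherited `libarchive` package sets there (its definition is not visible in this diff); if any inherited phases or configure flags are still needed, wrapping the change in `substitute-keyword-arguments` over `(package-arguments libarchive)` would keep them. The comment above `#:tests? #f` ends in a stray `^`; `;; Tests fail with UBSan enabled.` reads cleanly.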