From nobody Mon Sep 11 07:02:15 2023
X-Original-To: dev-commits-src-all@mlmmj.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
	by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4Rkd1z755Jz4t8NQ;
	Mon, 11 Sep 2023 07:02:15 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
	 client-signature RSA-PSS (4096 bits) client-digest SHA256)
	(Client CN "mxrelay.nyi.freebsd.org", Issuer "R3" (verified OK))
	by mx1.freebsd.org (Postfix) with ESMTPS id 4Rkd1z6f9Kz4VZ2;
	Mon, 11 Sep 2023 07:02:15 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim;
	t=1694415735;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding;
	bh=tRgeB3VIbIItdajM/2XKS4i+sGhBJHZDjRIWlnowoak=;
	b=D7UL5Yd3kW+Urez777aeRiNjghJinBRJdFsIsDO6Oapt2HMkqnwIS+R9VtLl19Ox4aOxV8
	22MbCFyDNTGHmZQHgDtiz3LclPNbtxap57Pk5tdjHyV4XGQwFhknBzQzZb/T1VOKYpR971
	PD4FEIX9S6loNX81AFl6VbSrcpuSuRA6MalMjsI2XrVfZu8q6QVh5gpJYv4ypcQnYf+UQ7
	HS7waU/pw26LJhFdyTQbPq++OhD0wDfwDnK2wamtoBZIcLNRszC6XR5hWONp30toV0EWwA
	aNkOPjgFmTVSQeGEKZznfquQkYJ/IPfKBsnvt2Ox+nLfKbux0JtsZSFTnuZKqA==
ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1694415735; a=rsa-sha256; cv=none;
	b=su1jwCibaIEeeoNHYYdaAD9eFsmHdw6R17wcyqB7KkqR//X1pAdkYC5+a893atb2F4DMFJ
	Oo2uDON7NCTww+S9SeurMq7t256U5jsm/kS9L2kfs/LLyRopqky3N1kCY2uFEbpOaOSJWF
	yAh513P4tOSY8YVog9eDsZP/4ASsRAge6yDKuotYpgBDgvpidw2p/UZTwoz54MEnlkXeLi
	DVXjHrQNK5fQpWyZdclbefOF8vyL/Alxcd1rcipNvjSv5eOkGD9Z5oVl/QsD4tTr33+xGy
	S/5FUbkAPXrEIDjwgralQ6N0w3vLR456tVE3K0cvsTP31W+1Ga7FPSOno/gYaQ==
ARC-Authentication-Results: i=1;
	mx1.freebsd.org;
	none
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org;
	s=dkim; t=1694415735;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding;
	bh=tRgeB3VIbIItdajM/2XKS4i+sGhBJHZDjRIWlnowoak=;
	b=x6rUSni7VXM51TjQY38XoHPOZ7YLxPuOj3jqvK3ST5rJjF9qkZ6KNvw7C0j0rP8QSsTYwY
	gk7OI1/GoIvIGEo1vX7IX4sbj8KHAPDupG+K8aYpJOSQFSb+Ek+Me4tLXrPwrFXSsXym8P
	6bgxbC+XMj8D/gLNirFv/DKBg5jMh70NtW5q46n6LJRNFKJ9TurtC7IglhbY4xCrtPfwce
	R13R3N9cEQaZ0W0KtpgG/iGVet/DVDSfE9KYendDpSlLlU2HkC0bydAaRqUOZFh7UxyFff
	XAGJLpzqQeNibNJ9RRzf9wMguIpY8kB4R5MhkAGqhjS6av2zMElU5Dt6fsZlHw==
Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256)
	(Client did not present a certificate)
	by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 4Rkd1z5jx2zgN1;
	Mon, 11 Sep 2023 07:02:15 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
Received: from gitrepo.freebsd.org ([127.0.1.44])
	by gitrepo.freebsd.org (8.17.1/8.17.1) with ESMTP id 38B72FUw007530;
	Mon, 11 Sep 2023 07:02:15 GMT
	(envelope-from git@gitrepo.freebsd.org)
Received: (from git@localhost)
	by gitrepo.freebsd.org (8.17.1/8.17.1/Submit) id 38B72F2u007512;
	Mon, 11 Sep 2023 07:02:15 GMT
	(envelope-from git)
Date: Mon, 11 Sep 2023 07:02:15 GMT
Message-Id: <202309110702.38B72F2u007512@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org,
        dev-commits-src-branches@FreeBSD.org
From: Martin Matuska <mm@FreeBSD.org>
Subject: git: 0c9b0086715b - stable/14 - libarchive: merge security
  fix from vendor branch
List-Id: Commit messages for all branches of the src repository <dev-commits-src-all.freebsd.org>
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all
List-Help: <mailto:dev-commits-src-all+help@freebsd.org>
List-Post: <mailto:dev-commits-src-all@freebsd.org>
List-Subscribe: <mailto:dev-commits-src-all+subscribe@freebsd.org>
List-Unsubscribe: <mailto:dev-commits-src-all+unsubscribe@freebsd.org>
Sender: owner-dev-commits-src-all@freebsd.org
X-BeenThere: dev-commits-src-all@freebsd.org
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Git-Committer: mm
X-Git-Repository: src
X-Git-Refname: refs/heads/stable/14
X-Git-Reftype: branch
X-Git-Commit: 0c9b0086715b3b354d471de9dee2ea113aa94481
Auto-Submitted: auto-generated

The branch stable/14 has been updated by mm:

URL: https://cgit.FreeBSD.org/src/commit/?id=0c9b0086715b3b354d471de9dee2ea113aa94481

commit 0c9b0086715b3b354d471de9dee2ea113aa94481
Author:     Martin Matuska <mm@FreeBSD.org>
AuthorDate: 2023-09-07 15:18:12 +0000
Commit:     Martin Matuska <mm@FreeBSD.org>
CommitDate: 2023-09-11 07:02:07 +0000

    libarchive: merge security fix from vendor branch
    
    This commit fixes a couple of security vulnerabilities in the PAX writer:
    1. Heap overflow in url_encode() in archive_write_set_format_pax.c
    2. NULL dereference in archive_write_pax_header_xattrs()
    3. Another NULL dereference in archive_write_pax_header_xattrs()
    4. NULL dereference in archive_write_pax_header_xattr()
    
    Security:       No known reference yet
    Obtained from:  https://github.com/libarchive/libarchive/commit/1b4e0d0f9
    
    (cherry picked from commit f10f65999fe56e92f00b5bc5d27ac342cfea5364)
---
 .../libarchive/archive_write_set_format_pax.c      | 35 +++++++++++++++-------
 1 file changed, 25 insertions(+), 10 deletions(-)

diff --git a/contrib/libarchive/libarchive/archive_write_set_format_pax.c b/contrib/libarchive/libarchive/archive_write_set_format_pax.c
index 661b7013e0d2..8ce1d18c61e5 100644
--- a/contrib/libarchive/libarchive/archive_write_set_format_pax.c
+++ b/contrib/libarchive/libarchive/archive_write_set_format_pax.c
@@ -368,10 +368,12 @@ archive_write_pax_header_xattr(struct pax *pax, const char *encoded_name,
 	struct archive_string s;
 	char *encoded_value;
 
+	if (encoded_name == NULL)
+		return;
+
 	if (pax->flags & WRITE_LIBARCHIVE_XATTR) {
 		encoded_value = base64_encode((const char *)value, value_len);
-
-		if (encoded_name != NULL && encoded_value != NULL) {
+		if (encoded_value != NULL) {
 			archive_string_init(&s);
 			archive_strcpy(&s, "LIBARCHIVE.xattr.");
 			archive_strcat(&s, encoded_name);
@@ -404,17 +406,22 @@ archive_write_pax_header_xattrs(struct archive_write *a,
 
 		archive_entry_xattr_next(entry, &name, &value, &size);
 		url_encoded_name = url_encode(name);
-		if (url_encoded_name != NULL) {
+		if (url_encoded_name == NULL)
+			goto malloc_error;
+		else {
 			/* Convert narrow-character to UTF-8. */
 			r = archive_strcpy_l(&(pax->l_url_encoded_name),
 			    url_encoded_name, pax->sconv_utf8);
 			free(url_encoded_name); /* Done with this. */
 			if (r == 0)
 				encoded_name = pax->l_url_encoded_name.s;
-			else if (errno == ENOMEM) {
-				archive_set_error(&a->archive, ENOMEM,
-				    "Can't allocate memory for Linkname");
-				return (ARCHIVE_FATAL);
+			else if (r == -1)
+				goto malloc_error;
+			else {
+				archive_set_error(&a->archive,
+				    ARCHIVE_ERRNO_MISC,
+				    "Error encoding pax extended attribute");
+				return (ARCHIVE_FAILED);
 			}
 		}
 
@@ -423,6 +430,9 @@ archive_write_pax_header_xattrs(struct archive_write *a,
 
 	}
 	return (ARCHIVE_OK);
+malloc_error:
+	archive_set_error(&a->archive, ENOMEM, "Can't allocate memory");
+	return (ARCHIVE_FATAL);
 }
 
 static int
@@ -1904,14 +1914,19 @@ url_encode(const char *in)
 {
 	const char *s;
 	char *d;
-	int out_len = 0;
+	size_t out_len = 0;
 	char *out;
 
 	for (s = in; *s != '\0'; s++) {
-		if (*s < 33 || *s > 126 || *s == '%' || *s == '=')
+		if (*s < 33 || *s > 126 || *s == '%' || *s == '=') {
+			if (SIZE_MAX - out_len < 4)
+				return (NULL);
 			out_len += 3;
-		else
+		} else {
+			if (SIZE_MAX - out_len < 2)
+				return (NULL);
 			out_len++;
+		}
 	}
 
 	out = (char *)malloc(out_len + 1);