From owner-svn-src-all@freebsd.org Sat May 21 09:24:03 2016 Return-Path: Delivered-To: svn-src-all@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 5D75AB44651; Sat, 21 May 2016 09:24:03 +0000 (UTC) (envelope-from mm@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 2EC1F1519; Sat, 21 May 2016 09:24:03 +0000 (UTC) (envelope-from mm@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id u4L9O2jl076234; Sat, 21 May 2016 09:24:02 GMT (envelope-from mm@FreeBSD.org) Received: (from mm@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id u4L9O25Z076233; Sat, 21 May 2016 09:24:02 GMT (envelope-from mm@FreeBSD.org) Message-Id: <201605210924.u4L9O25Z076233@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: mm set sender to mm@FreeBSD.org using -f From: Martin Matuska Date: Sat, 21 May 2016 09:24:02 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-9@freebsd.org Subject: svn commit: r300362 - stable/9/contrib/libarchive/libarchive X-SVN-Group: stable-9 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-all@freebsd.org X-Mailman-Version: 2.1.22 Precedence: list List-Id: "SVN commit messages for the entire src tree \(except for " user" and " projects" \)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 21 May 2016 09:24:03 -0000 Author: mm Date: Sat May 21 09:24:02 2016 New Revision: 300362 URL: https://svnweb.freebsd.org/changeset/base/300362 Log: Backport security fix for integer signedness error in libarchive. This is a direct commit to stable/9. Upstream git commit: 22531545514043e04633e1c015c7540b9de9dbe4 Security: CVE-2013-0211 Modified: stable/9/contrib/libarchive/libarchive/archive_write_disk.c Modified: stable/9/contrib/libarchive/libarchive/archive_write_disk.c ============================================================================== --- stable/9/contrib/libarchive/libarchive/archive_write_disk.c Sat May 21 09:03:45 2016 (r300361) +++ stable/9/contrib/libarchive/libarchive/archive_write_disk.c Sat May 21 09:24:02 2016 (r300362) @@ -1649,8 +1649,9 @@ cleanup_pathname_win(struct archive_writ /* * Canonicalize the pathname. In particular, this strips duplicate * '/' characters, '.' elements, and trailing '/'. It also raises an - * error for an empty path, a trailing '..' or (if _SECURE_NODOTDOT is - * set) any '..' in the path. + * error for an empty path, a trailing '..', (if _SECURE_NODOTDOT is + * set) any '..' in the path or (if ARCHIVE_EXTRACT_SECURE_NOABSOLUTEPATHS + * is set) if the path is absolute. */ static int cleanup_pathname(struct archive_write_disk *a) @@ -1670,8 +1671,15 @@ cleanup_pathname(struct archive_write_di return (ARCHIVE_FAILED); #endif /* Skip leading '/'. */ - if (*src == '/') + if (*src == '/') { + if (a->flags & ARCHIVE_EXTRACT_SECURE_NOABSOLUTEPATHS) { + archive_set_error(&a->archive, ARCHIVE_ERRNO_MISC, + "Path is absolute"); + return (ARCHIVE_FAILED); + } + separator = *src++; + } /* Scan the pathname one element at a time. */ for (;;) {