svn commit: r300362 - stable/9/contrib/libarchive/libarchive

Martin Matuska mm at FreeBSD.org
Sat May 21 09:24:03 UTC 2016


Author: mm
Date: Sat May 21 09:24:02 2016
New Revision: 300362
URL: https://svnweb.freebsd.org/changeset/base/300362

Log:
  Backport security fix for integer signedness error in libarchive.
  This is a direct commit to stable/9.
  
  Upstream git commit:	22531545514043e04633e1c015c7540b9de9dbe4
  
  Security:	CVE-2013-0211

Modified:
  stable/9/contrib/libarchive/libarchive/archive_write_disk.c

Modified: stable/9/contrib/libarchive/libarchive/archive_write_disk.c
==============================================================================
--- stable/9/contrib/libarchive/libarchive/archive_write_disk.c	Sat May 21 09:03:45 2016	(r300361)
+++ stable/9/contrib/libarchive/libarchive/archive_write_disk.c	Sat May 21 09:24:02 2016	(r300362)
@@ -1649,8 +1649,9 @@ cleanup_pathname_win(struct archive_writ
 /*
  * Canonicalize the pathname.  In particular, this strips duplicate
  * '/' characters, '.' elements, and trailing '/'.  It also raises an
- * error for an empty path, a trailing '..' or (if _SECURE_NODOTDOT is
- * set) any '..' in the path.
+ * error for an empty path, a trailing '..', (if _SECURE_NODOTDOT is
+ * set) any '..' in the path or (if ARCHIVE_EXTRACT_SECURE_NOABSOLUTEPATHS
+ * is set) if the path is absolute.
  */
 static int
 cleanup_pathname(struct archive_write_disk *a)
@@ -1670,8 +1671,15 @@ cleanup_pathname(struct archive_write_di
 		return (ARCHIVE_FAILED);
 #endif
 	/* Skip leading '/'. */
-	if (*src == '/')
+	if (*src == '/') {
+		if (a->flags & ARCHIVE_EXTRACT_SECURE_NOABSOLUTEPATHS) {
+			archive_set_error(&a->archive, ARCHIVE_ERRNO_MISC,
+			                  "Path is absolute");
+			return (ARCHIVE_FAILED);
+		}
+
 		separator = *src++;
+	}
 
 	/* Scan the pathname one element at a time. */
 	for (;;) {


More information about the svn-src-stable-9 mailing list