FS#75474 - [security] [libarchive] null pointer dereference
Attached to Project:
Arch Linux
Opened by T.J. Townsend (blakkheim) - Monday, 01 August 2022, 00:48 GMT
Last edited by Christian Hesse (eworm) - Monday, 01 August 2022, 21:38 GMT
Opened by T.J. Townsend (blakkheim) - Monday, 01 August 2022, 00:48 GMT
Last edited by Christian Hesse (eworm) - Monday, 01 August 2022, 21:38 GMT
|
Details
Description:
The libarchive package has a null pointer dereference bug that has been fixed upstream. Separately there was another oss-fuzz fix committed that may be relevant to security. The attached diff adds both fixes to the PKGBUILD. Applying the second commit's full patch breaks one of the tests in "make check" (likely because it's missing another commit to that file) so I opted to use: git apply --include=archive_read_support_format_tar.c to only apply the relevant part of the full change. This adds git to makedepends, which isn't pretty, but it works. If you'd rather manually download the patch, edit it, and put that file in SVN, that's ok too. Additional info: https://github.com/libarchive/libarchive/issues/1754 https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=48467 
libarchive.diff
(1.4 KiB)
|
This task depends upon
Closed by Christian Hesse (eworm)
Monday, 01 August 2022, 21:38 GMT
Reason for closing: Fixed
Additional comments about closing: libarchive 3.6.1-2
Monday, 01 August 2022, 21:38 GMT
Reason for closing: Fixed
Additional comments about closing: libarchive 3.6.1-2