On Tue, Dec 6, 2022 at 1:59 PM Randy MacLeod <randy.macl...@windriver.com> wrote:
>
> On 2022-12-06 17:16, Joe Slater wrote:
> > Import a patch from libarchive applied after release 3.6.1.
>
> Thanks Joe.
>
> Steve,
>
> This should apply to langdale as well.

"Should" :-) It doesn't apply cleanly due to: https://git.openembedded.org/openembedded-core-contrib/commit/?h=stable/langdale-nut&id=339055f5abc30ea5dc26184c94a2da39ed46a22f But I'll tweak the patch and see what happens on the autobuilder. Steve > > > > Signed-off-by: Joe Slater <joe.sla...@windriver.com> > > --- > > .../libarchive/cve-2022-36227.patch | 48 +++++++++++++++++++ > > .../libarchive/libarchive_3.6.1.bb | 4 +- > > 2 files changed, 51 insertions(+), 1 deletion(-) > > create mode 100644 > > meta/recipes-extended/libarchive/libarchive/cve-2022-36227.patch > > > > diff --git > > a/meta/recipes-extended/libarchive/libarchive/cve-2022-36227.patch > > b/meta/recipes-extended/libarchive/libarchive/cve-2022-36227.patch > > new file mode 100644 > > index 0000000000..4d13bf6492 > > --- /dev/null > > +++ b/meta/recipes-extended/libarchive/libarchive/cve-2022-36227.patch 
> > @@ -0,0 +1,48 @@ > > +From bff38efe8c110469c5080d387bec62a6ca15b1a5 Mon Sep 17 00:00:00 2001 > > +From: obiwac <obi...@gmail.com> > > +Date: Fri, 22 Jul 2022 22:41:10 +0200 > > +Subject: [PATCH] libarchive: Handle a `calloc` returning NULL (fixes #1754) > > + > > +--- > > + libarchive/archive_write.c | 8 ++++++++ > > + 1 file changed, 8 insertions(+) > > + > > +--- > > +CVE: CVE-2022-36227 > > + > > +Source-Repo: https://github.com/libarchive/libarchive.git > > + > > +Upstream-Status: Backport [bff38efe8c... unmodified] > > + > > +Signed-off-by: Joe Slater <joe.sla...@windriver.com> > > + > > +--- > > +diff --git a/libarchive/archive_write.c b/libarchive/archive_write.c > > +index 66592e82..27626b54 100644 > > +--- a/libarchive/archive_write.c > > ++++ b/libarchive/archive_write.c > > +@@ -201,6 +201,10 @@ __archive_write_allocate_filter(struct archive *_a) > > + struct archive_write_filter *f; > > + > > + f = calloc(1, sizeof(*f)); > > ++ > > ++ if (f == NULL) > > ++ return (NULL); > > ++ > > + f->archive = _a; > > + f->state = ARCHIVE_WRITE_FILTER_STATE_NEW; > > + if (a->filter_first == NULL) > > +@@ -548,6 +552,10 @@ archive_write_open2(struct archive *_a, void > > *client_data, > > + a->client_data = client_data; > > + > > + client_filter = __archive_write_allocate_filter(_a); > > ++ > > ++ if (client_filter == NULL) > > ++ return (ARCHIVE_FATAL); > > ++ > > + client_filter->open = archive_write_client_open; > > + client_filter->write = archive_write_client_write; > > + client_filter->close = archive_write_client_close; > > +-- > > +2.38.1 > > + > > diff --git a/meta/recipes-extended/libarchive/libarchive_3.6.1.bb > > b/meta/recipes-extended/libarchive/libarchive_3.6.1.bb > > index c795b41628..8213940ad3 100644 > > --- a/meta/recipes-extended/libarchive/libarchive_3.6.1.bb > > +++ b/meta/recipes-extended/libarchive/libarchive_3.6.1.bb 
> > @@ -32,7 +32,9 @@ PACKAGECONFIG[zstd] = "--with-zstd,--without-zstd,zstd," > > > > EXTRA_OECONF += "--enable-largefile" > > > > -SRC_URI = "http://libarchive.org/downloads/libarchive-${PV}.tar.gz" > > +SRC_URI = "http://libarchive.org/downloads/libarchive-${PV}.tar.gz \ > > + file://cve-2022-36227.patch" > > + > > UPSTREAM_CHECK_URI = "http://libarchive.org/" > > > > SRC_URI[sha256sum] = > > "c676146577d989189940f1959d9e3980d28513d74eedfbc6b7f15ea45fe54ee2" > > > -- > # Randy MacLeod > # Wind River Linux >
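
Review bot: In the header of the new cve-2022-36227.patch, the `CVE:`, `Upstream-Status:` and `Signed-off-by:` tags sit below the first `---` separator and the diffstat, so they are outside the commit message of the embedded patch and would be dropped if it were re-applied with git am. Moving them directly under the Subject line, above that `---`, keeps them with the change. The Upstream-Status value would also be easier to follow as a Backport reference to the full upstream commit rather than the truncated "bff38efe8c... unmodified".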
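
Review bot: In the `__archive_write_allocate_filter` hunk (@@ -201,6 +201,10), the function can now return NULL, but the only caller this patch updates is `archive_write_open2`. Any other caller that dereferences the returned pointer without a check keeps the same NULL dereference, so the remaining call sites in archive_write.c and the rest of the tree should be checked before relying on this backport alone for CVE-2022-36227.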
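
Review bot: In the `archive_write_open2` hunk (@@ -548,6 +552,10), the new failure path returns `ARCHIVE_FATAL` without recording an error, so a caller inspecting the archive's error string or errno has nothing that says the allocation failed. Since the backport is marked unmodified this is a point to raise upstream rather than change here: a call to archive_set_error with ENOMEM before `return (ARCHIVE_FATAL);` would make the failure diagnosable.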