Hello community, here is the log from the commit of package libarchive for openSUSE:Factory checked in at 2014-11-24 11:15:38 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/libarchive (Old) and /work/SRC/openSUSE:Factory/.libarchive.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "libarchive" Changes: -------- --- /work/SRC/openSUSE:Factory/libarchive/libarchive.changes 2014-06-05 10:49:40.000000000 +0200 +++ /work/SRC/openSUSE:Factory/.libarchive.new/libarchive.changes 2014-11-24 11:15:39.000000000 +0100 @@ -1,0 +2,5 @@ +Tue Nov 11 12:07:46 UTC 2014 - jsegitz@novell.com + +- Added CVE-2013-0211.patch to fix CVE-2013-0211 (bnc#800024) + +------------------------------------------------------------------- New: ---- CVE-2013-0211.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ libarchive.spec ++++++ --- /var/tmp/diff_new_pack.dgHdzJ/_old 2014-11-24 11:15:40.000000000 +0100 +++ /var/tmp/diff_new_pack.dgHdzJ/_new 2014-11-24 11:15:40.000000000 +0100 @@ -56,6 +56,7 @@ BuildRequires: zlib-devel Patch0: libarchive-openssl.patch Patch1: libarchive-xattr.patch +Patch2: CVE-2013-0211.patch %description Libarchive is a programming library that can create and read several @@ -165,6 +166,7 @@ %patch0 %endif %patch1 -p1 +%patch2 -p1 %build autoreconf -fiv %global optflags %{optflags} -D_REENTRANT -pipe ++++++ CVE-2013-0211.patch ++++++ Index: libarchive-3.1.2/libarchive/archive_write.c =================================================================== --- libarchive-3.1.2.orig/libarchive/archive_write.c +++ libarchive-3.1.2/libarchive/archive_write.c @@ -671,8 +671,13 @@ static ssize_t _archive_write_data(struct archive *_a, const void *buff, size_t s) { struct archive_write *a = (struct archive_write *)_a; + size_t max_write = INT_MAX; + archive_check_magic(&a->archive, ARCHIVE_WRITE_MAGIC, ARCHIVE_STATE_DATA, "archive_write_data"); + /* This catches attempts to pass negative values. */ + if (s > max_write) + s = max_write; archive_clear_error(&a->archive); return ((a->format_write_data)(a, buff, s)); } -- To unsubscribe, e-mail: opensuse-commit+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-commit+help@opensuse.org