Hello community, here is the log from the commit of package libarchive checked in at Tue Mar 6 09:09:05 CET 2007.
--------
--- libarchive/libarchive.changes 2006-05-19 07:35:06.000000000 +0200
+++ /mounts/work_src_done/STABLE/libarchive/libarchive.changes 2007-03-05 20:20:48.867273000 +0100
@@ -1,0 +2,12 @@
+Fri Nov 10 13:01:38 CET 2006 - mrueckert@suse.de
+
+- added SA-06-24_libarchive.patch:
+ fix DOS in libarchive (CVE-2006-5680)
+ http://security.freebsd.org/advisories/FreeBSD-SA-06:24.libarchive.asc
+
+-------------------------------------------------------------------
+Fri Sep 22 13:03:42 CET 2006 - mrueckert@suse.de
+
+- update to version 1.3.1
+
+-------------------------------------------------------------------
New:
----
SA-06-24_libarchive.patch
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ libarchive.spec ++++++
--- /var/tmp/diff_new_pack.F12594/_old 2007-03-06 09:07:05.000000000 +0100
+++ /var/tmp/diff_new_pack.F12594/_new 2007-03-06 09:07:05.000000000 +0100
@@ -1,7 +1,7 @@
 #
 # spec file for package libarchive (Version 1.3.1)
 #
-# Copyright (c) 2006 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2007 SUSE LINUX Products GmbH, Nuernberg, Germany.
 # This file and all modifications and additions to the pristine
 # package are under the same license as the package itself.
 #
@@ -12,15 +12,20 @@ Name: libarchive Version: 1.3.1 -Release: 1 +Release: 13 +# License: BSD License and BSD-like Group: Development/Libraries/C and C++ +# BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRequires: bzip2 libacl-devel zlib-devel +# URL: http://people.freebsd.org/~kientzle/libarchive/ Source0: http://people.freebsd.org/~kientzle/libarchive/src/libarchive-%{version}.tar.gz Patch: bsdtar-1.2.53_ext2_include.patch Patch1: bsdtar-1.2.53_testsuite.patch +Patch2: SA-06-24_libarchive.patch +# Summary: Libarchive is a programming library that can create and read several different streaming archive formats %description @@ -130,6 +135,7 @@ %setup %patch %patch1 +%patch2 %build %configure @@ -163,7 +169,13 @@ %defattr(-,root,root) %{_bindir}/bsdtar -%changelog -n libarchive +%changelog +* Fri Nov 10 2006 - mrueckert@suse.de +- added SA-06-24_libarchive.patch: + fix DOS in libarchive (CVE-2006-5680) + http://security.freebsd.org/advisories/FreeBSD-SA-06:24.libarchive.asc +* Fri Sep 22 2006 - mrueckert@suse.de +- update to version 1.3.1 * Thu Apr 27 2006 - mrueckert@suse.de - updated to 1.2.53: Upstream merged the source tarball. ++++++ SA-06-24_libarchive.patch ++++++ Index: libarchive/archive_read_support_compression_none.c =================================================================== --- libarchive/archive_read_support_compression_none.c.orig +++ libarchive/archive_read_support_compression_none.c @@ -257,7 +257,9 @@ archive_decompressor_none_read_consume(s } /* - * Skip at most request bytes. Skipped data is marked as consumed. + * Skip forward by exactly the requested bytes or else return + * ARCHIVE_FATAL. Note that this differs from the contract for + * read_ahead, which does not gaurantee a minimum count. */ static ssize_t archive_decompressor_none_skip(struct archive *a, size_t request) 
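Review bot: The rewritten header comment for archive_decompressor_none_skip misspells "guarantee" as `gaurantee`, and it states the error contract more narrowly than the code later in this patch supports. A negative result from the read call in the skip loop is passed back unchanged (`return (bytes_read);`), so callers can see an error code other than ARCHIVE_FATAL. I would word it as `Skip forward by exactly the requested bytes, or return a negative error code (ARCHIVE_FATAL on truncated input).` and correct the spelling. The function body begins after this hunk, so the success return value cannot be confirmed from here.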
@@ -287,9 +289,7 @@ archive_decompressor_none_skip(struct ar
 if (request == 0)
 return (total_bytes_skipped);
 /*
- * If no client_skipper is provided, just read the old way. It is very
- * likely that after skipping, the request has not yet been fully
- * satisfied (and is still > 0). In that case, read as well.
+ * If a client_skipper was provided, try that first.
 */
 if (a->client_skipper != NULL) {
 bytes_skipped = (a->client_skipper)(a, a->client_data,
@@ -307,6 +307,12 @@ archive_decompressor_none_skip(struct ar
 a->raw_position += bytes_skipped;
 state->client_avail = state->client_total = 0;
 }
+ /*
+ * Note that client_skipper will usually not satisfy the
+ * full request (due to low-level blocking concerns),
+ * so even if client_skipper is provided, we may still
+ * have to use ordinary reads to finish out the request.
+ */
 while (request > 0) {
 const void* dummy_buffer;
 ssize_t bytes_read;
@@ -314,6 +320,12 @@ archive_decompressor_none_skip(struct ar
 &dummy_buffer, request);
 if (bytes_read < 0)
 return (bytes_read);
+ if (bytes_read == 0) {
+ /* We hit EOF before we satisfied the skip request. */
+ archive_set_error(a, ARCHIVE_ERRNO_MISC,
+ "Truncated input file (need to skip %d bytes)", (int)request);
+ return (ARCHIVE_FATAL);
+ }
 assert(bytes_read >= 0); /* precondition for cast below */
 min = minimum((size_t)bytes_read, request);
 bytes_read = archive_decompressor_none_read_consume(a, min);
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Remember to have fun...
---------------------------------------------------------------------
To unsubscribe, e-mail: opensuse-commit+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-commit+help@opensuse.org
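Review bot: In the new `bytes_read == 0` branch of the last hunk, `request` is a `size_t` but is printed through `%d` with an `(int)` cast, so a skip request above INT_MAX is reported as a wrapped or negative count, which misleads anyone triaging a malformed archive. Prefer `"Truncated input file (need to skip %lu bytes)", (unsigned long)request);`, provided archive_set_error's formatter accepts that conversion. With this branch in place, `assert(bytes_read >= 0)` just below can no longer fire and could be dropped or tightened to `> 0`. As far as the visible lines show, a zero-length read previously left `request` unchanged, so this branch is what ends the loop; a regression test feeding a truncated uncompressed archive would protect the CVE-2006-5680 fix. The rest of the loop lies outside the hunk.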