| author | Katariina Lounento <katariina.lounento@vaisala.com> | 2024-10-03 11:11:27 +0300 |
|---|---|---|
| committer | Khem Raj <raj.khem@gmail.com> | 2024-10-03 08:49:50 -0700 |
| commit | 3c9b5b36c8dc619240ac422de2a0aaed0949de08 (patch) | |
| tree | 27ae8a1bf1b39bf0e9bf56add0781da2871f875a /meta-oe/recipes-support/libtar/files/0008-decode-avoid-using-a-static-buffer-in-th_get_pathnam.patch | |
| parent | 7be0d59669f9bc102895bc0596c30805be0eda23 (diff) | |
| download | meta-openembedded-3c9b5b36c8dc619240ac422de2a0aaed0949de08.tar.gz | |
libtar: patch CVEs
cve-check.bbclass reported unpatched vulnerabilities in libtar
[1,2,3,4,5]. The NIST assigned base score for the worst vulnerability
is 9.1 / critical.
The patches were taken from the libtar [6] master branch after the
latest tag v1.2.20 (the changes in libtar master mostly originate from
Fedora and their patches), and from the Fedora 41 libtar source package
[7] and the Debian libtar package 1.2.20-8 [8] where the patches were
not available in the libtar repository itself.
The Fedora patch series was taken in its entirety in order to minimize
differences to Fedora's source tree instead of cherry-picking only CVE
fixes. Minimizing the differences should avoid issues with potential
inter-dependencies between the patches, and hopefully provide better
confidence as even the newest patches have been in use in Fedora for
nearly 2 years (since December 2022; Fedora rpms/libtar.git commit
e25b692fc7ceaa387dafb865b472510754f51bd2). The series includes even the
Fedora patch libtar-1.2.20-no-static-buffer.patch, which contains
changes *) that match the libtar commit
ec613af2e9371d7a3e1f7c7a6822164a4255b4d1 ("decode: avoid using a static
buffer in th_get_pathname()") whose commit message says
Note this can break programs that expect sizeof(TAR) to be fixed.
The patches applied cleanly except for the Fedora srpm patch
libtar-1.2.11-bz729009.patch, which is identical with the pre-existing
meta-oe patch 0002-Do-not-strip-libtar.patch and is thus omitted.
The meta-openembedded recipe does not include any of the patches in
Kirkstone [9] nor the current master [10].
libtar does not have newer releases, and the libtar master doesn't
contain all of the changes included in the patches. Fedora's
libtar.1.2.11-*.patch are not included in the libtar v1.2.20 release
either but only in the master branch after the tag v1.2.20. The version
number in the filename is supposedly due to the patches having been created
originally against v1.2.11 but upstreamed, or at least committed to the
master branch, only after v1.2.20.
The commit metadata could not be practically completed in most of the
cases due to missing commit messages in the original commits and
patches. The informal note about the author ("Authored by") was added to
the patch commit messages where the commit message was missing the
original author(s)' Signed-off-by.
*) The patch also contains the changes split to the libtar commits
495d0c0eabc5648186e7d58ad54b508d14af38f4 ("Check for NULL before
freeing th_pathname") and 20aa09bd7775094a2beb0f136c2c7d9e9fd6c7e6
("Added stdlib.h for malloc() in lib/decode.c"))
[1] https://nvd.nist.gov/vuln/detail/CVE-2021-33643
[2] https://nvd.nist.gov/vuln/detail/CVE-2021-33644
[3] https://nvd.nist.gov/vuln/detail/CVE-2021-33645
[4] https://nvd.nist.gov/vuln/detail/CVE-2021-33646
[5] https://nvd.nist.gov/vuln/detail/CVE-2013-4420
[6] https://repo.or.cz/libtar.git
[7] https://src.fedoraproject.org/rpms/libtar/tree/f41
[8] https://sources.debian.org/patches/libtar/1.2.20-8/CVE-2013-4420.patch/
[9] https://git.openembedded.org/meta-openembedded/tree/meta-oe/recipes-support/libtar/libtar_1.2.20.bb?h=kirkstone&id=9a24b7679810628b594cc5a9b52f77f53d37004f
[10] https://git.openembedded.org/meta-openembedded/tree/meta-oe/recipes-support/libtar/libtar_1.2.20.bb?h=master&id=9356340655b3a4f87f98be88f2d167bb2514a54c
Signed-off-by: Katariina Lounento <katariina.lounento@vaisala.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Diffstat (limited to 'meta-oe/recipes-support/libtar/files/0008-decode-avoid-using-a-static-buffer-in-th_get_pathnam.patch')
| -rw-r--r-- | meta-oe/recipes-support/libtar/files/0008-decode-avoid-using-a-static-buffer-in-th_get_pathnam.patch | 89 |
1 files changed, 89 insertions, 0 deletions
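--- /dev/null
+++ b/meta-oe/recipes-support/libtar/files/0008-decode-avoid-using-a-static-buffer-in-th_get_pathnam.patch
@@ -0,0 +1,89 @@
+From edbee9832475347183a841a8fd5be71f74e10392 Mon Sep 17 00:00:00 2001
+From: Kamil Dudka <kdudka@redhat.com>
+Date: Wed, 23 Oct 2013 15:04:22 +0200
+Subject: [PATCH] decode: avoid using a static buffer in th_get_pathname()
+
+A solution suggested by Chris Frey:
+https://lists.feep.net:8080/pipermail/libtar/2013-October/000377.html
+
+Note this can break programs that expect sizeof(TAR) to be fixed.
+
+Authored by Kamil Dudka <kdudka@redhat.com>.
+
+Upstream-Status: Backport [https://repo.or.cz/libtar.git/commit/ec613af2e9371d7a3e1f7c7a6822164a4255b4d1]
+
+Signed-off-by: Katariina Lounento <katariina.lounento@vaisala.com>
+---
+lib/decode.c | 24 +++++++++++++++++-------
+lib/handle.c | 1 +
+lib/libtar.h | 3 +++
+3 files changed, 21 insertions(+), 7 deletions(-)
+
+diff --git a/lib/decode.c b/lib/decode.c
+index c16ea2d..edb2185 100644
+--- a/lib/decode.c
++++ b/lib/decode.c
+@@ -26,20 +26,30 @@
+char *
+th_get_pathname(TAR *t)
+{
+- static TLS_THREAD char filename[MAXPATHLEN];
+-
+if (t->th_buf.gnu_longname)
+return t->th_buf.gnu_longname;
+
+- if (t->th_buf.prefix[0] != '\0')
++ /* allocate the th_pathname buffer if not already */
++ if (t->th_pathname == NULL)
++ {
++ t->th_pathname = malloc(MAXPATHLEN * sizeof(char));
++ if (t->th_pathname == NULL)
++ /* out of memory */
++ return NULL;
++ }
++
++ if (t->th_buf.prefix[0] == '\0')
++ {
++ snprintf(t->th_pathname, MAXPATHLEN, "%.100s", t->th_buf.name);
++ }
++ else
+{
+- snprintf(filename, sizeof(filename), "%.155s/%.100s",
++ snprintf(t->th_pathname, MAXPATHLEN, "%.155s/%.100s",
+t->th_buf.prefix, t->th_buf.name);
+- return filename;
+}
+
+- snprintf(filename, sizeof(filename), "%.100s", t->th_buf.name);
+- return filename;
++ /* will be deallocated in tar_close() */
++ return t->th_pathname;
+}
+
+
+diff --git a/lib/handle.c b/lib/handle.c
+index 002d23c..a19c046 100644
+--- a/lib/handle.c
++++ b/lib/handle.c
+@@ -122,6 +122,7 @@ tar_close(TAR *t)
+libtar_hash_free(t->h, ((t->oflags & O_ACCMODE) == O_RDONLY
+? free
+: (libtar_freefunc_t)tar_dev_free));
++ free(t->th_pathname);
+free(t);
+
+return i;
+diff --git a/lib/libtar.h b/lib/libtar.h
+index 7fc4d03..08a8e0f 100644
+--- a/lib/libtar.h
++++ b/lib/libtar.h
+@@ -85,6 +85,9 @@ typedef struct
+int options;
+struct tar_header th_buf;
+libtar_hash_t *h;
++
++ /* introduced in libtar 1.2.21 */
++ char *th_pathname;
+}
+TAR;
+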
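Review bot: th_get_pathname() gains a NULL return on the malloc() failure path in the new allocation block, a result it could not produce before, and none of its callers are in this patch to show they check for it; a caller that hands the result straight to printf() or strcpy() would now dereference NULL on allocation failure. The free(t->th_pathname) added to tar_close() and the NULL test in th_get_pathname() both rely on the new field starting out NULL, which depends on how tar_init() allocates the TAR (outside this patch) — if that is a plain malloc() rather than calloc(), the field needs an explicit `t->th_pathname = NULL;` there or free() and the NULL check read an indeterminate pointer. Because the buffer's lifetime now ends at tar_close() instead of being a per-thread static, a pointer obtained before tar_close() and used after it becomes a use-after-free where it used to stay valid. The contract is worth stating on the new struct field or above the function, e.g. `/* set by th_get_pathname(), which returns NULL on allocation failure; owned by the TAR and freed in tar_close() */`.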
