1 files changed, 160 insertions, 0 deletions
diff --git a/meta-oe/recipes-support/libtar/files/CVE-2013-4420.patch b/meta-oe/recipes-support/libtar/files/CVE-2013-4420.patch
new file mode 100644
index 0000000000..93b35cbcd3
--- /dev/null
+++ b/meta-oe/recipes-support/libtar/files/CVE-2013-4420.patch
@@ -0,0 +1,160 @@
+From 2c81f47508fa6bce9df84e3b43dfb16dffb742a0 Mon Sep 17 00:00:00 2001
+From: Raphael Geissert <geissert@debian.org>
+Date: Thu, 12 Sep 2024 15:51:05 +0300
+Subject: [PATCH] Avoid directory traversal when extracting archives
+Description of the vulnerability from the NIST CVE tracker [1]:
+    Multiple directory traversal vulnerabilities in the (1)
+    tar_extract_glob and (2) tar_extract_all functions in libtar 1.2.20
+    and earlier allow remote attackers to overwrite arbitrary files via
+    a .. (dot dot) in a crafted tar file.
+Imported from the Debian libtar package 1.2.20-8 [2]. Original Debian
+description:
+    Author: Raphael Geissert <geissert@debian.org>
+    Bug-Debian: https://bugs.debian.org/731860
+    Description: Avoid directory traversal when extracting archives
+    by skipping over leading slashes and any prefix containing ".." components.
+    Forwarded: yes
+meta-openembedded uses Debian's release tarball [3]. Debian uses
+repo.or.cz/libtar.git as their upstream [4]. repo.or.cz/libtar.git has
+been inactive since 2013 [5].
+CVE: CVE-2013-4420
+Upstream-Status: Inactive-Upstream [lastrelease: 2013 lastcommit: 2013]
+Comments: Added the commit message
+[1] https://nvd.nist.gov/vuln/detail/CVE-2013-4420
+[2] https://sources.debian.org/patches/libtar/1.2.20-8/CVE-2013-4420.patch/
+[3] https://git.openembedded.org/meta-openembedded/tree/meta-oe/recipes-support/libtar/libtar_1.2.20.bb?h=master#n8
+[4] http://svn.kibibyte.se/libtar/trunk/debian/control (rev 51; not tagged)
+[5] https://repo.or.cz/libtar.git/shortlog/refs/heads/master
+Signed-off-by: Katariina Lounento <katariina.lounento@vaisala.com>
+---
+ lib/decode.c   | 33 +++++++++++++++++++++++++++++++--
+ lib/extract.c  |  8 ++++----
+ lib/internal.h |  1 +
+ lib/output.c   |  4 ++--
+ 4 files changed, 38 insertions(+), 8 deletions(-)
+diff --git a/lib/decode.c b/lib/decode.c
+index 35312be..edd5f2e 100644
+--- a/lib/decode.c
+++ b/lib/decode.c
+@@ -22,13 +22,42 @@
+ # include <string.h>
+ #endif
+ 
+char *
+safer_name_suffix (char const *file_name)
+{
+       char const *p, *t;
+       p = t = file_name;
+       while (*p == '/') t = ++p;
+       while (*p)
+       {
+               while (p[0] == '.' && p[0] == p[1] && p[2] == '/')
+               {
+                       p += 3;
+                       t = p;
+               }
+               /* advance pointer past the next slash */
+               while (*p && (p++)[0] != '/');
+       }
+
+       if (!*t)
+       {
+               t = ".";
+       }
+
+       if (t != file_name)
+       {
+               /* TODO: warn somehow that the path was modified */
+       }
+       return (char*)t;
+}
+
+ 
+ /* determine full path name */
+ char *
+ th_get_pathname(TAR *t)
+ {
+        if (t->th_buf.gnu_longname)
+-               return t->th_buf.gnu_longname;
+               return safer_name_suffix(t->th_buf.gnu_longname);
+ 
+        /* allocate the th_pathname buffer if not already */
+        if (t->th_pathname == NULL)
+@@ -50,7 +79,7 @@ th_get_pathname(TAR *t)
+        }
+ 
+        /* will be deallocated in tar_close() */
+-       return t->th_pathname;
+       return safer_name_suffix(t->th_pathname);
+ }
+ 
+ 
+diff --git a/lib/extract.c b/lib/extract.c
+index 9fc6ad5..4ff1a95 100644
+--- a/lib/extract.c
+++ b/lib/extract.c
+@@ -302,14 +302,14 @@ tar_extract_hardlink(TAR * t, char *realname)
+        if (mkdirhier(dirname(filename)) == -1)
+                return -1;
+        libtar_hashptr_reset(&hp);
+-       if (libtar_hash_getkey(t->h, &hp, th_get_linkname(t),
+       if (libtar_hash_getkey(t->h, &hp, safer_name_suffix(th_get_linkname(t)),
+                               (libtar_matchfunc_t)libtar_str_match) != 0)
+        {
+                lnp = (char *)libtar_hashptr_data(&hp);
+                linktgt = &lnp[strlen(lnp) + 1];
+        }
+        else
+-               linktgt = th_get_linkname(t);
+               linktgt = safer_name_suffix(th_get_linkname(t));
+ 
+ #ifdef DEBUG
+        printf("  ==> extracting: %s (link to %s)\n", filename, linktgt);
+@@ -347,9 +347,9 @@ tar_extract_symlink(TAR *t, char *realname)
+ 
+ #ifdef DEBUG
+        printf("  ==> extracting: %s (symlink to %s)\n",
+-              filename, th_get_linkname(t));
+              filename, safer_name_suffix(th_get_linkname(t)));
+ #endif
+-       if (symlink(th_get_linkname(t), filename) == -1)
+       if (symlink(safer_name_suffix(th_get_linkname(t)), filename) == -1)
+        {
+ #ifdef DEBUG
+                perror("symlink()");
+diff --git a/lib/internal.h b/lib/internal.h
+index da7be7f..f05ca4f 100644
+--- a/lib/internal.h
+++ b/lib/internal.h
+@@ -21,3 +21,4 @@
+ #define TLS_THREAD
+ #endif
+ 
+char* safer_name_suffix(char const*);
+diff --git a/lib/output.c b/lib/output.c
+index a5262ee..af754f1 100644
+--- a/lib/output.c
+++ b/lib/output.c
+@@ -124,9 +124,9 @@ th_print_long_ls(TAR *t)
+                else
+                        printf(" link to ");
+                if ((t->options & TAR_GNU) && t->th_buf.gnu_longlink != NULL)
+-                       printf("%s", t->th_buf.gnu_longlink);
+                       printf("%s", safer_name_suffix(t->th_buf.gnu_longlink));
+                else
+-                       printf("%.100s", t->th_buf.linkname);
+                       printf("%.100s", safer_name_suffix(t->th_buf.linkname));
+        }
+ 
+        putchar('\n');

diff --git a/meta-oe/recipes-support/libtar/files/CVE-2013-4420.patch b/meta-oe/recipes-support/libtar/files/CVE-2013-4420.patch new file mode 100644 index 0000000000..93b35cbcd3 --- /dev/null +++ b/meta-oe/recipes-support/libtar/files/CVE-2013-4420.patch
@@ -0,0 +1,160 @@
	1	From 2c81f47508fa6bce9df84e3b43dfb16dffb742a0 Mon Sep 17 00:00:00 2001
	2	From: Raphael Geissert <geissert@debian.org>
	3	Date: Thu, 12 Sep 2024 15:51:05 +0300
	4	Subject: [PATCH] Avoid directory traversal when extracting archives
	5
	6	Description of the vulnerability from the NIST CVE tracker [1]:
	7
	8	Multiple directory traversal vulnerabilities in the (1)
	9	tar_extract_glob and (2) tar_extract_all functions in libtar 1.2.20
	10	and earlier allow remote attackers to overwrite arbitrary files via
	11	a .. (dot dot) in a crafted tar file.
	12
	13	Imported from the Debian libtar package 1.2.20-8 [2]. Original Debian
	14	description:
	15
	16	Author: Raphael Geissert <geissert@debian.org>
	17	Bug-Debian: https://bugs.debian.org/731860
	18	Description: Avoid directory traversal when extracting archives
	19	by skipping over leading slashes and any prefix containing ".." components.
	20	Forwarded: yes
	21
	22	meta-openembedded uses Debian's release tarball [3]. Debian uses
	23	repo.or.cz/libtar.git as their upstream [4]. repo.or.cz/libtar.git has
	24	been inactive since 2013 [5].
	25
	26	CVE: CVE-2013-4420
	27
	28	Upstream-Status: Inactive-Upstream [lastrelease: 2013 lastcommit: 2013]
	29
	30	Comments: Added the commit message
	31
	32	[1] https://nvd.nist.gov/vuln/detail/CVE-2013-4420
	33	[2] https://sources.debian.org/patches/libtar/1.2.20-8/CVE-2013-4420.patch/
	34	[3] https://git.openembedded.org/meta-openembedded/tree/meta-oe/recipes-support/libtar/libtar_1.2.20.bb?h=master#n8
	35	[4] http://svn.kibibyte.se/libtar/trunk/debian/control (rev 51; not tagged)
	36	[5] https://repo.or.cz/libtar.git/shortlog/refs/heads/master
	37
	38	Signed-off-by: Katariina Lounento <katariina.lounento@vaisala.com>
	39	---
	40	lib/decode.c \| 33 +++++++++++++++++++++++++++++++--
	41	lib/extract.c \| 8 ++++----
	42	lib/internal.h \| 1 +
	43	lib/output.c \| 4 ++--
	44	4 files changed, 38 insertions(+), 8 deletions(-)
	45
	46	diff --git a/lib/decode.c b/lib/decode.c
	47	index 35312be..edd5f2e 100644
	48	--- a/lib/decode.c
	49	+++ b/lib/decode.c
	50	@@ -22,13 +22,42 @@
	51	# include <string.h>
	52	#endif
	53
	54	+char *
	55	+safer_name_suffix (char const *file_name)
	56	+{
	57	+ char const p, t;
	58	+ p = t = file_name;
	59	+ while (*p == '/') t = ++p;
	60	+ while (*p)
	61	+ {
	62	+ while (p[0] == '.' && p[0] == p[1] && p[2] == '/')
	63	+ {
	64	+ p += 3;
	65	+ t = p;
	66	+ }
	67	+ /* advance pointer past the next slash */
	68	+ while (*p && (p++)[0] != '/');
	69	+ }
	70	+
	71	+ if (!*t)
	72	+ {
	73	+ t = ".";
	74	+ }
	75	+
	76	+ if (t != file_name)
	77	+ {
	78	+ /* TODO: warn somehow that the path was modified */
	79	+ }
	80	+ return (char*)t;
	81	+}
	82	+
	83
	84	/* determine full path name */
	85	char *
	86	th_get_pathname(TAR *t)
	87	{
	88	if (t->th_buf.gnu_longname)
	89	- return t->th_buf.gnu_longname;
	90	+ return safer_name_suffix(t->th_buf.gnu_longname);
	91
	92	/* allocate the th_pathname buffer if not already */
	93	if (t->th_pathname == NULL)
	94	@@ -50,7 +79,7 @@ th_get_pathname(TAR *t)
	95	}
	96
	97	/* will be deallocated in tar_close() */
	98	- return t->th_pathname;
	99	+ return safer_name_suffix(t->th_pathname);
	100	}
	101
	102
	103	diff --git a/lib/extract.c b/lib/extract.c
	104	index 9fc6ad5..4ff1a95 100644
	105	--- a/lib/extract.c
	106	+++ b/lib/extract.c
	107	@@ -302,14 +302,14 @@ tar_extract_hardlink(TAR * t, char *realname)
	108	if (mkdirhier(dirname(filename)) == -1)
	109	return -1;
	110	libtar_hashptr_reset(&hp);
	111	- if (libtar_hash_getkey(t->h, &hp, th_get_linkname(t),
	112	+ if (libtar_hash_getkey(t->h, &hp, safer_name_suffix(th_get_linkname(t)),
	113	(libtar_matchfunc_t)libtar_str_match) != 0)
	114	{
	115	lnp = (char *)libtar_hashptr_data(&hp);
	116	linktgt = &lnp[strlen(lnp) + 1];
	117	}
	118	else
	119	- linktgt = th_get_linkname(t);
	120	+ linktgt = safer_name_suffix(th_get_linkname(t));
	121
	122	#ifdef DEBUG
	123	printf(" ==> extracting: %s (link to %s)\n", filename, linktgt);
	124	@@ -347,9 +347,9 @@ tar_extract_symlink(TAR t, char realname)
	125
	126	#ifdef DEBUG
	127	printf(" ==> extracting: %s (symlink to %s)\n",
	128	- filename, th_get_linkname(t));
	129	+ filename, safer_name_suffix(th_get_linkname(t)));
	130	#endif
	131	- if (symlink(th_get_linkname(t), filename) == -1)
	132	+ if (symlink(safer_name_suffix(th_get_linkname(t)), filename) == -1)
	133	{
	134	#ifdef DEBUG
	135	perror("symlink()");
	136	diff --git a/lib/internal.h b/lib/internal.h
	137	index da7be7f..f05ca4f 100644
	138	--- a/lib/internal.h
	139	+++ b/lib/internal.h
	140	@@ -21,3 +21,4 @@
	141	#define TLS_THREAD
	142	#endif
	143
	144	+char* safer_name_suffix(char const*);
	145	diff --git a/lib/output.c b/lib/output.c
	146	index a5262ee..af754f1 100644
	147	--- a/lib/output.c
	148	+++ b/lib/output.c
	149	@@ -124,9 +124,9 @@ th_print_long_ls(TAR *t)
	150	else
	151	printf(" link to ");
	152	if ((t->options & TAR_GNU) && t->th_buf.gnu_longlink != NULL)
	153	- printf("%s", t->th_buf.gnu_longlink);
	154	+ printf("%s", safer_name_suffix(t->th_buf.gnu_longlink));
	155	else
	156	- printf("%.100s", t->th_buf.linkname);
	157	+ printf("%.100s", safer_name_suffix(t->th_buf.linkname));
	158	}
	159
	160	putchar('\n');