1 files changed, 42 insertions, 0 deletions

diff --git a/meta-oe/recipes-support/libtar/files/CVE-2021-33640-CVE-2021-33645-CVE-2021-33646.patch b/meta-oe/recipes-support/libtar/files/CVE-2021-33640-CVE-2021-33645-CVE-2021-33646.patch
new file mode 100644
index 000000000..0a2773fae
--- /dev/null
+++ b/meta-oe/recipes-support/libtar/files/CVE-2021-33640-CVE-2021-33645-CVE-2021-33646.patch
@@ -0,0 +1,42 @@
+From e590423f62cf5bc922ff4a1f7eab9bf7d65ee472 Mon Sep 17 00:00:00 2001
+From: Kamil Dudka <kdudka@redhat.com>
+Date: Tue, 4 Oct 2022 10:39:35 +0200
+Subject: [PATCH] free memory allocated by gnu_long* fields
+
+Authored by Kamil Dudka <kdudka@redhat.com>.
+
+meta-openembedded uses Debian's release tarball [1]. Debian uses
+repo.or.cz/libtar.git as their upstream [2]. repo.or.cz/libtar.git has
+been inactive since 2013 [3].
+
+CVE: CVE-2021-33640 CVE-2021-33645 CVE-2021-33646
+
+Upstream-Status: Inactive-Upstream [lastrelease: 2013 lastcommit: 2013]
+
+[1] https://git.openembedded.org/meta-openembedded/tree/meta-oe/recipes-support/libtar/libtar_1.2.20.bb?h=master#n8
+[2] http://svn.kibibyte.se/libtar/trunk/debian/control (rev 51; not tagged)
+[3] https://repo.or.cz/libtar.git/shortlog/refs/heads/master
+
+Signed-off-by: Katariina Lounento <katariina.lounento@vaisala.com>
+---
+ lib/handle.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/lib/handle.c b/lib/handle.c
+index 28a7dc2..18bd8dc 100644
+--- a/lib/handle.c
++++ b/lib/handle.c
+@@ -122,8 +122,11 @@ tar_close(TAR *t)
+                libtar_hash_free(t->h, ((t->oflags & O_ACCMODE) == O_RDONLY
+                                        ? free
+                                        : (libtar_freefunc_t)tar_dev_free));
+-       if (t->th_pathname != NULL)
+-               free(t->th_pathname);
++
++       free(t->th_pathname);
++       free(t->th_buf.gnu_longname);
++       free(t->th_buf.gnu_longlink);
++
+        free(t);
+ 
+        return i;