cpio: fix CVE-2016-2037

"The cpio_safer_name_suffix function in util.c in cpio 2.11 allows remote attackers to cause a denial of service (out-of-bounds write) via a crafted cpio file." https://nvd.nist.gov/vuln/detail/CVE-2016-2037 Note that there appear to be two versions of this fix. The original patch posted to the bug-cpio mailing list [1] is used by Debian [2], but apparently causes regression [3]. The patch accepted to the upstream git repo [4] seems to be the most complete fix. [1] https://lists.gnu.org/archive/html/bug-cpio/2016-01/msg00005.html [2] https://security-tracker.debian.org/tracker/CVE-2016-2037 [3] https://www.mail-archive.com/bug-cpio@gnu.org/msg00584.html [4] http://git.savannah.gnu.org/cgit/cpio.git/commit/?id=d36ec5f4e93130efb24fb9678aafd88e8070095b (From OE-Core rev: f170288ac706126e69a504a14d564b2e5c3513e4) Signed-off-by: Andre McCurdy <armccurdy@gmail.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Andre McCurdy <armccurdy@gmail.com> 2018-05-24 17:14:19 -0700
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2018-06-15 17:56:24 +0100
commit: 31a87d4d1dc80c6054c15a6f7dbc83b4d79bf0b2 (patch)
tree: 750028c0d52529c6775317f8a4dbbebec338f9db
parent: a0a395a8c614277cdbfe3f13ae7f200c85d1f2b5 (diff)
download: poky-31a87d4d1dc80c6054c15a6f7dbc83b4d79bf0b2.tar.gz
2 files changed, 347 insertions, 0 deletions
diff --git a/meta/recipes-extended/cpio/cpio-2.12/0001-CVE-2016-2037-1-byte-out-of-bounds-write.patch b/meta/recipes-extended/cpio/cpio-2.12/0001-CVE-2016-2037-1-byte-out-of-bounds-write.patch
new file mode 100644
index 0000000000..0a3054483c
--- /dev/null
+++ b/meta/recipes-extended/cpio/cpio-2.12/0001-CVE-2016-2037-1-byte-out-of-bounds-write.patch
@@ -0,0 +1,346 @@
+From ebf9a2d776474181936a720ce811d72bbd1da3b6 Mon Sep 17 00:00:00 2001
+From: Pavel Raiskup <praiskup@redhat.com>
+Date: Tue, 26 Jan 2016 23:17:54 +0100
+Subject: [PATCH] CVE-2016-2037 - 1 byte out-of-bounds write
+Ensure that cpio_safer_name_suffix always works with dynamically
+allocated buffer, and that it has size of at least 32 bytes.
+Then, any call to cpio_safer_name_suffix is safe (it requires at
+least 2 bytes in the buffer).
+Also ensure that c_namesize is always correctly initialized (by
+cpio_set_c_name) to avoid undefined behavior when reading
+file_hdr.c_namesize (previously happened for tar archives).
+References:
+http://www.mail-archive.com/bug-cpio@gnu.org/msg00545.html
+* src/copyin.c (query_rename): Drop the hack, as we now work with
+dynamically allocated buffer.  Use cpio_set_c_name.
+(create_defered_links_to_skipped): Use cpio_set_c_name rather than
+manual assignment.
+(read_name_from_file): New function to avoid C&P.
+(read_in_old_ascii, read_in_new_ascii, read_in_binary): Use
+read_name_from_file.
+(process_copy_in): Initialize file_hdr.c_namesize.
+* src/copyout.c (process_copy_out): Use cpio_set_c_name.
+* src/cpiohdr.h (cpio_set_c_name): New prototype.
+* src/tar.c (read_in_tar_header): Use cpio_set_c_name.
+* src/util.c (cpio_set_c_name): New function to set
+file_hdr->c_name and c_namesize from arbitrary string.
+(cpio_safer_name_suffix): Some docs fixes.
+* tests/inout.at: Also test copy-in, and try various formats.
+CVE: CVE-2016-2037
+Upstream-Status: Backport [http://git.savannah.gnu.org/cgit/cpio.git/commit/?id=d36ec5f4e93130efb24fb9678aafd88e8070095b]
+Signed-off-by: Andre McCurdy <armccurdy@gmail.com>
+---
+ src/copyin.c   | 68 +++++++++++++++++++---------------------------------------
+ src/copyout.c  | 13 +++++------
+ src/cpiohdr.h  |  1 +
+ src/tar.c      | 10 +++++----
+ src/util.c     | 32 ++++++++++++++++++++++++++-
+ tests/inout.at | 19 ++++++++++++++--
+ 6 files changed, 82 insertions(+), 61 deletions(-)
+diff --git a/src/copyin.c b/src/copyin.c
+index cde911e..972f8a6 100644
+--- a/src/copyin.c
+++ b/src/copyin.c
+@@ -76,28 +76,7 @@ query_rename(struct cpio_file_stat* file_hdr, FILE *tty_in, FILE *tty_out,
+       return -1;
+     }
+   else
+-  /* Debian hack: file_hrd.c_name is sometimes set to
+-     point to static memory by code in tar.c.  This
+-     causes a segfault.  This has been fixed and an
+-     additional check to ensure that the file name
+-     is not too long has been added.  (Reported by
+-     Horst Knobloch.)  This bug has been reported to
+-     "bug-gnu-utils@prep.ai.mit.edu". (99/1/6) -BEM */
+-    {
+-      if (archive_format != arf_tar && archive_format != arf_ustar)
+-       {
+-         free (file_hdr->c_name);
+-         file_hdr->c_name = xstrdup (new_name.ds_string);
+-       }
+-      else
+-       {
+-         if (is_tar_filename_too_long (new_name.ds_string))
+-           error (0, 0, _("%s: file name too long"),
+-                  new_name.ds_string);
+-         else
+-           strcpy (file_hdr->c_name, new_name.ds_string);
+-       }
+-    }
+    cpio_set_c_name (file_hdr, new_name.ds_string);
+   return 0;
+ }
+ 
+@@ -344,8 +323,7 @@ create_defered_links_to_skipped (struct cpio_file_stat *file_hdr,
+            d_prev->next = d->next;
+          else
+            deferments = d->next;
+-         free (file_hdr->c_name);
+-         file_hdr->c_name = xstrdup(d->header.c_name);
+         cpio_set_c_name (file_hdr, d->header.c_name);
+          free_deferment (d);
+          copyin_regular_file(file_hdr, in_file_des);
+          return 0;
+@@ -1064,6 +1042,22 @@ read_in_header (struct cpio_file_stat *file_hdr, int in_des)
+     }
+ }
+ 
+static void
+read_name_from_file (struct cpio_file_stat *file_hdr, int fd, uintmax_t len)
+{
+  static char *tmp_filename;
+  static size_t buflen;
+
+  if (buflen < len)
+    {
+      buflen = len;
+      tmp_filename = xrealloc (tmp_filename, buflen);
+    }
+
+  tape_buffered_read (tmp_filename, fd, len);
+  cpio_set_c_name (file_hdr, tmp_filename);
+}
+
+ /* Fill in FILE_HDR by reading an old-format ASCII format cpio header from
+    file descriptor IN_DES, except for the magic number, which is
+    already filled in.  */
+@@ -1090,14 +1084,8 @@ read_in_old_ascii (struct cpio_file_stat *file_hdr, int in_des)
+   file_hdr->c_rdev_min = minor (dev);
+ 
+   file_hdr->c_mtime = FROM_OCTAL (ascii_header.c_mtime);
+-  file_hdr->c_namesize = FROM_OCTAL (ascii_header.c_namesize);
+   file_hdr->c_filesize = FROM_OCTAL (ascii_header.c_filesize);
+-  
+-  /* Read file name from input.  */
+-  if (file_hdr->c_name != NULL)
+-    free (file_hdr->c_name);
+-  file_hdr->c_name = (char *) xmalloc (file_hdr->c_namesize + 1);
+-  tape_buffered_read (file_hdr->c_name, in_des, (long) file_hdr->c_namesize);
+  read_name_from_file (file_hdr, in_des, FROM_OCTAL (ascii_header.c_namesize));
+ 
+   /* HP/UX cpio creates archives that look just like ordinary archives,
+      but for devices it sets major = 0, minor = 1, and puts the
+@@ -1152,14 +1140,8 @@ read_in_new_ascii (struct cpio_file_stat *file_hdr, int in_des)
+   file_hdr->c_dev_min = FROM_HEX (ascii_header.c_dev_min);
+   file_hdr->c_rdev_maj = FROM_HEX (ascii_header.c_rdev_maj);
+   file_hdr->c_rdev_min = FROM_HEX (ascii_header.c_rdev_min);
+-  file_hdr->c_namesize = FROM_HEX (ascii_header.c_namesize);
+   file_hdr->c_chksum = FROM_HEX (ascii_header.c_chksum);
+-  
+-  /* Read file name from input.  */
+-  if (file_hdr->c_name != NULL)
+-    free (file_hdr->c_name);
+-  file_hdr->c_name = (char *) xmalloc (file_hdr->c_namesize);
+-  tape_buffered_read (file_hdr->c_name, in_des, (long) file_hdr->c_namesize);
+  read_name_from_file (file_hdr, in_des, FROM_HEX (ascii_header.c_namesize));
+ 
+   /* In SVR4 ASCII format, the amount of space allocated for the header
+      is rounded up to the next long-word, so we might need to drop
+@@ -1207,16 +1189,9 @@ read_in_binary (struct cpio_file_stat *file_hdr,
+   file_hdr->c_rdev_min = minor (short_hdr->c_rdev);
+   file_hdr->c_mtime = (unsigned long) short_hdr->c_mtimes[0] << 16
+                       | short_hdr->c_mtimes[1];
+-
+-  file_hdr->c_namesize = short_hdr->c_namesize;
+   file_hdr->c_filesize = (unsigned long) short_hdr->c_filesizes[0] << 16
+                       | short_hdr->c_filesizes[1];
+-
+-  /* Read file name from input.  */
+-  if (file_hdr->c_name != NULL)
+-    free (file_hdr->c_name);
+-  file_hdr->c_name = (char *) xmalloc (file_hdr->c_namesize);
+-  tape_buffered_read (file_hdr->c_name, in_des, (long) file_hdr->c_namesize);
+  read_name_from_file (file_hdr, in_des, short_hdr->c_namesize);
+ 
+   /* In binary mode, the amount of space allocated in the header for
+      the filename is `c_namesize' rounded up to the next short-word,
+@@ -1297,6 +1272,7 @@ process_copy_in ()
+       read_pattern_file ();
+     }
+   file_hdr.c_name = NULL;
+  file_hdr.c_namesize = 0;
+ 
+   if (rename_batch_file)
+     {
+diff --git a/src/copyout.c b/src/copyout.c
+index 1f0987a..bb39559 100644
+--- a/src/copyout.c
+++ b/src/copyout.c
+@@ -660,8 +660,7 @@ process_copy_out ()
+          cpio_safer_name_suffix (input_name.ds_string, false,
+                                  !no_abs_paths_flag, true);
+ #ifndef HPUX_CDF
+-         file_hdr.c_name = input_name.ds_string;
+-         file_hdr.c_namesize = strlen (input_name.ds_string) + 1;
+         cpio_set_c_name (&file_hdr, input_name.ds_string);
+ #else
+          if ( (archive_format != arf_tar) && (archive_format != arf_ustar) )
+            {
+@@ -670,16 +669,15 @@ process_copy_out ()
+                 properly recreate the directory as hidden (in case the
+                 files of a directory go into the archive before the
+                 directory itself (e.g from "find ... -depth ... | cpio")).  */
+-             file_hdr.c_name = add_cdf_double_slashes (input_name.ds_string);
+-             file_hdr.c_namesize = strlen (file_hdr.c_name) + 1;
+              cpio_set_c_name (&file_hdr,
+                               add_cdf_double_slashes (input_name.ds_string));
+            }
+          else
+            {
+              /* We don't mark CDF's in tar files.  We assume the "hidden"
+                 directory will always go into the archive before any of
+                 its files.  */
+-             file_hdr.c_name = input_name.ds_string;
+-             file_hdr.c_namesize = strlen (input_name.ds_string) + 1;
+              cpio_set_c_name (&file_hdr, input_name.ds_string);
+            }
+ #endif
+ 
+@@ -866,8 +864,7 @@ process_copy_out ()
+   file_hdr.c_chksum = 0;
+ 
+   file_hdr.c_filesize = 0;
+-  file_hdr.c_namesize = 11;
+-  file_hdr.c_name = CPIO_TRAILER_NAME;
+  cpio_set_c_name (&file_hdr, CPIO_TRAILER_NAME);
+   if (archive_format != arf_tar && archive_format != arf_ustar)
+     write_out_header (&file_hdr, out_file_des);
+   else
+diff --git a/src/cpiohdr.h b/src/cpiohdr.h
+index b29e6fb..f4c63be 100644
+--- a/src/cpiohdr.h
+++ b/src/cpiohdr.h
+@@ -129,5 +129,6 @@ struct cpio_file_stat /* Internal representation of a CPIO header */
+   char *c_tar_linkname;
+ };
+ 
+void cpio_set_c_name(struct cpio_file_stat *file_hdr, char *name);
+ 
+ #endif /* cpiohdr.h */
+diff --git a/src/tar.c b/src/tar.c
+index a2ce171..e41f89d 100644
+--- a/src/tar.c
+++ b/src/tar.c
+@@ -282,7 +282,7 @@ read_in_tar_header (struct cpio_file_stat *file_hdr, int in_des)
+       if (null_block ((long *) &tar_rec, TARRECORDSIZE))
+ #endif
+        {
+-         file_hdr->c_name = CPIO_TRAILER_NAME;
+         cpio_set_c_name (file_hdr, CPIO_TRAILER_NAME);
+          return;
+        }
+ #if 0
+@@ -316,9 +316,11 @@ read_in_tar_header (struct cpio_file_stat *file_hdr, int in_des)
+        }
+ 
+       if (archive_format != arf_ustar)
+-       file_hdr->c_name = stash_tar_filename (NULL, tar_hdr->name);
+        cpio_set_c_name (file_hdr, stash_tar_filename (NULL, tar_hdr->name));
+       else
+-       file_hdr->c_name = stash_tar_filename (tar_hdr->prefix, tar_hdr->name);
+        cpio_set_c_name (file_hdr, stash_tar_filename (tar_hdr->prefix,
+                                                      tar_hdr->name));
+
+       file_hdr->c_nlink = 1;
+       file_hdr->c_mode = FROM_OCTAL (tar_hdr->mode);
+       file_hdr->c_mode = file_hdr->c_mode & 07777;
+@@ -398,7 +400,7 @@ read_in_tar_header (struct cpio_file_stat *file_hdr, int in_des)
+        case AREGTYPE:
+          /* Old tar format; if the last char in filename is '/' then it is
+             a directory, otherwise it's a regular file.  */
+-         if (file_hdr->c_name[strlen (file_hdr->c_name) - 1] == '/')
+         if (file_hdr->c_name[file_hdr->c_namesize - 1] == '/')
+            file_hdr->c_mode |= CP_IFDIR;
+          else
+            file_hdr->c_mode |= CP_IFREG;
+diff --git a/src/util.c b/src/util.c
+index 6ff6032..4f3c073 100644
+--- a/src/util.c
+++ b/src/util.c
+@@ -1410,8 +1410,34 @@ set_file_times (int fd,
+     utime_error (name);
+ }
+ 
+
+void
+cpio_set_c_name (struct cpio_file_stat *file_hdr, char *name)
+{
+  static size_t buflen = 0;
+  size_t len = strlen (name) + 1;
+
+  if (buflen == 0)
+    {
+      buflen = len;
+      if (buflen < 32)
+        buflen = 32;
+      file_hdr->c_name = xmalloc (buflen);
+    }
+  else if (buflen < len)
+    {
+      buflen = len;
+      file_hdr->c_name = xrealloc (file_hdr->c_name, buflen);
+    }
+
+  file_hdr->c_namesize = len;
+  memmove (file_hdr->c_name, name, len);
+}
+
+ /* Do we have to ignore absolute paths, and if so, does the filename
+-   have an absolute path?  */
+   have an absolute path?  Before calling this function make sure that the
+   allocated NAME buffer has capacity at least 2 bytes. */
+
+ void
+ cpio_safer_name_suffix (char *name, bool link_target, bool absolute_names,
+                        bool strip_leading_dots)
+@@ -1426,6 +1452,10 @@ cpio_safer_name_suffix (char *name, bool link_target, bool absolute_names,
+          ++p;
+       }
+   if (p != name)
+    /* The 'p' string is shortened version of 'name' with one exception;  when
+       the 'name' points to an empty string (buffer where name[0] == '\0') the
+       'p' then points to static string ".".  So caller needs to ensure there
+       are at least two bytes available in 'name' buffer so memmove succeeds. */
+     memmove (name, p, (size_t)(strlen (p) + 1));
+ }
+ 
+diff --git a/tests/inout.at b/tests/inout.at
+index 60c3716..730cbd2 100644
+--- a/tests/inout.at
+++ b/tests/inout.at
+@@ -35,7 +35,22 @@ while read NAME LENGTH
+ do
+        genfile --length $LENGTH > $NAME
+        echo $NAME
+-done < filelist |
+- cpio --quiet -o > archive])
+done < filelist > filelist_raw
+
+for format in bin odc newc crc tar ustar hpbin hpodc
+do
+    cpio --format=$format --quiet -o < filelist_raw > archive.$format
+    rm -rf output
+    mkdir output && cd output
+    cpio -i --quiet < ../archive.$format
+
+    while read file
+    do
+        test -f $file || echo "$file not found"
+    done < ../filelist_raw
+
+    cd ..
+done
+])
+ 
+ AT_CLEANUP
+-- 
+1.9.1
diff --git a/meta/recipes-extended/cpio/cpio_2.12.bb b/meta/recipes-extended/cpio/cpio_2.12.bb
index 19ad69b037..69d36983e3 100644
--- a/meta/recipes-extended/cpio/cpio_2.12.bb
+++ b/meta/recipes-extended/cpio/cpio_2.12.bb
@@ -9,6 +9,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=f27defe1e96c2e1ecd4e0c9be8967949"
 SRC_URI = "${GNU_MIRROR}/cpio/cpio-${PV}.tar.gz \
           file://0001-Unset-need_charset_alias-when-building-for-musl.patch \
           file://0001-Fix-CVE-2015-1197.patch \
+           file://0001-CVE-2016-2037-1-byte-out-of-bounds-write.patch \
           "
 SRC_URI[md5sum] = "fc207561a86b63862eea4b8300313e86"
author	Andre McCurdy <armccurdy@gmail.com>	2018-05-24 17:14:19 -0700
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2018-06-15 17:56:24 +0100
commit	31a87d4d1dc80c6054c15a6f7dbc83b4d79bf0b2 (patch)
tree	750028c0d52529c6775317f8a4dbbebec338f9db
parent	a0a395a8c614277cdbfe3f13ae7f200c85d1f2b5 (diff)
download	poky-31a87d4d1dc80c6054c15a6f7dbc83b4d79bf0b2.tar.gz

diff --git a/meta/recipes-extended/cpio/cpio-2.12/0001-CVE-2016-2037-1-byte-out-of-bounds-write.patch b/meta/recipes-extended/cpio/cpio-2.12/0001-CVE-2016-2037-1-byte-out-of-bounds-write.patch new file mode 100644 index 0000000000..0a3054483c --- /dev/null +++ b/meta/recipes-extended/cpio/cpio-2.12/0001-CVE-2016-2037-1-byte-out-of-bounds-write.patch
@@ -0,0 +1,346 @@
		1	From ebf9a2d776474181936a720ce811d72bbd1da3b6 Mon Sep 17 00:00:00 2001
		2	From: Pavel Raiskup <praiskup@redhat.com>
		3	Date: Tue, 26 Jan 2016 23:17:54 +0100
		4	Subject: [PATCH] CVE-2016-2037 - 1 byte out-of-bounds write
		5
		6	Ensure that cpio_safer_name_suffix always works with dynamically
		7	allocated buffer, and that it has size of at least 32 bytes.
		8	Then, any call to cpio_safer_name_suffix is safe (it requires at
		9	least 2 bytes in the buffer).
		10
		11	Also ensure that c_namesize is always correctly initialized (by
		12	cpio_set_c_name) to avoid undefined behavior when reading
		13	file_hdr.c_namesize (previously happened for tar archives).
		14
		15	References:
		16	http://www.mail-archive.com/bug-cpio@gnu.org/msg00545.html
		17
		18	* src/copyin.c (query_rename): Drop the hack, as we now work with
		19	dynamically allocated buffer. Use cpio_set_c_name.
		20	(create_defered_links_to_skipped): Use cpio_set_c_name rather than
		21	manual assignment.
		22	(read_name_from_file): New function to avoid C&P.
		23	(read_in_old_ascii, read_in_new_ascii, read_in_binary): Use
		24	read_name_from_file.
		25	(process_copy_in): Initialize file_hdr.c_namesize.
		26	* src/copyout.c (process_copy_out): Use cpio_set_c_name.
		27	* src/cpiohdr.h (cpio_set_c_name): New prototype.
		28	* src/tar.c (read_in_tar_header): Use cpio_set_c_name.
		29	* src/util.c (cpio_set_c_name): New function to set
		30	file_hdr->c_name and c_namesize from arbitrary string.
		31	(cpio_safer_name_suffix): Some docs fixes.
		32	* tests/inout.at: Also test copy-in, and try various formats.
		33
		34	CVE: CVE-2016-2037
		35
		36	Upstream-Status: Backport [http://git.savannah.gnu.org/cgit/cpio.git/commit/?id=d36ec5f4e93130efb24fb9678aafd88e8070095b]
		37
		38	Signed-off-by: Andre McCurdy <armccurdy@gmail.com>
		39	---
		40	src/copyin.c \| 68 +++++++++++++++++++---------------------------------------
		41	src/copyout.c \| 13 +++++------
		42	src/cpiohdr.h \| 1 +
		43	src/tar.c \| 10 +++++----
		44	src/util.c \| 32 ++++++++++++++++++++++++++-
		45	tests/inout.at \| 19 ++++++++++++++--
		46	6 files changed, 82 insertions(+), 61 deletions(-)
		47
		48	diff --git a/src/copyin.c b/src/copyin.c
		49	index cde911e..972f8a6 100644
		50	--- a/src/copyin.c
		51	+++ b/src/copyin.c
		52	@@ -76,28 +76,7 @@ query_rename(struct cpio_file_stat* file_hdr, FILE tty_in, FILE tty_out,
		53	return -1;
		54	}
		55	else
		56	- /* Debian hack: file_hrd.c_name is sometimes set to
		57	- point to static memory by code in tar.c. This
		58	- causes a segfault. This has been fixed and an
		59	- additional check to ensure that the file name
		60	- is not too long has been added. (Reported by
		61	- Horst Knobloch.) This bug has been reported to
		62	- "bug-gnu-utils@prep.ai.mit.edu". (99/1/6) -BEM */
		63	- {
		64	- if (archive_format != arf_tar && archive_format != arf_ustar)
		65	- {
		66	- free (file_hdr->c_name);
		67	- file_hdr->c_name = xstrdup (new_name.ds_string);
		68	- }
		69	- else
		70	- {
		71	- if (is_tar_filename_too_long (new_name.ds_string))
		72	- error (0, 0, _("%s: file name too long"),
		73	- new_name.ds_string);
		74	- else
		75	- strcpy (file_hdr->c_name, new_name.ds_string);
		76	- }
		77	- }
		78	+ cpio_set_c_name (file_hdr, new_name.ds_string);
		79	return 0;
		80	}
		81
		82	@@ -344,8 +323,7 @@ create_defered_links_to_skipped (struct cpio_file_stat *file_hdr,
		83	d_prev->next = d->next;
		84	else
		85	deferments = d->next;
		86	- free (file_hdr->c_name);
		87	- file_hdr->c_name = xstrdup(d->header.c_name);
		88	+ cpio_set_c_name (file_hdr, d->header.c_name);
		89	free_deferment (d);
		90	copyin_regular_file(file_hdr, in_file_des);
		91	return 0;
		92	@@ -1064,6 +1042,22 @@ read_in_header (struct cpio_file_stat *file_hdr, int in_des)
		93	}
		94	}
		95
		96	+static void
		97	+read_name_from_file (struct cpio_file_stat *file_hdr, int fd, uintmax_t len)
		98	+{
		99	+ static char *tmp_filename;
		100	+ static size_t buflen;
		101	+
		102	+ if (buflen < len)
		103	+ {
		104	+ buflen = len;
		105	+ tmp_filename = xrealloc (tmp_filename, buflen);
		106	+ }
		107	+
		108	+ tape_buffered_read (tmp_filename, fd, len);
		109	+ cpio_set_c_name (file_hdr, tmp_filename);
		110	+}
		111	+
		112	/* Fill in FILE_HDR by reading an old-format ASCII format cpio header from
		113	file descriptor IN_DES, except for the magic number, which is
		114	already filled in. */
		115	@@ -1090,14 +1084,8 @@ read_in_old_ascii (struct cpio_file_stat *file_hdr, int in_des)
		116	file_hdr->c_rdev_min = minor (dev);
		117
		118	file_hdr->c_mtime = FROM_OCTAL (ascii_header.c_mtime);
		119	- file_hdr->c_namesize = FROM_OCTAL (ascii_header.c_namesize);
		120	file_hdr->c_filesize = FROM_OCTAL (ascii_header.c_filesize);
		121	-
		122	- /* Read file name from input. */
		123	- if (file_hdr->c_name != NULL)
		124	- free (file_hdr->c_name);
		125	- file_hdr->c_name = (char *) xmalloc (file_hdr->c_namesize + 1);
		126	- tape_buffered_read (file_hdr->c_name, in_des, (long) file_hdr->c_namesize);
		127	+ read_name_from_file (file_hdr, in_des, FROM_OCTAL (ascii_header.c_namesize));
		128
		129	/* HP/UX cpio creates archives that look just like ordinary archives,
		130	but for devices it sets major = 0, minor = 1, and puts the
		131	@@ -1152,14 +1140,8 @@ read_in_new_ascii (struct cpio_file_stat *file_hdr, int in_des)
		132	file_hdr->c_dev_min = FROM_HEX (ascii_header.c_dev_min);
		133	file_hdr->c_rdev_maj = FROM_HEX (ascii_header.c_rdev_maj);
		134	file_hdr->c_rdev_min = FROM_HEX (ascii_header.c_rdev_min);
		135	- file_hdr->c_namesize = FROM_HEX (ascii_header.c_namesize);
		136	file_hdr->c_chksum = FROM_HEX (ascii_header.c_chksum);
		137	-
		138	- /* Read file name from input. */
		139	- if (file_hdr->c_name != NULL)
		140	- free (file_hdr->c_name);
		141	- file_hdr->c_name = (char *) xmalloc (file_hdr->c_namesize);
		142	- tape_buffered_read (file_hdr->c_name, in_des, (long) file_hdr->c_namesize);
		143	+ read_name_from_file (file_hdr, in_des, FROM_HEX (ascii_header.c_namesize));
		144
		145	/* In SVR4 ASCII format, the amount of space allocated for the header
		146	is rounded up to the next long-word, so we might need to drop
		147	@@ -1207,16 +1189,9 @@ read_in_binary (struct cpio_file_stat *file_hdr,
		148	file_hdr->c_rdev_min = minor (short_hdr->c_rdev);
		149	file_hdr->c_mtime = (unsigned long) short_hdr->c_mtimes[0] << 16
		150	\| short_hdr->c_mtimes[1];
		151	-
		152	- file_hdr->c_namesize = short_hdr->c_namesize;
		153	file_hdr->c_filesize = (unsigned long) short_hdr->c_filesizes[0] << 16
		154	\| short_hdr->c_filesizes[1];
		155	-
		156	- /* Read file name from input. */
		157	- if (file_hdr->c_name != NULL)
		158	- free (file_hdr->c_name);
		159	- file_hdr->c_name = (char *) xmalloc (file_hdr->c_namesize);
		160	- tape_buffered_read (file_hdr->c_name, in_des, (long) file_hdr->c_namesize);
		161	+ read_name_from_file (file_hdr, in_des, short_hdr->c_namesize);
		162
		163	/* In binary mode, the amount of space allocated in the header for
		164	the filename is `c_namesize' rounded up to the next short-word,
		165	@@ -1297,6 +1272,7 @@ process_copy_in ()
		166	read_pattern_file ();
		167	}
		168	file_hdr.c_name = NULL;
		169	+ file_hdr.c_namesize = 0;
		170
		171	if (rename_batch_file)
		172	{
		173	diff --git a/src/copyout.c b/src/copyout.c
		174	index 1f0987a..bb39559 100644
		175	--- a/src/copyout.c
		176	+++ b/src/copyout.c
		177	@@ -660,8 +660,7 @@ process_copy_out ()
		178	cpio_safer_name_suffix (input_name.ds_string, false,
		179	!no_abs_paths_flag, true);
		180	#ifndef HPUX_CDF
		181	- file_hdr.c_name = input_name.ds_string;
		182	- file_hdr.c_namesize = strlen (input_name.ds_string) + 1;
		183	+ cpio_set_c_name (&file_hdr, input_name.ds_string);
		184	#else
		185	if ( (archive_format != arf_tar) && (archive_format != arf_ustar) )
		186	{
		187	@@ -670,16 +669,15 @@ process_copy_out ()
		188	properly recreate the directory as hidden (in case the
		189	files of a directory go into the archive before the
		190	directory itself (e.g from "find ... -depth ... \| cpio")). */
		191	- file_hdr.c_name = add_cdf_double_slashes (input_name.ds_string);
		192	- file_hdr.c_namesize = strlen (file_hdr.c_name) + 1;
		193	+ cpio_set_c_name (&file_hdr,
		194	+ add_cdf_double_slashes (input_name.ds_string));
		195	}
		196	else
		197	{
		198	/* We don't mark CDF's in tar files. We assume the "hidden"
		199	directory will always go into the archive before any of
		200	its files. */
		201	- file_hdr.c_name = input_name.ds_string;
		202	- file_hdr.c_namesize = strlen (input_name.ds_string) + 1;
		203	+ cpio_set_c_name (&file_hdr, input_name.ds_string);
		204	}
		205	#endif
		206
		207	@@ -866,8 +864,7 @@ process_copy_out ()
		208	file_hdr.c_chksum = 0;
		209
		210	file_hdr.c_filesize = 0;
		211	- file_hdr.c_namesize = 11;
		212	- file_hdr.c_name = CPIO_TRAILER_NAME;
		213	+ cpio_set_c_name (&file_hdr, CPIO_TRAILER_NAME);
		214	if (archive_format != arf_tar && archive_format != arf_ustar)
		215	write_out_header (&file_hdr, out_file_des);
		216	else
		217	diff --git a/src/cpiohdr.h b/src/cpiohdr.h
		218	index b29e6fb..f4c63be 100644
		219	--- a/src/cpiohdr.h
		220	+++ b/src/cpiohdr.h
		221	@@ -129,5 +129,6 @@ struct cpio_file_stat /* Internal representation of a CPIO header */
		222	char *c_tar_linkname;
		223	};
		224
		225	+void cpio_set_c_name(struct cpio_file_stat file_hdr, char name);
		226
		227	#endif /* cpiohdr.h */
		228	diff --git a/src/tar.c b/src/tar.c
		229	index a2ce171..e41f89d 100644
		230	--- a/src/tar.c
		231	+++ b/src/tar.c
		232	@@ -282,7 +282,7 @@ read_in_tar_header (struct cpio_file_stat *file_hdr, int in_des)
		233	if (null_block ((long *) &tar_rec, TARRECORDSIZE))
		234	#endif
		235	{
		236	- file_hdr->c_name = CPIO_TRAILER_NAME;
		237	+ cpio_set_c_name (file_hdr, CPIO_TRAILER_NAME);
		238	return;
		239	}
		240	#if 0
		241	@@ -316,9 +316,11 @@ read_in_tar_header (struct cpio_file_stat *file_hdr, int in_des)
		242	}
		243
		244	if (archive_format != arf_ustar)
		245	- file_hdr->c_name = stash_tar_filename (NULL, tar_hdr->name);
		246	+ cpio_set_c_name (file_hdr, stash_tar_filename (NULL, tar_hdr->name));
		247	else
		248	- file_hdr->c_name = stash_tar_filename (tar_hdr->prefix, tar_hdr->name);
		249	+ cpio_set_c_name (file_hdr, stash_tar_filename (tar_hdr->prefix,
		250	+ tar_hdr->name));
		251	+
		252	file_hdr->c_nlink = 1;
		253	file_hdr->c_mode = FROM_OCTAL (tar_hdr->mode);
		254	file_hdr->c_mode = file_hdr->c_mode & 07777;
		255	@@ -398,7 +400,7 @@ read_in_tar_header (struct cpio_file_stat *file_hdr, int in_des)
		256	case AREGTYPE:
		257	/* Old tar format; if the last char in filename is '/' then it is
		258	a directory, otherwise it's a regular file. */
		259	- if (file_hdr->c_name[strlen (file_hdr->c_name) - 1] == '/')
		260	+ if (file_hdr->c_name[file_hdr->c_namesize - 1] == '/')
		261	file_hdr->c_mode \|= CP_IFDIR;
		262	else
		263	file_hdr->c_mode \|= CP_IFREG;
		264	diff --git a/src/util.c b/src/util.c
		265	index 6ff6032..4f3c073 100644
		266	--- a/src/util.c
		267	+++ b/src/util.c
		268	@@ -1410,8 +1410,34 @@ set_file_times (int fd,
		269	utime_error (name);
		270	}
		271
		272	+
		273	+void
		274	+cpio_set_c_name (struct cpio_file_stat file_hdr, char name)
		275	+{
		276	+ static size_t buflen = 0;
		277	+ size_t len = strlen (name) + 1;
		278	+
		279	+ if (buflen == 0)
		280	+ {
		281	+ buflen = len;
		282	+ if (buflen < 32)
		283	+ buflen = 32;
		284	+ file_hdr->c_name = xmalloc (buflen);
		285	+ }
		286	+ else if (buflen < len)
		287	+ {
		288	+ buflen = len;
		289	+ file_hdr->c_name = xrealloc (file_hdr->c_name, buflen);
		290	+ }
		291	+
		292	+ file_hdr->c_namesize = len;
		293	+ memmove (file_hdr->c_name, name, len);
		294	+}
		295	+
		296	/* Do we have to ignore absolute paths, and if so, does the filename
		297	- have an absolute path? */
		298	+ have an absolute path? Before calling this function make sure that the
		299	+ allocated NAME buffer has capacity at least 2 bytes. */
		300	+
		301	void
		302	cpio_safer_name_suffix (char *name, bool link_target, bool absolute_names,
		303	bool strip_leading_dots)
		304	@@ -1426,6 +1452,10 @@ cpio_safer_name_suffix (char *name, bool link_target, bool absolute_names,
		305	++p;
		306	}
		307	if (p != name)
		308	+ /* The 'p' string is shortened version of 'name' with one exception; when
		309	+ the 'name' points to an empty string (buffer where name[0] == '\0') the
		310	+ 'p' then points to static string ".". So caller needs to ensure there
		311	+ are at least two bytes available in 'name' buffer so memmove succeeds. */
		312	memmove (name, p, (size_t)(strlen (p) + 1));
		313	}
		314
		315	diff --git a/tests/inout.at b/tests/inout.at
		316	index 60c3716..730cbd2 100644
		317	--- a/tests/inout.at
		318	+++ b/tests/inout.at
		319	@@ -35,7 +35,22 @@ while read NAME LENGTH
		320	do
		321	genfile --length $LENGTH > $NAME
		322	echo $NAME
		323	-done < filelist \|
		324	- cpio --quiet -o > archive])
		325	+done < filelist > filelist_raw
		326	+
		327	+for format in bin odc newc crc tar ustar hpbin hpodc
		328	+do
		329	+ cpio --format=$format --quiet -o < filelist_raw > archive.$format
		330	+ rm -rf output
		331	+ mkdir output && cd output
		332	+ cpio -i --quiet < ../archive.$format
		333	+
		334	+ while read file
		335	+ do
		336	+ test -f $file \|\| echo "$file not found"
		337	+ done < ../filelist_raw
		338	+
		339	+ cd ..
		340	+done
		341	+])
		342
		343	AT_CLEANUP
		344	--
		345	1.9.1
		346


diff --git a/meta/recipes-extended/cpio/cpio_2.12.bb b/meta/recipes-extended/cpio/cpio_2.12.bb index 19ad69b037..69d36983e3 100644 --- a/meta/recipes-extended/cpio/cpio_2.12.bb +++ b/meta/recipes-extended/cpio/cpio_2.12.bb
@@ -9,6 +9,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=f27defe1e96c2e1ecd4e0c9be8967949"
9	SRC_URI = "${GNU_MIRROR}/cpio/cpio-${PV}.tar.gz \	9	SRC_URI = "${GNU_MIRROR}/cpio/cpio-${PV}.tar.gz \
10	file://0001-Unset-need_charset_alias-when-building-for-musl.patch \	10	file://0001-Unset-need_charset_alias-when-building-for-musl.patch \
11	file://0001-Fix-CVE-2015-1197.patch \	11	file://0001-Fix-CVE-2015-1197.patch \
		12	file://0001-CVE-2016-2037-1-byte-out-of-bounds-write.patch \
12	"	13	"
13		14
14	SRC_URI[md5sum] = "fc207561a86b63862eea4b8300313e86"	15	SRC_URI[md5sum] = "fc207561a86b63862eea4b8300313e86"