diff options
author | Davide Gardenal <davidegarde2000@gmail.com> | 2022-03-24 16:09:11 +0100 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2022-03-31 21:09:33 +0100 |
commit | 92b8b18ca9cd01b3d7a2bf2332cfb8a4cb07a555 (patch) | |
tree | 1475430d2b81a7824ab5d963ea12bdb8515a8578 /meta/recipes-devtools/apt | |
parent | d69c49f33a8a280f97906dd87188c7d13ddbd5b7 (diff) | |
download | poky-92b8b18ca9cd01b3d7a2bf2332cfb8a4cb07a555.tar.gz |
apt: backport patch fix for CVE-2020-3810
Upstream commit:
https://salsa.debian.org/apt-team/apt/-/blob/dceb1e49e4b8e4dadaf056be34088b415939cda6/apt-pkg/contrib/arfile.cc
CVE: CVE-2020-3810
(From OE-Core rev: 2c58d4691b07230616272f2727e0ad0a345064be)
Signed-off-by: Davide Gardenal <davide.gardenal@huawei.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-devtools/apt')
-rw-r--r-- | meta/recipes-devtools/apt/apt.inc | 1 | ||||
-rw-r--r-- | meta/recipes-devtools/apt/apt/CVE-2020-3810.patch | 174 |
2 files changed, 175 insertions, 0 deletions
diff --git a/meta/recipes-devtools/apt/apt.inc b/meta/recipes-devtools/apt/apt.inc index 3c4fc6df07..ba827848a7 100644 --- a/meta/recipes-devtools/apt/apt.inc +++ b/meta/recipes-devtools/apt/apt.inc | |||
@@ -18,6 +18,7 @@ SRC_URI = "https://launchpad.net/ubuntu/+archive/primary/+sourcefiles/${BPN}/${P | |||
18 | file://0001-environment.mak-musl-based-systems-can-generate-shar.patch \ | 18 | file://0001-environment.mak-musl-based-systems-can-generate-shar.patch \ |
19 | file://0001-apt-1.2.12-Fix-musl-build.patch \ | 19 | file://0001-apt-1.2.12-Fix-musl-build.patch \ |
20 | file://0001-Include-array.h-for-std-array.patch \ | 20 | file://0001-Include-array.h-for-std-array.patch \ |
21 | file://CVE-2020-3810.patch \ | ||
21 | " | 22 | " |
22 | SRC_URI[md5sum] = "d30eed9304e82ea8238c854b5c5a34d9" | 23 | SRC_URI[md5sum] = "d30eed9304e82ea8238c854b5c5a34d9" |
23 | SRC_URI[sha256sum] = "03ded4f5e9b8d43ecec083704b2dcabf20c182ed382db9ac7251da0b0b038059" | 24 | SRC_URI[sha256sum] = "03ded4f5e9b8d43ecec083704b2dcabf20c182ed382db9ac7251da0b0b038059" |
diff --git a/meta/recipes-devtools/apt/apt/CVE-2020-3810.patch b/meta/recipes-devtools/apt/apt/CVE-2020-3810.patch new file mode 100644 index 0000000000..cf1206a3fa --- /dev/null +++ b/meta/recipes-devtools/apt/apt/CVE-2020-3810.patch | |||
@@ -0,0 +1,174 @@ | |||
1 | From dceb1e49e4b8e4dadaf056be34088b415939cda6 Mon Sep 17 00:00:00 2001 | ||
2 | From: Julian Andres Klode <julian.klode@canonical.com> | ||
3 | Date: Tue, 12 May 2020 11:49:09 +0200 | ||
4 | Subject: [PATCH] SECURITY UPDATE: Fix out of bounds read in .ar and .tar | ||
5 | implementation (CVE-2020-3810) | ||
6 | |||
7 | When normalizing ar member names by removing trailing whitespace | ||
8 | and slashes, an out-out-bound read can be caused if the ar member | ||
9 | name consists only of such characters, because the code did not | ||
10 | stop at 0, but would wrap around and continue reading from the | ||
11 | stack, without any limit. | ||
12 | |||
13 | Add a check to abort if we reached the first character in the | ||
14 | name, effectively rejecting the use of names consisting just | ||
15 | of slashes and spaces. | ||
16 | |||
17 | Furthermore, certain error cases in arfile.cc and extracttar.cc have | ||
18 | included member names in the output that were not checked at all and | ||
19 | might hence not be nul terminated, leading to further out of bound reads. | ||
20 | |||
21 | Fixes Debian/apt#111 | ||
22 | LP: #1878177 | ||
23 | |||
24 | CVE: CVE-2020-3810 | ||
25 | |||
26 | Upstream-Status: Backport: | ||
27 | https://salsa.debian.org/apt-team/apt/-/commit/dceb1e49e4b8e4dadaf056be34088b415939cda6 | ||
28 | |||
29 | Signed-off-by: Davide Gardenal <davide.gardenal@huawei.com> | ||
30 | --- | ||
31 | apt-inst/contrib/arfile.cc | 11 ++- | ||
32 | apt-inst/contrib/extracttar.cc | 2 +- | ||
33 | .../test-github-111-invalid-armember | 88 +++++++++++++++++++ | ||
34 | 3 files changed, 98 insertions(+), 3 deletions(-) | ||
35 | create mode 100755 test/integration/test-github-111-invalid-armember | ||
36 | |||
37 | diff --git a/apt-inst/contrib/arfile.cc b/st/contrib/arfile.cc | ||
38 | index 3fc3afedb..5cb43c690 100644 | ||
39 | --- a/apt-inst/contrib/arfile.cc | ||
40 | +++ b/apt-inst/contrib/arfile.cc | ||
41 | @@ -92,7 +92,7 @@ bool ARArchive::LoadHeaders() | ||
42 | StrToNum(Head.Size,Memb->Size,sizeof(Head.Size)) == false) | ||
43 | { | ||
44 | delete Memb; | ||
45 | - return _error->Error(_("Invalid archive member header %s"), Head.Name); | ||
46 | + return _error->Error(_("Invalid archive member header")); | ||
47 | } | ||
48 | |||
49 | // Check for an extra long name string | ||
50 | @@ -119,7 +119,14 @@ bool ARArchive::LoadHeaders() | ||
51 | else | ||
52 | { | ||
53 | unsigned int I = sizeof(Head.Name) - 1; | ||
54 | - for (; Head.Name[I] == ' ' || Head.Name[I] == '/'; I--); | ||
55 | + for (; Head.Name[I] == ' ' || Head.Name[I] == '/'; I--) | ||
56 | + { | ||
57 | + if (I == 0) | ||
58 | + { | ||
59 | + delete Memb; | ||
60 | + return _error->Error(_("Invalid archive member header")); | ||
61 | + } | ||
62 | + } | ||
63 | Memb->Name = std::string(Head.Name,I+1); | ||
64 | } | ||
65 | |||
66 | diff --git a/apt-inst/contrib/extracttar.cc b/apt-inst/contrib/extracttar.cc | ||
67 | index 9bb0a55c0..b22f59dbc 100644 | ||
68 | --- a/apt-inst/contrib/extracttar.cc | ||
69 | +++ b/apt-inst/contrib/extracttar.cc | ||
70 | @@ -254,7 +254,7 @@ bool ExtractTar::Go(pkgDirStream &Stream) | ||
71 | |||
72 | default: | ||
73 | BadRecord = true; | ||
74 | - _error->Warning(_("Unknown TAR header type %u, member %s"),(unsigned)Tar->LinkFlag,Tar->Name); | ||
75 | + _error->Warning(_("Unknown TAR header type %u"), (unsigned)Tar->LinkFlag); | ||
76 | break; | ||
77 | } | ||
78 | |||
79 | diff --git a/test/integration/test-github-111-invalid-armember b/test/integration/test-github-111-invalid-armember | ||
80 | new file mode 100755 | ||
81 | index 000000000..ec2163bf6 | ||
82 | --- /dev/null | ||
83 | +++ b/test/integration/test-github-111-invalid-armember | ||
84 | @@ -0,0 +1,88 @@ | ||
85 | +#!/bin/sh | ||
86 | +set -e | ||
87 | + | ||
88 | +TESTDIR="$(readlink -f "$(dirname "$0")")" | ||
89 | +. "$TESTDIR/framework" | ||
90 | +setupenvironment | ||
91 | +configarchitecture "amd64" | ||
92 | +setupaptarchive | ||
93 | + | ||
94 | +# this used to crash, but it should treat it as an invalid member header | ||
95 | +touch ' ' | ||
96 | +ar -q test.deb ' ' | ||
97 | +testsuccessequal "E: Invalid archive member header" ${BUILDDIRECTORY}/../test/interactive-helper/testdeb test.deb | ||
98 | + | ||
99 | + | ||
100 | +rm test.deb | ||
101 | +touch 'x' | ||
102 | +ar -q test.deb 'x' | ||
103 | +testsuccessequal "E: This is not a valid DEB archive, missing 'debian-binary' member" ${BUILDDIRECTORY}/../test/interactive-helper/testdeb test.deb | ||
104 | + | ||
105 | + | ||
106 | +# <name><size> [ other fields] - name is not nul terminated here, it ends in . | ||
107 | +msgmsg "Unterminated ar member name" | ||
108 | +printf '!<arch>\0120123456789ABCDE.A123456789A.01234.01234.0123456.012345678.0.' > test.deb | ||
109 | +testsuccessequal "E: Invalid archive member header" ${BUILDDIRECTORY}/../test/interactive-helper/testdeb test.deb | ||
110 | + | ||
111 | + | ||
112 | +# unused source code for generating $tar below | ||
113 | +maketar() { | ||
114 | + cat > maketar.c << EOF | ||
115 | + #include <stdio.h> | ||
116 | + #include <string.h> | ||
117 | + struct tar { | ||
118 | + char Name[100]; | ||
119 | + char Mode[8]; | ||
120 | + char UserID[8]; | ||
121 | + char GroupID[8]; | ||
122 | + char Size[12]; | ||
123 | + char MTime[12]; | ||
124 | + char Checksum[8]; | ||
125 | + char LinkFlag; | ||
126 | + char LinkName[100]; | ||
127 | + char MagicNumber[8]; | ||
128 | + char UserName[32]; | ||
129 | + char GroupName[32]; | ||
130 | + char Major[8]; | ||
131 | + char Minor[8]; | ||
132 | + }; | ||
133 | + | ||
134 | + int main(void) | ||
135 | + { | ||
136 | + union { | ||
137 | + struct tar t; | ||
138 | + char buf[512]; | ||
139 | + } t; | ||
140 | + for (int i = 0; i < sizeof(t.buf); i++) | ||
141 | + t.buf[i] = '7'; | ||
142 | + memcpy(t.t.Name, "unterminatedName", 16); | ||
143 | + memcpy(t.t.UserName, "userName", 8); | ||
144 | + memcpy(t.t.GroupName, "thisIsAGroupNamethisIsAGroupName", 32); | ||
145 | + t.t.LinkFlag = 'X'; // I AM BROKEN | ||
146 | + memcpy(t.t.Size, "000000000000", sizeof(t.t.Size)); | ||
147 | + memset(t.t.Checksum,' ',sizeof(t.t.Checksum)); | ||
148 | + | ||
149 | + unsigned long sum = 0; | ||
150 | + for (int i = 0; i < sizeof(t.buf); i++) | ||
151 | + sum += t.buf[i]; | ||
152 | + | ||
153 | + int written = sprintf(t.t.Checksum, "%lo", sum); | ||
154 | + for (int i = written; i < sizeof(t.t.Checksum); i++) | ||
155 | + t.t.Checksum[i] = ' '; | ||
156 | + fwrite(t.buf, sizeof(t.buf), 1, stdout); | ||
157 | + } | ||
158 | +EOF | ||
159 | + | ||
160 | + gcc maketar.c -o maketar -Wall | ||
161 | + ./maketar | ||
162 | +} | ||
163 | + | ||
164 | + | ||
165 | +# | ||
166 | +tar="unterminatedName77777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777700000000000077777777777773544 X777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777userName777777777777777777777777thisIsAGroupNamethisIsAGroupName777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777" | ||
167 | +printf '%s' "$tar" | gzip > control.tar.gz | ||
168 | +cp control.tar.gz data.tar.gz | ||
169 | +touch debian-binary | ||
170 | +rm test.deb | ||
171 | +ar -q test.deb debian-binary control.tar.gz data.tar.gz | ||
172 | +testsuccessequal "W: Unknown TAR header type 88" ${BUILDDIRECTORY}/../test/interactive-helper/testdeb test.deb | ||
173 | -- | ||
174 | GitLab | ||