diff options
| author | Joe Slater <joe.slater@windriver.com> | 2023-02-17 15:01:22 -0800 |
|---|---|---|
| committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2023-02-19 07:47:53 +0000 |
| commit | add828fa4feafba18930b53ff2deca62d7a02ffd (patch) | |
| tree | 8b3f9371a09a634649909a12c54eb1d9c856df8e /meta/recipes-extended/tar/files/CVE-2022-48303.patch | |
| parent | 432941810577903ef0116a1f5c6d7e41f5077ed8 (diff) | |
| download | poky-add828fa4feafba18930b53ff2deca62d7a02ffd.tar.gz | |
tar: Update fix for CVE-2022-48303 to upstream version
Fixes CVE-2022-48303 by checking Base-256 encoding is at least
2 bytes long. GNU Tar through 1.34 has a one-byte out-of-bounds
read that results in use of uninitialized memory for a conditional
jump. Exploitation to change the flow of control has not been
demonstrated. The issue occurs in from_header in list.c via a
V7 archive in which mtime has approximately 11 whitespace characters.
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2022-48303
Upstream patch:
https://savannah.gnu.org/bugs/?62387
https://git.savannah.gnu.org/cgit/tar.git/patch/src/list.c?id=3da78400eafcccb97e2f2fd4b227ea40d794ede8
(From OE-Core rev: 0043c9d3f7b65a0cbb0a27c37b4825b8f5511dec)
Signed-off-by: Rodolfo Quesada Zumbado <rodolfo.zumbado@windriver.com>
Signed-off-by: Joe Slater <joe.slater@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-extended/tar/files/CVE-2022-48303.patch')
| -rw-r--r-- | meta/recipes-extended/tar/files/CVE-2022-48303.patch | 36 |
1 files changed, 0 insertions, 36 deletions
diff --git a/meta/recipes-extended/tar/files/CVE-2022-48303.patch b/meta/recipes-extended/tar/files/CVE-2022-48303.patch deleted file mode 100644 index a8e9f4ac7d..0000000000 --- a/meta/recipes-extended/tar/files/CVE-2022-48303.patch +++ /dev/null | |||
| @@ -1,36 +0,0 @@ | |||
| 1 | From 1d530107a24d71e798727d7f0afa0833473d1074 Mon Sep 17 00:00:00 2001 | ||
| 2 | From: =?UTF-8?q?Matej=20Mu=C5=BEila?= <mmuzila@gmail.com> | ||
| 3 | Date: Wed, 11 Jan 2023 08:55:58 +0100 | ||
| 4 | Subject: [PATCH] Fix savannah bug #62387 | ||
| 5 | |||
| 6 | * src/list.c (from_header): Check for the end of field after leading byte | ||
| 7 | (0x80 or 0xff) of base-256 encoded header value | ||
| 8 | |||
| 9 | Upstream-Status: Backport | ||
| 10 | [https://savannah.gnu.org/patch/download.php?file_id=54212] | ||
| 11 | CVE: CVE-2022-48303 | ||
| 12 | Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> | ||
| 13 | --- | ||
| 14 | src/list.c | 6 ++++++ | ||
| 15 | 1 file changed, 6 insertions(+) | ||
| 16 | |||
| 17 | diff --git a/src/list.c b/src/list.c | ||
| 18 | index 9fafc425..bf41b581 100644 | ||
| 19 | --- a/src/list.c | ||
| 20 | +++ b/src/list.c | ||
| 21 | @@ -895,6 +895,12 @@ from_header (char const *where0, size_t digs, char const *type, | ||
| 22 | << (CHAR_BIT * sizeof (uintmax_t) | ||
| 23 | - LG_256 - (LG_256 - 2))); | ||
| 24 | value = (*where++ & ((1 << (LG_256 - 2)) - 1)) - signbit; | ||
| 25 | + if (where == lim) | ||
| 26 | + { | ||
| 27 | + if (type && !silent) | ||
| 28 | + ERROR ((0, 0, _("Archive base-256 value is invalid"))); | ||
| 29 | + return -1; | ||
| 30 | + } | ||
| 31 | for (;;) | ||
| 32 | { | ||
| 33 | value = (value << LG_256) + (unsigned char) *where++; | ||
| 34 | -- | ||
| 35 | 2.38.1 | ||
| 36 | |||