tar: Fix for CVE-2023-39804

Upstream-Status: Backport from https://git.savannah.gnu.org/cgit/tar.git/commit/?id=a339f05cd269013fa133d2f148d73f6f7d4247e4 (From OE-Core rev: 082c31db387957963952c485a436dc38a64498d0) Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
author: Vijay Anusuri <vanusuri@mvista.com> 2024-03-29 08:56:03 +0530
committer: Steve Sakoman <steve@sakoman.com> 2024-04-05 06:34:42 -0700
commit: ea68e06fa2182e61768c90b7a72e7f2a2e8ea593 (patch)
tree: 688e3d14225173b80a4ac94d9487b61eec360d63 /meta
parent: 869db167b1c71e036a70565dc73cef6b002d6d22 (diff)
download: poky-ea68e06fa2182e61768c90b7a72e7f2a2e8ea593.tar.gz
2 files changed, 65 insertions, 0 deletions
diff --git a/meta/recipes-extended/tar/tar/CVE-2023-39804.patch b/meta/recipes-extended/tar/tar/CVE-2023-39804.patch
new file mode 100644
index 0000000000..f550928540
--- /dev/null
+++ b/meta/recipes-extended/tar/tar/CVE-2023-39804.patch
@@ -0,0 +1,64 @@
+From a339f05cd269013fa133d2f148d73f6f7d4247e4 Mon Sep 17 00:00:00 2001
+From: Sergey Poznyakoff <gray@gnu.org>
+Date: Sat, 28 Aug 2021 16:02:12 +0300
+Subject: Fix handling of extended header prefixes
+* src/xheader.c (locate_handler): Recognize prefix keywords only
+when followed by a dot.
+(xattr_decoder): Use xmalloc/xstrdup instead of alloc
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/tar.git/commit/?id=a339f05cd269013fa133d2f148d73f6f7d4247e4]
+CVE: CVE-2023-39804
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ src/xheader.c | 17 +++++++++--------
+ 1 file changed, 9 insertions(+), 8 deletions(-)
+diff --git a/src/xheader.c b/src/xheader.c
+index 4f8b2b2..3cd694d 100644
+--- a/src/xheader.c
+++ b/src/xheader.c
+@@ -637,11 +637,11 @@ static struct xhdr_tab const *
+ locate_handler (char const *keyword)
+ {
+   struct xhdr_tab const *p;
+-
+   for (p = xhdr_tab; p->keyword; p++)
+     if (p->prefix)
+       {
+-        if (strncmp (p->keyword, keyword, strlen(p->keyword)) == 0)
+       size_t kwlen = strlen (p->keyword);
+        if (keyword[kwlen] == '.' && strncmp (p->keyword, keyword, kwlen) == 0)
+           return p;
+       }
+     else
+@@ -1716,19 +1716,20 @@ xattr_decoder (struct tar_stat_info *st,
+                char const *keyword, char const *arg, size_t size)
+ {
+   char *xstr, *xkey;
+-
+  
+   /* copy keyword */
+-  size_t klen_raw = strlen (keyword);
+-  xkey = alloca (klen_raw + 1);
+-  memcpy (xkey, keyword, klen_raw + 1) /* including null-terminating */;
+  xkey = xstrdup (keyword);
+ 
+   /* copy value */
+-  xstr = alloca (size + 1);
+  xstr = xmalloc (size + 1);
+   memcpy (xstr, arg, size + 1); /* separator included, for GNU tar '\n' */;
+ 
+   xattr_decode_keyword (xkey);
+ 
+-  xheader_xattr_add (st, xkey + strlen("SCHILY.xattr."), xstr, size);
+  xheader_xattr_add (st, xkey + strlen ("SCHILY.xattr."), xstr, size);
+
+  free (xkey);
+  free (xstr);
+ }
+ 
+ static void
+-- 
+cgit v1.1
diff --git a/meta/recipes-extended/tar/tar_1.32.bb b/meta/recipes-extended/tar/tar_1.32.bb
index 1246f01256..c560741599 100644
--- a/meta/recipes-extended/tar/tar_1.32.bb
+++ b/meta/recipes-extended/tar/tar_1.32.bb
@@ -10,6 +10,7 @@ SRC_URI = "${GNU_MIRROR}/tar/tar-${PV}.tar.bz2 \
           file://musl_dirent.patch \
           file://CVE-2021-20193.patch \
           file://CVE-2022-48303.patch \
+           file://CVE-2023-39804.patch \
 "
 SRC_URI[md5sum] = "17917356fff5cb4bd3cd5a6c3e727b05"
author	Vijay Anusuri <vanusuri@mvista.com>	2024-03-29 08:56:03 +0530
committer	Steve Sakoman <steve@sakoman.com>	2024-04-05 06:34:42 -0700
commit	ea68e06fa2182e61768c90b7a72e7f2a2e8ea593 (patch)
tree	688e3d14225173b80a4ac94d9487b61eec360d63 /meta
parent	869db167b1c71e036a70565dc73cef6b002d6d22 (diff)
download	poky-ea68e06fa2182e61768c90b7a72e7f2a2e8ea593.tar.gz

diff --git a/meta/recipes-extended/tar/tar/CVE-2023-39804.patch b/meta/recipes-extended/tar/tar/CVE-2023-39804.patch new file mode 100644 index 0000000000..f550928540 --- /dev/null +++ b/meta/recipes-extended/tar/tar/CVE-2023-39804.patch
@@ -0,0 +1,64 @@
		1	From a339f05cd269013fa133d2f148d73f6f7d4247e4 Mon Sep 17 00:00:00 2001
		2	From: Sergey Poznyakoff <gray@gnu.org>
		3	Date: Sat, 28 Aug 2021 16:02:12 +0300
		4	Subject: Fix handling of extended header prefixes
		5
		6	* src/xheader.c (locate_handler): Recognize prefix keywords only
		7	when followed by a dot.
		8	(xattr_decoder): Use xmalloc/xstrdup instead of alloc
		9
		10	Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/tar.git/commit/?id=a339f05cd269013fa133d2f148d73f6f7d4247e4]
		11	CVE: CVE-2023-39804
		12	Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
		13	---
		14	src/xheader.c \| 17 +++++++++--------
		15	1 file changed, 9 insertions(+), 8 deletions(-)
		16
		17	diff --git a/src/xheader.c b/src/xheader.c
		18	index 4f8b2b2..3cd694d 100644
		19	--- a/src/xheader.c
		20	+++ b/src/xheader.c
		21	@@ -637,11 +637,11 @@ static struct xhdr_tab const *
		22	locate_handler (char const *keyword)
		23	{
		24	struct xhdr_tab const *p;
		25	-
		26	for (p = xhdr_tab; p->keyword; p++)
		27	if (p->prefix)
		28	{
		29	- if (strncmp (p->keyword, keyword, strlen(p->keyword)) == 0)
		30	+ size_t kwlen = strlen (p->keyword);
		31	+ if (keyword[kwlen] == '.' && strncmp (p->keyword, keyword, kwlen) == 0)
		32	return p;
		33	}
		34	else
		35	@@ -1716,19 +1716,20 @@ xattr_decoder (struct tar_stat_info *st,
		36	char const keyword, char const arg, size_t size)
		37	{
		38	char xstr, xkey;
		39	-
		40	+
		41	/* copy keyword */
		42	- size_t klen_raw = strlen (keyword);
		43	- xkey = alloca (klen_raw + 1);
		44	- memcpy (xkey, keyword, klen_raw + 1) /* including null-terminating */;
		45	+ xkey = xstrdup (keyword);
		46
		47	/* copy value */
		48	- xstr = alloca (size + 1);
		49	+ xstr = xmalloc (size + 1);
		50	memcpy (xstr, arg, size + 1); /* separator included, for GNU tar '\n' */;
		51
		52	xattr_decode_keyword (xkey);
		53
		54	- xheader_xattr_add (st, xkey + strlen("SCHILY.xattr."), xstr, size);
		55	+ xheader_xattr_add (st, xkey + strlen ("SCHILY.xattr."), xstr, size);
		56	+
		57	+ free (xkey);
		58	+ free (xstr);
		59	}
		60
		61	static void
		62	--
		63	cgit v1.1
		64


diff --git a/meta/recipes-extended/tar/tar_1.32.bb b/meta/recipes-extended/tar/tar_1.32.bb index 1246f01256..c560741599 100644 --- a/meta/recipes-extended/tar/tar_1.32.bb +++ b/meta/recipes-extended/tar/tar_1.32.bb
@@ -10,6 +10,7 @@ SRC_URI = "${GNU_MIRROR}/tar/tar-${PV}.tar.bz2 \
10	file://musl_dirent.patch \	10	file://musl_dirent.patch \
11	file://CVE-2021-20193.patch \	11	file://CVE-2021-20193.patch \
12	file://CVE-2022-48303.patch \	12	file://CVE-2022-48303.patch \
		13	file://CVE-2023-39804.patch \
13	"	14	"
14		15
15	SRC_URI[md5sum] = "17917356fff5cb4bd3cd5a6c3e727b05"	16	SRC_URI[md5sum] = "17917356fff5cb4bd3cd5a6c3e727b05"