diff options
Diffstat (limited to 'meta/recipes-extended/tar/tar/CVE-2021-20193.patch')
-rw-r--r-- | meta/recipes-extended/tar/tar/CVE-2021-20193.patch | 133 |
1 files changed, 133 insertions, 0 deletions
diff --git a/meta/recipes-extended/tar/tar/CVE-2021-20193.patch b/meta/recipes-extended/tar/tar/CVE-2021-20193.patch new file mode 100644 index 0000000000..89e8e20844 --- /dev/null +++ b/meta/recipes-extended/tar/tar/CVE-2021-20193.patch | |||
@@ -0,0 +1,133 @@ | |||
1 | From d9d4435692150fa8ff68e1b1a473d187cc3fd777 Mon Sep 17 00:00:00 2001 | ||
2 | From: Sergey Poznyakoff <gray@gnu.org> | ||
3 | Date: Sun, 17 Jan 2021 20:41:11 +0200 | ||
4 | Subject: Fix memory leak in read_header | ||
5 | |||
6 | Bug reported in https://savannah.gnu.org/bugs/?59897 | ||
7 | |||
8 | * src/list.c (read_header): Don't return directly from the loop. | ||
9 | Instead set the status and break. Return the status. Free | ||
10 | next_long_name and next_long_link before returning. | ||
11 | |||
12 | CVE: CVE-2021-20193 | ||
13 | Upstream-Status: Backport | ||
14 | [https://git.savannah.gnu.org/cgit/tar.git/patch/?id=d9d4435692150fa8ff68e1b1a473d187cc3fd777] | ||
15 | Signed-off-by: Anatol Belski <anbelski@linux.microsoft.com> | ||
16 | |||
17 | --- | ||
18 | src/list.c | 40 ++++++++++++++++++++++++++++------------ | ||
19 | 1 file changed, 28 insertions(+), 12 deletions(-) | ||
20 | |||
21 | diff --git a/src/list.c b/src/list.c | ||
22 | index e40a5c8..d7ef441 100644 | ||
23 | --- a/src/list.c | ||
24 | +++ b/src/list.c | ||
25 | @@ -408,26 +408,27 @@ read_header (union block **return_block, struct tar_stat_info *info, | ||
26 | enum read_header_mode mode) | ||
27 | { | ||
28 | union block *header; | ||
29 | - union block *header_copy; | ||
30 | char *bp; | ||
31 | union block *data_block; | ||
32 | size_t size, written; | ||
33 | - union block *next_long_name = 0; | ||
34 | - union block *next_long_link = 0; | ||
35 | + union block *next_long_name = NULL; | ||
36 | + union block *next_long_link = NULL; | ||
37 | size_t next_long_name_blocks = 0; | ||
38 | size_t next_long_link_blocks = 0; | ||
39 | - | ||
40 | + enum read_header status = HEADER_SUCCESS; | ||
41 | + | ||
42 | while (1) | ||
43 | { | ||
44 | - enum read_header status; | ||
45 | - | ||
46 | header = find_next_block (); | ||
47 | *return_block = header; | ||
48 | if (!header) | ||
49 | - return HEADER_END_OF_FILE; | ||
50 | + { | ||
51 | + status = HEADER_END_OF_FILE; | ||
52 | + break; | ||
53 | + } | ||
54 | |||
55 | if ((status = tar_checksum (header, false)) != HEADER_SUCCESS) | ||
56 | - return status; | ||
57 | + break; | ||
58 | |||
59 | /* Good block. Decode file size and return. */ | ||
60 | |||
61 | @@ -437,7 +438,10 @@ read_header (union block **return_block, struct tar_stat_info *info, | ||
62 | { | ||
63 | info->stat.st_size = OFF_FROM_HEADER (header->header.size); | ||
64 | if (info->stat.st_size < 0) | ||
65 | - return HEADER_FAILURE; | ||
66 | + { | ||
67 | + status = HEADER_FAILURE; | ||
68 | + break; | ||
69 | + } | ||
70 | } | ||
71 | |||
72 | if (header->header.typeflag == GNUTYPE_LONGNAME | ||
73 | @@ -447,10 +451,14 @@ read_header (union block **return_block, struct tar_stat_info *info, | ||
74 | || header->header.typeflag == SOLARIS_XHDTYPE) | ||
75 | { | ||
76 | if (mode == read_header_x_raw) | ||
77 | - return HEADER_SUCCESS_EXTENDED; | ||
78 | + { | ||
79 | + status = HEADER_SUCCESS_EXTENDED; | ||
80 | + break; | ||
81 | + } | ||
82 | else if (header->header.typeflag == GNUTYPE_LONGNAME | ||
83 | || header->header.typeflag == GNUTYPE_LONGLINK) | ||
84 | { | ||
85 | + union block *header_copy; | ||
86 | size_t name_size = info->stat.st_size; | ||
87 | size_t n = name_size % BLOCKSIZE; | ||
88 | size = name_size + BLOCKSIZE; | ||
89 | @@ -517,7 +525,10 @@ read_header (union block **return_block, struct tar_stat_info *info, | ||
90 | xheader_decode_global (&xhdr); | ||
91 | xheader_destroy (&xhdr); | ||
92 | if (mode == read_header_x_global) | ||
93 | - return HEADER_SUCCESS_EXTENDED; | ||
94 | + { | ||
95 | + status = HEADER_SUCCESS_EXTENDED; | ||
96 | + break; | ||
97 | + } | ||
98 | } | ||
99 | |||
100 | /* Loop! */ | ||
101 | @@ -536,6 +547,7 @@ read_header (union block **return_block, struct tar_stat_info *info, | ||
102 | name = next_long_name->buffer + BLOCKSIZE; | ||
103 | recent_long_name = next_long_name; | ||
104 | recent_long_name_blocks = next_long_name_blocks; | ||
105 | + next_long_name = NULL; | ||
106 | } | ||
107 | else | ||
108 | { | ||
109 | @@ -567,6 +579,7 @@ read_header (union block **return_block, struct tar_stat_info *info, | ||
110 | name = next_long_link->buffer + BLOCKSIZE; | ||
111 | recent_long_link = next_long_link; | ||
112 | recent_long_link_blocks = next_long_link_blocks; | ||
113 | + next_long_link = NULL; | ||
114 | } | ||
115 | else | ||
116 | { | ||
117 | @@ -578,9 +591,12 @@ read_header (union block **return_block, struct tar_stat_info *info, | ||
118 | } | ||
119 | assign_string (&info->link_name, name); | ||
120 | |||
121 | - return HEADER_SUCCESS; | ||
122 | + break; | ||
123 | } | ||
124 | } | ||
125 | + free (next_long_name); | ||
126 | + free (next_long_link); | ||
127 | + return status; | ||
128 | } | ||
129 | |||
130 | #define ISOCTAL(c) ((c)>='0'&&(c)<='7') | ||
131 | -- | ||
132 | cgit v1.2.1 | ||
133 | |||