Diffstat (limited to 'meta/recipes-extended/tar/tar')
-rw-r--r-- | meta/recipes-extended/tar/tar/CVE-2021-20193.patch | 133 | ||||
-rw-r--r-- | meta/recipes-extended/tar/tar/CVE-2022-48303.patch | 43 | ||||
-rw-r--r-- | meta/recipes-extended/tar/tar/CVE-2023-39804.patch | 64 |
3 files changed, 240 insertions, 0 deletions
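diff --git a/meta/recipes-extended/tar/tar/CVE-2021-20193.patch b/meta/recipes-extended/tar/tar/CVE-2021-20193.patch
new file mode 100644
index 0000000000..89e8e20844
--- /dev/null
+++ b/meta/recipes-extended/tar/tar/CVE-2021-20193.patch
@@ -0,0 +1,133 @@
+From d9d4435692150fa8ff68e1b1a473d187cc3fd777 Mon Sep 17 00:00:00 2001
+From: Sergey Poznyakoff <gray@gnu.org>
+Date: Sun, 17 Jan 2021 20:41:11 +0200
+Subject: Fix memory leak in read_header
+
+Bug reported in https://savannah.gnu.org/bugs/?59897
+
+* src/list.c (read_header): Don't return directly from the loop.
+Instead set the status and break. Return the status. Free
+next_long_name and next_long_link before returning.
+
+CVE: CVE-2021-20193
+Upstream-Status: Backport
+[https://git.savannah.gnu.org/cgit/tar.git/patch/?id=d9d4435692150fa8ff68e1b1a473d187cc3fd777]
+Signed-off-by: Anatol Belski <anbelski@linux.microsoft.com>
+
+---
+src/list.c | 40 ++++++++++++++++++++++++++++------------
+1 file changed, 28 insertions(+), 12 deletions(-)
+
+diff --git a/src/list.c b/src/list.c
+index e40a5c8..d7ef441 100644
+--- a/src/list.c
++++ b/src/list.c
+@@ -408,26 +408,27 @@ read_header (union block **return_block, struct tar_stat_info *info,
+enum read_header_mode mode)
+{
+union block *header;
+- union block *header_copy;
+char *bp;
+union block *data_block;
+size_t size, written;
+- union block *next_long_name = 0;
+- union block *next_long_link = 0;
++ union block *next_long_name = NULL;
++ union block *next_long_link = NULL;
+size_t next_long_name_blocks = 0;
+size_t next_long_link_blocks = 0;
+-
++ enum read_header status = HEADER_SUCCESS;
++
+while (1)
+{
+- enum read_header status;
+-
+header = find_next_block ();
+*return_block = header;
+if (!header)
+- return HEADER_END_OF_FILE;
++ {
++ status = HEADER_END_OF_FILE;
++ break;
++ }
+
+if ((status = tar_checksum (header, false)) != HEADER_SUCCESS)
+- return status;
++ break;
+
+/* Good block. Decode file size and return. */
+
+@@ -437,7 +438,10 @@ read_header (union block **return_block, struct tar_stat_info *info,
+{
+info->stat.st_size = OFF_FROM_HEADER (header->header.size);
+if (info->stat.st_size < 0)
+- return HEADER_FAILURE;
++ {
++ status = HEADER_FAILURE;
++ break;
++ }
+}
+
+if (header->header.typeflag == GNUTYPE_LONGNAME
+@@ -447,10 +451,14 @@ read_header (union block **return_block, struct tar_stat_info *info,
+|| header->header.typeflag == SOLARIS_XHDTYPE)
+{
+if (mode == read_header_x_raw)
+- return HEADER_SUCCESS_EXTENDED;
++ {
++ status = HEADER_SUCCESS_EXTENDED;
++ break;
++ }
+else if (header->header.typeflag == GNUTYPE_LONGNAME
+|| header->header.typeflag == GNUTYPE_LONGLINK)
+{
++ union block *header_copy;
+size_t name_size = info->stat.st_size;
+size_t n = name_size % BLOCKSIZE;
+size = name_size + BLOCKSIZE;
+@@ -517,7 +525,10 @@ read_header (union block **return_block, struct tar_stat_info *info,
+xheader_decode_global (&xhdr);
+xheader_destroy (&xhdr);
+if (mode == read_header_x_global)
+- return HEADER_SUCCESS_EXTENDED;
++ {
++ status = HEADER_SUCCESS_EXTENDED;
++ break;
++ }
+}
+
+/* Loop! */
+@@ -536,6 +547,7 @@ read_header (union block **return_block, struct tar_stat_info *info,
+name = next_long_name->buffer + BLOCKSIZE;
+recent_long_name = next_long_name;
+recent_long_name_blocks = next_long_name_blocks;
++ next_long_name = NULL;
+}
+else
+{
+@@ -567,6 +579,7 @@ read_header (union block **return_block, struct tar_stat_info *info,
+name = next_long_link->buffer + BLOCKSIZE;
+recent_long_link = next_long_link;
+recent_long_link_blocks = next_long_link_blocks;
++ next_long_link = NULL;
+}
+else
+{
+@@ -578,9 +591,12 @@ read_header (union block **return_block, struct tar_stat_info *info,
+}
+assign_string (&info->link_name, name);
+
+- return HEADER_SUCCESS;
++ break;
+}
+}
++ free (next_long_name);
++ free (next_long_link);
++ return status;
+}
+
+#define ISOCTAL(c) ((c)>='0'&&(c)<='7')
+--
+cgit v1.2.1
+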
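Review bot: The two one-line hunks at `@@ -536,6 +547,7 @@` and `@@ -567,6 +579,7 @@` are what make the new `free (next_long_name); free (next_long_link);` at the end of the function safe, and nothing in the code says so. By that point `recent_long_name` / `recent_long_link` have been assigned the same buffer, so if either `= NULL` line is dropped or lands in the wrong place when the patch is applied to a different tar version, the final `free` releases memory those pointers still reference. I would add a comment on each, e.g. `/* ownership moved to recent_long_name; must not be freed at function exit */`, and check the do_patch log for fuzz or offset warnings on these hunks. read_header starts and ends outside the individual hunks, so the code between them is not visible here. The diffstat is limited to the `tar/tar` directory, so the recipe change that lists these files in SRC_URI is not shown; none of the three fixes takes effect without it.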
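diff --git a/meta/recipes-extended/tar/tar/CVE-2022-48303.patch b/meta/recipes-extended/tar/tar/CVE-2022-48303.patch
new file mode 100644
index 0000000000..b2f40f3e64
--- /dev/null
+++ b/meta/recipes-extended/tar/tar/CVE-2022-48303.patch
@@ -0,0 +1,43 @@
+From 3da78400eafcccb97e2f2fd4b227ea40d794ede8 Mon Sep 17 00:00:00 2001
+From: Sergey Poznyakoff <gray@gnu.org>
+Date: Sat, 11 Feb 2023 11:57:39 +0200
+Subject: Fix boundary checking in base-256 decoder
+
+* src/list.c (from_header): Base-256 encoding is at least 2 bytes
+long.
+
+Upstream-Status: Backport [see reference below]
+CVE: CVE-2022-48303
+
+Reference to upstream patch:
+https://savannah.gnu.org/bugs/?62387
+https://git.savannah.gnu.org/cgit/tar.git/patch/src/list.c?id=3da78400eafcccb97e2f2fd4b227ea40d794ede8
+
+Signed-off-by: Rodolfo Quesada Zumbado <rodolfo.zumbado@windriver.com>
+Signed-off-by: Joe Slater <joe.slater@windriver.com>
+---
+src/list.c | 5 +++--
+1 file changed, 3 insertions(+), 2 deletions(-)Signed-off-by: Rodolfo Quesada Zumbado <rodolfo.zumbado@windriver.com>
+
+
+(limited to 'src/list.c')
+
+diff --git a/src/list.c b/src/list.c
+index 9fafc42..86bcfdd 100644
+--- a/src/list.c
++++ b/src/list.c
+@@ -881,8 +881,9 @@ from_header (char const *where0, size_t digs, char const *type,
+where++;
+}
+}
+- else if (*where == '\200' /* positive base-256 */
+- || *where == '\377' /* negative base-256 */)
++ else if (where <= lim - 2
++ && (*where == '\200' /* positive base-256 */
++ || *where == '\377' /* negative base-256 */))
+{
+/* Parse base-256 output. A nonnegative number N is
+represented as (256**DIGS)/2 + N; a negative number -N is
+--
+cgit v1.1
+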
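Review bot: The patch header contains text that does not belong to the upstream commit: the diffstat line is fused with a second `Signed-off-by: Rodolfo Quesada Zumbado` and is followed by `(limited to 'src/list.c')`, which suggests it was copied from the cgit web view rather than exported from git. `patch` skips this text, but it makes the backport harder to compare with commit 3da78400eafcccb97e2f2fd4b227ea40d794ede8 and gives less confidence that whitespace in the hunk survived the copy; I would regenerate the file from the raw patch URL already cited in the header. On the code side, the new guard `where <= lim - 2` depends on `lim`, which is set outside the hunk, so it is worth confirming in the target tar version that a field holding only `\200` or `\377` now falls through to a branch that does not read past `lim`.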
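diff --git a/meta/recipes-extended/tar/tar/CVE-2023-39804.patch b/meta/recipes-extended/tar/tar/CVE-2023-39804.patch
new file mode 100644
index 0000000000..f550928540
--- /dev/null
+++ b/meta/recipes-extended/tar/tar/CVE-2023-39804.patch
@@ -0,0 +1,64 @@
+From a339f05cd269013fa133d2f148d73f6f7d4247e4 Mon Sep 17 00:00:00 2001
+From: Sergey Poznyakoff <gray@gnu.org>
+Date: Sat, 28 Aug 2021 16:02:12 +0300
+Subject: Fix handling of extended header prefixes
+
+* src/xheader.c (locate_handler): Recognize prefix keywords only
+when followed by a dot.
+(xattr_decoder): Use xmalloc/xstrdup instead of alloc
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/tar.git/commit/?id=a339f05cd269013fa133d2f148d73f6f7d4247e4]
+CVE: CVE-2023-39804
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+src/xheader.c | 17 +++++++++--------
+1 file changed, 9 insertions(+), 8 deletions(-)
+
+diff --git a/src/xheader.c b/src/xheader.c
+index 4f8b2b2..3cd694d 100644
+--- a/src/xheader.c
++++ b/src/xheader.c
+@@ -637,11 +637,11 @@ static struct xhdr_tab const *
+locate_handler (char const *keyword)
+{
+struct xhdr_tab const *p;
+-
+for (p = xhdr_tab; p->keyword; p++)
+if (p->prefix)
+{
+- if (strncmp (p->keyword, keyword, strlen(p->keyword)) == 0)
++ size_t kwlen = strlen (p->keyword);
++ if (keyword[kwlen] == '.' && strncmp (p->keyword, keyword, kwlen) == 0)
+return p;
+}
+else
+@@ -1716,19 +1716,20 @@ xattr_decoder (struct tar_stat_info *st,
+char const *keyword, char const *arg, size_t size)
+{
+char *xstr, *xkey;
+-
++
+/* copy keyword */
+- size_t klen_raw = strlen (keyword);
+- xkey = alloca (klen_raw + 1);
+- memcpy (xkey, keyword, klen_raw + 1) /* including null-terminating */;
++ xkey = xstrdup (keyword);
+
+/* copy value */
+- xstr = alloca (size + 1);
++ xstr = xmalloc (size + 1);
+memcpy (xstr, arg, size + 1); /* separator included, for GNU tar '\n' */;
+
+xattr_decode_keyword (xkey);
+
+- xheader_xattr_add (st, xkey + strlen("SCHILY.xattr."), xstr, size);
++ xheader_xattr_add (st, xkey + strlen ("SCHILY.xattr."), xstr, size);
++
++ free (xkey);
++ free (xstr);
+}
+
+static void
+--
+cgit v1.1
+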
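Review bot: In `locate_handler` the new condition reads `keyword[kwlen]` before `strncmp` has established that `keyword` is at least `kwlen` characters long, so for a keyword shorter than the table entry the index is past its terminating NUL. Whether that byte always lies inside the caller's buffer cannot be seen from this hunk. Swapping the operands removes the question, because a successful `strncmp` over `kwlen` bytes guarantees the index is in range: `if (strncmp (p->keyword, keyword, kwlen) == 0 && keyword[kwlen] == '.')`. That would diverge from upstream commit a339f05cd269013fa133d2f148d73f6f7d4247e4, so it is better proposed upstream or carried as a separate follow-up patch than folded silently into this backport. The `else` branch of locate_handler continues outside the hunk.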