3 files changed, 240 insertions, 0 deletions
diff --git a/meta/recipes-extended/tar/tar/CVE-2021-20193.patch b/meta/recipes-extended/tar/tar/CVE-2021-20193.patch
new file mode 100644
index 0000000000..89e8e20844
--- /dev/null
+++ b/meta/recipes-extended/tar/tar/CVE-2021-20193.patch
@@ -0,0 +1,133 @@
+From d9d4435692150fa8ff68e1b1a473d187cc3fd777 Mon Sep 17 00:00:00 2001
+From: Sergey Poznyakoff <gray@gnu.org>
+Date: Sun, 17 Jan 2021 20:41:11 +0200
+Subject: Fix memory leak in read_header
+Bug reported in https://savannah.gnu.org/bugs/?59897
+* src/list.c (read_header): Don't return directly from the loop.
+Instead set the status and break.  Return the status.  Free
+next_long_name and next_long_link before returning.
+CVE: CVE-2021-20193
+Upstream-Status: Backport
+[https://git.savannah.gnu.org/cgit/tar.git/patch/?id=d9d4435692150fa8ff68e1b1a473d187cc3fd777]
+Signed-off-by: Anatol Belski <anbelski@linux.microsoft.com>
+---
+ src/list.c | 40 ++++++++++++++++++++++++++++------------
+ 1 file changed, 28 insertions(+), 12 deletions(-)
+diff --git a/src/list.c b/src/list.c
+index e40a5c8..d7ef441 100644
+--- a/src/list.c
+++ b/src/list.c
+@@ -408,26 +408,27 @@ read_header (union block **return_block, struct tar_stat_info *info,
+             enum read_header_mode mode)
+ {
+   union block *header;
+-  union block *header_copy;
+   char *bp;
+   union block *data_block;
+   size_t size, written;
+-  union block *next_long_name = 0;
+-  union block *next_long_link = 0;
+  union block *next_long_name = NULL;
+  union block *next_long_link = NULL;
+   size_t next_long_name_blocks = 0;
+   size_t next_long_link_blocks = 0;
+-
+  enum read_header status = HEADER_SUCCESS;
+  
+   while (1)
+     {
+-      enum read_header status;
+-
+       header = find_next_block ();
+       *return_block = header;
+       if (!header)
+-       return HEADER_END_OF_FILE;
+       {
+         status = HEADER_END_OF_FILE;
+         break;
+       }
+ 
+       if ((status = tar_checksum (header, false)) != HEADER_SUCCESS)
+-       return status;
+       break;
+ 
+       /* Good block.  Decode file size and return.  */
+ 
+@@ -437,7 +438,10 @@ read_header (union block **return_block, struct tar_stat_info *info,
+        {
+          info->stat.st_size = OFF_FROM_HEADER (header->header.size);
+          if (info->stat.st_size < 0)
+-           return HEADER_FAILURE;
+           {
+             status = HEADER_FAILURE;
+             break;
+           }
+        }
+ 
+       if (header->header.typeflag == GNUTYPE_LONGNAME
+@@ -447,10 +451,14 @@ read_header (union block **return_block, struct tar_stat_info *info,
+          || header->header.typeflag == SOLARIS_XHDTYPE)
+        {
+          if (mode == read_header_x_raw)
+-           return HEADER_SUCCESS_EXTENDED;
+           {
+             status = HEADER_SUCCESS_EXTENDED;
+             break;
+           }
+          else if (header->header.typeflag == GNUTYPE_LONGNAME
+                   || header->header.typeflag == GNUTYPE_LONGLINK)
+            {
+             union block *header_copy;
+              size_t name_size = info->stat.st_size;
+              size_t n = name_size % BLOCKSIZE;
+              size = name_size + BLOCKSIZE;
+@@ -517,7 +525,10 @@ read_header (union block **return_block, struct tar_stat_info *info,
+              xheader_decode_global (&xhdr);
+              xheader_destroy (&xhdr);
+              if (mode == read_header_x_global)
+-               return HEADER_SUCCESS_EXTENDED;
+               {
+                 status = HEADER_SUCCESS_EXTENDED;
+                 break;
+               }
+            }
+ 
+          /* Loop!  */
+@@ -536,6 +547,7 @@ read_header (union block **return_block, struct tar_stat_info *info,
+              name = next_long_name->buffer + BLOCKSIZE;
+              recent_long_name = next_long_name;
+              recent_long_name_blocks = next_long_name_blocks;
+             next_long_name = NULL;
+            }
+          else
+            {
+@@ -567,6 +579,7 @@ read_header (union block **return_block, struct tar_stat_info *info,
+              name = next_long_link->buffer + BLOCKSIZE;
+              recent_long_link = next_long_link;
+              recent_long_link_blocks = next_long_link_blocks;
+             next_long_link = NULL;
+            }
+          else
+            {
+@@ -578,9 +591,12 @@ read_header (union block **return_block, struct tar_stat_info *info,
+            }
+          assign_string (&info->link_name, name);
+ 
+-         return HEADER_SUCCESS;
+         break;
+        }
+     }
+  free (next_long_name);
+  free (next_long_link);
+  return status;
+ }
+ 
+ #define ISOCTAL(c) ((c)>='0'&&(c)<='7')
+-- 
+cgit v1.2.1
diff --git a/meta/recipes-extended/tar/tar/CVE-2022-48303.patch b/meta/recipes-extended/tar/tar/CVE-2022-48303.patch
new file mode 100644
index 0000000000..b2f40f3e64
--- /dev/null
+++ b/meta/recipes-extended/tar/tar/CVE-2022-48303.patch
@@ -0,0 +1,43 @@
+From 3da78400eafcccb97e2f2fd4b227ea40d794ede8 Mon Sep 17 00:00:00 2001
+From: Sergey Poznyakoff <gray@gnu.org>
+Date: Sat, 11 Feb 2023 11:57:39 +0200
+Subject: Fix boundary checking in base-256 decoder
+* src/list.c (from_header): Base-256 encoding is at least 2 bytes
+long.
+Upstream-Status: Backport [see reference below]
+CVE: CVE-2022-48303
+Reference to upstream patch:
+https://savannah.gnu.org/bugs/?62387
+https://git.savannah.gnu.org/cgit/tar.git/patch/src/list.c?id=3da78400eafcccb97e2f2fd4b227ea40d794ede8
+Signed-off-by: Rodolfo Quesada Zumbado <rodolfo.zumbado@windriver.com>
+Signed-off-by: Joe Slater <joe.slater@windriver.com>
+---
+ src/list.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)Signed-off-by: Rodolfo Quesada Zumbado <rodolfo.zumbado@windriver.com>
+(limited to 'src/list.c')
+diff --git a/src/list.c b/src/list.c
+index 9fafc42..86bcfdd 100644
+--- a/src/list.c
+++ b/src/list.c
+@@ -881,8 +881,9 @@ from_header (char const *where0, size_t digs, char const *type,
+          where++;
+        }
+     }
+-  else if (*where == '\200' /* positive base-256 */
+-          || *where == '\377' /* negative base-256 */)
+  else if (where <= lim - 2
+          && (*where == '\200' /* positive base-256 */
+              || *where == '\377' /* negative base-256 */))
+     {
+       /* Parse base-256 output.  A nonnegative number N is
+         represented as (256**DIGS)/2 + N; a negative number -N is
+-- 
+cgit v1.1
diff --git a/meta/recipes-extended/tar/tar/CVE-2023-39804.patch b/meta/recipes-extended/tar/tar/CVE-2023-39804.patch
new file mode 100644
index 0000000000..f550928540
--- /dev/null
+++ b/meta/recipes-extended/tar/tar/CVE-2023-39804.patch
@@ -0,0 +1,64 @@
+From a339f05cd269013fa133d2f148d73f6f7d4247e4 Mon Sep 17 00:00:00 2001
+From: Sergey Poznyakoff <gray@gnu.org>
+Date: Sat, 28 Aug 2021 16:02:12 +0300
+Subject: Fix handling of extended header prefixes
+* src/xheader.c (locate_handler): Recognize prefix keywords only
+when followed by a dot.
+(xattr_decoder): Use xmalloc/xstrdup instead of alloc
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/tar.git/commit/?id=a339f05cd269013fa133d2f148d73f6f7d4247e4]
+CVE: CVE-2023-39804
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ src/xheader.c | 17 +++++++++--------
+ 1 file changed, 9 insertions(+), 8 deletions(-)
+diff --git a/src/xheader.c b/src/xheader.c
+index 4f8b2b2..3cd694d 100644
+--- a/src/xheader.c
+++ b/src/xheader.c
+@@ -637,11 +637,11 @@ static struct xhdr_tab const *
+ locate_handler (char const *keyword)
+ {
+   struct xhdr_tab const *p;
+-
+   for (p = xhdr_tab; p->keyword; p++)
+     if (p->prefix)
+       {
+-        if (strncmp (p->keyword, keyword, strlen(p->keyword)) == 0)
+       size_t kwlen = strlen (p->keyword);
+        if (keyword[kwlen] == '.' && strncmp (p->keyword, keyword, kwlen) == 0)
+           return p;
+       }
+     else
+@@ -1716,19 +1716,20 @@ xattr_decoder (struct tar_stat_info *st,
+                char const *keyword, char const *arg, size_t size)
+ {
+   char *xstr, *xkey;
+-
+  
+   /* copy keyword */
+-  size_t klen_raw = strlen (keyword);
+-  xkey = alloca (klen_raw + 1);
+-  memcpy (xkey, keyword, klen_raw + 1) /* including null-terminating */;
+  xkey = xstrdup (keyword);
+ 
+   /* copy value */
+-  xstr = alloca (size + 1);
+  xstr = xmalloc (size + 1);
+   memcpy (xstr, arg, size + 1); /* separator included, for GNU tar '\n' */;
+ 
+   xattr_decode_keyword (xkey);
+ 
+-  xheader_xattr_add (st, xkey + strlen("SCHILY.xattr."), xstr, size);
+  xheader_xattr_add (st, xkey + strlen ("SCHILY.xattr."), xstr, size);
+
+  free (xkey);
+  free (xstr);
+ }
+ 
+ static void
+-- 
+cgit v1.1

diff --git a/meta/recipes-extended/tar/tar/CVE-2021-20193.patch b/meta/recipes-extended/tar/tar/CVE-2021-20193.patch new file mode 100644 index 0000000000..89e8e20844 --- /dev/null +++ b/meta/recipes-extended/tar/tar/CVE-2021-20193.patch
@@ -0,0 +1,133 @@
	1	From d9d4435692150fa8ff68e1b1a473d187cc3fd777 Mon Sep 17 00:00:00 2001
	2	From: Sergey Poznyakoff <gray@gnu.org>
	3	Date: Sun, 17 Jan 2021 20:41:11 +0200
	4	Subject: Fix memory leak in read_header
	5
	6	Bug reported in https://savannah.gnu.org/bugs/?59897
	7
	8	* src/list.c (read_header): Don't return directly from the loop.
	9	Instead set the status and break. Return the status. Free
	10	next_long_name and next_long_link before returning.
	11
	12	CVE: CVE-2021-20193
	13	Upstream-Status: Backport
	14	[https://git.savannah.gnu.org/cgit/tar.git/patch/?id=d9d4435692150fa8ff68e1b1a473d187cc3fd777]
	15	Signed-off-by: Anatol Belski <anbelski@linux.microsoft.com>
	16
	17	---
	18	src/list.c \| 40 ++++++++++++++++++++++++++++------------
	19	1 file changed, 28 insertions(+), 12 deletions(-)
	20
	21	diff --git a/src/list.c b/src/list.c
	22	index e40a5c8..d7ef441 100644
	23	--- a/src/list.c
	24	+++ b/src/list.c
	25	@@ -408,26 +408,27 @@ read_header (union block *return_block, struct tar_stat_info info,
	26	enum read_header_mode mode)
	27	{
	28	union block *header;
	29	- union block *header_copy;
	30	char *bp;
	31	union block *data_block;
	32	size_t size, written;
	33	- union block *next_long_name = 0;
	34	- union block *next_long_link = 0;
	35	+ union block *next_long_name = NULL;
	36	+ union block *next_long_link = NULL;
	37	size_t next_long_name_blocks = 0;
	38	size_t next_long_link_blocks = 0;
	39	-
	40	+ enum read_header status = HEADER_SUCCESS;
	41	+
	42	while (1)
	43	{
	44	- enum read_header status;
	45	-
	46	header = find_next_block ();
	47	*return_block = header;
	48	if (!header)
	49	- return HEADER_END_OF_FILE;
	50	+ {
	51	+ status = HEADER_END_OF_FILE;
	52	+ break;
	53	+ }
	54
	55	if ((status = tar_checksum (header, false)) != HEADER_SUCCESS)
	56	- return status;
	57	+ break;
	58
	59	/* Good block. Decode file size and return. */
	60
	61	@@ -437,7 +438,10 @@ read_header (union block *return_block, struct tar_stat_info info,
	62	{
	63	info->stat.st_size = OFF_FROM_HEADER (header->header.size);
	64	if (info->stat.st_size < 0)
	65	- return HEADER_FAILURE;
	66	+ {
	67	+ status = HEADER_FAILURE;
	68	+ break;
	69	+ }
	70	}
	71
	72	if (header->header.typeflag == GNUTYPE_LONGNAME
	73	@@ -447,10 +451,14 @@ read_header (union block *return_block, struct tar_stat_info info,
	74	\|\| header->header.typeflag == SOLARIS_XHDTYPE)
	75	{
	76	if (mode == read_header_x_raw)
	77	- return HEADER_SUCCESS_EXTENDED;
	78	+ {
	79	+ status = HEADER_SUCCESS_EXTENDED;
	80	+ break;
	81	+ }
	82	else if (header->header.typeflag == GNUTYPE_LONGNAME
	83	\|\| header->header.typeflag == GNUTYPE_LONGLINK)
	84	{
	85	+ union block *header_copy;
	86	size_t name_size = info->stat.st_size;
	87	size_t n = name_size % BLOCKSIZE;
	88	size = name_size + BLOCKSIZE;
	89	@@ -517,7 +525,10 @@ read_header (union block *return_block, struct tar_stat_info info,
	90	xheader_decode_global (&xhdr);
	91	xheader_destroy (&xhdr);
	92	if (mode == read_header_x_global)
	93	- return HEADER_SUCCESS_EXTENDED;
	94	+ {
	95	+ status = HEADER_SUCCESS_EXTENDED;
	96	+ break;
	97	+ }
	98	}
	99
	100	/* Loop! */
	101	@@ -536,6 +547,7 @@ read_header (union block *return_block, struct tar_stat_info info,
	102	name = next_long_name->buffer + BLOCKSIZE;
	103	recent_long_name = next_long_name;
	104	recent_long_name_blocks = next_long_name_blocks;
	105	+ next_long_name = NULL;
	106	}
	107	else
	108	{
	109	@@ -567,6 +579,7 @@ read_header (union block *return_block, struct tar_stat_info info,
	110	name = next_long_link->buffer + BLOCKSIZE;
	111	recent_long_link = next_long_link;
	112	recent_long_link_blocks = next_long_link_blocks;
	113	+ next_long_link = NULL;
	114	}
	115	else
	116	{
	117	@@ -578,9 +591,12 @@ read_header (union block *return_block, struct tar_stat_info info,
	118	}
	119	assign_string (&info->link_name, name);
	120
	121	- return HEADER_SUCCESS;
	122	+ break;
	123	}
	124	}
	125	+ free (next_long_name);
	126	+ free (next_long_link);
	127	+ return status;
	128	}
	129
	130	#define ISOCTAL(c) ((c)>='0'&&(c)<='7')
	131	--
	132	cgit v1.2.1
	133


diff --git a/meta/recipes-extended/tar/tar/CVE-2022-48303.patch b/meta/recipes-extended/tar/tar/CVE-2022-48303.patch new file mode 100644 index 0000000000..b2f40f3e64 --- /dev/null +++ b/meta/recipes-extended/tar/tar/CVE-2022-48303.patch
@@ -0,0 +1,43 @@
	1	From 3da78400eafcccb97e2f2fd4b227ea40d794ede8 Mon Sep 17 00:00:00 2001
	2	From: Sergey Poznyakoff <gray@gnu.org>
	3	Date: Sat, 11 Feb 2023 11:57:39 +0200
	4	Subject: Fix boundary checking in base-256 decoder
	5
	6	* src/list.c (from_header): Base-256 encoding is at least 2 bytes
	7	long.
	8
	9	Upstream-Status: Backport [see reference below]
	10	CVE: CVE-2022-48303
	11
	12	Reference to upstream patch:
	13	https://savannah.gnu.org/bugs/?62387
	14	https://git.savannah.gnu.org/cgit/tar.git/patch/src/list.c?id=3da78400eafcccb97e2f2fd4b227ea40d794ede8
	15
	16	Signed-off-by: Rodolfo Quesada Zumbado <rodolfo.zumbado@windriver.com>
	17	Signed-off-by: Joe Slater <joe.slater@windriver.com>
	18	---
	19	src/list.c \| 5 +++--
	20	1 file changed, 3 insertions(+), 2 deletions(-)Signed-off-by: Rodolfo Quesada Zumbado <rodolfo.zumbado@windriver.com>
	21
	22
	23	(limited to 'src/list.c')
	24
	25	diff --git a/src/list.c b/src/list.c
	26	index 9fafc42..86bcfdd 100644
	27	--- a/src/list.c
	28	+++ b/src/list.c
	29	@@ -881,8 +881,9 @@ from_header (char const where0, size_t digs, char const type,
	30	where++;
	31	}
	32	}
	33	- else if (where == '\200' / positive base-256 */
	34	- \|\| where == '\377' / negative base-256 */)
	35	+ else if (where <= lim - 2
	36	+ && (where == '\200' / positive base-256 */
	37	+ \|\| where == '\377' / negative base-256 */))
	38	{
	39	/* Parse base-256 output. A nonnegative number N is
	40	represented as (256**DIGS)/2 + N; a negative number -N is
	41	--
	42	cgit v1.1
	43


diff --git a/meta/recipes-extended/tar/tar/CVE-2023-39804.patch b/meta/recipes-extended/tar/tar/CVE-2023-39804.patch new file mode 100644 index 0000000000..f550928540 --- /dev/null +++ b/meta/recipes-extended/tar/tar/CVE-2023-39804.patch
@@ -0,0 +1,64 @@
	1	From a339f05cd269013fa133d2f148d73f6f7d4247e4 Mon Sep 17 00:00:00 2001
	2	From: Sergey Poznyakoff <gray@gnu.org>
	3	Date: Sat, 28 Aug 2021 16:02:12 +0300
	4	Subject: Fix handling of extended header prefixes
	5
	6	* src/xheader.c (locate_handler): Recognize prefix keywords only
	7	when followed by a dot.
	8	(xattr_decoder): Use xmalloc/xstrdup instead of alloc
	9
	10	Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/tar.git/commit/?id=a339f05cd269013fa133d2f148d73f6f7d4247e4]
	11	CVE: CVE-2023-39804
	12	Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
	13	---
	14	src/xheader.c \| 17 +++++++++--------
	15	1 file changed, 9 insertions(+), 8 deletions(-)
	16
	17	diff --git a/src/xheader.c b/src/xheader.c
	18	index 4f8b2b2..3cd694d 100644
	19	--- a/src/xheader.c
	20	+++ b/src/xheader.c
	21	@@ -637,11 +637,11 @@ static struct xhdr_tab const *
	22	locate_handler (char const *keyword)
	23	{
	24	struct xhdr_tab const *p;
	25	-
	26	for (p = xhdr_tab; p->keyword; p++)
	27	if (p->prefix)
	28	{
	29	- if (strncmp (p->keyword, keyword, strlen(p->keyword)) == 0)
	30	+ size_t kwlen = strlen (p->keyword);
	31	+ if (keyword[kwlen] == '.' && strncmp (p->keyword, keyword, kwlen) == 0)
	32	return p;
	33	}
	34	else
	35	@@ -1716,19 +1716,20 @@ xattr_decoder (struct tar_stat_info *st,
	36	char const keyword, char const arg, size_t size)
	37	{
	38	char xstr, xkey;
	39	-
	40	+
	41	/* copy keyword */
	42	- size_t klen_raw = strlen (keyword);
	43	- xkey = alloca (klen_raw + 1);
	44	- memcpy (xkey, keyword, klen_raw + 1) /* including null-terminating */;
	45	+ xkey = xstrdup (keyword);
	46
	47	/* copy value */
	48	- xstr = alloca (size + 1);
	49	+ xstr = xmalloc (size + 1);
	50	memcpy (xstr, arg, size + 1); /* separator included, for GNU tar '\n' */;
	51
	52	xattr_decode_keyword (xkey);
	53
	54	- xheader_xattr_add (st, xkey + strlen("SCHILY.xattr."), xstr, size);
	55	+ xheader_xattr_add (st, xkey + strlen ("SCHILY.xattr."), xstr, size);
	56	+
	57	+ free (xkey);
	58	+ free (xstr);
	59	}
	60
	61	static void
	62	--
	63	cgit v1.1
	64