* [bug#74008] [PATCH] gnu: libtar: Patch CVEs. [security fixes]
@ 2024-10-25 7:39 Nicolas Graves via Guix-patches via
2024-10-28 9:10 ` bug#74008: Close Andreas Enge
0 siblings, 1 reply; 2+ messages in thread
From: Nicolas Graves via Guix-patches via @ 2024-10-25 7:39 UTC (permalink / raw)
To: 74008; +Cc: Nicolas Graves
This fixes CVE-2021-33643, CVE-2021-33644, CVE-2021-33645,
CVE-2021-33646.
* gnu/packages/compression.scm (libtar)
[source]<patches>: Add patches here...
* gnu/local.mk: ...here...
* gnu/packages/patches/: ... and here.
---
gnu/local.mk | 2 +
gnu/packages/compression.scm | 5 +-
...libtar-CVE-2021-33643-CVE-2021-33644.patch | 91 ++++++++++++++
...libtar-CVE-2021-33645-CVE-2021-33646.patch | 119 ++++++++++++++++++
4 files changed, 216 insertions(+), 1 deletion(-)
create mode 100644 gnu/packages/patches/libtar-CVE-2021-33643-CVE-2021-33644.patch
create mode 100644 gnu/packages/patches/libtar-CVE-2021-33645-CVE-2021-33646.patch
diff --git a/gnu/local.mk b/gnu/local.mk
index 89a795bfbd..a33550dc99 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1698,6 +1698,8 @@ dist_patch_DATA = \
%D%/packages/patches/libquicktime-ffmpeg.patch \
%D%/packages/patches/libsepol-versioned-docbook.patch \
%D%/packages/patches/libtar-CVE-2013-4420.patch \
+ %D%/packages/patches/libtar-CVE-2021-33643-CVE-2021-33644.patch \
+ %D%/packages/patches/libtar-CVE-2021-33645-CVE-2021-33646.patch \
%D%/packages/patches/libtgvoip-disable-sse2.patch \
%D%/packages/patches/libtgvoip-disable-webrtc.patch \
%D%/packages/patches/libtheora-config-guess.patch \
diff --git a/gnu/packages/compression.scm b/gnu/packages/compression.scm
index b07a21432c..4a82c27c09 100644
--- a/gnu/packages/compression.scm
+++ b/gnu/packages/compression.scm
@@ -240,7 +240,10 @@ (define-public libtar
(sha256
(base32
"02cihzl77ia0dcz7z2cga2412vyhhs5pa2355q4wpwbyga2lrwjh"))
- (patches (search-patches "libtar-CVE-2013-4420.patch"))))
+ (patches
+ (search-patches "libtar-CVE-2013-4420.patch"
+ "libtar-CVE-2021-33643-CVE-2021-33644.patch"
+ "libtar-CVE-2021-33645-CVE-2021-33646.patch"))))
(build-system gnu-build-system)
(arguments `(#:tests? #f)) ; no "check" target
(native-inputs
diff --git a/gnu/packages/patches/libtar-CVE-2021-33643-CVE-2021-33644.patch b/gnu/packages/patches/libtar-CVE-2021-33643-CVE-2021-33644.patch
new file mode 100644
index 0000000000..d049204338
--- /dev/null
+++ b/gnu/packages/patches/libtar-CVE-2021-33643-CVE-2021-33644.patch
@@ -0,0 +1,91 @@
+From 8b0aae25e85fafcf65545dbdbd1a42a183485a91 Mon Sep 17 00:00:00 2001
+From: Kamil Dudka <kdudka@redhat.com>
+Date: Aug 26 2022 13:55:09 +0000
+Subject: fix out-of-bounds read in gnu_long{name,link}
+
+
+Resolves: CVE-2021-33643
+Resolves: CVE-2021-33644
+
+---
+
+diff --git a/libtar-1.2.20-CVE-2021-33643-CVE-2021-33644.patch b/libtar-1.2.20-CVE-2021-33643-CVE-2021-33644.patch
+new file mode 100644
+index 0000000..f6692c3
+--- /dev/null
++++ b/libtar-1.2.20-CVE-2021-33643-CVE-2021-33644.patch
+@@ -0,0 +1,40 @@
++From 3936c7aa74d89e7a91dfbb2c1b7bfcad58a0355d Mon Sep 17 00:00:00 2001
++From: shixuantong <1726671442@qq.com>
++Date: Wed, 6 Apr 2022 17:40:57 +0800
++Subject: [PATCH 1/2] Ensure that sz is greater than 0.
++
++---
++ lib/block.c | 10 ++++++++++
++ 1 file changed, 10 insertions(+)
++
++diff --git a/lib/block.c b/lib/block.c
++index 092bc28..f12c4bc 100644
++--- a/lib/block.c
+++++ b/lib/block.c
++@@ -118,6 +118,11 @@ th_read(TAR *t)
++ if (TH_ISLONGLINK(t))
++ {
++ sz = th_get_size(t);
+++ if ((int)sz <= 0)
+++ {
+++ errno = EINVAL;
+++ return -1;
+++ }
++ blocks = (sz / T_BLOCKSIZE) + (sz % T_BLOCKSIZE ? 1 : 0);
++ if (blocks > ((size_t)-1 / T_BLOCKSIZE))
++ {
++@@ -168,6 +173,11 @@ th_read(TAR *t)
++ if (TH_ISLONGNAME(t))
++ {
++ sz = th_get_size(t);
+++ if ((int)sz <= 0)
+++ {
+++ errno = EINVAL;
+++ return -1;
+++ }
++ blocks = (sz / T_BLOCKSIZE) + (sz % T_BLOCKSIZE ? 1 : 0);
++ if (blocks > ((size_t)-1 / T_BLOCKSIZE))
++ {
++--
++2.37.1
++
+diff --git a/libtar.spec b/libtar.spec
+index ffa5512..89b33f5 100644
+--- a/libtar.spec
++++ b/libtar.spec
+@@ -1,7 +1,7 @@
+ Summary: Tar file manipulation API
+ Name: libtar
+ Version: 1.2.20
+-Release: 24%{?dist}
++Release: 25%{?dist}
+ License: MIT
+ URL: http://repo.or.cz/libtar.git
+ Source: http://repo.or.cz/libtar.git/snapshot/refs/tags/v1.2.20.tar.gz#/libtar-v1.2.20.tar.gz
+@@ -14,6 +14,9 @@ Patch7: libtar-1.2.20-no-static-buffer.patch
+ # fix programming mistakes detected by static analysis
+ Patch8: libtar-1.2.20-static-analysis.patch
+
++# fix out-of-bounds read in gnu_long{name,link} (CVE-2021-33643 CVE-2021-33644)
++Patch9: libtar-1.2.20-CVE-2021-33643-CVE-2021-33644.patch
++
+ BuildRequires: libtool
+ BuildRequires: make
+ BuildRequires: zlib-devel
+@@ -72,6 +75,9 @@ rm $RPM_BUILD_ROOT%{_libdir}/*.la
+
+
+ %changelog
++* Fri Aug 26 2022 Kamil Dudka <kdudka@redhat.com> - 1.2.20-25
++- fix out-of-bounds read in gnu_long{name,link} (CVE-2021-33643 CVE-2021-33644)
++
+ * Thu Jul 21 2022 Fedora Release Engineering <releng@fedoraproject.org> - 1.2.20-24
+ - Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
+
+
diff --git a/gnu/packages/patches/libtar-CVE-2021-33645-CVE-2021-33646.patch b/gnu/packages/patches/libtar-CVE-2021-33645-CVE-2021-33646.patch
new file mode 100644
index 0000000000..86d5124953
--- /dev/null
+++ b/gnu/packages/patches/libtar-CVE-2021-33645-CVE-2021-33646.patch
@@ -0,0 +1,119 @@
+From 3c7b1fd9bb63d74ecd38b71ffc876dca3ac87a8b Mon Sep 17 00:00:00 2001
+From: shixuantong <shixuantong@h-partners.com>
+Date: Sat, 7 May 2022 17:04:46 +0800
+Subject: [PATCH 2/2] fix memory leak
+
+---
+ lib/libtar.h | 1 +
+ lib/util.c | 9 ++++++++-
+ lib/wrapper.c | 11 +++++++++++
+ libtar/libtar.c | 3 +++
+ 4 files changed, 23 insertions(+), 1 deletion(-)
+
+diff --git a/lib/libtar.h b/lib/libtar.h
+index 08a8e0f..8b00e93 100644
+--- a/lib/libtar.h
++++ b/lib/libtar.h
+@@ -285,6 +285,7 @@ int oct_to_int(char *oct);
+ /* integer to string-octal conversion, no NULL */
+ void int_to_oct_nonull(int num, char *oct, size_t octlen);
+
++void free_longlink_longname(struct tar_header th_buf);
+
+ /***** wrapper.c **********************************************************/
+
+diff --git a/lib/util.c b/lib/util.c
+index 11438ef..8a42e62 100644
+--- a/lib/util.c
++++ b/lib/util.c
+@@ -15,6 +15,7 @@
+ #include <stdio.h>
+ #include <sys/param.h>
+ #include <errno.h>
++#include <stdlib.h>
+
+ #ifdef STDC_HEADERS
+ # include <string.h>
+@@ -160,4 +161,10 @@ int_to_oct_nonull(int num, char *oct, size_t octlen)
+ oct[octlen - 1] = ' ';
+ }
+
+-
++void free_longlink_longname(struct tar_header th_buf)
++{
++ if (th_buf.gnu_longname != NULL)
++ free(th_buf.gnu_longname);
++ if (th_buf.gnu_longlink !=NULL)
++ free(th_buf.gnu_longlink);
++}
+diff --git a/lib/wrapper.c b/lib/wrapper.c
+index 2d3f5b9..9d2f3bf 100644
+--- a/lib/wrapper.c
++++ b/lib/wrapper.c
+@@ -36,7 +36,10 @@ tar_extract_glob(TAR *t, char *globname, char *prefix)
+ if (fnmatch(globname, filename, FNM_PATHNAME | FNM_PERIOD))
+ {
+ if (TH_ISREG(t) && tar_skip_regfile(t))
++ {
++ free_longlink_longname(t->th_buf);
+ return -1;
++ }
+ continue;
+ }
+ if (t->options & TAR_VERBOSE)
+@@ -46,9 +49,13 @@ tar_extract_glob(TAR *t, char *globname, char *prefix)
+ else
+ strlcpy(buf, filename, sizeof(buf));
+ if (tar_extract_file(t, buf) != 0)
++ {
++ free_longlink_longname(t->th_buf);
+ return -1;
++ }
+ }
+
++ free_longlink_longname(t->th_buf);
+ return (i == 1 ? 0 : -1);
+ }
+
+@@ -82,9 +89,13 @@ tar_extract_all(TAR *t, char *prefix)
+ "\"%s\")\n", buf);
+ #endif
+ if (tar_extract_file(t, buf) != 0)
++ {
++ free_longlink_longname(t->th_buf);
+ return -1;
++ }
+ }
+
++ free_longlink_longname(t->th_buf);
+ return (i == 1 ? 0 : -1);
+ }
+
+diff --git a/libtar/libtar.c b/libtar/libtar.c
+index ac339e7..b992abb 100644
+--- a/libtar/libtar.c
++++ b/libtar/libtar.c
+@@ -197,6 +197,7 @@ list(char *tarfile)
+ {
+ fprintf(stderr, "tar_skip_regfile(): %s\n",
+ strerror(errno));
++ free_longlink_longname(t->th_buf);
+ return -1;
+ }
+ }
+@@ -218,10 +219,12 @@ list(char *tarfile)
+
+ if (tar_close(t) != 0)
+ {
++ free_longlink_longname(t->th_buf);
+ fprintf(stderr, "tar_close(): %s\n", strerror(errno));
+ return -1;
+ }
+
++ free_longlink_longname(t->th_buf);
+ return 0;
+ }
+
+--
+2.37.1
+
--
2.46.0
^ permalink raw reply related [flat|nested] 2+ messages in thread
* bug#74008: Close
2024-10-25 7:39 [bug#74008] [PATCH] gnu: libtar: Patch CVEs. [security fixes] Nicolas Graves via Guix-patches via
@ 2024-10-28 9:10 ` Andreas Enge
0 siblings, 0 replies; 2+ messages in thread
From: Andreas Enge @ 2024-10-28 9:10 UTC (permalink / raw)
To: 74008-done
Part of one patch changes a libtar.spec file, which is, I suppose, Fedora
specific; it did not apply to our source code. After removing the hunk,
the package builds. I have pushed the commit.
I wonder if this is not actually a good candidate for removal: last commit
in the official repo since 2013, no dependencies.
What do you think?
Andreas
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2024-10-28 9:12 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2024-10-25 7:39 [bug#74008] [PATCH] gnu: libtar: Patch CVEs. [security fixes] Nicolas Graves via Guix-patches via
2024-10-28 9:10 ` bug#74008: Close Andreas Enge
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/guix.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).