From patchwork Fri Oct 25 07:39:45 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Nicolas Graves X-Patchwork-Id: 69443 Return-Path: X-Original-To: patchwork@mira.cbaines.net Delivered-To: patchwork@mira.cbaines.net Received: by mira.cbaines.net (Postfix, from userid 113) id 6E4C627BBEA; Fri, 25 Oct 2024 08:42:58 +0100 (BST) X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on mira.cbaines.net X-Spam-Level: X-Spam-Status: No, score=-6.4 required=5.0 tests=BAYES_00,DKIM_INVALID, DKIM_SIGNED,MAILING_LIST_MULTI,RCVD_IN_DNSWL_BLOCKED, RCVD_IN_VALIDITY_CERTIFIED,RCVD_IN_VALIDITY_RPBL,RCVD_IN_VALIDITY_SAFE, SPF_HELO_PASS,URIBL_BLOCKED autolearn=ham autolearn_force=no version=3.4.6 Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mira.cbaines.net (Postfix) with ESMTPS id BF0B727BBE2 for ; Fri, 25 Oct 2024 08:42:56 +0100 (BST) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1t4Exs-00031S-Ph; Fri, 25 Oct 2024 03:42:32 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1t4Exq-00030w-NU for guix-patches@gnu.org; Fri, 25 Oct 2024 03:42:30 -0400 Received: from debbugs.gnu.org ([2001:470:142:5::43]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from ) id 1t4Exq-000613-Ev for guix-patches@gnu.org; Fri, 25 Oct 2024 03:42:30 -0400 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=debbugs.gnu.org; s=debbugs-gnu-org; h=MIME-Version:Date:From:To:Subject; bh=T0yq9lmIFAVq8TFGbuEeK3TgnJYQ+iOIGxXqyflDTlY=; b=RHiGmcoc4sDjpxiNz8lQG/9H8pRgKNak8E7Ynhu6NB9cw8IWqEddTaDH3m/y6DwIMQ9wQnkr/TqUmSgLTWB1q8ruCgQsSKjCMXMrnKPxw0muBk2IlB+V1B8mMtAqa6rspGGMDU8v+oGQH5TYLwSHd+SbOasrK0Ta/ZmAOAQBZKmVuuvHxJkPFfGd9V7R/qqYL99z2yxIHsmb95fmlKxJt9KLkZjAhZoVzmBHghdzUsUodviIfabcEsTzMIrTh/cHpeZsCiw2gCe4neWJs1L4MKcxeWzzzEf+m5ZhR1Wb/6efAWEB6DVIrMTM3msWHSYXzLvvghkNix0yEGBzRElY0w==; Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2) (envelope-from ) id 1t4EyM-0004yL-1h for guix-patches@gnu.org; Fri, 25 Oct 2024 03:43:02 -0400 X-Loop: help-debbugs@gnu.org Subject: [bug#74008] [PATCH] gnu: libtar: Patch CVEs. [security fixes] Resent-From: Nicolas Graves Original-Sender: "Debbugs-submit" Resent-CC: guix-patches@gnu.org Resent-Date: Fri, 25 Oct 2024 07:43:01 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: report 74008 X-GNU-PR-Package: guix-patches X-GNU-PR-Keywords: patch To: 74008@debbugs.gnu.org Cc: Nicolas Graves X-Debbugs-Original-To: guix-patches@gnu.org Received: via spool by submit@debbugs.gnu.org id=B.172984217219087 (code B ref -1); Fri, 25 Oct 2024 07:43:01 +0000 Received: (at submit) by debbugs.gnu.org; 25 Oct 2024 07:42:52 +0000 Received: from localhost ([127.0.0.1]:37150 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1t4EyB-0004xm-De for submit@debbugs.gnu.org; Fri, 25 Oct 2024 03:42:52 -0400 Received: from lists.gnu.org ([209.51.188.17]:48960) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1t4Ey9-0004xb-0g for submit@debbugs.gnu.org; Fri, 25 Oct 2024 03:42:50 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1t4EvR-0002Lb-BP for guix-patches@gnu.org; Fri, 25 Oct 2024 03:40:01 -0400 Received: from 3.mo560.mail-out.ovh.net ([46.105.58.226]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1t4EvN-0005ZA-BK for guix-patches@gnu.org; Fri, 25 Oct 2024 03:40:01 -0400 Received: from director8.ghost.mail-out.ovh.net (unknown [10.108.25.4]) by mo560.mail-out.ovh.net (Postfix) with ESMTP id 4XZZS86CgPz1ZgS for ; Fri, 25 Oct 2024 07:39:52 +0000 (UTC) Received: from ghost-submission-5b5ff79f4f-t9fw4 (unknown [10.108.54.44]) by director8.ghost.mail-out.ovh.net (Postfix) with ESMTPS id 30DA71FDF8; Fri, 25 Oct 2024 07:39:51 +0000 (UTC) Received: from ngraves.fr ([37.59.142.110]) by ghost-submission-5b5ff79f4f-t9fw4 with ESMTPSA id XFpoHUdLG2cZGAAAdiybNg (envelope-from ); Fri, 25 Oct 2024 07:39:51 +0000 Authentication-Results: garm.ovh; auth=pass (GARM-110S004b3924090-775e-4716-a69d-031d12f0aac7, 5EE14B5C4448DA89B06CB3C74449DFBF0D417FAC) smtp.auth=ngraves@ngraves.fr X-OVh-ClientIp: 86.246.19.221 Date: Fri, 25 Oct 2024 09:39:45 +0200 Message-ID: <20241025073947.9242-1-ngraves@ngraves.fr> X-Mailer: git-send-email 2.46.0 MIME-Version: 1.0 X-Ovh-Tracer-Id: 5424585754121396962 X-VR-SPAMSTATE: OK X-VR-SPAMSCORE: 0 X-VR-SPAMCAUSE: gggruggvucftvghtrhhoucdtuddrgeeftddrvdejuddguddvvdcutefuodetggdotefrodftvfcurfhrohhfihhlvgemucfqggfjpdevjffgvefmvefgnecuuegrihhlohhuthemucehtddtnecunecujfgurhephffvvefufffkofgggfestdekredtredttdenucfhrhhomheppfhitgholhgrshcuifhrrghvvghsuceonhhgrhgrvhgvshesnhhgrhgrvhgvshdrfhhrqeenucggtffrrghtthgvrhhnpedvveetheeffffhhfffkeegfeffveegkeduvdelveefheelffeiiedvleekgfekheenucffohhmrghinhepohhrrdgtiidpfhgvughorhgrphhrohhjvggtthdrohhrghenucfkphepuddvjedrtddrtddruddpkeeirddvgeeirdduledrvddvuddpfeejrdehledrudegvddruddutdenucevlhhushhtvghrufhiiigvpedtnecurfgrrhgrmhepihhnvghtpeduvdejrddtrddtrddupdhmrghilhhfrhhomhepnhhgrhgrvhgvshesnhhgrhgrvhgvshdrfhhrpdhnsggprhgtphhtthhopedupdhrtghpthhtohepghhuihigqdhprghttghhvghssehgnhhurdhorhhgpdfovfetjfhoshhtpehmohehiedtpdhmohguvgepshhmthhpohhuth DKIM-Signature: a=rsa-sha256; bh=T0yq9lmIFAVq8TFGbuEeK3TgnJYQ+iOIGxXqyflDTlY=; c=relaxed/relaxed; d=ngraves.fr; h=From; s=ovhmo4487190-selector1; t=1729841993; v=1; b=5dwd8iwXiQpprkh63qjsAmQtrN9InnTiIwoWwsqc7EtH/p6quaqwv8GHB+veFKAOJTGOuHe2 4+QMPDhpdgqSJXHqLJHeuBW0gkwPkdQpHUmI6SQx/0LpVYB32H/SuJJWz+5hxKBfJBrBg/bEh4N WI14eJOC7oOuiVtCmC0tgJmdgmINIxrvafMrZmzJ+R3fZYZgYORYzD+3fr6OwOmq2FW+gpSvo3P 9qxy+8aW9DClqarSp2lm2UOvkeSQZlAJ3VMkZ3RkiN3qlIgTyA864VshUEMl+OyAmrvK5dgAqE1 xLoGyqA5yvIenuPM2MLxBMCMh5yekaesFAJzkuUAFazNA== Received-SPF: pass client-ip=46.105.58.226; envelope-from=ngraves@ngraves.fr; helo=3.mo560.mail-out.ovh.net X-Spam_score_int: -20 X-Spam_score: -2.1 X-Spam_bar: -- X-Spam_report: (-2.1 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_VALIDITY_CERTIFIED_BLOCKED=0.001, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list X-BeenThere: guix-patches@gnu.org List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-to: Nicolas Graves X-ACL-Warn: , Nicolas Graves via Guix-patches X-Patchwork-Original-From: Nicolas Graves via Guix-patches via From: Nicolas Graves Errors-To: guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org Sender: guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org X-getmail-retrieved-from-mailbox: Patches This fixes CVE-2021-33643, CVE-2021-33644, CVE-2021-33645, CVE-2021-33646. * gnu/packages/compression.scm (libtar) [source]: Add patches here... * gnu/local.mk: ...here... * gnu/packages/patches/: ... and here. --- gnu/local.mk | 2 + gnu/packages/compression.scm | 5 +- ...libtar-CVE-2021-33643-CVE-2021-33644.patch | 91 ++++++++++++++ ...libtar-CVE-2021-33645-CVE-2021-33646.patch | 119 ++++++++++++++++++ 4 files changed, 216 insertions(+), 1 deletion(-) create mode 100644 gnu/packages/patches/libtar-CVE-2021-33643-CVE-2021-33644.patch create mode 100644 gnu/packages/patches/libtar-CVE-2021-33645-CVE-2021-33646.patch diff --git a/gnu/local.mk b/gnu/local.mk index 89a795bfbd..a33550dc99 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -1698,6 +1698,8 @@ dist_patch_DATA = \ %D%/packages/patches/libquicktime-ffmpeg.patch \ %D%/packages/patches/libsepol-versioned-docbook.patch \ %D%/packages/patches/libtar-CVE-2013-4420.patch \ + %D%/packages/patches/libtar-CVE-2021-33643-CVE-2021-33644.patch \ + %D%/packages/patches/libtar-CVE-2021-33645-CVE-2021-33646.patch \ %D%/packages/patches/libtgvoip-disable-sse2.patch \ %D%/packages/patches/libtgvoip-disable-webrtc.patch \ %D%/packages/patches/libtheora-config-guess.patch \ diff --git a/gnu/packages/compression.scm b/gnu/packages/compression.scm index b07a21432c..4a82c27c09 100644 --- a/gnu/packages/compression.scm +++ b/gnu/packages/compression.scm @@ -240,7 +240,10 @@ (define-public libtar (sha256 (base32 "02cihzl77ia0dcz7z2cga2412vyhhs5pa2355q4wpwbyga2lrwjh")) - (patches (search-patches "libtar-CVE-2013-4420.patch")))) + (patches + (search-patches "libtar-CVE-2013-4420.patch" + "libtar-CVE-2021-33643-CVE-2021-33644.patch" + "libtar-CVE-2021-33645-CVE-2021-33646.patch")))) (build-system gnu-build-system) (arguments `(#:tests? #f)) ; no "check" target (native-inputs diff --git a/gnu/packages/patches/libtar-CVE-2021-33643-CVE-2021-33644.patch b/gnu/packages/patches/libtar-CVE-2021-33643-CVE-2021-33644.patch new file mode 100644 index 0000000000..d049204338 --- /dev/null +++ b/gnu/packages/patches/libtar-CVE-2021-33643-CVE-2021-33644.patch @@ -0,0 +1,91 @@ +From 8b0aae25e85fafcf65545dbdbd1a42a183485a91 Mon Sep 17 00:00:00 2001 +From: Kamil Dudka +Date: Aug 26 2022 13:55:09 +0000 +Subject: fix out-of-bounds read in gnu_long{name,link} + + +Resolves: CVE-2021-33643 +Resolves: CVE-2021-33644 + +--- + +diff --git a/libtar-1.2.20-CVE-2021-33643-CVE-2021-33644.patch b/libtar-1.2.20-CVE-2021-33643-CVE-2021-33644.patch +new file mode 100644 +index 0000000..f6692c3 +--- /dev/null ++++ b/libtar-1.2.20-CVE-2021-33643-CVE-2021-33644.patch +@@ -0,0 +1,40 @@ ++From 3936c7aa74d89e7a91dfbb2c1b7bfcad58a0355d Mon Sep 17 00:00:00 2001 ++From: shixuantong <1726671442@qq.com> ++Date: Wed, 6 Apr 2022 17:40:57 +0800 ++Subject: [PATCH 1/2] Ensure that sz is greater than 0. ++ ++--- ++ lib/block.c | 10 ++++++++++ ++ 1 file changed, 10 insertions(+) ++ ++diff --git a/lib/block.c b/lib/block.c ++index 092bc28..f12c4bc 100644 ++--- a/lib/block.c +++++ b/lib/block.c ++@@ -118,6 +118,11 @@ th_read(TAR *t) ++ if (TH_ISLONGLINK(t)) ++ { ++ sz = th_get_size(t); +++ if ((int)sz <= 0) +++ { +++ errno = EINVAL; +++ return -1; +++ } ++ blocks = (sz / T_BLOCKSIZE) + (sz % T_BLOCKSIZE ? 1 : 0); ++ if (blocks > ((size_t)-1 / T_BLOCKSIZE)) ++ { ++@@ -168,6 +173,11 @@ th_read(TAR *t) ++ if (TH_ISLONGNAME(t)) ++ { ++ sz = th_get_size(t); +++ if ((int)sz <= 0) +++ { +++ errno = EINVAL; +++ return -1; +++ } ++ blocks = (sz / T_BLOCKSIZE) + (sz % T_BLOCKSIZE ? 1 : 0); ++ if (blocks > ((size_t)-1 / T_BLOCKSIZE)) ++ { ++-- ++2.37.1 ++ +diff --git a/libtar.spec b/libtar.spec +index ffa5512..89b33f5 100644 +--- a/libtar.spec ++++ b/libtar.spec +@@ -1,7 +1,7 @@ + Summary: Tar file manipulation API + Name: libtar + Version: 1.2.20 +-Release: 24%{?dist} ++Release: 25%{?dist} + License: MIT + URL: http://repo.or.cz/libtar.git + Source: http://repo.or.cz/libtar.git/snapshot/refs/tags/v1.2.20.tar.gz#/libtar-v1.2.20.tar.gz +@@ -14,6 +14,9 @@ Patch7: libtar-1.2.20-no-static-buffer.patch + # fix programming mistakes detected by static analysis + Patch8: libtar-1.2.20-static-analysis.patch + ++# fix out-of-bounds read in gnu_long{name,link} (CVE-2021-33643 CVE-2021-33644) ++Patch9: libtar-1.2.20-CVE-2021-33643-CVE-2021-33644.patch ++ + BuildRequires: libtool + BuildRequires: make + BuildRequires: zlib-devel +@@ -72,6 +75,9 @@ rm $RPM_BUILD_ROOT%{_libdir}/*.la + + + %changelog ++* Fri Aug 26 2022 Kamil Dudka - 1.2.20-25 ++- fix out-of-bounds read in gnu_long{name,link} (CVE-2021-33643 CVE-2021-33644) ++ + * Thu Jul 21 2022 Fedora Release Engineering - 1.2.20-24 + - Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild + + diff --git a/gnu/packages/patches/libtar-CVE-2021-33645-CVE-2021-33646.patch b/gnu/packages/patches/libtar-CVE-2021-33645-CVE-2021-33646.patch new file mode 100644 index 0000000000..86d5124953 --- /dev/null +++ b/gnu/packages/patches/libtar-CVE-2021-33645-CVE-2021-33646.patch @@ -0,0 +1,119 @@ +From 3c7b1fd9bb63d74ecd38b71ffc876dca3ac87a8b Mon Sep 17 00:00:00 2001 +From: shixuantong +Date: Sat, 7 May 2022 17:04:46 +0800 +Subject: [PATCH 2/2] fix memory leak + +--- + lib/libtar.h | 1 + + lib/util.c | 9 ++++++++- + lib/wrapper.c | 11 +++++++++++ + libtar/libtar.c | 3 +++ + 4 files changed, 23 insertions(+), 1 deletion(-) + +diff --git a/lib/libtar.h b/lib/libtar.h +index 08a8e0f..8b00e93 100644 +--- a/lib/libtar.h ++++ b/lib/libtar.h +@@ -285,6 +285,7 @@ int oct_to_int(char *oct); + /* integer to string-octal conversion, no NULL */ + void int_to_oct_nonull(int num, char *oct, size_t octlen); + ++void free_longlink_longname(struct tar_header th_buf); + + /***** wrapper.c **********************************************************/ + +diff --git a/lib/util.c b/lib/util.c +index 11438ef..8a42e62 100644 +--- a/lib/util.c ++++ b/lib/util.c +@@ -15,6 +15,7 @@ + #include + #include + #include ++#include + + #ifdef STDC_HEADERS + # include +@@ -160,4 +161,10 @@ int_to_oct_nonull(int num, char *oct, size_t octlen) + oct[octlen - 1] = ' '; + } + +- ++void free_longlink_longname(struct tar_header th_buf) ++{ ++ if (th_buf.gnu_longname != NULL) ++ free(th_buf.gnu_longname); ++ if (th_buf.gnu_longlink !=NULL) ++ free(th_buf.gnu_longlink); ++} +diff --git a/lib/wrapper.c b/lib/wrapper.c +index 2d3f5b9..9d2f3bf 100644 +--- a/lib/wrapper.c ++++ b/lib/wrapper.c +@@ -36,7 +36,10 @@ tar_extract_glob(TAR *t, char *globname, char *prefix) + if (fnmatch(globname, filename, FNM_PATHNAME | FNM_PERIOD)) + { + if (TH_ISREG(t) && tar_skip_regfile(t)) ++ { ++ free_longlink_longname(t->th_buf); + return -1; ++ } + continue; + } + if (t->options & TAR_VERBOSE) +@@ -46,9 +49,13 @@ tar_extract_glob(TAR *t, char *globname, char *prefix) + else + strlcpy(buf, filename, sizeof(buf)); + if (tar_extract_file(t, buf) != 0) ++ { ++ free_longlink_longname(t->th_buf); + return -1; ++ } + } + ++ free_longlink_longname(t->th_buf); + return (i == 1 ? 0 : -1); + } + +@@ -82,9 +89,13 @@ tar_extract_all(TAR *t, char *prefix) + "\"%s\")\n", buf); + #endif + if (tar_extract_file(t, buf) != 0) ++ { ++ free_longlink_longname(t->th_buf); + return -1; ++ } + } + ++ free_longlink_longname(t->th_buf); + return (i == 1 ? 0 : -1); + } + +diff --git a/libtar/libtar.c b/libtar/libtar.c +index ac339e7..b992abb 100644 +--- a/libtar/libtar.c ++++ b/libtar/libtar.c +@@ -197,6 +197,7 @@ list(char *tarfile) + { + fprintf(stderr, "tar_skip_regfile(): %s\n", + strerror(errno)); ++ free_longlink_longname(t->th_buf); + return -1; + } + } +@@ -218,10 +219,12 @@ list(char *tarfile) + + if (tar_close(t) != 0) + { ++ free_longlink_longname(t->th_buf); + fprintf(stderr, "tar_close(): %s\n", strerror(errno)); + return -1; + } + ++ free_longlink_longname(t->th_buf); + return 0; + } + +-- +2.37.1 +