GNU bug report logs - #74008: [PATCH] gnu: libtar: Patch CVEs. [security fixes]
Reported by: Nicolas Graves <ngraves <at> ngraves.fr>
Date: Fri, 25 Oct 2024 07:43:01 UTC
Severity: normal
Tags: patch
Done: Andreas Enge <andreas <at> enge.fr>
Bug is archived. No further changes may be made.
Report forwarded to guix-patches <at> gnu.org: bug#74008; Package guix-patches. (Fri, 25 Oct 2024 07:43:02 GMT)
Acknowledgement sent to Nicolas Graves <ngraves <at> ngraves.fr>: New bug report received and forwarded. Copy sent to guix-patches <at> gnu.org. (Fri, 25 Oct 2024 07:43:02 GMT)
Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):
This fixes CVE-2021-33643, CVE-2021-33644, CVE-2021-33645,
CVE-2021-33646.
* gnu/packages/compression.scm (libtar)
[source]<patches>: Add patches here...
* gnu/local.mk: ...here...
* gnu/packages/patches/: ... and here.
---
gnu/local.mk | 2 +
gnu/packages/compression.scm | 5 +-
...libtar-CVE-2021-33643-CVE-2021-33644.patch | 91 ++++++++++++++
...libtar-CVE-2021-33645-CVE-2021-33646.patch | 119 ++++++++++++++++++
4 files changed, 216 insertions(+), 1 deletion(-)
create mode 100644 gnu/packages/patches/libtar-CVE-2021-33643-CVE-2021-33644.patch
create mode 100644 gnu/packages/patches/libtar-CVE-2021-33645-CVE-2021-33646.patch
diff --git a/gnu/local.mk b/gnu/local.mk
index 89a795bfbd..a33550dc99 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1698,6 +1698,8 @@ dist_patch_DATA = \
%D%/packages/patches/libquicktime-ffmpeg.patch \
%D%/packages/patches/libsepol-versioned-docbook.patch \
%D%/packages/patches/libtar-CVE-2013-4420.patch \
+ %D%/packages/patches/libtar-CVE-2021-33643-CVE-2021-33644.patch \
+ %D%/packages/patches/libtar-CVE-2021-33645-CVE-2021-33646.patch \
%D%/packages/patches/libtgvoip-disable-sse2.patch \
%D%/packages/patches/libtgvoip-disable-webrtc.patch \
%D%/packages/patches/libtheora-config-guess.patch \
diff --git a/gnu/packages/compression.scm b/gnu/packages/compression.scm
index b07a21432c..4a82c27c09 100644
--- a/gnu/packages/compression.scm
+++ b/gnu/packages/compression.scm
@@ -240,7 +240,10 @@ (define-public libtar
(sha256
(base32
"02cihzl77ia0dcz7z2cga2412vyhhs5pa2355q4wpwbyga2lrwjh"))
- (patches (search-patches "libtar-CVE-2013-4420.patch"))))
+ (patches
+ (search-patches "libtar-CVE-2013-4420.patch"
+ "libtar-CVE-2021-33643-CVE-2021-33644.patch"
+ "libtar-CVE-2021-33645-CVE-2021-33646.patch"))))
(build-system gnu-build-system)
(arguments `(#:tests? #f)) ; no "check" target
(native-inputs
diff --git a/gnu/packages/patches/libtar-CVE-2021-33643-CVE-2021-33644.patch b/gnu/packages/patches/libtar-CVE-2021-33643-CVE-2021-33644.patch
new file mode 100644
index 0000000000..d049204338
--- /dev/null
+++ b/gnu/packages/patches/libtar-CVE-2021-33643-CVE-2021-33644.patch
@@ -0,0 +1,91 @@
+From 8b0aae25e85fafcf65545dbdbd1a42a183485a91 Mon Sep 17 00:00:00 2001
+From: Kamil Dudka <kdudka <at> redhat.com>
+Date: Aug 26 2022 13:55:09 +0000
+Subject: fix out-of-bounds read in gnu_long{name,link}
+
+
+Resolves: CVE-2021-33643
+Resolves: CVE-2021-33644
+
+---
+
+diff --git a/libtar-1.2.20-CVE-2021-33643-CVE-2021-33644.patch b/libtar-1.2.20-CVE-2021-33643-CVE-2021-33644.patch
+new file mode 100644
+index 0000000..f6692c3
+--- /dev/null
++++ b/libtar-1.2.20-CVE-2021-33643-CVE-2021-33644.patch
+@@ -0,0 +1,40 @@
++From 3936c7aa74d89e7a91dfbb2c1b7bfcad58a0355d Mon Sep 17 00:00:00 2001
++From: shixuantong <1726671442 <at> qq.com>
++Date: Wed, 6 Apr 2022 17:40:57 +0800
++Subject: [PATCH 1/2] Ensure that sz is greater than 0.
++
++---
++ lib/block.c | 10 ++++++++++
++ 1 file changed, 10 insertions(+)
++
++diff --git a/lib/block.c b/lib/block.c
++index 092bc28..f12c4bc 100644
++--- a/lib/block.c
+++++ b/lib/block.c
++@@ -118,6 +118,11 @@ th_read(TAR *t)
++ if (TH_ISLONGLINK(t))
++ {
++ sz = th_get_size(t);
+++ if ((int)sz <= 0)
+++ {
+++ errno = EINVAL;
+++ return -1;
+++ }
++ blocks = (sz / T_BLOCKSIZE) + (sz % T_BLOCKSIZE ? 1 : 0);
++ if (blocks > ((size_t)-1 / T_BLOCKSIZE))
++ {
++@@ -168,6 +173,11 @@ th_read(TAR *t)
++ if (TH_ISLONGNAME(t))
++ {
++ sz = th_get_size(t);
+++ if ((int)sz <= 0)
+++ {
+++ errno = EINVAL;
+++ return -1;
+++ }
++ blocks = (sz / T_BLOCKSIZE) + (sz % T_BLOCKSIZE ? 1 : 0);
++ if (blocks > ((size_t)-1 / T_BLOCKSIZE))
++ {
++--
++2.37.1
++
+diff --git a/libtar.spec b/libtar.spec
+index ffa5512..89b33f5 100644
+--- a/libtar.spec
++++ b/libtar.spec
+@@ -1,7 +1,7 @@
+ Summary: Tar file manipulation API
+ Name: libtar
+ Version: 1.2.20
+-Release: 24%{?dist}
++Release: 25%{?dist}
+ License: MIT
+ URL: http://repo.or.cz/libtar.git
+ Source: http://repo.or.cz/libtar.git/snapshot/refs/tags/v1.2.20.tar.gz#/libtar-v1.2.20.tar.gz
+@@ -14,6 +14,9 @@ Patch7: libtar-1.2.20-no-static-buffer.patch
+ # fix programming mistakes detected by static analysis
+ Patch8: libtar-1.2.20-static-analysis.patch
+
++# fix out-of-bounds read in gnu_long{name,link} (CVE-2021-33643 CVE-2021-33644)
++Patch9: libtar-1.2.20-CVE-2021-33643-CVE-2021-33644.patch
++
+ BuildRequires: libtool
+ BuildRequires: make
+ BuildRequires: zlib-devel
+@@ -72,6 +75,9 @@ rm $RPM_BUILD_ROOT%{_libdir}/*.la
+
+
+ %changelog
++* Fri Aug 26 2022 Kamil Dudka <kdudka <at> redhat.com> - 1.2.20-25
++- fix out-of-bounds read in gnu_long{name,link} (CVE-2021-33643 CVE-2021-33644)
++
+ * Thu Jul 21 2022 Fedora Release Engineering <releng <at> fedoraproject.org> - 1.2.20-24
+ - Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
+
+
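Review bot: as committed, this file never touches lib/block.c, because it is the Fedora dist-git commit rather than the code fix itself: its two hunks create a file named libtar-1.2.20-CVE-2021-33643-CVE-2021-33644.patch (`--- /dev/null` / `+++ b/libtar-1.2.20-CVE-2021-33643-CVE-2021-33644.patch`) and edit libtar.spec, which does not exist in the libtar source tree, so `patch -p1` drops an unapplied patch file into the tree and then fails on the spec hunk. Unwrap the inner `From 3936c7aa74d89e7a91dfbb2c1b7bfcad58a0355d` patch (the one whose hunks are prefixed `++` and modify lib/block.c) and ship that as gnu/packages/patches/libtar-CVE-2021-33643-CVE-2021-33644.patch, so that the two `if ((int)sz <= 0) { errno = EINVAL; return -1; }` guards in th_read() actually land; deleting only the libtar.spec hunk makes the package build but still leaves block.c unpatched.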
diff --git a/gnu/packages/patches/libtar-CVE-2021-33645-CVE-2021-33646.patch b/gnu/packages/patches/libtar-CVE-2021-33645-CVE-2021-33646.patch
new file mode 100644
index 0000000000..86d5124953
--- /dev/null
+++ b/gnu/packages/patches/libtar-CVE-2021-33645-CVE-2021-33646.patch
@@ -0,0 +1,119 @@
+From 3c7b1fd9bb63d74ecd38b71ffc876dca3ac87a8b Mon Sep 17 00:00:00 2001
+From: shixuantong <shixuantong <at> h-partners.com>
+Date: Sat, 7 May 2022 17:04:46 +0800
+Subject: [PATCH 2/2] fix memory leak
+
+---
+ lib/libtar.h | 1 +
+ lib/util.c | 9 ++++++++-
+ lib/wrapper.c | 11 +++++++++++
+ libtar/libtar.c | 3 +++
+ 4 files changed, 23 insertions(+), 1 deletion(-)
+
+diff --git a/lib/libtar.h b/lib/libtar.h
+index 08a8e0f..8b00e93 100644
+--- a/lib/libtar.h
++++ b/lib/libtar.h
+@@ -285,6 +285,7 @@ int oct_to_int(char *oct);
+ /* integer to string-octal conversion, no NULL */
+ void int_to_oct_nonull(int num, char *oct, size_t octlen);
+
++void free_longlink_longname(struct tar_header th_buf);
+
+ /***** wrapper.c **********************************************************/
+
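Review bot: the new prototype lacks the one-line comment that every neighbouring declaration in libtar.h carries (cf. `/* integer to string-octal conversion, no NULL */`), and it takes `struct tar_header` by value; a by-value copy cannot reset the caller's pointers after freeing them. Declare it as `void free_longlink_longname(TAR *t);` (or take a `struct tar_header *`) and document that it frees and clears gnu_longname and gnu_longlink.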
+diff --git a/lib/util.c b/lib/util.c
+index 11438ef..8a42e62 100644
+--- a/lib/util.c
++++ b/lib/util.c
+@@ -15,6 +15,7 @@
+ #include <stdio.h>
+ #include <sys/param.h>
+ #include <errno.h>
++#include <stdlib.h>
+
+ #ifdef STDC_HEADERS
+ # include <string.h>
+@@ -160,4 +161,10 @@ int_to_oct_nonull(int num, char *oct, size_t octlen)
+ oct[octlen - 1] = ' ';
+ }
+
+-
++void free_longlink_longname(struct tar_header th_buf)
++{
++ if (th_buf.gnu_longname != NULL)
++ free(th_buf.gnu_longname);
++ if (th_buf.gnu_longlink !=NULL)
++ free(th_buf.gnu_longlink);
++}
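Review bot: `free_longlink_longname()` frees `th_buf.gnu_longname` and `th_buf.gnu_longlink` through a by-value copy of the struct, so the pointers inside the caller's `t->th_buf` stay dangling instead of becoming NULL; a second call on the same handle, or any later code that frees these pointers when non-NULL (th_read() in lib/block.c does so before reading the next header), would double-free. Take a pointer and clear after freeing, e.g. `free(th->gnu_longname); th->gnu_longname = NULL;` and `free(th->gnu_longlink); th->gnu_longlink = NULL;` (free(NULL) is a no-op, so the NULL checks can go). Also `!=NULL` needs a space to match the surrounding style.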
+diff --git a/lib/wrapper.c b/lib/wrapper.c
+index 2d3f5b9..9d2f3bf 100644
+--- a/lib/wrapper.c
++++ b/lib/wrapper.c
+@@ -36,7 +36,10 @@ tar_extract_glob(TAR *t, char *globname, char *prefix)
+ if (fnmatch(globname, filename, FNM_PATHNAME | FNM_PERIOD))
+ {
+ if (TH_ISREG(t) && tar_skip_regfile(t))
++ {
++ free_longlink_longname(t->th_buf);
+ return -1;
++ }
+ continue;
+ }
+ if (t->options & TAR_VERBOSE)
+@@ -46,9 +49,13 @@ tar_extract_glob(TAR *t, char *globname, char *prefix)
+ else
+ strlcpy(buf, filename, sizeof(buf));
+ if (tar_extract_file(t, buf) != 0)
++ {
++ free_longlink_longname(t->th_buf);
+ return -1;
++ }
+ }
+
++ free_longlink_longname(t->th_buf);
+ return (i == 1 ? 0 : -1);
+ }
+
+@@ -82,9 +89,13 @@ tar_extract_all(TAR *t, char *prefix)
+ "\"%s\")\n", buf);
+ #endif
+ if (tar_extract_file(t, buf) != 0)
++ {
++ free_longlink_longname(t->th_buf);
+ return -1;
++ }
+ }
+
++ free_longlink_longname(t->th_buf);
+ return (i == 1 ? 0 : -1);
+ }
+
+diff --git a/libtar/libtar.c b/libtar/libtar.c
+index ac339e7..b992abb 100644
+--- a/libtar/libtar.c
++++ b/libtar/libtar.c
+@@ -197,6 +197,7 @@ list(char *tarfile)
+ {
+ fprintf(stderr, "tar_skip_regfile(): %s\n",
+ strerror(errno));
++ free_longlink_longname(t->th_buf);
+ return -1;
+ }
+ }
+@@ -218,10 +219,12 @@ list(char *tarfile)
+
+ if (tar_close(t) != 0)
+ {
++ free_longlink_longname(t->th_buf);
+ fprintf(stderr, "tar_close(): %s\n", strerror(errno));
+ return -1;
+ }
+
++ free_longlink_longname(t->th_buf);
+ return 0;
+ }
+
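Review bot: both new calls in this hunk dereference `t` after `tar_close(t)` has returned: the one on the error branch (before the fprintf) and the unconditional one before `return 0`. tar_close() in libtar frees the TAR handle, so `t->th_buf` is read from freed memory here, turning a leak fix into a use-after-free. Move a single `free_longlink_longname(t->th_buf);` to just before `if (tar_close(t) != 0)`, so the long-name buffers are released on both paths while `t` is still valid.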
+--
+2.37.1
+
--
2.46.0
Reply sent to Andreas Enge <andreas <at> enge.fr>: You have taken responsibility. (Mon, 28 Oct 2024 09:12:02 GMT)
Notification sent to Nicolas Graves <ngraves <at> ngraves.fr>: bug acknowledged by developer. (Mon, 28 Oct 2024 09:12:02 GMT)
Message #10 received at 74008-done <at> debbugs.gnu.org (full text, mbox):
Part of one patch changes a libtar.spec file, which is, I suppose, Fedora
specific; it did not apply to our source code. After removing the hunk,
the package builds. I have pushed the commit.
I wonder if this is not actually a good candidate for removal: last commit
in the official repo since 2013, no dependencies.
What do you think?
Andreas
Bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Mon, 25 Nov 2024 12:24:07 GMT)
This bug report was last modified 202 days ago.
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson.