GNU bug report logs - #74008
[PATCH] gnu: libtar: Patch CVEs. [security fixes]


Package: guix-patches;

Reported by: Nicolas Graves <ngraves <at> ngraves.fr>

Date: Fri, 25 Oct 2024 07:43:01 UTC

Severity: normal

Tags: patch

Done: Andreas Enge <andreas <at> enge.fr>





From: help-debbugs <at> gnu.org (GNU bug Tracking System)
To: Andreas Enge <andreas <at> enge.fr>
Cc: tracker <at> debbugs.gnu.org
Subject: bug#74008: closed ([PATCH] gnu: libtar: Patch CVEs. [security fixes])
Date: Mon, 28 Oct 2024 09:12:02 +0000
Your message dated Mon, 28 Oct 2024 10:10:07 +0100
with message-id <Zx9U78aUBANvoKFt <at> jurong>
and subject line Close
has caused the debbugs.gnu.org bug report #74008,
regarding [PATCH] gnu: libtar: Patch CVEs. [security fixes]
to be marked as done.

(If you believe you have received this mail in error, please contact
help-debbugs <at> gnu.org.)


-- 
74008: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=74008
GNU Bug Tracking System
Contact help-debbugs <at> gnu.org with problems
From: Nicolas Graves <ngraves <at> ngraves.fr>
To: guix-patches <at> gnu.org
Cc: Nicolas Graves <ngraves <at> ngraves.fr>
Subject: [PATCH] gnu: libtar: Patch CVEs. [security fixes]
Date: Fri, 25 Oct 2024 09:39:45 +0200
This fixes CVE-2021-33643, CVE-2021-33644, CVE-2021-33645,
CVE-2021-33646.

* gnu/packages/compression.scm (libtar)
[source]<patches>: Add patches here...
* gnu/local.mk: ...here...
* gnu/packages/patches/: ... and here.
---
 gnu/local.mk                                  |   2 +
 gnu/packages/compression.scm                  |   5 +-
 ...libtar-CVE-2021-33643-CVE-2021-33644.patch |  91 ++++++++++++++
 ...libtar-CVE-2021-33645-CVE-2021-33646.patch | 119 ++++++++++++++++++
 4 files changed, 216 insertions(+), 1 deletion(-)
 create mode 100644 gnu/packages/patches/libtar-CVE-2021-33643-CVE-2021-33644.patch
 create mode 100644 gnu/packages/patches/libtar-CVE-2021-33645-CVE-2021-33646.patch

diff --git a/gnu/local.mk b/gnu/local.mk
index 89a795bfbd..a33550dc99 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1698,6 +1698,8 @@ dist_patch_DATA =						\
   %D%/packages/patches/libquicktime-ffmpeg.patch 		\
   %D%/packages/patches/libsepol-versioned-docbook.patch		\
   %D%/packages/patches/libtar-CVE-2013-4420.patch 		\
+  %D%/packages/patches/libtar-CVE-2021-33643-CVE-2021-33644.patch	\
+  %D%/packages/patches/libtar-CVE-2021-33645-CVE-2021-33646.patch	\
   %D%/packages/patches/libtgvoip-disable-sse2.patch 		\
   %D%/packages/patches/libtgvoip-disable-webrtc.patch 		\
   %D%/packages/patches/libtheora-config-guess.patch		\
diff --git a/gnu/packages/compression.scm b/gnu/packages/compression.scm
index b07a21432c..4a82c27c09 100644
--- a/gnu/packages/compression.scm
+++ b/gnu/packages/compression.scm
@@ -240,7 +240,10 @@ (define-public libtar
             (sha256
              (base32
               "02cihzl77ia0dcz7z2cga2412vyhhs5pa2355q4wpwbyga2lrwjh"))
-            (patches (search-patches "libtar-CVE-2013-4420.patch"))))
+            (patches
+             (search-patches "libtar-CVE-2013-4420.patch"
+                             "libtar-CVE-2021-33643-CVE-2021-33644.patch"
+                             "libtar-CVE-2021-33645-CVE-2021-33646.patch"))))
    (build-system gnu-build-system)
    (arguments `(#:tests? #f)) ; no "check" target
    (native-inputs
diff --git a/gnu/packages/patches/libtar-CVE-2021-33643-CVE-2021-33644.patch b/gnu/packages/patches/libtar-CVE-2021-33643-CVE-2021-33644.patch
new file mode 100644
index 0000000000..d049204338
--- /dev/null
+++ b/gnu/packages/patches/libtar-CVE-2021-33643-CVE-2021-33644.patch
@@ -0,0 +1,91 @@
+From 8b0aae25e85fafcf65545dbdbd1a42a183485a91 Mon Sep 17 00:00:00 2001
+From: Kamil Dudka <kdudka <at> redhat.com>
+Date: Aug 26 2022 13:55:09 +0000
+Subject: fix out-of-bounds read in gnu_long{name,link}
+
+
+Resolves: CVE-2021-33643
+Resolves: CVE-2021-33644
+
+---
+
+diff --git a/libtar-1.2.20-CVE-2021-33643-CVE-2021-33644.patch b/libtar-1.2.20-CVE-2021-33643-CVE-2021-33644.patch
+new file mode 100644
+index 0000000..f6692c3
+--- /dev/null
++++ b/libtar-1.2.20-CVE-2021-33643-CVE-2021-33644.patch
+@@ -0,0 +1,40 @@
++From 3936c7aa74d89e7a91dfbb2c1b7bfcad58a0355d Mon Sep 17 00:00:00 2001
++From: shixuantong <1726671442 <at> qq.com>
++Date: Wed, 6 Apr 2022 17:40:57 +0800
++Subject: [PATCH 1/2] Ensure that sz is greater than 0.
++
++---
++ lib/block.c | 10 ++++++++++
++ 1 file changed, 10 insertions(+)
++
++diff --git a/lib/block.c b/lib/block.c
++index 092bc28..f12c4bc 100644
++--- a/lib/block.c
+++++ b/lib/block.c
++@@ -118,6 +118,11 @@ th_read(TAR *t)
++ 	if (TH_ISLONGLINK(t))
++ 	{
++ 		sz = th_get_size(t);
+++		if ((int)sz <= 0)
+++		{
+++			errno = EINVAL;
+++			return -1;
+++		}
++ 		blocks = (sz / T_BLOCKSIZE) + (sz % T_BLOCKSIZE ? 1 : 0);
++ 		if (blocks > ((size_t)-1 / T_BLOCKSIZE))
++ 		{
++@@ -168,6 +173,11 @@ th_read(TAR *t)
++ 	if (TH_ISLONGNAME(t))
++ 	{
++ 		sz = th_get_size(t);
+++		if ((int)sz <= 0)
+++		{
+++			errno = EINVAL;
+++			return -1;
+++		}
++ 		blocks = (sz / T_BLOCKSIZE) + (sz % T_BLOCKSIZE ? 1 : 0);
++ 		if (blocks > ((size_t)-1 / T_BLOCKSIZE))
++ 		{
++-- 
++2.37.1
++
+diff --git a/libtar.spec b/libtar.spec
+index ffa5512..89b33f5 100644
+--- a/libtar.spec
++++ b/libtar.spec
+@@ -1,7 +1,7 @@
+ Summary:        Tar file manipulation API
+ Name:           libtar
+ Version:        1.2.20
+-Release:        24%{?dist}
++Release:        25%{?dist}
+ License:        MIT
+ URL:            http://repo.or.cz/libtar.git
+ Source:         http://repo.or.cz/libtar.git/snapshot/refs/tags/v1.2.20.tar.gz#/libtar-v1.2.20.tar.gz
+@@ -14,6 +14,9 @@ Patch7:         libtar-1.2.20-no-static-buffer.patch
+ # fix programming mistakes detected by static analysis
+ Patch8:         libtar-1.2.20-static-analysis.patch
+ 
++# fix out-of-bounds read in gnu_long{name,link} (CVE-2021-33643 CVE-2021-33644)
++Patch9:         libtar-1.2.20-CVE-2021-33643-CVE-2021-33644.patch
++
+ BuildRequires:  libtool
+ BuildRequires:  make
+ BuildRequires:  zlib-devel
+@@ -72,6 +75,9 @@ rm $RPM_BUILD_ROOT%{_libdir}/*.la
+ 
+ 
+ %changelog
++* Fri Aug 26 2022 Kamil Dudka <kdudka <at> redhat.com> - 1.2.20-25
++- fix out-of-bounds read in gnu_long{name,link} (CVE-2021-33643 CVE-2021-33644)
++
+ * Thu Jul 21 2022 Fedora Release Engineering <releng <at> fedoraproject.org> - 1.2.20-24
+ - Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
+ 
+
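Review bot: As written, this patch file never touches lib/block.c: its only top-level file headers (`diff --git a/libtar-1.2.20-CVE-2021-33643-CVE-2021-33644.patch b/...`, `--- /dev/null`, `+++ b/libtar-1.2.20-...patch`) create a new file at the root of the libtar tree whose contents are the real fix, and the second section edits libtar.spec, which the upstream source does not have (the closing message confirms that section had to be dropped). The `(int)sz <= 0` check in th_read() therefore never reaches the built library, so CVE-2021-33643/33644 stay unfixed even though the package builds. The Guix patch should carry the inner commit directly: remove the outer header and the libtar.spec section, and un-nest the inner diff by stripping one leading `+` from each of its lines so that `diff --git a/lib/block.c b/lib/block.c` is the first file header. Separately, the cast in `if ((int)sz <= 0)` presumably exists because th_get_size() returns an int (not visible here); a comment such as `/* th_get_size() yields an int; reject zero and negative (bad octal) sizes before they are used as a length */` would keep a later cleanup from "fixing" it into a plain `sz == 0`.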
diff --git a/gnu/packages/patches/libtar-CVE-2021-33645-CVE-2021-33646.patch b/gnu/packages/patches/libtar-CVE-2021-33645-CVE-2021-33646.patch
new file mode 100644
index 0000000000..86d5124953
--- /dev/null
+++ b/gnu/packages/patches/libtar-CVE-2021-33645-CVE-2021-33646.patch
@@ -0,0 +1,119 @@
+From 3c7b1fd9bb63d74ecd38b71ffc876dca3ac87a8b Mon Sep 17 00:00:00 2001
+From: shixuantong <shixuantong <at> h-partners.com>
+Date: Sat, 7 May 2022 17:04:46 +0800
+Subject: [PATCH 2/2] fix memory leak
+
+---
+ lib/libtar.h    |  1 +
+ lib/util.c      |  9 ++++++++-
+ lib/wrapper.c   | 11 +++++++++++
+ libtar/libtar.c |  3 +++
+ 4 files changed, 23 insertions(+), 1 deletion(-)
+
+diff --git a/lib/libtar.h b/lib/libtar.h
+index 08a8e0f..8b00e93 100644
+--- a/lib/libtar.h
++++ b/lib/libtar.h
+@@ -285,6 +285,7 @@ int oct_to_int(char *oct);
+ /* integer to string-octal conversion, no NULL */
+ void int_to_oct_nonull(int num, char *oct, size_t octlen);
+ 
++void free_longlink_longname(struct tar_header th_buf);
+ 
+ /***** wrapper.c **********************************************************/
+ 
+diff --git a/lib/util.c b/lib/util.c
+index 11438ef..8a42e62 100644
+--- a/lib/util.c
++++ b/lib/util.c
+@@ -15,6 +15,7 @@
+ #include <stdio.h>
+ #include <sys/param.h>
+ #include <errno.h>
++#include <stdlib.h>
+ 
+ #ifdef STDC_HEADERS
+ # include <string.h>
+@@ -160,4 +161,10 @@ int_to_oct_nonull(int num, char *oct, size_t octlen)
+ 	oct[octlen - 1] = ' ';
+ }
+ 
+-
++void free_longlink_longname(struct tar_header th_buf)
++{
++	if (th_buf.gnu_longname != NULL)
++		free(th_buf.gnu_longname);
++	if (th_buf.gnu_longlink !=NULL)
++		free(th_buf.gnu_longlink);
++}
+diff --git a/lib/wrapper.c b/lib/wrapper.c
+index 2d3f5b9..9d2f3bf 100644
+--- a/lib/wrapper.c
++++ b/lib/wrapper.c
+@@ -36,7 +36,10 @@ tar_extract_glob(TAR *t, char *globname, char *prefix)
+ 		if (fnmatch(globname, filename, FNM_PATHNAME | FNM_PERIOD))
+ 		{
+ 			if (TH_ISREG(t) && tar_skip_regfile(t))
++			{
++				free_longlink_longname(t->th_buf);
+ 				return -1;
++			}
+ 			continue;
+ 		}
+ 		if (t->options & TAR_VERBOSE)
+@@ -46,9 +49,13 @@ tar_extract_glob(TAR *t, char *globname, char *prefix)
+ 		else
+ 			strlcpy(buf, filename, sizeof(buf));
+ 		if (tar_extract_file(t, buf) != 0)
++		{
++			free_longlink_longname(t->th_buf);
+ 			return -1;
++		}
+ 	}
+ 
++	free_longlink_longname(t->th_buf);
+ 	return (i == 1 ? 0 : -1);
+ }
+ 
+@@ -82,9 +89,13 @@ tar_extract_all(TAR *t, char *prefix)
+ 		       "\"%s\")\n", buf);
+ #endif
+ 		if (tar_extract_file(t, buf) != 0)
++		{
++			free_longlink_longname(t->th_buf);
+ 			return -1;
++		}
+ 	}
+ 
++	free_longlink_longname(t->th_buf);
+ 	return (i == 1 ? 0 : -1);
+ }
+ 
+diff --git a/libtar/libtar.c b/libtar/libtar.c
+index ac339e7..b992abb 100644
+--- a/libtar/libtar.c
++++ b/libtar/libtar.c
+@@ -197,6 +197,7 @@ list(char *tarfile)
+ 		{
+ 			fprintf(stderr, "tar_skip_regfile(): %s\n",
+ 				strerror(errno));
++			free_longlink_longname(t->th_buf);
+ 			return -1;
+ 		}
+ 	}
+@@ -218,10 +219,12 @@ list(char *tarfile)
+ 
+ 	if (tar_close(t) != 0)
+ 	{
++		free_longlink_longname(t->th_buf);
+ 		fprintf(stderr, "tar_close(): %s\n", strerror(errno));
+ 		return -1;
+ 	}
+ 
++	free_longlink_longname(t->th_buf);
+ 	return 0;
+ }
+ 
+-- 
+2.37.1
+
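Review bot: free_longlink_longname() in lib/util.c takes `struct tar_header` by value, so its free() calls release t->th_buf.gnu_longname and gnu_longlink but leave the pointers dangling inside the caller's TAR handle. Every new call site passes `t->th_buf`, and in tar_extract_glob()/tar_extract_all() the final call runs after the read loop while `t` is still live, so any later path that reads or frees those fields on the same handle (another th_read(), or tar_close() if it cleans up, both outside this patch) would be a use-after-free or double free. Take a pointer and clear the fields, and drop the `!= NULL` guards since free(NULL) is a no-op; callers become `free_longlink_longname(&t->th_buf);` and the prototype in libtar.h changes to match. Note also that in list() the helper now runs before `fprintf(stderr, "tar_close(): %s\n", strerror(errno))`; free() may modify errno, so save errno first or call the helper after the message.
```c
/* Release the GNU long name/link buffers held in a header and reset the
 * pointers so a later free on the same header is harmless. */
void free_longlink_longname(struct tar_header *th_buf)
{
	free(th_buf->gnu_longname);
	th_buf->gnu_longname = NULL;
	free(th_buf->gnu_longlink);
	th_buf->gnu_longlink = NULL;
}
/* … unchanged: call sites in wrapper.c and libtar.c, now passing &t->th_buf … */
```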
-- 
2.46.0



From: Andreas Enge <andreas <at> enge.fr>
To: 74008-done <at> debbugs.gnu.org
Subject: Close
Date: Mon, 28 Oct 2024 10:10:07 +0100
Part of one patch changes a libtar.spec file, which is, I suppose, Fedora
specific; it did not apply to our source code. After removing the hunk,
the package builds. I have pushed the commit.

I wonder if this is not actually a good candidate for removal: last commit
in the official repo since 2013, no dependencies.

What do you think?

Andreas





