gnu: libtar: Patch CVEs. [security fixes]

This fixes CVE-2021-33643, CVE-2021-33644, CVE-2021-33645, CVE-2021-33646. * gnu/packages/compression.scm (libtar)[source]<patches>: Add patches here... * gnu/local.mk (dist_patch_DATA): ...and here. * gnu/packages/patches/libtar-CVE-2021-33643-CVE-2021-33644.patch, gnu/packages/patches/libtar-CVE-2021-33645-CVE-2021-33646.patch: New files. Signed-off-by: Andreas Enge <andreas@enge.fr> Change-Id: I60a6b753fddc1a0d08f96010ef3d57ec66c2251b
2025-02-01 07:16:39 +01:00 · 2024-10-25 09:39:45 +02:00 · 2024-10-25 09:39:45 +02:00 · 386399296a
commit 386399296a
parent 3566cabecc
4 changed files with 182 additions and 1 deletions
--- a/gnu/local.mk
+++ b/gnu/local.mk
@ -1699,6 +1699,8 @@ dist_patch_DATA =						\
  %D%/packages/patches/libquicktime-ffmpeg.patch 		\
  %D%/packages/patches/libsepol-versioned-docbook.patch		\
  %D%/packages/patches/libtar-CVE-2013-4420.patch 		\
+  %D%/packages/patches/libtar-CVE-2021-33643-CVE-2021-33644.patch	\
+  %D%/packages/patches/libtar-CVE-2021-33645-CVE-2021-33646.patch	\
  %D%/packages/patches/libtgvoip-disable-sse2.patch 		\
  %D%/packages/patches/libtgvoip-disable-webrtc.patch 		\
  %D%/packages/patches/libtheora-config-guess.patch		\
--- a/gnu/packages/compression.scm
+++ b/gnu/packages/compression.scm
@ -240,7 +240,10 @@ (define-public libtar
            (sha256
             (base32
              "02cihzl77ia0dcz7z2cga2412vyhhs5pa2355q4wpwbyga2lrwjh"))
-            (patches (search-patches "libtar-CVE-2013-4420.patch"))))
+            (patches
+             (search-patches "libtar-CVE-2013-4420.patch"
+                             "libtar-CVE-2021-33643-CVE-2021-33644.patch"
+                             "libtar-CVE-2021-33645-CVE-2021-33646.patch"))))
   (build-system gnu-build-system)
   (arguments `(#:tests? #f)) ; no "check" target
   (native-inputs
--- a/gnu/packages/patches/libtar-CVE-2021-33643-CVE-2021-33644.patch
+++ b/gnu/packages/patches/libtar-CVE-2021-33643-CVE-2021-33644.patch
@ -0,0 +1,57 @@
+From 8b0aae25e85fafcf65545dbdbd1a42a183485a91 Mon Sep 17 00:00:00 2001
+From: Kamil Dudka <kdudka@redhat.com>
+Date: Aug 26 2022 13:55:09 +0000
+Subject: fix out-of-bounds read in gnu_long{name,link}
+
+
+Resolves: CVE-2021-33643
+Resolves: CVE-2021-33644
+
+---
+
+diff --git a/libtar-1.2.20-CVE-2021-33643-CVE-2021-33644.patch b/libtar-1.2.20-CVE-2021-33643-CVE-2021-33644.patch
+new file mode 100644
+index 0000000..f6692c3
+--- /dev/null
+++ b/libtar-1.2.20-CVE-2021-33643-CVE-2021-33644.patch
+@@ -0,0 +1,40 @@
+From 3936c7aa74d89e7a91dfbb2c1b7bfcad58a0355d Mon Sep 17 00:00:00 2001
+From: shixuantong <1726671442@qq.com>
+Date: Wed, 6 Apr 2022 17:40:57 +0800
+Subject: [PATCH 1/2] Ensure that sz is greater than 0.
+
+---
+ lib/block.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/lib/block.c b/lib/block.c
+index 092bc28..f12c4bc 100644
+--- a/lib/block.c
++++ b/lib/block.c
+@@ -118,6 +118,11 @@ th_read(TAR *t)
+ 	if (TH_ISLONGLINK(t))
+ 	{
+ 		sz = th_get_size(t);
++		if ((int)sz <= 0)
++		{
++			errno = EINVAL;
++			return -1;
++		}
+ 		blocks = (sz / T_BLOCKSIZE) + (sz % T_BLOCKSIZE ? 1 : 0);
+ 		if (blocks > ((size_t)-1 / T_BLOCKSIZE))
+ 		{
+@@ -168,6 +173,11 @@ th_read(TAR *t)
+ 	if (TH_ISLONGNAME(t))
+ 	{
+ 		sz = th_get_size(t);
++		if ((int)sz <= 0)
++		{
++			errno = EINVAL;
++			return -1;
++		}
+ 		blocks = (sz / T_BLOCKSIZE) + (sz % T_BLOCKSIZE ? 1 : 0);
+ 		if (blocks > ((size_t)-1 / T_BLOCKSIZE))
+ 		{
+-- 
+2.37.1
+
--- a/gnu/packages/patches/libtar-CVE-2021-33645-CVE-2021-33646.patch
+++ b/gnu/packages/patches/libtar-CVE-2021-33645-CVE-2021-33646.patch
@ -0,0 +1,119 @@
+From 3c7b1fd9bb63d74ecd38b71ffc876dca3ac87a8b Mon Sep 17 00:00:00 2001
+From: shixuantong <shixuantong@h-partners.com>
+Date: Sat, 7 May 2022 17:04:46 +0800
+Subject: [PATCH 2/2] fix memory leak
+
+---
+ lib/libtar.h    |  1 +
+ lib/util.c      |  9 ++++++++-
+ lib/wrapper.c   | 11 +++++++++++
+ libtar/libtar.c |  3 +++
+ 4 files changed, 23 insertions(+), 1 deletion(-)
+
+diff --git a/lib/libtar.h b/lib/libtar.h
+index 08a8e0f..8b00e93 100644
+--- a/lib/libtar.h
+++ b/lib/libtar.h
+@@ -285,6 +285,7 @@ int oct_to_int(char *oct);
+ /* integer to string-octal conversion, no NULL */
+ void int_to_oct_nonull(int num, char *oct, size_t octlen);
+ 
+void free_longlink_longname(struct tar_header th_buf);
+ 
+ /***** wrapper.c **********************************************************/
+ 
+diff --git a/lib/util.c b/lib/util.c
+index 11438ef..8a42e62 100644
+--- a/lib/util.c
+++ b/lib/util.c
+@@ -15,6 +15,7 @@
+ #include <stdio.h>
+ #include <sys/param.h>
+ #include <errno.h>
+#include <stdlib.h>
+ 
+ #ifdef STDC_HEADERS
+ # include <string.h>
+@@ -160,4 +161,10 @@ int_to_oct_nonull(int num, char *oct, size_t octlen)
+ 	oct[octlen - 1] = ' ';
+ }
+ 
+-
+void free_longlink_longname(struct tar_header th_buf)
+{
+	if (th_buf.gnu_longname != NULL)
+		free(th_buf.gnu_longname);
+	if (th_buf.gnu_longlink !=NULL)
+		free(th_buf.gnu_longlink);
+}
+diff --git a/lib/wrapper.c b/lib/wrapper.c
+index 2d3f5b9..9d2f3bf 100644
+--- a/lib/wrapper.c
+++ b/lib/wrapper.c
+@@ -36,7 +36,10 @@ tar_extract_glob(TAR *t, char *globname, char *prefix)
+ 		if (fnmatch(globname, filename, FNM_PATHNAME | FNM_PERIOD))
+ 		{
+ 			if (TH_ISREG(t) && tar_skip_regfile(t))
+			{
+				free_longlink_longname(t->th_buf);
+ 				return -1;
+			}
+ 			continue;
+ 		}
+ 		if (t->options & TAR_VERBOSE)
+@@ -46,9 +49,13 @@ tar_extract_glob(TAR *t, char *globname, char *prefix)
+ 		else
+ 			strlcpy(buf, filename, sizeof(buf));
+ 		if (tar_extract_file(t, buf) != 0)
+		{
+			free_longlink_longname(t->th_buf);
+ 			return -1;
+		}
+ 	}
+ 
+	free_longlink_longname(t->th_buf);
+ 	return (i == 1 ? 0 : -1);
+ }
+ 
+@@ -82,9 +89,13 @@ tar_extract_all(TAR *t, char *prefix)
+ 		       "\"%s\")\n", buf);
+ #endif
+ 		if (tar_extract_file(t, buf) != 0)
+		{
+			free_longlink_longname(t->th_buf);
+ 			return -1;
+		}
+ 	}
+ 
+	free_longlink_longname(t->th_buf);
+ 	return (i == 1 ? 0 : -1);
+ }
+ 
+diff --git a/libtar/libtar.c b/libtar/libtar.c
+index ac339e7..b992abb 100644
+--- a/libtar/libtar.c
+++ b/libtar/libtar.c
+@@ -197,6 +197,7 @@ list(char *tarfile)
+ 		{
+ 			fprintf(stderr, "tar_skip_regfile(): %s\n",
+ 				strerror(errno));
+			free_longlink_longname(t->th_buf);
+ 			return -1;
+ 		}
+ 	}
+@@ -218,10 +219,12 @@ list(char *tarfile)
+ 
+ 	if (tar_close(t) != 0)
+ 	{
+		free_longlink_longname(t->th_buf);
+ 		fprintf(stderr, "tar_close(): %s\n", strerror(errno));
+ 		return -1;
+ 	}
+ 
+	free_longlink_longname(t->th_buf);
+ 	return 0;
+ }
+ 
+-- 
+2.37.1
+