rpms/tar/F-13 tar-1.22-exclusion-tags.patch, NONE, 1.1 tar-1.22-rtapelib-overflow.patch, NONE, 1.1 tar.spec, 1.96, 1.97

Ondrej Vasik ovasik at fedoraproject.org
Wed Mar 10 13:03:29 UTC 2010


Author: ovasik

Update of /cvs/pkgs/rpms/tar/F-13
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv14654

Modified Files:
	tar.spec 
Added Files:
	tar-1.22-exclusion-tags.patch tar-1.22-rtapelib-overflow.patch 
Log Message:
CVE-2010-0624 tar, cpio: Heap-based buffer overflow by expanding a specially-crafted archive (#572149); realloc within check_exclusion_tags() caused invalid write (#570591)

tar-1.22-exclusion-tags.patch:
 create.c |   13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)

--- NEW FILE tar-1.22-exclusion-tags.patch ---
>From 6f02669c7ba8da9d9bd0592b8c4f87f399e60061 Mon Sep 17 00:00:00 2001
From: Sergey Poznyakoff <gray at gnu.org.ua>
Date: Mon, 8 Mar 2010 12:27:23 +0200
Subject: [PATCH] Fix eventual memory override and fd exhaustion in create.c
 Both bugs reported by Kamil Dudka.

* src/create.c (check_exclusion_tags): Do not keep
pointer to a location within tagname: it may change
after xrealloc. Use byte offset instead.
(dump_file0): Close fd before returning without
dumping the directory.
---
 src/create.c |   12 +++++++-----
 1 files changed, 7 insertions(+), 5 deletions(-)

diff --git a/src/create.c b/src/create.c
index 209e428..c69d340 100644
--- a/src/create.c
+++ b/src/create.c
@@ -79,7 +79,7 @@ check_exclusion_tags (const char *dirname, const char **tag_file_name)
   struct exclusion_tag *tag;
   size_t dlen = strlen (dirname);
   int addslash = dirname[dlen-1] != '/';
-  char *nptr = NULL;
+  size_t noff = 0;
   
   for (tag = exclusion_tags; tag; tag = tag->next)
     {
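Review bot: `noff == 0` now doubles as the "prefix not built yet" flag (the following hunk tests it), which is only sound because `dlen` is at least 1; for an empty `dirname` the `dirname[dlen-1]` read two lines above is already out of bounds, so the function evidently assumes non-empty input, but the new sentinel makes that assumption load-bearing a second time. A short comment at the declaration would make the invariant explicit: `size_t noff = 0;  /* offset of tag name within tagname; 0 = prefix not yet copied (dirname is non-empty) */`. check_exclusion_tags continues into the next hunk.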
@@ -90,14 +90,14 @@ check_exclusion_tags (const char *dirname, const char **tag_file_name)
 	  tagname = xrealloc (tagname, tagsize);
 	}
 
-      if (!nptr)
+      if (noff == 0)
 	{
 	  strcpy (tagname, dirname);
-	  nptr = tagname + dlen;
+	  noff = dlen;
 	  if (addslash)
-	    *nptr++ = '/';
+	    tagname[noff++] = '/';
 	}
-      strcpy (nptr, tag->name);
+      strcpy (tagname + noff, tag->name);
       if (access (tagname, F_OK) == 0
 	  && (!tag->predicate || tag->predicate (tagname)))
 	{
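Review bot: `strcpy (tagname + noff, tag->name)` is still an unbounded copy: it relies on the `tagsize` growth check just above the hunk (its computation is not visible here) having sized `tagname` for `dlen + addslash + strlen (tag->name) + 1` bytes, which is the only thing standing between a long tag name and the same kind of heap write this patch fixes. `tagname` is not declared in this function, so it presumably persists across calls and the per-call `noff` is what keeps the offset valid after each `xrealloc`. A comment tying the two together would help the next reader: `/* tagsize was grown above to hold dirname, optional '/', tag->name and NUL; noff survives xrealloc where a pointer would not */`. The function begins in the previous hunk and ends outside this one.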
@@ -1591,6 +1591,8 @@ dump_file0 (struct tar_stat_info *st, const char *p,
 	    {
 	      exclusion_tag_warning (st->orig_file_name, tag_file_name,
 				     _("directory not dumped"));
+	      if (fd >= 0)
+		close (fd);
 	      return;
 	    }
 	  
-- 
1.6.5


tar-1.22-rtapelib-overflow.patch:
 rtapelib.c |    3 +++
 1 file changed, 3 insertions(+)

--- NEW FILE tar-1.22-rtapelib-overflow.patch ---
diff -urNp tar-1.22-orig/lib/rtapelib.c tar-1.22/lib/rtapelib.c
--- tar-1.22-orig/lib/rtapelib.c	2007-08-12 09:57:15.000000000 +0200
+++ tar-1.22/lib/rtapelib.c	2010-02-22 13:58:07.000000000 +0100
@@ -573,6 +573,9 @@ rmt_read__ (int handle, char *buffer, si
       || (status = get_status (handle)) == SAFE_READ_ERROR)
     return SAFE_READ_ERROR;
 
+  if (status > length)
+    return SAFE_READ_ERROR;
+
   for (counter = 0; counter < status; counter += rlen, buffer += rlen)
     {
       rlen = safe_read (READ_SIDE (handle), buffer, status - counter);
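Review bot: The new `if (status > length)` check returns SAFE_READ_ERROR without consuming or discarding the `status` bytes the remote side has announced, so those bytes stay queued on the read side and the handle is left out of step with the rmt protocol; a subsequent command on the same handle would read stale payload as its status reply. Since `status` comes from `get_status (handle)`, i.e. from the remote rmt peer the spec comment describes as reachable over rsh/ssh, this is precisely the untrusted value the fix guards against, so the error path should also invalidate the handle the way the loop's read-error path below presumably does, and set `errno` (e.g. `errno = EIO;`) so the caller reports a meaningful error instead of whatever errno was left over. A one-line comment on the check, `/* remote announced more than caller's buffer holds (CVE-2010-0624) */`, would also record why it exists. rmt_read__'s signature and the declaration of `status` are above the hunk.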


Index: tar.spec
===================================================================
RCS file: /cvs/pkgs/rpms/tar/F-13/tar.spec,v
retrieving revision 1.96
retrieving revision 1.97
diff -u -p -r1.96 -r1.97
--- tar.spec	4 Feb 2010 11:48:43 -0000	1.96
+++ tar.spec	10 Mar 2010 13:03:29 -0000	1.97
@@ -5,7 +5,7 @@ Summary: A GNU file archiving program
 Name: tar
 Epoch: 2
 Version: 1.22
-Release: 15%{?dist}
+Release: 16%{?dist}
 License: GPLv3+
 Group: Applications/Archiving
 URL: http://www.gnu.org/software/tar/
@@ -38,6 +38,10 @@ Patch9: tar-1.22-nsfraction.patch
 #update gnulib's utimens module to latest version to prevent utimens() bad file
 #descriptor failures with POSIX2008 glibc
 Patch10: tar-1.22-utimens.patch
+#Fix potential place for overflow attack via rsh/ssh (#572149)
+Patch11: tar-1.22-rtapelib-overflow.patch
+#realloc within check_exclusion_tags() causes invalid write(#570591)
+Patch12: tar-1.22-exclusion-tags.patch
 Requires: info
 BuildRequires: autoconf automake gzip texinfo gettext libacl-devel gawk rsh
 %if %{WITH_SELINUX}
@@ -71,6 +75,8 @@ the rmt package.
 %patch8 -p1 -b .xheaderleak
 %patch9 -p1 -b .nsfraction
 %patch10 -p1 -b .utimens
+%patch11 -p1 -b .overflow
+%patch12 -p1 -b .exclude
 
 autoreconf
 
@@ -132,6 +138,15 @@ fi
 %{_infodir}/tar.info*
 
 %changelog
+* Wed Mar 10 2010 Ondrej Vasik <ovasik at redhat.com> 2:1.22-16
+- CVE-2010-0624 tar, cpio: Heap-based buffer overflow
+  by expanding a specially-crafted archive (#572149)
+- realloc within check_exclusion_tags() caused invalid write
+  (#570591)
+- not closing file descriptors for excluded files/dirs with
+  exlude-tag... options could cause descriptor exhaustion
+  (#570591)
+
 * Thu Feb 04 2010 Ondrej Vasik <ovasik at redhat.com> 2:1.22-15
 - fix segfault with corrupted metadata in code_ns_fraction
   (#531441)


