rpms/tar/F-13 tar-1.22-exclusion-tags.patch, NONE, 1.1 tar-1.22-rtapelib-overflow.patch, NONE, 1.1 tar.spec, 1.96, 1.97
Ondrej Vasik
ovasik at fedoraproject.org
Wed Mar 10 13:03:29 UTC 2010
- Previous message: rpms/gnome-keyring/devel gnome-keyring.spec, 1.138, 1.139 sources, 1.69, 1.70 gnome-keyring-2.29.90-dbus-setting-NULL-default.patch, 1.1, NONE gnome-keyring-2.29.90-pkcs11-value-store.patch, 1.1, NONE gnome-keyring-2.29.90-secret-store-bad-collection-identifier.patch, 1.1, NONE gnome-keyring-2.29.90-secret-store-sporadic-crash.patch, 1.1, NONE gnome-keyring-2.29.90-secret-store-value-store.patch, 1.1, NONE gnome-keyring-2.29.90-ssh-agent-disconnect-warning.patch, 1.1, NONE
- Next message: rpms/tar/F-12 tar-1.22-exclusion-tags.patch, NONE, 1.1 tar-1.22-rtapelib-overflow.patch, NONE, 1.1 tar-1.22-utimens.patch, NONE, 1.1 tar.spec, 1.92, 1.93
- Messages sorted by:
[ date ]
[ thread ]
[ subject ]
[ author ]
Author: ovasik
Update of /cvs/pkgs/rpms/tar/F-13
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv14654
Modified Files:
tar.spec
Added Files:
tar-1.22-exclusion-tags.patch tar-1.22-rtapelib-overflow.patch
Log Message:
CVE-2010-0624 tar, cpio: Heap-based buffer overflow by expanding a specially-crafted archive (#572149), realloc within check_exclusion_tags() caused invalid write (#570591)
tar-1.22-exclusion-tags.patch:
create.c | 13 +++++++------
1 file changed, 7 insertions(+), 6 deletions(-)
--- NEW FILE tar-1.22-exclusion-tags.patch ---
>From 6f02669c7ba8da9d9bd0592b8c4f87f399e60061 Mon Sep 17 00:00:00 2001
From: Sergey Poznyakoff <gray at gnu.org.ua>
Date: Mon, 8 Mar 2010 12:27:23 +0200
Subject: [PATCH] Fix eventual memory override and fd exhaustion in create.c
Both bugs reported by Kamil Dudka.
* src/create.c (check_exclusion_tags): Do not keep
pointer to a location within tagname: it may change
after xrealloc. Use byte offset instead.
(dump_file0): Close fd before returning without
dumping the directory.
---
src/create.c | 12 +++++++-----
1 files changed, 7 insertions(+), 5 deletions(-)
diff --git a/src/create.c b/src/create.c
index 209e428..c69d340 100644
--- a/src/create.c
+++ b/src/create.c
@@ -79,7 +79,7 @@ check_exclusion_tags (const char *dirname, const char **tag_file_name)
struct exclusion_tag *tag;
size_t dlen = strlen (dirname);
int addslash = dirname[dlen-1] != '/';
- char *nptr = NULL;
+ size_t noff = 0;
for (tag = exclusion_tags; tag; tag = tag->next)
{
@@ -90,14 +90,14 @@ check_exclusion_tags (const char *dirname, const char **tag_file_name)
tagname = xrealloc (tagname, tagsize);
}
- if (!nptr)
+ if (noff == 0)
{
strcpy (tagname, dirname);
- nptr = tagname + dlen;
+ noff = dlen;
if (addslash)
- *nptr++ = '/';
+ tagname[noff++] = '/';
}
- strcpy (nptr, tag->name);
+ strcpy (tagname + noff, tag->name);
if (access (tagname, F_OK) == 0
&& (!tag->predicate || tag->predicate (tagname)))
{
@@ -1591,6 +1591,8 @@ dump_file0 (struct tar_stat_info *st, const char *p,
{
exclusion_tag_warning (st->orig_file_name, tag_file_name,
_("directory not dumped"));
+ if (fd >= 0)
+ close (fd);
return;
}
--
1.6.5
tar-1.22-rtapelib-overflow.patch:
rtapelib.c | 3 +++
1 file changed, 3 insertions(+)
--- NEW FILE tar-1.22-rtapelib-overflow.patch ---
diff -urNp tar-1.22-orig/lib/rtapelib.c tar-1.22/lib/rtapelib.c
--- tar-1.22-orig/lib/rtapelib.c 2007-08-12 09:57:15.000000000 +0200
+++ tar-1.22/lib/rtapelib.c 2010-02-22 13:58:07.000000000 +0100
@@ -573,6 +573,9 @@ rmt_read__ (int handle, char *buffer, si
|| (status = get_status (handle)) == SAFE_READ_ERROR)
return SAFE_READ_ERROR;
+ if (status > length)
+ return SAFE_READ_ERROR;
+
for (counter = 0; counter < status; counter += rlen, buffer += rlen)
{
rlen = safe_read (READ_SIDE (handle), buffer, status - counter);
Index: tar.spec
===================================================================
RCS file: /cvs/pkgs/rpms/tar/F-13/tar.spec,v
retrieving revision 1.96
retrieving revision 1.97
diff -u -p -r1.96 -r1.97
--- tar.spec 4 Feb 2010 11:48:43 -0000 1.96
+++ tar.spec 10 Mar 2010 13:03:29 -0000 1.97
@@ -5,7 +5,7 @@ Summary: A GNU file archiving program
Name: tar
Epoch: 2
Version: 1.22
-Release: 15%{?dist}
+Release: 16%{?dist}
License: GPLv3+
Group: Applications/Archiving
URL: http://www.gnu.org/software/tar/
@@ -38,6 +38,10 @@ Patch9: tar-1.22-nsfraction.patch
#update gnulib's utimens module to latest version to prevent utimens() bad file
#descriptor failures with POSIX2008 glibc
Patch10: tar-1.22-utimens.patch
+#Fix potential place for overflow attack via rsh/ssh (#572149)
+Patch11: tar-1.22-rtapelib-overflow.patch
+#realloc within check_exclusion_tags() causes invalid write(#570591)
+Patch12: tar-1.22-exclusion-tags.patch
Requires: info
BuildRequires: autoconf automake gzip texinfo gettext libacl-devel gawk rsh
%if %{WITH_SELINUX}
@@ -71,6 +75,8 @@ the rmt package.
%patch8 -p1 -b .xheaderleak
%patch9 -p1 -b .nsfraction
%patch10 -p1 -b .utimens
+%patch11 -p1 -b .overflow
+%patch12 -p1 -b .exclude
autoreconf
@@ -132,6 +138,15 @@ fi
%{_infodir}/tar.info*
%changelog
+* Wed Mar 10 2010 Ondrej Vasik <ovasik at redhat.com> 2:1.22-16
+- CVE-2010-0624 tar, cpio: Heap-based buffer overflow
+ by expanding a specially-crafted archive (#572149)
+- realloc within check_exclusion_tags() caused invalid write
+ (#570591)
+- not closing file descriptors for excluded files/dirs with
+ exlude-tag... options could cause descriptor exhaustion
+ (#570591)
+
* Thu Feb 04 2010 Ondrej Vasik <ovasik at redhat.com> 2:1.22-15
- fix segfault with corrupted metadata in code_ns_fraction
(#531441)
- Previous message: rpms/gnome-keyring/devel gnome-keyring.spec, 1.138, 1.139 sources, 1.69, 1.70 gnome-keyring-2.29.90-dbus-setting-NULL-default.patch, 1.1, NONE gnome-keyring-2.29.90-pkcs11-value-store.patch, 1.1, NONE gnome-keyring-2.29.90-secret-store-bad-collection-identifier.patch, 1.1, NONE gnome-keyring-2.29.90-secret-store-sporadic-crash.patch, 1.1, NONE gnome-keyring-2.29.90-secret-store-value-store.patch, 1.1, NONE gnome-keyring-2.29.90-ssh-agent-disconnect-warning.patch, 1.1, NONE
- Next message: rpms/tar/F-12 tar-1.22-exclusion-tags.patch, NONE, 1.1 tar-1.22-rtapelib-overflow.patch, NONE, 1.1 tar-1.22-utimens.patch, NONE, 1.1 tar.spec, 1.92, 1.93
- Messages sorted by:
[ date ]
[ thread ]
[ subject ]
[ author ]
More information about the scm-commits
mailing list