[libtar/f20] fix CVE-2013-4397: buffer overflows by expanding a specially-crafted archive
Kamil Dudka
kdudka at fedoraproject.org
Thu Oct 10 10:45:17 UTC 2013
commit 296057226e00e6767ae56432fa7fa0d673dc9fb1
Author: Kamil Dudka <kdudka at redhat.com>
Date: Thu Oct 10 12:32:01 2013 +0200
fix CVE-2013-4397: buffer overflows by expanding a specially-crafted archive
libtar-1.2.11-CVE-2013-4397.patch | 98 +++++++++++++++++++++++++++++++++++++
libtar.spec | 7 ++-
2 files changed, 104 insertions(+), 1 deletions(-)
---
diff --git a/libtar-1.2.11-CVE-2013-4397.patch b/libtar-1.2.11-CVE-2013-4397.patch
new file mode 100644
index 0000000..bb8e752
--- /dev/null
+++ b/libtar-1.2.11-CVE-2013-4397.patch
@@ -0,0 +1,98 @@
+From e5c564bd9ca47fd13c0940ecb10d0d4f21706353 Mon Sep 17 00:00:00 2001
+From: Chris Frey <cdfrey at foursquare.net>
+Date: Tue, 1 Oct 2013 15:58:52 -0400
+Subject: [PATCH] Fixed size_t overflow bug, as reported by Timo Warns
+
+[upstream commit 45448e8bae671c2f7e80b860ae0fc0cedf2bdc04]
+
+Resolves: CVE-2013-4397
+
+Signed-off-by: Kamil Dudka <kdudka at redhat.com>
+---
+ lib/block.c | 38 ++++++++++++++++++++++++--------------
+ 1 files changed, 24 insertions(+), 14 deletions(-)
+
+diff --git a/lib/block.c b/lib/block.c
+index 2917dc6..092bc28 100644
+--- a/lib/block.c
++++ b/lib/block.c
+@@ -90,8 +90,8 @@ th_read_internal(TAR *t)
+ int
+ th_read(TAR *t)
+ {
+- int i, j;
+- size_t sz;
++ int i;
++ size_t sz, j, blocks;
+ char *ptr;
+
+ #ifdef DEBUG
+@@ -118,21 +118,26 @@ th_read(TAR *t)
+ if (TH_ISLONGLINK(t))
+ {
+ sz = th_get_size(t);
+- j = (sz / T_BLOCKSIZE) + (sz % T_BLOCKSIZE ? 1 : 0);
++ blocks = (sz / T_BLOCKSIZE) + (sz % T_BLOCKSIZE ? 1 : 0);
++ if (blocks > ((size_t)-1 / T_BLOCKSIZE))
++ {
++ errno = E2BIG;
++ return -1;
++ }
+ #ifdef DEBUG
+ printf(" th_read(): GNU long linkname detected "
+- "(%ld bytes, %d blocks)\n", sz, j);
++ "(%ld bytes, %d blocks)\n", sz, blocks);
+ #endif
+- t->th_buf.gnu_longlink = (char *)malloc(j * T_BLOCKSIZE);
++ t->th_buf.gnu_longlink = (char *)malloc(blocks * T_BLOCKSIZE);
+ if (t->th_buf.gnu_longlink == NULL)
+ return -1;
+
+- for (ptr = t->th_buf.gnu_longlink; j > 0;
+- j--, ptr += T_BLOCKSIZE)
++ for (j = 0, ptr = t->th_buf.gnu_longlink; j < blocks;
++ j++, ptr += T_BLOCKSIZE)
+ {
+ #ifdef DEBUG
+ printf(" th_read(): reading long linkname "
+- "(%d blocks left, ptr == %ld)\n", j, ptr);
++ "(%d blocks left, ptr == %ld)\n", blocks-j, ptr);
+ #endif
+ i = tar_block_read(t, ptr);
+ if (i != T_BLOCKSIZE)
+@@ -163,21 +168,26 @@ th_read(TAR *t)
+ if (TH_ISLONGNAME(t))
+ {
+ sz = th_get_size(t);
+- j = (sz / T_BLOCKSIZE) + (sz % T_BLOCKSIZE ? 1 : 0);
++ blocks = (sz / T_BLOCKSIZE) + (sz % T_BLOCKSIZE ? 1 : 0);
++ if (blocks > ((size_t)-1 / T_BLOCKSIZE))
++ {
++ errno = E2BIG;
++ return -1;
++ }
+ #ifdef DEBUG
+ printf(" th_read(): GNU long filename detected "
+- "(%ld bytes, %d blocks)\n", sz, j);
++ "(%ld bytes, %d blocks)\n", sz, blocks);
+ #endif
+- t->th_buf.gnu_longname = (char *)malloc(j * T_BLOCKSIZE);
++ t->th_buf.gnu_longname = (char *)malloc(blocks * T_BLOCKSIZE);
+ if (t->th_buf.gnu_longname == NULL)
+ return -1;
+
+- for (ptr = t->th_buf.gnu_longname; j > 0;
+- j--, ptr += T_BLOCKSIZE)
++ for (j = 0, ptr = t->th_buf.gnu_longname; j < blocks;
++ j++, ptr += T_BLOCKSIZE)
+ {
+ #ifdef DEBUG
+ printf(" th_read(): reading long filename "
+- "(%d blocks left, ptr == %ld)\n", j, ptr);
++ "(%d blocks left, ptr == %ld)\n", blocks-j, ptr);
+ #endif
+ i = tar_block_read(t, ptr);
+ if (i != T_BLOCKSIZE)
+--
+1.7.1
+
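Review bot: The DEBUG printf calls now pass mismatched argument types: after renaming, `%d` receives the `size_t` values `blocks` and `blocks-j`, and `%ld` receives `sz` (a `size_t`) and `ptr` (a `char *`), which is undefined behaviour and on LP64 prints garbage or misaligns the remaining arguments. The mismatch was partly present before, but the hunk makes it worse by widening `j` to `size_t` without touching the format strings; use `"(%zu bytes, %zu blocks)\n", sz, blocks` and `"(%zu blocks left, ptr == %p)\n", blocks - j, (void *)ptr` in both the longlink and longname branches. Separately, the new `blocks > ((size_t)-1 / T_BLOCKSIZE)` check only prevents the multiplication from wrapping; an attacker-controlled size field can still drive a multi-gigabyte `malloc` and an equally long read loop, so a sane upper bound on a GNU long name (a path-length limit) checked before the allocation would be worth adding. If `th_get_size` returns a signed `int` (as its octal parser presumably does; not visible here), a negative size converts to a huge `size_t` and is rejected only because the rounded-up block count exceeds the limit or `malloc` fails, which is worth a comment or an explicit sign check. `th_read` continues past the end of this hunk.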
diff --git a/libtar.spec b/libtar.spec
index e2611fd..96f7cc2 100644
--- a/libtar.spec
+++ b/libtar.spec
@@ -1,7 +1,7 @@
Summary: Tar file manipulation API
Name: libtar
Version: 1.2.11
-Release: 26%{?dist}
+Release: 27%{?dist}
License: MIT
Group: System Environment/Libraries
URL: http://www.feep.net/libtar/
@@ -13,6 +13,7 @@ Patch3: libtar-1.2.11-tar_header.patch
Patch4: libtar-1.2.11-mem-deref.patch
Patch5: libtar-1.2.11-fix-memleak.patch
Patch6: libtar-1.2.11-bz729009.patch
+Patch8: libtar-1.2.11-CVE-2013-4397.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-buildroot
BuildRequires: zlib-devel libtool
@@ -41,6 +42,7 @@ developing applications that use %{name}.
%patch4 -p1 -b .deref
%patch5 -p1 -b .fixmem
%patch6 -p1
+%patch8 -p1
# set correct version for .so build
%global ltversion %(echo %{version} | tr '.' ':')
@@ -87,6 +89,9 @@ rm $RPM_BUILD_ROOT%{_libdir}/*.la
%changelog
+* Thu Oct 10 2013 Kamil Dudka <kdudka at redhat.com> - 1.2.11-27
+- fix CVE-2013-4397: buffer overflows by expanding a specially-crafted archive
+
* Sat Aug 03 2013 Fedora Release Engineering <rel-eng at lists.fedoraproject.org> - 1.2.11-26
- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild