[libtar/f20] fix CVE-2013-4397: buffer overflows by expanding a specially-crafted archive

Kamil Dudka kdudka at fedoraproject.org
Thu Oct 10 10:45:17 UTC 2013


commit 296057226e00e6767ae56432fa7fa0d673dc9fb1
Author: Kamil Dudka <kdudka at redhat.com>
Date:   Thu Oct 10 12:32:01 2013 +0200

    fix CVE-2013-4397: buffer overflows by expanding a specially-crafted archive

 libtar-1.2.11-CVE-2013-4397.patch |   98 +++++++++++++++++++++++++++++++++++++
 libtar.spec                       |    7 ++-
 2 files changed, 104 insertions(+), 1 deletions(-)
---
diff --git a/libtar-1.2.11-CVE-2013-4397.patch b/libtar-1.2.11-CVE-2013-4397.patch
new file mode 100644
index 0000000..bb8e752
--- /dev/null
+++ b/libtar-1.2.11-CVE-2013-4397.patch
@@ -0,0 +1,98 @@
+From e5c564bd9ca47fd13c0940ecb10d0d4f21706353 Mon Sep 17 00:00:00 2001
+From: Chris Frey <cdfrey at foursquare.net>
+Date: Tue, 1 Oct 2013 15:58:52 -0400
+Subject: [PATCH] Fixed size_t overflow bug, as reported by Timo Warns
+
+[upstream commit 45448e8bae671c2f7e80b860ae0fc0cedf2bdc04]
+
+Resolves: CVE-2013-4397
+
+Signed-off-by: Kamil Dudka <kdudka at redhat.com>
+---
+ lib/block.c |   38 ++++++++++++++++++++++++--------------
+ 1 files changed, 24 insertions(+), 14 deletions(-)
+
+diff --git a/lib/block.c b/lib/block.c
+index 2917dc6..092bc28 100644
+--- a/lib/block.c
++++ b/lib/block.c
+@@ -90,8 +90,8 @@ th_read_internal(TAR *t)
+ int
+ th_read(TAR *t)
+ {
+-	int i, j;
+-	size_t sz;
++	int i;
++	size_t sz, j, blocks;
+ 	char *ptr;
+ 
+ #ifdef DEBUG
+@@ -118,21 +118,26 @@ th_read(TAR *t)
+ 	if (TH_ISLONGLINK(t))
+ 	{
+ 		sz = th_get_size(t);
+-		j = (sz / T_BLOCKSIZE) + (sz % T_BLOCKSIZE ? 1 : 0);
++		blocks = (sz / T_BLOCKSIZE) + (sz % T_BLOCKSIZE ? 1 : 0);
++		if (blocks > ((size_t)-1 / T_BLOCKSIZE))
++		{
++			errno = E2BIG;
++			return -1;
++		}
+ #ifdef DEBUG
+ 		printf("    th_read(): GNU long linkname detected "
+-		       "(%ld bytes, %d blocks)\n", sz, j);
++		       "(%ld bytes, %d blocks)\n", sz, blocks);
+ #endif
+-		t->th_buf.gnu_longlink = (char *)malloc(j * T_BLOCKSIZE);
++		t->th_buf.gnu_longlink = (char *)malloc(blocks * T_BLOCKSIZE);
+ 		if (t->th_buf.gnu_longlink == NULL)
+ 			return -1;
+ 
+-		for (ptr = t->th_buf.gnu_longlink; j > 0;
+-		     j--, ptr += T_BLOCKSIZE)
++		for (j = 0, ptr = t->th_buf.gnu_longlink; j < blocks;
++		     j++, ptr += T_BLOCKSIZE)
+ 		{
+ #ifdef DEBUG
+ 			printf("    th_read(): reading long linkname "
+-			       "(%d blocks left, ptr == %ld)\n", j, ptr);
++			       "(%d blocks left, ptr == %ld)\n", blocks-j, ptr);
+ #endif
+ 			i = tar_block_read(t, ptr);
+ 			if (i != T_BLOCKSIZE)
+@@ -163,21 +168,26 @@ th_read(TAR *t)
+ 	if (TH_ISLONGNAME(t))
+ 	{
+ 		sz = th_get_size(t);
+-		j = (sz / T_BLOCKSIZE) + (sz % T_BLOCKSIZE ? 1 : 0);
++		blocks = (sz / T_BLOCKSIZE) + (sz % T_BLOCKSIZE ? 1 : 0);
++		if (blocks > ((size_t)-1 / T_BLOCKSIZE))
++		{
++			errno = E2BIG;
++			return -1;
++		}
+ #ifdef DEBUG
+ 		printf("    th_read(): GNU long filename detected "
+-		       "(%ld bytes, %d blocks)\n", sz, j);
++		       "(%ld bytes, %d blocks)\n", sz, blocks);
+ #endif
+-		t->th_buf.gnu_longname = (char *)malloc(j * T_BLOCKSIZE);
++		t->th_buf.gnu_longname = (char *)malloc(blocks * T_BLOCKSIZE);
+ 		if (t->th_buf.gnu_longname == NULL)
+ 			return -1;
+ 
+-		for (ptr = t->th_buf.gnu_longname; j > 0;
+-		     j--, ptr += T_BLOCKSIZE)
++		for (j = 0, ptr = t->th_buf.gnu_longname; j < blocks;
++		     j++, ptr += T_BLOCKSIZE)
+ 		{
+ #ifdef DEBUG
+ 			printf("    th_read(): reading long filename "
+-			       "(%d blocks left, ptr == %ld)\n", j, ptr);
++			       "(%d blocks left, ptr == %ld)\n", blocks-j, ptr);
+ #endif
+ 			i = tar_block_read(t, ptr);
+ 			if (i != T_BLOCKSIZE)
+-- 
+1.7.1
+
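Review bot: The DEBUG printf calls on the rewritten lines still use `%d` for `blocks` and `blocks-j`, which this patch changes to `size_t`, so the format string no longer matches the argument types (the pre-existing `%ld` for `sz` has the same problem); with -DDEBUG that is undefined behaviour and `-Wformat` will flag it. Use the size_t specifier on those lines, e.g. `"(%zu bytes, %zu blocks)\n", sz, blocks` and `"(%zu blocks left, ptr == %p)\n", blocks-j, (void *)ptr`. The guard `blocks > ((size_t)-1 / T_BLOCKSIZE)` does correctly bound the multiplication handed to malloc; `SIZE_MAX` from <stdint.h> would express the same limit more readably, and since the guard-plus-malloc sequence is duplicated verbatim for the longlink and longname paths, a single static helper that computes `blocks` and performs the check would keep the two from drifting. th_read's body continues past the end of both inner hunks, so whether the freshly allocated buffer is NUL-terminated after the read loop cannot be verified from this patch.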
diff --git a/libtar.spec b/libtar.spec
index e2611fd..96f7cc2 100644
--- a/libtar.spec
+++ b/libtar.spec
@@ -1,7 +1,7 @@
 Summary:        Tar file manipulation API
 Name:           libtar
 Version:        1.2.11
-Release:        26%{?dist}
+Release:        27%{?dist}
 License:        MIT
 Group:          System Environment/Libraries
 URL:            http://www.feep.net/libtar/
@@ -13,6 +13,7 @@ Patch3:         libtar-1.2.11-tar_header.patch
 Patch4:         libtar-1.2.11-mem-deref.patch
 Patch5:         libtar-1.2.11-fix-memleak.patch
 Patch6:         libtar-1.2.11-bz729009.patch
+Patch8:         libtar-1.2.11-CVE-2013-4397.patch
 BuildRoot:      %{_tmppath}/%{name}-%{version}-%{release}-buildroot
 BuildRequires:  zlib-devel libtool
 
@@ -41,6 +42,7 @@ developing applications that use %{name}.
 %patch4 -p1 -b .deref
 %patch5 -p1 -b .fixmem
 %patch6 -p1
+%patch8 -p1
 
 # set correct version for .so build
 %global ltversion %(echo %{version} | tr '.' ':')
@@ -87,6 +89,9 @@ rm $RPM_BUILD_ROOT%{_libdir}/*.la
 
 
 %changelog
+* Thu Oct 10 2013 Kamil Dudka <kdudka at redhat.com> - 1.2.11-27
+- fix CVE-2013-4397: buffer overflows by expanding a specially-crafted archive
+
 * Sat Aug 03 2013 Fedora Release Engineering <rel-eng at lists.fedoraproject.org> - 1.2.11-26
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild
 

