[libtar/el5] fix CVE-2013-4397: buffer overflows by expanding a specially-crafted archive
Kamil Dudka
kdudka at fedoraproject.org
Thu Oct 10 10:56:14 UTC 2013
commit 8e528647652411879c25900cabcd78966e06fcfa
Author: Kamil Dudka <kdudka at redhat.com>
Date: Thu Oct 10 12:32:01 2013 +0200
fix CVE-2013-4397: buffer overflows by expanding a specially-crafted archive
libtar-1.2.11-CVE-2013-4397.patch | 98 +++++++++++++++++++++++++++++++++++++
libtar.spec | 10 +++-
2 files changed, 106 insertions(+), 2 deletions(-)
---
diff --git a/libtar-1.2.11-CVE-2013-4397.patch b/libtar-1.2.11-CVE-2013-4397.patch
new file mode 100644
index 0000000..bb8e752
--- /dev/null
+++ b/libtar-1.2.11-CVE-2013-4397.patch
@@ -0,0 +1,98 @@
+From e5c564bd9ca47fd13c0940ecb10d0d4f21706353 Mon Sep 17 00:00:00 2001
+From: Chris Frey <cdfrey at foursquare.net>
+Date: Tue, 1 Oct 2013 15:58:52 -0400
+Subject: [PATCH] Fixed size_t overflow bug, as reported by Timo Warns
+
+[upstream commit 45448e8bae671c2f7e80b860ae0fc0cedf2bdc04]
+
+Resolves: CVE-2013-4397
+
+Signed-off-by: Kamil Dudka <kdudka at redhat.com>
+---
+ lib/block.c | 38 ++++++++++++++++++++++++--------------
+ 1 files changed, 24 insertions(+), 14 deletions(-)
+
+diff --git a/lib/block.c b/lib/block.c
+index 2917dc6..092bc28 100644
+--- a/lib/block.c
++++ b/lib/block.c
+@@ -90,8 +90,8 @@ th_read_internal(TAR *t)
+ int
+ th_read(TAR *t)
+ {
+- int i, j;
+- size_t sz;
++ int i;
++ size_t sz, j, blocks;
+ char *ptr;
+
+ #ifdef DEBUG
+@@ -118,21 +118,26 @@ th_read(TAR *t)
+ if (TH_ISLONGLINK(t))
+ {
+ sz = th_get_size(t);
+- j = (sz / T_BLOCKSIZE) + (sz % T_BLOCKSIZE ? 1 : 0);
++ blocks = (sz / T_BLOCKSIZE) + (sz % T_BLOCKSIZE ? 1 : 0);
++ if (blocks > ((size_t)-1 / T_BLOCKSIZE))
++ {
++ errno = E2BIG;
++ return -1;
++ }
+ #ifdef DEBUG
+ printf(" th_read(): GNU long linkname detected "
+- "(%ld bytes, %d blocks)\n", sz, j);
++ "(%ld bytes, %d blocks)\n", sz, blocks);
+ #endif
+- t->th_buf.gnu_longlink = (char *)malloc(j * T_BLOCKSIZE);
++ t->th_buf.gnu_longlink = (char *)malloc(blocks * T_BLOCKSIZE);
+ if (t->th_buf.gnu_longlink == NULL)
+ return -1;
+
+- for (ptr = t->th_buf.gnu_longlink; j > 0;
+- j--, ptr += T_BLOCKSIZE)
++ for (j = 0, ptr = t->th_buf.gnu_longlink; j < blocks;
++ j++, ptr += T_BLOCKSIZE)
+ {
+ #ifdef DEBUG
+ printf(" th_read(): reading long linkname "
+- "(%d blocks left, ptr == %ld)\n", j, ptr);
++ "(%d blocks left, ptr == %ld)\n", blocks-j, ptr);
+ #endif
+ i = tar_block_read(t, ptr);
+ if (i != T_BLOCKSIZE)
+@@ -163,21 +168,26 @@ th_read(TAR *t)
+ if (TH_ISLONGNAME(t))
+ {
+ sz = th_get_size(t);
+- j = (sz / T_BLOCKSIZE) + (sz % T_BLOCKSIZE ? 1 : 0);
++ blocks = (sz / T_BLOCKSIZE) + (sz % T_BLOCKSIZE ? 1 : 0);
++ if (blocks > ((size_t)-1 / T_BLOCKSIZE))
++ {
++ errno = E2BIG;
++ return -1;
++ }
+ #ifdef DEBUG
+ printf(" th_read(): GNU long filename detected "
+- "(%ld bytes, %d blocks)\n", sz, j);
++ "(%ld bytes, %d blocks)\n", sz, blocks);
+ #endif
+- t->th_buf.gnu_longname = (char *)malloc(j * T_BLOCKSIZE);
++ t->th_buf.gnu_longname = (char *)malloc(blocks * T_BLOCKSIZE);
+ if (t->th_buf.gnu_longname == NULL)
+ return -1;
+
+- for (ptr = t->th_buf.gnu_longname; j > 0;
+- j--, ptr += T_BLOCKSIZE)
++ for (j = 0, ptr = t->th_buf.gnu_longname; j < blocks;
++ j++, ptr += T_BLOCKSIZE)
+ {
+ #ifdef DEBUG
+ printf(" th_read(): reading long filename "
+- "(%d blocks left, ptr == %ld)\n", j, ptr);
++ "(%d blocks left, ptr == %ld)\n", blocks-j, ptr);
+ #endif
+ i = tar_block_read(t, ptr);
+ if (i != T_BLOCKSIZE)
+--
+1.7.1
+
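Review bot: The four `printf` calls under `#ifdef DEBUG` in the embedded block.c hunks now pass the `size_t` values `blocks` and `blocks-j` to `%d`, and `sz` (also `size_t`) to `%ld`, so a `-DDEBUG` build has mismatched conversion specifiers on every debug line the commit touches (and `ptr` is still printed with `%ld`). The argument types were changed but the format strings were not; `"(%zu bytes, %zu blocks)\n", sz, blocks);` and `"(%zu blocks left, ptr == %p)\n", blocks-j, (void *)ptr);` would match the new types. The new `errno = E2BIG` paths depend on `<errno.h>` being included by block.c, which this hunk does not show, so that is worth confirming in the patched tree. `th_read` starts before and continues past the inner hunks, so what happens to the freshly allocated `gnu_longlink`/`gnu_longname` buffer when `tar_block_read` later returns short is outside this view.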
diff --git a/libtar.spec b/libtar.spec
index 2e2752d..8cb08e0 100644
--- a/libtar.spec
+++ b/libtar.spec
@@ -1,14 +1,15 @@
Summary: Tar file manipulation API
Name: libtar
Version: 1.2.11
-Release: 13%{?dist}
+Release: 14%{?dist}
License: MIT
Group: System Environment/Libraries
URL: http://www.feep.net/libtar/
Source0: ftp://ftp.feep.net/pub/software/libtar/libtar-%{version}.tar.gz
Patch0: http://ftp.debian.org/debian/pool/main/libt/libtar/libtar_1.2.11-4.diff.gz
Patch1: libtar-1.2.11-missing-protos.patch
-Patch2: libtar-1.2.11-tar_header.patch
+Patch2: libtar-1.2.11-tar_header.patch
+Patch8: libtar-1.2.11-CVE-2013-4397.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-buildroot
BuildRequires: zlib-devel libtool
@@ -33,6 +34,8 @@ developing applications that use %{name}.
%patch0 -p1 -z .deb
%patch1 -p1
%patch2 -p1 -z .tar_header
+%patch8 -p1
+
# set correct version for .so build
%define ltversion %(echo %{version} | tr '.' ':')
sed -i 's/-rpath $(libdir)/-rpath $(libdir) -version-number %{ltversion}/' \
@@ -79,6 +82,9 @@ rm -rf $RPM_BUILD_ROOT
%changelog
+* Thu Oct 10 2013 Kamil Dudka <kdudka at redhat.com> - 1.2.11-14
+- fix CVE-2013-4397: buffer overflows by expanding a specially-crafted archive
+
* Tue Nov 24 2009 Huzaifa Sidhpurwala <huzaifas at redhat.com> 1.2.11-13
- Version bump so that it builds