[libtar/el5] fix CVE-2013-4397: buffer overflows by expanding a specially-crafted archive

Kamil Dudka kdudka at fedoraproject.org
Thu Oct 10 10:56:14 UTC 2013


commit 8e528647652411879c25900cabcd78966e06fcfa
Author: Kamil Dudka <kdudka at redhat.com>
Date:   Thu Oct 10 12:32:01 2013 +0200

    fix CVE-2013-4397: buffer overflows by expanding a specially-crafted archive

 libtar-1.2.11-CVE-2013-4397.patch |   98 +++++++++++++++++++++++++++++++++++++
 libtar.spec                       |   10 +++-
 2 files changed, 106 insertions(+), 2 deletions(-)
---
diff --git a/libtar-1.2.11-CVE-2013-4397.patch b/libtar-1.2.11-CVE-2013-4397.patch
new file mode 100644
index 0000000..bb8e752
--- /dev/null
+++ b/libtar-1.2.11-CVE-2013-4397.patch
@@ -0,0 +1,98 @@
+From e5c564bd9ca47fd13c0940ecb10d0d4f21706353 Mon Sep 17 00:00:00 2001
+From: Chris Frey <cdfrey at foursquare.net>
+Date: Tue, 1 Oct 2013 15:58:52 -0400
+Subject: [PATCH] Fixed size_t overflow bug, as reported by Timo Warns
+
+[upstream commit 45448e8bae671c2f7e80b860ae0fc0cedf2bdc04]
+
+Resolves: CVE-2013-4397
+
+Signed-off-by: Kamil Dudka <kdudka at redhat.com>
+---
+ lib/block.c |   38 ++++++++++++++++++++++++--------------
+ 1 files changed, 24 insertions(+), 14 deletions(-)
+
+diff --git a/lib/block.c b/lib/block.c
+index 2917dc6..092bc28 100644
+--- a/lib/block.c
++++ b/lib/block.c
+@@ -90,8 +90,8 @@ th_read_internal(TAR *t)
+ int
+ th_read(TAR *t)
+ {
+-	int i, j;
+-	size_t sz;
++	int i;
++	size_t sz, j, blocks;
+ 	char *ptr;
+ 
+ #ifdef DEBUG
+@@ -118,21 +118,26 @@ th_read(TAR *t)
+ 	if (TH_ISLONGLINK(t))
+ 	{
+ 		sz = th_get_size(t);
+-		j = (sz / T_BLOCKSIZE) + (sz % T_BLOCKSIZE ? 1 : 0);
++		blocks = (sz / T_BLOCKSIZE) + (sz % T_BLOCKSIZE ? 1 : 0);
++		if (blocks > ((size_t)-1 / T_BLOCKSIZE))
++		{
++			errno = E2BIG;
++			return -1;
++		}
+ #ifdef DEBUG
+ 		printf("    th_read(): GNU long linkname detected "
+-		       "(%ld bytes, %d blocks)\n", sz, j);
++		       "(%ld bytes, %d blocks)\n", sz, blocks);
+ #endif
+-		t->th_buf.gnu_longlink = (char *)malloc(j * T_BLOCKSIZE);
++		t->th_buf.gnu_longlink = (char *)malloc(blocks * T_BLOCKSIZE);
+ 		if (t->th_buf.gnu_longlink == NULL)
+ 			return -1;
+ 
+-		for (ptr = t->th_buf.gnu_longlink; j > 0;
+-		     j--, ptr += T_BLOCKSIZE)
++		for (j = 0, ptr = t->th_buf.gnu_longlink; j < blocks;
++		     j++, ptr += T_BLOCKSIZE)
+ 		{
+ #ifdef DEBUG
+ 			printf("    th_read(): reading long linkname "
+-			       "(%d blocks left, ptr == %ld)\n", j, ptr);
++			       "(%d blocks left, ptr == %ld)\n", blocks-j, ptr);
+ #endif
+ 			i = tar_block_read(t, ptr);
+ 			if (i != T_BLOCKSIZE)
+@@ -163,21 +168,26 @@ th_read(TAR *t)
+ 	if (TH_ISLONGNAME(t))
+ 	{
+ 		sz = th_get_size(t);
+-		j = (sz / T_BLOCKSIZE) + (sz % T_BLOCKSIZE ? 1 : 0);
++		blocks = (sz / T_BLOCKSIZE) + (sz % T_BLOCKSIZE ? 1 : 0);
++		if (blocks > ((size_t)-1 / T_BLOCKSIZE))
++		{
++			errno = E2BIG;
++			return -1;
++		}
+ #ifdef DEBUG
+ 		printf("    th_read(): GNU long filename detected "
+-		       "(%ld bytes, %d blocks)\n", sz, j);
++		       "(%ld bytes, %d blocks)\n", sz, blocks);
+ #endif
+-		t->th_buf.gnu_longname = (char *)malloc(j * T_BLOCKSIZE);
++		t->th_buf.gnu_longname = (char *)malloc(blocks * T_BLOCKSIZE);
+ 		if (t->th_buf.gnu_longname == NULL)
+ 			return -1;
+ 
+-		for (ptr = t->th_buf.gnu_longname; j > 0;
+-		     j--, ptr += T_BLOCKSIZE)
++		for (j = 0, ptr = t->th_buf.gnu_longname; j < blocks;
++		     j++, ptr += T_BLOCKSIZE)
+ 		{
+ #ifdef DEBUG
+ 			printf("    th_read(): reading long filename "
+-			       "(%d blocks left, ptr == %ld)\n", j, ptr);
++			       "(%d blocks left, ptr == %ld)\n", blocks-j, ptr);
+ #endif
+ 			i = tar_block_read(t, ptr);
+ 			if (i != T_BLOCKSIZE)
+-- 
+1.7.1
+
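Review bot: The DEBUG printf calls in the long-linkname and long-filename branches now hand size_t values (`sz`, `blocks`, `blocks-j`) to `%ld`/`%d` conversions, and `ptr` (a `char *`) to `%ld`, which is undefined behavior whenever DEBUG is defined and at best prints garbage on LP64. Since the patch already rewrites those lines to rename `j` to `blocks`, the conversions should be corrected in the same change: `"(%zu bytes, %zu blocks)\n", sz, blocks` and `"(%zu blocks left, ptr == %p)\n", blocks-j, (void *)ptr` (assuming a C99 printf is available). The guard `blocks > ((size_t)-1 / T_BLOCKSIZE)` is sound for the multiplication, because `blocks` is at most `SIZE_MAX / T_BLOCKSIZE + 1`, so the check catches exactly the case where `blocks * T_BLOCKSIZE` would wrap. It does not bound `sz` itself, so a crafted header can still request a very large allocation for a long name; whether relying on malloc to refuse that is acceptable depends on how th_get_size is defined, which is outside this hunk. `th_read` continues past the end of the last hunk.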
diff --git a/libtar.spec b/libtar.spec
index 2e2752d..8cb08e0 100644
--- a/libtar.spec
+++ b/libtar.spec
@@ -1,14 +1,15 @@
 Summary:        Tar file manipulation API
 Name:           libtar
 Version:        1.2.11
-Release:        13%{?dist}
+Release:        14%{?dist}
 License:        MIT
 Group:          System Environment/Libraries
 URL:            http://www.feep.net/libtar/
 Source0:        ftp://ftp.feep.net/pub/software/libtar/libtar-%{version}.tar.gz
 Patch0:         http://ftp.debian.org/debian/pool/main/libt/libtar/libtar_1.2.11-4.diff.gz
 Patch1:         libtar-1.2.11-missing-protos.patch
-Patch2:		libtar-1.2.11-tar_header.patch
+Patch2:         libtar-1.2.11-tar_header.patch
+Patch8:         libtar-1.2.11-CVE-2013-4397.patch
 BuildRoot:      %{_tmppath}/%{name}-%{version}-%{release}-buildroot
 BuildRequires:  zlib-devel libtool
 
@@ -33,6 +34,8 @@ developing applications that use %{name}.
 %patch0 -p1 -z .deb
 %patch1 -p1
 %patch2 -p1 -z .tar_header
+%patch8 -p1
+
 # set correct version for .so build
 %define ltversion %(echo %{version} | tr '.' ':')
 sed -i 's/-rpath $(libdir)/-rpath $(libdir) -version-number %{ltversion}/' \
@@ -79,6 +82,9 @@ rm -rf $RPM_BUILD_ROOT
 
 
 %changelog
+* Thu Oct 10 2013 Kamil Dudka <kdudka at redhat.com> - 1.2.11-14
+- fix CVE-2013-4397: buffer overflows by expanding a specially-crafted archive
+
 * Tue Nov 24 2009 Huzaifa Sidhpurwala <huzaifas at redhat.com> 1.2.11-13
 - Version bump so that it builds
 

