CVE-2007-4476

cpio-2.9-safer_name_suffix.patch

@@ -0,0 +1,89 @@
+diff -up tar-1.17/lib/paxnames.c.safer_name_suffix tar-1.17/lib/paxnames.c
+--- tar-1.17/lib/paxnames.c.safer_name_suffix	2005-05-22 00:55:55.000000000 +0200
++++ tar-1.17/lib/paxnames.c	2007-10-22 17:32:54.000000000 +0200
+@@ -36,15 +36,27 @@ hash_string_compare (void const *name1, 
+   return strcmp (name1, name2) == 0;
+ }
+ 
+-/* Return zero if TABLE contains a copy of STRING; otherwise, insert a
+-   copy of STRING to TABLE and return 1.  */
+-bool
+-hash_string_insert (Hash_table **table, char const *string)
++/* Return zero if TABLE contains a LEN-character long prefix of STRING,
++   otherwise, insert a newly allocated copy of this prefix to TABLE and
++   return 1.  If RETURN_PREFIX is not NULL, point it to the allocated
++   copy. */
++static bool
++hash_string_insert_prefix (Hash_table **table, char const *string, size_t len,
++			   const char **return_prefix)
+ {
+   Hash_table *t = *table;
+-  char *s = xstrdup (string);
++  char *s;
+   char *e;
+ 
++  if (len)
++    {
++      s = xmalloc (len + 1);
++      memcpy (s, string, len);
++      s[len] = 0;
++    }
++  else
++    s = xstrdup (string);
++  
+   if (! ((t
+ 	  || (*table = t = hash_initialize (0, 0, hash_string_hasher,
+ 					    hash_string_compare, 0)))
+@@ -52,7 +64,11 @@ hash_string_insert (Hash_table **table, 
+     xalloc_die ();
+ 
+   if (e == s)
+-    return 1;
++    {
++      if (return_prefix)
++	*return_prefix = s;
++      return 1;
++    }
+   else
+     {
+       free (s);
+@@ -60,6 +76,14 @@ hash_string_insert (Hash_table **table, 
+     }
+ }
+ 
++/* Return zero if TABLE contains a copy of STRING; otherwise, insert a
++   copy of STRING to TABLE and return 1.  */
++bool
++hash_string_insert (Hash_table **table, char const *string)
++{
++  return hash_string_insert_prefix (table, string, 0, NULL);
++}
++
+ /* Return 1 if TABLE contains STRING.  */
+ bool
+ hash_string_lookup (Hash_table const *table, char const *string)
+@@ -88,7 +112,8 @@ removed_prefixes_p (void)
+    If ABSOLUTE_NAMES is 0, strip filesystem prefix from the file name. */
+ 
+ char *
+-safer_name_suffix (char const *file_name, bool link_target, bool absolute_names)
++safer_name_suffix (char const *file_name, bool link_target,
++		   bool absolute_names)
+ {
+   char const *p;
+ 
+@@ -121,11 +146,9 @@ safer_name_suffix (char const *file_name
+ 
+       if (prefix_len)
+ 	{
+-	  char *prefix = alloca (prefix_len + 1);
+-	  memcpy (prefix, file_name, prefix_len);
+-	  prefix[prefix_len] = '\0';
+-
+-	  if (hash_string_insert (&prefix_table[link_target], prefix))
++	  const char *prefix;
++	  if (hash_string_insert_prefix (&prefix_table[link_target], file_name,
++					 prefix_len, &prefix))
+ 	    {
+ 	      static char const *const diagnostic[] =
+ 	      {

cpio.spec

@@ -3,7 +3,7 @@
 Summary: A GNU archiving program
 Name: cpio
 Version: 2.9
-Release: 4%{?dist}
+Release: 5%{?dist}
 License: GPLv3+
 Group: Applications/Archiving
 URL: http://www.gnu.org/software/cpio/
@@ -13,6 +13,7 @@ Patch1: cpio-2.6-setLocale.patch
 Patch2: cpio-2.9-rh.patch
 Patch3: cpio-2.9-chmodRaceC.patch
 Patch4: cpio-2.9-exitCode.patch
+Patch5: cpio-2.9-safer_name_suffix.patch
 Requires(post): /sbin/install-info
 Requires(preun): /sbin/install-info
 BuildRequires: texinfo, autoconf, gettext
@@ -38,6 +39,7 @@ Install cpio if you need a program to manage file archives.
 %patch2  -p1 -b .rh
 %patch3  -p1 -b .chmodRaceC
 %patch4  -p1 -b .exitCode
+%patch5  -p1 -b .safer_name_suffix
 
 autoheader
 
@@ -78,6 +80,9 @@ fi
 %{_infodir}/*.info*
 
 %changelog
+* Thu Nov 01 2007 Radek Brich <rbrich@redhat.com> 2.9-5
+- upstream patch for CVE-2007-4476 (stack crashing in safer_name_suffix)
+
 * Tue Sep 04 2007 Radek Brich <rbrich@redhat.com> 2.9-4
 - Updated license tag