Backport fix for bz 842458 (CVE-2012-4024)
parent
5794813e6f
commit
90e6c51507
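--- /dev/null
+++ b/path-issue.patch
@@ -0,0 +1,77 @@
+From: Phillip Lougher <phillip@squashfs.org.uk>
+Date: Thu, 22 Nov 2012 04:58:39 +0000 (+0000)
+Subject: unsquashfs: fix CVE-2012-4024
+X-Git-Url: http://squashfs.git.sourceforge.net/git/gitweb.cgi?p=squashfs%2Fsquashfs;a=commitdiff_plain;h=19c38fba0be1ce949ab44310d7f49887576cc123;hp=f7bbe5a202648b505879e2570672c012498f31fb
+
+unsquashfs: fix CVE-2012-4024
+
+Fix potential stack overflow in get_component() where an individual
+pathname component in an extract file (specified on the command line
+or in an extract file) could exceed the 1024 byte sized targname
+allocated on the stack.
+
+Fix by dynamically allocating targname rather than storing it as
+a fixed size on the stack.
+
+Signed-off-by: Phillip Lougher <phillip@squashfs.org.uk>
+---
+
+diff --git a/squashfs-tools/unsquashfs.c b/squashfs-tools/unsquashfs.c
+index 90ed1c2..d9d1377 100644
+--- a/squashfs-tools/unsquashfs.c
++++ b/squashfs-tools/unsquashfs.c
+@@ -1099,15 +1099,18 @@ void squashfs_closedir(struct dir *dir)
+}
+
+
+-char *get_component(char *target, char *targname)
++char *get_component(char *target, char **targname)
+{
++ char *start;
++
+while(*target == '/')
+target ++;
+
++ start = target;
+while(*target != '/' && *target!= '\0')
+- *targname ++ = *target ++;
++ target ++;
+
+- *targname = '\0';
++ *targname = strndup(start, target - start);
+
+return target;
+}
+@@ -1133,12 +1136,12 @@ void free_path(struct pathname *paths)
+
+struct pathname *add_path(struct pathname *paths, char *target, char *alltarget)
+{
+- char targname[1024];
++ char *targname;
+int i, error;
+
+TRACE("add_path: adding \"%s\" extract file\n", target);
+
+- target = get_component(target, targname);
++ target = get_component(target, &targname);
+
+if(paths == NULL) {
+paths = malloc(sizeof(struct pathname));
+@@ -1162,7 +1165,7 @@ struct pathname *add_path(struct pathname *paths, char *target, char *alltarget)
+sizeof(struct path_entry));
+if(paths->name == NULL)
+EXIT_UNSQUASH("Out of memory in add_path\n");
+- paths->name[i].name = strdup(targname);
++ paths->name[i].name = targname;
+paths->name[i].paths = NULL;
+if(use_regex) {
+paths->name[i].preg = malloc(sizeof(regex_t));
+@@ -1195,6 +1198,8 @@ struct pathname *add_path(struct pathname *paths, char *target, char *alltarget)
+/*
+* existing matching entry
+*/
++ free(targname);
++
+if(paths->name[i].paths == NULL) {
+/*
+* No sub-directory which means this is the leaf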
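Review bot: In the new get_component(), `*targname = strndup(start, target - start);` is not checked for allocation failure, so on out-of-memory add_path() receives a NULL targname and, in the new-entry branch, stores it straight into `paths->name[i].name`. The surrounding code already aborts on failed allocations with EXIT_UNSQUASH, so the same guard fits here: `if(*targname == NULL) EXIT_UNSQUASH("Out of memory in get_component\n");`. Ownership of the string also changes with this patch (freed in the existing-entry branch, handed to the path entry otherwise); add_path()'s body continues outside the hunks, so it is worth confirming that no other exit path leaves targname unfreed, and a one-line comment on get_component() stating that the caller owns `*targname` would make that contract explicit.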
|
@ -1,7 +1,7 @@
|
||||
Summary: Utility for the creation of squashfs filesystems
|
||||
Name: squashfs-tools
|
||||
Version: 4.2
|
||||
Release: 3%{?dist}
|
||||
Release: 4%{?dist}
|
||||
License: GPLv2+
|
||||
Group: System Environment/Base
|
||||
URL: http://squashfs.sourceforge.net/
|
||||
@ -11,6 +11,9 @@ BuildRequires: zlib-devel
|
||||
BuildRequires: xz-devel
|
||||
BuildRequires: lzo-devel
|
||||
BuildRequires: libattr-devel
|
||||
# Upstream commit 19c38fba0be1ce949ab44310d7f49887576cc123 (minus version
|
||||
# date change that doesn't apply cleanly)
|
||||
Patch0: path-issue.patch
|
||||
|
||||
%description
|
||||
Squashfs is a highly compressed read-only filesystem for Linux. This package
|
||||
@ -18,6 +21,7 @@ contains the utilities for manipulating squashfs filesystems.
|
||||
|
||||
%prep
|
||||
%setup -q -n squashfs4.2
|
||||
%patch0 -p1 -b .pathname
|
||||
|
||||
%build
|
||||
pushd squashfs-tools
|
||||
@ -39,6 +43,9 @@ rm -rf %{buildroot}
|
||||
%{_sbindir}/unsquashfs
|
||||
|
||||
%changelog
|
||||
* Tue Nov 22 2012 Bruno Wolff III <bruno@wolff.to> - 4.2-4
|
||||
- Backported fix for bz 842458 (CVE-2012-4024)
|
||||
|
||||
* Sat Jul 21 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 4.2-3
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild
|
||||
|
||||
|