Backport fix for bz 842458 (CVE-2012-4024)

Bruno Wolff III 2012-11-22 08:15:25 -06:00
parent 5794813e6f
commit 90e6c51507
2 changed files with 85 additions and 1 deletions

77
path-issue.patch Normal file

@ -0,0 +1,77 @@
From: Phillip Lougher <phillip@squashfs.org.uk>
Date: Thu, 22 Nov 2012 04:58:39 +0000 (+0000)
Subject: unsquashfs: fix CVE-2012-4024
X-Git-Url: http://squashfs.git.sourceforge.net/git/gitweb.cgi?p=squashfs%2Fsquashfs;a=commitdiff_plain;h=19c38fba0be1ce949ab44310d7f49887576cc123;hp=f7bbe5a202648b505879e2570672c012498f31fb
unsquashfs: fix CVE-2012-4024
Fix potential stack overflow in get_component() where an individual
pathname component in an extract file (specified on the command line
or in an extract file) could exceed the 1024 byte sized targname
allocated on the stack.
Fix by dynamically allocating targname rather than storing it as
a fixed size on the stack.
Signed-off-by: Phillip Lougher <phillip@squashfs.org.uk>
---
diff --git a/squashfs-tools/unsquashfs.c b/squashfs-tools/unsquashfs.c
index 90ed1c2..d9d1377 100644
--- a/squashfs-tools/unsquashfs.c
+++ b/squashfs-tools/unsquashfs.c
@@ -1099,15 +1099,18 @@ void squashfs_closedir(struct dir *dir)
}
-char *get_component(char *target, char *targname)
+char *get_component(char *target, char **targname)
{
+ char *start;
+
while(*target == '/')
target ++;
+ start = target;
while(*target != '/' && *target!= '\0')
- *targname ++ = *target ++;
+ target ++;
- *targname = '\0';
+ *targname = strndup(start, target - start);
return target;
}
@@ -1133,12 +1136,12 @@ void free_path(struct pathname *paths)
struct pathname *add_path(struct pathname *paths, char *target, char *alltarget)
{
- char targname[1024];
+ char *targname;
int i, error;
TRACE("add_path: adding \"%s\" extract file\n", target);
- target = get_component(target, targname);
+ target = get_component(target, &targname);
if(paths == NULL) {
paths = malloc(sizeof(struct pathname));
@@ -1162,7 +1165,7 @@ struct pathname *add_path(struct pathname *paths, char *target, char *alltarget)
sizeof(struct path_entry));
if(paths->name == NULL)
EXIT_UNSQUASH("Out of memory in add_path\n");
- paths->name[i].name = strdup(targname);
+ paths->name[i].name = targname;
paths->name[i].paths = NULL;
if(use_regex) {
paths->name[i].preg = malloc(sizeof(regex_t));
@@ -1195,6 +1198,8 @@ struct pathname *add_path(struct pathname *paths, char *target, char *alltarget)
/*
* existing matching entry
*/
+ free(targname);
+
if(paths->name[i].paths == NULL) {
/*
* No sub-directory which means this is the leaf
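Review bot: The result of `strndup()` in the rewritten get_component() is never checked, so on allocation failure `*targname` is NULL and add_path() carries on with it; the new-entry branch stores it directly as `paths->name[i].name`. The other allocations visible in add_path() abort via `EXIT_UNSQUASH("Out of memory in add_path\n")`, and the same guard belongs right after the call: `if(targname == NULL) EXIT_UNSQUASH("Out of memory in add_path\n");`. Ownership of the buffer now ends either in `paths->name[i].name` or in the added `free(targname)`; any other exit from add_path() lies outside these hunks and should be checked for a leak. A short comment on get_component() saying that `*targname` is heap-allocated and owned by the caller would document the new contract.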


@ -1,7 +1,7 @@
Summary: Utility for the creation of squashfs filesystems
Name: squashfs-tools
Version: 4.2
Release: 3%{?dist}
Release: 4%{?dist}
License: GPLv2+
Group: System Environment/Base
URL: http://squashfs.sourceforge.net/
@ -11,6 +11,9 @@ BuildRequires: zlib-devel
BuildRequires: xz-devel
BuildRequires: lzo-devel
BuildRequires: libattr-devel
# Upstream commit 19c38fba0be1ce949ab44310d7f49887576cc123 (minus version
# date change that doesn't apply cleanly)
Patch0: path-issue.patch
%description
Squashfs is a highly compressed read-only filesystem for Linux. This package
@ -18,6 +21,7 @@ contains the utilities for manipulating squashfs filesystems.
%prep
%setup -q -n squashfs4.2
%patch0 -p1 -b .pathname
%build
pushd squashfs-tools
@ -39,6 +43,9 @@ rm -rf %{buildroot}
%{_sbindir}/unsquashfs
%changelog
* Tue Nov 22 2012 Bruno Wolff III <bruno@wolff.to> - 4.2-4
- Backported fix for bz 842458 (CVE-2012-4024)
* Sat Jul 21 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 4.2-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild
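Review bot: The new %changelog entry gives the weekday as `Tue`, but the upstream patch header on this page dates 22 Nov 2012 as a Thursday, and rpmbuild warns about a bogus %changelog date when weekday and date disagree. The entry should read `* Thu Nov 22 2012 Bruno Wolff III <bruno@wolff.to> - 4.2-4`. The comment above `Patch0:` could also name the issue, e.g. `# Fix for CVE-2012-4024 (bz 842458), upstream commit 19c38fba0be1ce949ab44310d7f49887576cc123`, so the reason for carrying the patch is visible next to it.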