From 90e6c515074724273887a6e134e2ddd8c353a1ab Mon Sep 17 00:00:00 2001
From: Bruno Wolff III <bruno@wolff.to>
Date: Thu, 22 Nov 2012 08:15:25 -0600
Subject: [PATCH] Backport fix for bz 842458 (CVE-2012-4024)

---
 path-issue.patch    | 77 +++++++++++++++++++++++++++++++++++++++++++++
 squashfs-tools.spec |  9 +++++-
 2 files changed, 85 insertions(+), 1 deletion(-)
 create mode 100644 path-issue.patch

diff --git a/path-issue.patch b/path-issue.patch
new file mode 100644
index 0000000..7058241
--- /dev/null
+++ b/path-issue.patch
@@ -0,0 +1,77 @@
+From: Phillip Lougher <phillip@squashfs.org.uk>
+Date: Thu, 22 Nov 2012 04:58:39 +0000 (+0000)
+Subject: unsquashfs: fix CVE-2012-4024
+X-Git-Url: http://squashfs.git.sourceforge.net/git/gitweb.cgi?p=squashfs%2Fsquashfs;a=commitdiff_plain;h=19c38fba0be1ce949ab44310d7f49887576cc123;hp=f7bbe5a202648b505879e2570672c012498f31fb
+
+unsquashfs: fix CVE-2012-4024
+
+Fix potential stack overflow in get_component() where an individual
+pathname component in an extract file (specified on the command line
+or in an extract file) could exceed the 1024 byte sized targname
+allocated on the stack.
+
+Fix by dynamically allocating targname rather than storing it as
+a fixed size on the stack.
+
+Signed-off-by: Phillip Lougher <phillip@squashfs.org.uk>
+---
+
+diff --git a/squashfs-tools/unsquashfs.c b/squashfs-tools/unsquashfs.c
+index 90ed1c2..d9d1377 100644
+--- a/squashfs-tools/unsquashfs.c
++++ b/squashfs-tools/unsquashfs.c
+@@ -1099,15 +1099,18 @@ void squashfs_closedir(struct dir *dir)
+ }
+ 
+ 
+-char *get_component(char *target, char *targname)
++char *get_component(char *target, char **targname)
+ {
++	char *start;
++
+ 	while(*target == '/')
+ 		target ++;
+ 
++	start = target;
+ 	while(*target != '/' && *target!= '\0')
+-		*targname ++ = *target ++;
++		target ++;
+ 
+-	*targname = '\0';
++	*targname = strndup(start, target - start);
+ 
+ 	return target;
+ }
+@@ -1133,12 +1136,12 @@ void free_path(struct pathname *paths)
+ 
+ struct pathname *add_path(struct pathname *paths, char *target, char *alltarget)
+ {
+-	char targname[1024];
++	char *targname;
+ 	int i, error;
+ 
+ 	TRACE("add_path: adding \"%s\" extract file\n", target);
+ 
+-	target = get_component(target, targname);
++	target = get_component(target, &targname);
+ 
+ 	if(paths == NULL) {
+ 		paths = malloc(sizeof(struct pathname));
+@@ -1162,7 +1165,7 @@ struct pathname *add_path(struct pathname *paths, char *target, char *alltarget)
+ 			sizeof(struct path_entry));
+ 		if(paths->name == NULL)
+ 			EXIT_UNSQUASH("Out of memory in add_path\n");	
+-		paths->name[i].name = strdup(targname);
++		paths->name[i].name = targname;
+ 		paths->name[i].paths = NULL;
+ 		if(use_regex) {
+ 			paths->name[i].preg = malloc(sizeof(regex_t));
+@@ -1195,6 +1198,8 @@ struct pathname *add_path(struct pathname *paths, char *target, char *alltarget)
+ 		/*
+ 		 * existing matching entry
+ 		 */
++		free(targname);
++
+ 		if(paths->name[i].paths == NULL) {
+ 			/*
+ 			 * No sub-directory which means this is the leaf
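Review bot: The added `*targname = strndup(start, target - start);` in get_component() leaves an allocation failure unchecked, so on NULL add_path() goes on to pass targname to strcmp() (outside this hunk) and stores it as `paths->name[i].name`, turning an out-of-memory condition into a NULL dereference instead of the explicit exit the neighbouring realloc path uses. A guard in the same style, placed directly after the strndup, would be `if(*targname == NULL) EXIT_UNSQUASH("Out of memory in get_component\n");`. The new get_component() also says nothing about ownership of the buffer it now allocates; a comment such as `/* *targname is heap-allocated by strndup(); the caller owns it (add_path() either stores it in paths->name[i].name or frees it) */` above the function would make the transfer explicit. strndup() is POSIX.1-2008 and older glibc only declares it under _GNU_SOURCE or _XOPEN_SOURCE >= 700; whether unsquashfs.c already defines that is not visible here. The add_path() hunks that follow start and end outside the shown context.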
diff --git a/squashfs-tools.spec b/squashfs-tools.spec
index d1043bb..b3654e2 100644
--- a/squashfs-tools.spec
+++ b/squashfs-tools.spec
@@ -1,7 +1,7 @@
 Summary: Utility for the creation of squashfs filesystems
 Name: squashfs-tools
 Version: 4.2
-Release: 3%{?dist}
+Release: 4%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 URL: http://squashfs.sourceforge.net/
@@ -11,6 +11,9 @@ BuildRequires: zlib-devel
 BuildRequires: xz-devel
 BuildRequires: lzo-devel
 BuildRequires: libattr-devel
+# Upstream commit 19c38fba0be1ce949ab44310d7f49887576cc123 (minus version 
+# date change that doesn't apply cleanly)
+Patch0: path-issue.patch
 
 %description
 Squashfs is a highly compressed read-only filesystem for Linux.  This package
@@ -18,6 +21,7 @@ contains the utilities for manipulating squashfs filesystems.
 
 %prep
 %setup -q -n squashfs4.2
+%patch0 -p1 -b .pathname
 
 %build
 pushd squashfs-tools
@@ -39,6 +43,9 @@ rm -rf %{buildroot}
 %{_sbindir}/unsquashfs
 
 %changelog
+* Tue Nov 22 2012 Bruno Wolff III <bruno@wolff.to> - 4.2-4
+- Backported fix for bz 842458 (CVE-2012-4024)
+
 * Sat Jul 21 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 4.2-3
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild