CVE-2010-0624 tar, cpio: Heap-based buffer overflow by expanding a

specially-crafted archive (#572149), realloc within check_exclusion_tags() caused invalid write(#570591)
2010-03-10 12:50:14 +00:00 · 2010-03-10 12:50:14 +00:00 · 49a6d9c8ec
commit 49a6d9c8ec
parent d2ac7340c6
3 changed files with 88 additions and 1 deletions
--- a/tar-1.22-exclusion-tags.patch
+++ b/tar-1.22-exclusion-tags.patch
@ -0,0 +1,59 @@
+From 6f02669c7ba8da9d9bd0592b8c4f87f399e60061 Mon Sep 17 00:00:00 2001
+From: Sergey Poznyakoff <gray@gnu.org.ua>
+Date: Mon, 8 Mar 2010 12:27:23 +0200
+Subject: [PATCH] Fix eventual memory override and fd exhaustion in create.c
+ Both bugs reported by Kamil Dudka.
+
+* src/create.c (check_exclusion_tags): Do not keep
+pointer to a location within tagname: it may change
+after xrealloc. Use byte offset instead.
+(dump_file0): Close fd before returning without
+dumping the directory.
+---
+ src/create.c |   12 +++++++-----
+ 1 files changed, 7 insertions(+), 5 deletions(-)
+
+diff --git a/src/create.c b/src/create.c
+index 209e428..c69d340 100644
+--- a/src/create.c
+++ b/src/create.c
+@@ -79,7 +79,7 @@ check_exclusion_tags (const char *dirname, const char **tag_file_name)
+   struct exclusion_tag *tag;
+   size_t dlen = strlen (dirname);
+   int addslash = dirname[dlen-1] != '/';
+-  char *nptr = NULL;
+  size_t noff = 0;
+   
+   for (tag = exclusion_tags; tag; tag = tag->next)
+     {
+@@ -90,14 +90,14 @@ check_exclusion_tags (const char *dirname, const char **tag_file_name)
+ 	  tagname = xrealloc (tagname, tagsize);
+ 	}
+ 
+-      if (!nptr)
+      if (noff == 0)
+ 	{
+ 	  strcpy (tagname, dirname);
+-	  nptr = tagname + dlen;
+	  noff = dlen;
+ 	  if (addslash)
+-	    *nptr++ = '/';
+	    tagname[noff++] = '/';
+ 	}
+-      strcpy (nptr, tag->name);
+      strcpy (tagname + noff, tag->name);
+       if (access (tagname, F_OK) == 0
+ 	  && (!tag->predicate || tag->predicate (tagname)))
+ 	{
+@@ -1591,6 +1591,8 @@ dump_file0 (struct tar_stat_info *st, const char *p,
+ 	    {
+ 	      exclusion_tag_warning (st->orig_file_name, tag_file_name,
+ 				     _("directory not dumped"));
+	      if (fd >= 0)
+		close (fd);
+ 	      return;
+ 	    }
+ 	  
+-- 
+1.6.5
+
--- a/tar-1.22-rtapelib-overflow.patch
+++ b/tar-1.22-rtapelib-overflow.patch
@ -0,0 +1,13 @@
+diff -urNp tar-1.22-orig/lib/rtapelib.c tar-1.22/lib/rtapelib.c
+--- tar-1.22-orig/lib/rtapelib.c	2007-08-12 09:57:15.000000000 +0200
+++ tar-1.22/lib/rtapelib.c	2010-02-22 13:58:07.000000000 +0100
+@@ -573,6 +573,9 @@ rmt_read__ (int handle, char *buffer, si
+       || (status = get_status (handle)) == SAFE_READ_ERROR)
+     return SAFE_READ_ERROR;
+ 
+  if (status > length)
+    return SAFE_READ_ERROR;
+
+   for (counter = 0; counter < status; counter += rlen, buffer += rlen)
+     {
+       rlen = safe_read (READ_SIDE (handle), buffer, status - counter);
--- a/tar.spec
+++ b/tar.spec
@ -5,7 +5,7 @@ Summary: A GNU file archiving program
 Name: tar
 Epoch: 2
 Version: 1.22
-Release: 16%{?dist}
+Release: 17%{?dist}
 License: GPLv3+
 Group: Applications/Archiving
 URL: http://www.gnu.org/software/tar/
@ -38,6 +38,10 @@ Patch9: tar-1.22-nsfraction.patch
 #update gnulib's utimens module to latest version to prevent utimens() bad file
 #descriptor failures with POSIX2008 glibc
 Patch10: tar-1.22-utimens.patch
+#Fix potential place for overflow attack via rsh/ssh (#564368)
+Patch11: tar-1.22-rtapelib-overflow.patch
+#realloc within check_exclusion_tags() causes invalid write(#570591)
+Patch12: tar-1.22-exclusion-tags.patch
 Requires: info
 BuildRequires: autoconf automake gzip texinfo gettext libacl-devel gawk rsh
 %if %{WITH_SELINUX}
@ -71,6 +75,8 @@ the rmt package.
 %patch8 -p1 -b .xheaderleak
 %patch9 -p1 -b .nsfraction
 %patch10 -p1 -b .utimens
+%patch11 -p1 -b .overflow
+%patch12 -p1 -b .exclude

 autoreconf

@ -132,6 +138,15 @@ fi
 %{_infodir}/tar.info*

 %changelog
+* Wed Mar 10 2010 Ondrej Vasik <ovasik@redhat.com> 2:1.22-17
+- CVE-2010-0624 tar, cpio: Heap-based buffer overflow
+  by expanding a specially-crafted archive (#572149)
+- realloc within check_exclusion_tags() caused invalid write
+  (#570591)
+- not closing file descriptors for excluded files/dirs with
+  exlude-tag... options could cause descriptor exhaustion
+  (#570591)
+
 * Sat Feb 20 2010 Kamil Dudka <kdudka@redhat.com> 2:1.22-16
 - support for "lustre.*" extended attributes (#561855)