CVE-2010-0624 tar, cpio: Heap-based buffer overflow by expanding a
specially-crafted archive (#572149), realloc within check_exclusion_tags() caused invalid write(#570591)
This commit is contained in:
parent
d2ac7340c6
commit
49a6d9c8ec
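--- a/tar-1.22-exclusion-tags.patch
+++ b/tar-1.22-exclusion-tags.patch
@@ -0,0 +1,59 @@
+From 6f02669c7ba8da9d9bd0592b8c4f87f399e60061 Mon Sep 17 00:00:00 2001
+From: Sergey Poznyakoff <gray@gnu.org.ua>
+Date: Mon, 8 Mar 2010 12:27:23 +0200
+Subject: [PATCH] Fix eventual memory override and fd exhaustion in create.c
+Both bugs reported by Kamil Dudka.
+
+* src/create.c (check_exclusion_tags): Do not keep
+pointer to a location within tagname: it may change
+after xrealloc. Use byte offset instead.
+(dump_file0): Close fd before returning without
+dumping the directory.
+---
+src/create.c | 12 +++++++-----
+1 files changed, 7 insertions(+), 5 deletions(-)
+
+diff --git a/src/create.c b/src/create.c
+index 209e428..c69d340 100644
+--- a/src/create.c
++++ b/src/create.c
+@@ -79,7 +79,7 @@ check_exclusion_tags (const char *dirname, const char **tag_file_name)
+struct exclusion_tag *tag;
+size_t dlen = strlen (dirname);
+int addslash = dirname[dlen-1] != '/';
+- char *nptr = NULL;
++ size_t noff = 0;
+
+for (tag = exclusion_tags; tag; tag = tag->next)
+{
+@@ -90,14 +90,14 @@ check_exclusion_tags (const char *dirname, const char **tag_file_name)
+tagname = xrealloc (tagname, tagsize);
+}
+
+- if (!nptr)
++ if (noff == 0)
+{
+strcpy (tagname, dirname);
+- nptr = tagname + dlen;
++ noff = dlen;
+if (addslash)
+- *nptr++ = '/';
++ tagname[noff++] = '/';
+}
+- strcpy (nptr, tag->name);
++ strcpy (tagname + noff, tag->name);
+if (access (tagname, F_OK) == 0
+&& (!tag->predicate || tag->predicate (tagname)))
+{
+@@ -1591,6 +1591,8 @@ dump_file0 (struct tar_stat_info *st, const char *p,
+{
+exclusion_tag_warning (st->orig_file_name, tag_file_name,
+_("directory not dumped"));
++ if (fd >= 0)
++ close (fd);
+return;
+}
+
+--
+1.6.5
+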
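Review bot: In the second hunk of the embedded src/create.c patch, `if (noff == 0)` is used as the "dirname prefix not yet copied" flag, and that is only sound because `dlen` is at least 1 — the context line `int addslash = dirname[dlen-1] != '/';` already assumes a non-empty dirname, so the offset-based fix now silently inherits that precondition. The fix itself is the right one (an offset survives `xrealloc`, a pointer does not), but the invariant deserves a comment at the declaration, e.g. `/* Byte offset of the tag name inside tagname; 0 means the dirname prefix has not been copied yet (dlen >= 1 here). */`. The `close (fd)` added in dump_file0 looks correct as far as the hunk shows. Both check_exclusion_tags and dump_file0 begin and end outside the hunks, so the declarations of `tagname`, `tagsize` and `fd` could not be checked here.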
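--- a/tar-1.22-rtapelib-overflow.patch
+++ b/tar-1.22-rtapelib-overflow.patch
@@ -0,0 +1,13 @@
+diff -urNp tar-1.22-orig/lib/rtapelib.c tar-1.22/lib/rtapelib.c
+--- tar-1.22-orig/lib/rtapelib.c 2007-08-12 09:57:15.000000000 +0200
++++ tar-1.22/lib/rtapelib.c 2010-02-22 13:58:07.000000000 +0100
+@@ -573,6 +573,9 @@ rmt_read__ (int handle, char *buffer, si
+|| (status = get_status (handle)) == SAFE_READ_ERROR)
+return SAFE_READ_ERROR;
+
++ if (status > length)
++ return SAFE_READ_ERROR;
++
+for (counter = 0; counter < status; counter += rlen, buffer += rlen)
+{
+rlen = safe_read (READ_SIDE (handle), buffer, status - counter);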
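Review bot: The new `if (status > length)` guard in rmt_read__ returns without draining the `status` bytes the remote rmt process has already announced, so READ_SIDE (handle) is left out of step with the protocol; that is presumably acceptable because SAFE_READ_ERROR makes the caller give up on the handle, but the line should say why it refuses rather than truncates, e.g. `/* A reply longer than the caller's buffer is a protocol violation (CVE-2010-0624): refuse it rather than overrun buffer. */`. The declarations of `status` and `length` lie outside the hunk (the signature is cut off at `si`), so it is worth confirming that both are the same unsigned type and the comparison is not subject to signed/unsigned promotion. rmt_read__ starts and ends outside the hunk.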
17
tar.spec
17
tar.spec
@ -5,7 +5,7 @@ Summary: A GNU file archiving program
|
|||||||
Name: tar
|
Name: tar
|
||||||
Epoch: 2
|
Epoch: 2
|
||||||
Version: 1.22
|
Version: 1.22
|
||||||
Release: 16%{?dist}
|
Release: 17%{?dist}
|
||||||
License: GPLv3+
|
License: GPLv3+
|
||||||
Group: Applications/Archiving
|
Group: Applications/Archiving
|
||||||
URL: http://www.gnu.org/software/tar/
|
URL: http://www.gnu.org/software/tar/
|
||||||
@ -38,6 +38,10 @@ Patch9: tar-1.22-nsfraction.patch
|
|||||||
#update gnulib's utimens module to latest version to prevent utimens() bad file
|
#update gnulib's utimens module to latest version to prevent utimens() bad file
|
||||||
#descriptor failures with POSIX2008 glibc
|
#descriptor failures with POSIX2008 glibc
|
||||||
Patch10: tar-1.22-utimens.patch
|
Patch10: tar-1.22-utimens.patch
|
||||||
|
#Fix potential place for overflow attack via rsh/ssh (#564368)
|
||||||
|
Patch11: tar-1.22-rtapelib-overflow.patch
|
||||||
|
#realloc within check_exclusion_tags() causes invalid write(#570591)
|
||||||
|
Patch12: tar-1.22-exclusion-tags.patch
|
||||||
Requires: info
|
Requires: info
|
||||||
BuildRequires: autoconf automake gzip texinfo gettext libacl-devel gawk rsh
|
BuildRequires: autoconf automake gzip texinfo gettext libacl-devel gawk rsh
|
||||||
%if %{WITH_SELINUX}
|
%if %{WITH_SELINUX}
|
||||||
@ -71,6 +75,8 @@ the rmt package.
|
|||||||
%patch8 -p1 -b .xheaderleak
|
%patch8 -p1 -b .xheaderleak
|
||||||
%patch9 -p1 -b .nsfraction
|
%patch9 -p1 -b .nsfraction
|
||||||
%patch10 -p1 -b .utimens
|
%patch10 -p1 -b .utimens
|
||||||
|
%patch11 -p1 -b .overflow
|
||||||
|
%patch12 -p1 -b .exclude
|
||||||
|
|
||||||
autoreconf
|
autoreconf
|
||||||
|
|
||||||
@ -132,6 +138,15 @@ fi
|
|||||||
%{_infodir}/tar.info*
|
%{_infodir}/tar.info*
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Wed Mar 10 2010 Ondrej Vasik <ovasik@redhat.com> 2:1.22-17
|
||||||
|
- CVE-2010-0624 tar, cpio: Heap-based buffer overflow
|
||||||
|
by expanding a specially-crafted archive (#572149)
|
||||||
|
- realloc within check_exclusion_tags() caused invalid write
|
||||||
|
(#570591)
|
||||||
|
- not closing file descriptors for excluded files/dirs with
|
||||||
|
exlude-tag... options could cause descriptor exhaustion
|
||||||
|
(#570591)
|
||||||
|
|
||||||
* Sat Feb 20 2010 Kamil Dudka <kdudka@redhat.com> 2:1.22-16
|
* Sat Feb 20 2010 Kamil Dudka <kdudka@redhat.com> 2:1.22-16
|
||||||
- support for "lustre.*" extended attributes (#561855)
|
- support for "lustre.*" extended attributes (#561855)
|
||||||
|
|
||||||
|
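Review bot: The comment added above `Patch11:` cites only #564368, while the changelog entry in the same commit attributes the rtapelib bound check to CVE-2010-0624 (#572149); if these are the same fix, naming the CVE at the patch line keeps the two in step, e.g. `#Fix heap-based buffer overflow in rtapelib via rsh/ssh (CVE-2010-0624, #564368, #572149)`. The new changelog line also reads `exlude-tag...` where `exclude-tag...` is meant.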