From a10de081b3cdcbcbbc8da19de170da0eecccf5e2 Mon Sep 17 00:00:00 2001 From: Peter Vrabec Date: Fri, 17 Feb 2006 10:52:23 +0000 Subject: [PATCH] fix heap overlfow bug CVE-2006-0300 (#181773) --- tar-1.15.1-heapOverflow.patch | 121 ++++++++++++++++++++++++++++++++++ tar.spec | 7 +- 2 files changed, 127 insertions(+), 1 deletion(-) create mode 100644 tar-1.15.1-heapOverflow.patch diff --git a/tar-1.15.1-heapOverflow.patch b/tar-1.15.1-heapOverflow.patch new file mode 100644 index 0000000..679f818 --- /dev/null +++ b/tar-1.15.1-heapOverflow.patch @@ -0,0 +1,121 @@ +--- src/xheader.c.orig 2004-09-06 06:31:14.000000000 -0500 ++++ src/xheader.c 2006-02-08 16:59:46.000000000 -0500 +@@ -783,6 +783,32 @@ code_num (uintmax_t value, char const *k + xheader_print (xhdr, keyword, sbuf); + } + ++static bool ++decode_num (uintmax_t *num, char const *arg, uintmax_t maxval, ++ char const *keyword) ++{ ++ uintmax_t u; ++ char *arg_lim; ++ ++ if (! (ISDIGIT (*arg) ++ && (errno = 0, u = strtoumax (arg, &arg_lim, 10), !*arg_lim))) ++ { ++ ERROR ((0, 0, _("Malformed extended header: invalid %s=%s"), ++ keyword, arg)); ++ return false; ++ } ++ ++ if (! (u <= maxval && errno != ERANGE)) ++ { ++ ERROR ((0, 0, _("Extended header %s=%s is out of range"), ++ keyword, arg)); ++ return false; ++ } ++ ++ *num = u; ++ return true; ++} ++ + static void + dummy_coder (struct tar_stat_info const *st __attribute__ ((unused)), + char const *keyword __attribute__ ((unused)), +@@ -821,7 +847,7 @@ static void + gid_decoder (struct tar_stat_info *st, char const *arg) + { + uintmax_t u; +- if (xstrtoumax (arg, NULL, 10, &u, "") == LONGINT_OK) ++ if (decode_num (&u, arg, TYPE_MAXIMUM (gid_t), "gid")) + st->stat.st_gid = u; + } + +@@ -903,7 +929,7 @@ static void + size_decoder (struct tar_stat_info *st, char const *arg) + { + uintmax_t u; +- if (xstrtoumax (arg, NULL, 10, &u, "") == LONGINT_OK) ++ if (decode_num (&u, arg, TYPE_MAXIMUM (off_t), "size")) + st->archive_file_size = st->stat.st_size = u; + } + +@@ -918,7 +944,7 @@ static void + uid_decoder (struct tar_stat_info *st, char const *arg) + { + uintmax_t u; +- if (xstrtoumax (arg, NULL, 10, &u, "") == LONGINT_OK) ++ if (decode_num (&u, arg, TYPE_MAXIMUM (uid_t), "uid")) + st->stat.st_uid = u; + } + +@@ -946,7 +972,7 @@ static void + sparse_size_decoder (struct tar_stat_info *st, char const *arg) + { + uintmax_t u; +- if (xstrtoumax (arg, NULL, 10, &u, "") == LONGINT_OK) ++ if (decode_num (&u, arg, TYPE_MAXIMUM (off_t), "GNU.sparse.size")) + st->stat.st_size = u; + } + +@@ -962,10 +988,10 @@ static void + sparse_numblocks_decoder (struct tar_stat_info *st, char const *arg) + { + uintmax_t u; +- if (xstrtoumax (arg, NULL, 10, &u, "") == LONGINT_OK) ++ if (decode_num (&u, arg, SIZE_MAX, "GNU.sparse.numblocks")) + { + st->sparse_map_size = u; +- st->sparse_map = calloc(st->sparse_map_size, sizeof(st->sparse_map[0])); ++ st->sparse_map = xcalloc (u, sizeof st->sparse_map[0]); + st->sparse_map_avail = 0; + } + } +@@ -982,8 +1008,14 @@ static void + sparse_offset_decoder (struct tar_stat_info *st, char const *arg) + { + uintmax_t u; +- if (xstrtoumax (arg, NULL, 10, &u, "") == LONGINT_OK) ++ if (decode_num (&u, arg, TYPE_MAXIMUM (off_t), "GNU.sparse.offset")) ++ { ++ if (st->sparse_map_avail < st->sparse_map_size) + st->sparse_map[st->sparse_map_avail].offset = u; ++ else ++ ERROR ((0, 0, _("Malformed extended header: excess %s=%s"), ++ "GNU.sparse.offset", arg)); ++ } + } + + static void +@@ -998,15 +1030,13 @@ static void + sparse_numbytes_decoder (struct tar_stat_info *st, char const *arg) + { + uintmax_t u; +- if (xstrtoumax (arg, NULL, 10, &u, "") == LONGINT_OK) ++ if (decode_num (&u, arg, SIZE_MAX, "GNU.sparse.numbytes")) + { + if (st->sparse_map_avail == st->sparse_map_size) +- { +- st->sparse_map_size *= 2; +- st->sparse_map = xrealloc (st->sparse_map, +- st->sparse_map_size +- * sizeof st->sparse_map[0]); +- } ++ st->sparse_map = x2nrealloc (st->sparse_map, ++ &st->sparse_map_size, ++ sizeof st->sparse_map[0]); ++ + st->sparse_map[st->sparse_map_avail++].numbytes = u; + } + } diff --git a/tar.spec b/tar.spec index 865e66a..6123d48 100644 --- a/tar.spec +++ b/tar.spec @@ -1,7 +1,7 @@ Summary: A GNU file archiving program. Name: tar Version: 1.15.1 -Release: 12.2 +Release: 13 License: GPL Group: Applications/Archiving URL: http://www.gnu.org/software/tar/ @@ -17,6 +17,7 @@ Patch12: tar-1.15.1-sparseTotals.patch Patch13: tar-1.15.1-newerOption.patch Patch14: tar-1.15.1-padCorrectly.patch Patch15: tar-1.15.1-vfatTruncate.patch +Patch16: tar-1.15.1-heapOverflow.patch Prereq: info BuildRequires: autoconf automake gzip @@ -45,6 +46,7 @@ the rmt package. %patch13 -p1 -b .newerOption %patch14 -p1 -b .padCorrectly %patch15 -p1 -b .vfatTruncate +%patch16 -p0 -b .heapOverflow %build @@ -115,6 +117,9 @@ fi %{_infodir}/tar.info* %changelog +* Fri Feb 17 2006 Peter Vrabec 1.15.1-13 +- fix heap overlfow bug CVE-2006-0300 (#181773) + * Fri Feb 10 2006 Jesse Keating - 1.15.1-12.2 - bump again for double-long bug on ppc(64)