fix heap overlfow bug CVE-2006-0300 (#181773)
This commit is contained in:
parent
a3310bfe6f
commit
a10de081b3
121
tar-1.15.1-heapOverflow.patch
Normal file
121
tar-1.15.1-heapOverflow.patch
Normal file
@ -0,0 +1,121 @@
|
|||||||
|
--- src/xheader.c.orig 2004-09-06 06:31:14.000000000 -0500
|
||||||
|
+++ src/xheader.c 2006-02-08 16:59:46.000000000 -0500
|
||||||
|
@@ -783,6 +783,32 @@ code_num (uintmax_t value, char const *k
|
||||||
|
xheader_print (xhdr, keyword, sbuf);
|
||||||
|
}
|
||||||
|
|
||||||
|
+static bool
|
||||||
|
+decode_num (uintmax_t *num, char const *arg, uintmax_t maxval,
|
||||||
|
+ char const *keyword)
|
||||||
|
+{
|
||||||
|
+ uintmax_t u;
|
||||||
|
+ char *arg_lim;
|
||||||
|
+
|
||||||
|
+ if (! (ISDIGIT (*arg)
|
||||||
|
+ && (errno = 0, u = strtoumax (arg, &arg_lim, 10), !*arg_lim)))
|
||||||
|
+ {
|
||||||
|
+ ERROR ((0, 0, _("Malformed extended header: invalid %s=%s"),
|
||||||
|
+ keyword, arg));
|
||||||
|
+ return false;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ if (! (u <= maxval && errno != ERANGE))
|
||||||
|
+ {
|
||||||
|
+ ERROR ((0, 0, _("Extended header %s=%s is out of range"),
|
||||||
|
+ keyword, arg));
|
||||||
|
+ return false;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ *num = u;
|
||||||
|
+ return true;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
static void
|
||||||
|
dummy_coder (struct tar_stat_info const *st __attribute__ ((unused)),
|
||||||
|
char const *keyword __attribute__ ((unused)),
|
||||||
|
@@ -821,7 +847,7 @@ static void
|
||||||
|
gid_decoder (struct tar_stat_info *st, char const *arg)
|
||||||
|
{
|
||||||
|
uintmax_t u;
|
||||||
|
- if (xstrtoumax (arg, NULL, 10, &u, "") == LONGINT_OK)
|
||||||
|
+ if (decode_num (&u, arg, TYPE_MAXIMUM (gid_t), "gid"))
|
||||||
|
st->stat.st_gid = u;
|
||||||
|
}
|
||||||
|
|
||||||
|
@@ -903,7 +929,7 @@ static void
|
||||||
|
size_decoder (struct tar_stat_info *st, char const *arg)
|
||||||
|
{
|
||||||
|
uintmax_t u;
|
||||||
|
- if (xstrtoumax (arg, NULL, 10, &u, "") == LONGINT_OK)
|
||||||
|
+ if (decode_num (&u, arg, TYPE_MAXIMUM (off_t), "size"))
|
||||||
|
st->archive_file_size = st->stat.st_size = u;
|
||||||
|
}
|
||||||
|
|
||||||
|
@@ -918,7 +944,7 @@ static void
|
||||||
|
uid_decoder (struct tar_stat_info *st, char const *arg)
|
||||||
|
{
|
||||||
|
uintmax_t u;
|
||||||
|
- if (xstrtoumax (arg, NULL, 10, &u, "") == LONGINT_OK)
|
||||||
|
+ if (decode_num (&u, arg, TYPE_MAXIMUM (uid_t), "uid"))
|
||||||
|
st->stat.st_uid = u;
|
||||||
|
}
|
||||||
|
|
||||||
|
@@ -946,7 +972,7 @@ static void
|
||||||
|
sparse_size_decoder (struct tar_stat_info *st, char const *arg)
|
||||||
|
{
|
||||||
|
uintmax_t u;
|
||||||
|
- if (xstrtoumax (arg, NULL, 10, &u, "") == LONGINT_OK)
|
||||||
|
+ if (decode_num (&u, arg, TYPE_MAXIMUM (off_t), "GNU.sparse.size"))
|
||||||
|
st->stat.st_size = u;
|
||||||
|
}
|
||||||
|
|
||||||
|
@@ -962,10 +988,10 @@ static void
|
||||||
|
sparse_numblocks_decoder (struct tar_stat_info *st, char const *arg)
|
||||||
|
{
|
||||||
|
uintmax_t u;
|
||||||
|
- if (xstrtoumax (arg, NULL, 10, &u, "") == LONGINT_OK)
|
||||||
|
+ if (decode_num (&u, arg, SIZE_MAX, "GNU.sparse.numblocks"))
|
||||||
|
{
|
||||||
|
st->sparse_map_size = u;
|
||||||
|
- st->sparse_map = calloc(st->sparse_map_size, sizeof(st->sparse_map[0]));
|
||||||
|
+ st->sparse_map = xcalloc (u, sizeof st->sparse_map[0]);
|
||||||
|
st->sparse_map_avail = 0;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
@@ -982,8 +1008,14 @@ static void
|
||||||
|
sparse_offset_decoder (struct tar_stat_info *st, char const *arg)
|
||||||
|
{
|
||||||
|
uintmax_t u;
|
||||||
|
- if (xstrtoumax (arg, NULL, 10, &u, "") == LONGINT_OK)
|
||||||
|
+ if (decode_num (&u, arg, TYPE_MAXIMUM (off_t), "GNU.sparse.offset"))
|
||||||
|
+ {
|
||||||
|
+ if (st->sparse_map_avail < st->sparse_map_size)
|
||||||
|
st->sparse_map[st->sparse_map_avail].offset = u;
|
||||||
|
+ else
|
||||||
|
+ ERROR ((0, 0, _("Malformed extended header: excess %s=%s"),
|
||||||
|
+ "GNU.sparse.offset", arg));
|
||||||
|
+ }
|
||||||
|
}
|
||||||
|
|
||||||
|
static void
|
||||||
|
@@ -998,15 +1030,13 @@ static void
|
||||||
|
sparse_numbytes_decoder (struct tar_stat_info *st, char const *arg)
|
||||||
|
{
|
||||||
|
uintmax_t u;
|
||||||
|
- if (xstrtoumax (arg, NULL, 10, &u, "") == LONGINT_OK)
|
||||||
|
+ if (decode_num (&u, arg, SIZE_MAX, "GNU.sparse.numbytes"))
|
||||||
|
{
|
||||||
|
if (st->sparse_map_avail == st->sparse_map_size)
|
||||||
|
- {
|
||||||
|
- st->sparse_map_size *= 2;
|
||||||
|
- st->sparse_map = xrealloc (st->sparse_map,
|
||||||
|
- st->sparse_map_size
|
||||||
|
- * sizeof st->sparse_map[0]);
|
||||||
|
- }
|
||||||
|
+ st->sparse_map = x2nrealloc (st->sparse_map,
|
||||||
|
+ &st->sparse_map_size,
|
||||||
|
+ sizeof st->sparse_map[0]);
|
||||||
|
+
|
||||||
|
st->sparse_map[st->sparse_map_avail++].numbytes = u;
|
||||||
|
}
|
||||||
|
}
|
7
tar.spec
7
tar.spec
@ -1,7 +1,7 @@
|
|||||||
Summary: A GNU file archiving program.
|
Summary: A GNU file archiving program.
|
||||||
Name: tar
|
Name: tar
|
||||||
Version: 1.15.1
|
Version: 1.15.1
|
||||||
Release: 12.2
|
Release: 13
|
||||||
License: GPL
|
License: GPL
|
||||||
Group: Applications/Archiving
|
Group: Applications/Archiving
|
||||||
URL: http://www.gnu.org/software/tar/
|
URL: http://www.gnu.org/software/tar/
|
||||||
@ -17,6 +17,7 @@ Patch12: tar-1.15.1-sparseTotals.patch
|
|||||||
Patch13: tar-1.15.1-newerOption.patch
|
Patch13: tar-1.15.1-newerOption.patch
|
||||||
Patch14: tar-1.15.1-padCorrectly.patch
|
Patch14: tar-1.15.1-padCorrectly.patch
|
||||||
Patch15: tar-1.15.1-vfatTruncate.patch
|
Patch15: tar-1.15.1-vfatTruncate.patch
|
||||||
|
Patch16: tar-1.15.1-heapOverflow.patch
|
||||||
|
|
||||||
Prereq: info
|
Prereq: info
|
||||||
BuildRequires: autoconf automake gzip
|
BuildRequires: autoconf automake gzip
|
||||||
@ -45,6 +46,7 @@ the rmt package.
|
|||||||
%patch13 -p1 -b .newerOption
|
%patch13 -p1 -b .newerOption
|
||||||
%patch14 -p1 -b .padCorrectly
|
%patch14 -p1 -b .padCorrectly
|
||||||
%patch15 -p1 -b .vfatTruncate
|
%patch15 -p1 -b .vfatTruncate
|
||||||
|
%patch16 -p0 -b .heapOverflow
|
||||||
|
|
||||||
%build
|
%build
|
||||||
|
|
||||||
@ -115,6 +117,9 @@ fi
|
|||||||
%{_infodir}/tar.info*
|
%{_infodir}/tar.info*
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Fri Feb 17 2006 Peter Vrabec <pvrabec@redhat.com> 1.15.1-13
|
||||||
|
- fix heap overlfow bug CVE-2006-0300 (#181773)
|
||||||
|
|
||||||
* Fri Feb 10 2006 Jesse Keating <jkeating@redhat.com> - 1.15.1-12.2
|
* Fri Feb 10 2006 Jesse Keating <jkeating@redhat.com> - 1.15.1-12.2
|
||||||
- bump again for double-long bug on ppc(64)
|
- bump again for double-long bug on ppc(64)
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user