Fix CVE-2022-48303

Related: #2089316 #2089298

.tar.metadata

@@ -0,0 +1,2 @@
+bb9d853e10d0753fe9063914401a7e164d51a0f0 tar-1.34.tar.xz
+ce236f2e0d7bb30c6e0394c19a02a8061bf96530 tar-1.34.tar.xz.sig

gating.yaml

@@ -0,0 +1,6 @@
+--- !Policy
+product_versions:
+        - rhel-9
+decision_context: osci_compose_gate
+rules:
+        - !PassingTestCaseRule {test_case_name: baseos-ci.brew-build.tier1.functional}

rpminspect.yaml

@@ -0,0 +1,10 @@
+---
+# Forbidden function symbol found:
+#   gethostbyname
+# This is not a big problem because the function should work properly only IPv6
+# should not working well but function is used only for checking if the given
+# hostname is valid. In the worst case it could cause false negative report.
+
+badfuncs:
+  ignore:
+      - /usr/bin/tar

sources

@@ -1,2 +1,2 @@
-SHA512 (tar-1.33.tar.xz) = d7c31147fafcd815bb54e3862c078dccc3f192a9fa149c2275bd89a21fcd54a4bdaa8343cacf4f76cadc2f57fd4ed955682c1b6f23d438add5a13cc35bd25260
-SHA512 (tar-1.33.tar.xz.sig) = a8801b2a7bb135a12d7944dff6958c4ff5671e379682593eed93569220d41fbe58eb095b80c4b04d97e4b5244aabab0cc7a0b65251ab115925ef3391a292c146
+SHA512 (tar-1.34.tar.xz) = 5e77c4a7b49983ad7d15238c2bce28be7a8aa437b4b1815fc00abd13096da308b6bba196cc6e3ed79d85e62823d520ae0d8fcda2d93873842cf84dc3369fc902
+SHA512 (tar-1.34.tar.xz.sig) = 55297f41549deee511f5b14c6b5dc7bb3d9282dad52bcc85f9dddfad24b677f989ba86387ad9b133c3698feedbd6b6cd7e9f005e8e4c89f72c80543eeceb78f7

tar-1.30-disk-read-error.patch

@@ -0,0 +1,51 @@
+From: Ondrej Dubaj <odubaj@redhat.com>
+Date: Tue, 13 Apr 2021 11:47:32 +0200
+Subject: [PATCH] do not report read disk error as file shrank
+
+diff --git a/src/create.c b/src/create.c
+index 181f7d9..7be10a9 100644
+--- a/src/create.c
++++ b/src/create.c
+@@ -1097,7 +1097,7 @@ dump_regular_file (int fd, struct tar_stat_info *st)
+       size_left -= count;
+       set_next_block_after (blk + (bufsize - 1) / BLOCKSIZE);
+ 
+-      if (count != bufsize)
++      if (count == 0)
+ 	{
+ 	  char buf[UINTMAX_STRSIZE_BOUND];
+ 	  memset (blk->buffer + count, 0, bufsize - count);
+diff -rup tar-1.34/tests/Makefile.am.old tar-1.34/tests/Makefile.am
+--- tar-1.34/tests/Makefile.am.old	2022-06-27 09:21:40.881574517 +0000
++++ tar-1.34/tests/Makefile.am	2022-06-27 09:23:31.444574517 +0000
+@@ -247,7 +247,6 @@ TESTSUITE_AT = \
+  sptrdiff01.at\
+  time01.at\
+  time02.at\
+- truncate.at\
+  update.at\
+  update01.at\
+  update02.at\
+diff -rup tar-1.34/tests/Makefile.in.old tar-1.34/tests/Makefile.in
+--- tar-1.34/tests/Makefile.in.old	2022-06-27 09:21:48.626574517 +0000
++++ tar-1.34/tests/Makefile.in	2022-06-27 09:22:03.127574517 +0000
+@@ -1622,7 +1622,6 @@ TESTSUITE_AT = \
+  sptrdiff01.at\
+  time01.at\
+  time02.at\
+- truncate.at\
+  update.at\
+  update01.at\
+  update02.at\
+diff --git a/tests/testsuite.at b/tests/testsuite.at
+index 2a83757..52f73a6 100644
+--- a/tests/testsuite.at
++++ b/tests/testsuite.at
+@@ -424,7 +424,6 @@ m4_include([comprec.at])
+ m4_include([shortfile.at])
+ m4_include([shortupd.at])
+ 
+-m4_include([truncate.at])
+ m4_include([grow.at])
+ m4_include([sigpipe.at])
+ m4_include([comperr.at])

tar-1.30-padding-zeros.patch

@@ -0,0 +1,175 @@
+From 910d9ff829bbdfaf1455cdb2b1813507bcb855ec Mon Sep 17 00:00:00 2001
+From: Ondrej Dubaj <odubaj@redhat.com>
+Date: Tue, 13 Apr 2021 11:47:32 +0200
+Subject: [PATCH] add padding message, when read error occurs and tar is
+ padding with zeros
+
+---
+ lib/paxerror.c | 44 ++++++++++++++++++++++++++++++--------------
+ lib/paxlib.h   |  4 ++--
+ src/common.h   |  2 +-
+ src/create.c   |  2 +-
+ src/misc.c     |  6 +++---
+ src/sparse.c   |  6 +++---
+ 6 files changed, 40 insertions(+), 24 deletions(-)
+
+diff --git a/lib/paxerror.c b/lib/paxerror.c
+index 134cef3..929a741 100644
+--- a/lib/paxerror.c
++++ b/lib/paxerror.c
+@@ -173,29 +173,45 @@ read_error (char const *name)
+ }
+ 
+ void
+-read_error_details (char const *name, off_t offset, size_t size)
++read_error_details (char const *name, off_t offset, size_t size, bool padding)
+ {
+   char buf[UINTMAX_STRSIZE_BOUND];
+   int e = errno;
+-  ERROR ((0, e,
+-	  ngettext ("%s: Read error at byte %s, while reading %lu byte",
+-		    "%s: Read error at byte %s, while reading %lu bytes",
+-		    size),
+-	  quotearg_colon (name), STRINGIFY_BIGINT (offset, buf),
+-	  (unsigned long) size));
++  if (padding)
++    ERROR ((0, e,
++      ngettext ("%s: Read error at byte %s, while reading %lu byte; padding with zeros",
++          "%s: Read error at byte %s, while reading %lu bytes; padding with zeros",
++          size),
++      quotearg_colon (name), STRINGIFY_BIGINT (offset, buf),
++      (unsigned long) size));
++  else
++    ERROR ((0, e,
++      ngettext ("%s: Read error at byte %s, while reading %lu byte",
++          "%s: Read error at byte %s, while reading %lu bytes",
++          size),
++      quotearg_colon (name), STRINGIFY_BIGINT (offset, buf),
++      (unsigned long) size));
+ }
+ 
+ void
+-read_warn_details (char const *name, off_t offset, size_t size)
++read_warn_details (char const *name, off_t offset, size_t size, bool padding)
+ {
+   char buf[UINTMAX_STRSIZE_BOUND];
+   int e = errno;
+-  WARN ((0, e,
+-	 ngettext ("%s: Warning: Read error at byte %s, while reading %lu byte",
+-		   "%s: Warning: Read error at byte %s, while reading %lu bytes",
+-		   size),
+-	 quotearg_colon (name), STRINGIFY_BIGINT (offset, buf),
+-	 (unsigned long) size));
++  if (padding)
++    WARN ((0, e,
++      ngettext ("%s: Warning: Read error at byte %s, while reading %lu byte; padding with zeros",
++          "%s: Warning: Read error at byte %s, while reading %lu bytes; padding with zeros",
++          size),
++      quotearg_colon (name), STRINGIFY_BIGINT (offset, buf),
++      (unsigned long) size));
++  else
++    WARN ((0, e,
++      ngettext ("%s: Warning: Read error at byte %s, while reading %lu byte",
++          "%s: Warning: Read error at byte %s, while reading %lu bytes",
++          size),
++      quotearg_colon (name), STRINGIFY_BIGINT (offset, buf),
++      (unsigned long) size));
+ }
+ 
+ void
+diff --git a/lib/paxlib.h b/lib/paxlib.h
+index d4251d1..ccf826b 100644
+--- a/lib/paxlib.h
++++ b/lib/paxlib.h
+@@ -94,10 +94,10 @@ void open_error (char const *);
+ void open_fatal (char const *) __attribute__ ((noreturn));
+ void open_warn (char const *);
+ void read_error (char const *);
+-void read_error_details (char const *, off_t, size_t);
++void read_error_details (char const *, off_t, size_t, bool);
+ void read_fatal (char const *) __attribute__ ((noreturn));
+ void read_fatal_details (char const *, off_t, size_t) __attribute__ ((noreturn));
+-void read_warn_details (char const *, off_t, size_t);
++void read_warn_details (char const *, off_t, size_t, bool);
+ void readlink_error (char const *);
+ void readlink_warn (char const *);
+ void rmdir_error (char const *);
+diff --git a/src/common.h b/src/common.h
+index bbe167e..34a30ec 100644
+--- a/src/common.h
++++ b/src/common.h
+@@ -713,7 +713,7 @@ int chdir_count (void);
+ 
+ void close_diag (char const *name);
+ void open_diag (char const *name);
+-void read_diag_details (char const *name, off_t offset, size_t size);
++void read_diag_details (char const *name, off_t offset, size_t size, bool padding);
+ void readlink_diag (char const *name);
+ void savedir_diag (char const *name);
+ void seek_diag_details (char const *name, off_t offset);
+diff --git a/src/create.c b/src/create.c
+index 712ee18..181f7d9 100644
+--- a/src/create.c
++++ b/src/create.c
+@@ -1090,7 +1090,7 @@ dump_regular_file (int fd, struct tar_stat_info *st)
+       if (count == SAFE_READ_ERROR)
+ 	{
+ 	  read_diag_details (st->orig_file_name,
+-	                     st->stat.st_size - size_left, bufsize);
++	                     st->stat.st_size - size_left, bufsize, true);
+ 	  pad_archive (size_left);
+ 	  return dump_status_short;
+ 	}
+diff --git a/src/misc.c b/src/misc.c
+index eccf6f9..28c6f44 100644
+--- a/src/misc.c
++++ b/src/misc.c
+@@ -1069,15 +1069,15 @@ open_diag (char const *name)
+ }
+ 
+ void
+-read_diag_details (char const *name, off_t offset, size_t size)
++read_diag_details (char const *name, off_t offset, size_t size, bool padding)
+ {
+   if (ignore_failed_read_option)
+     {
+       if (WARNING_ENABLED(WARN_FAILED_READ))
+-	read_warn_details (name, offset, size);
++	read_warn_details (name, offset, size, padding);
+     }
+   else
+-    read_error_details (name, offset, size);
++    read_error_details (name, offset, size, padding);
+ }
+ 
+ void
+diff -rup tar-1.34/src/sparse.c.old tar-1.34/src/sparse.c
+--- tar-1.34/src/sparse.c.old	2022-06-27 09:15:48.580574517 +0000
++++ tar-1.34/src/sparse.c	2022-06-27 09:18:28.500574517 +0000
+@@ -424,7 +424,7 @@ sparse_dump_region (struct tar_sparse_fi
+ 	                     (file->stat_info->sparse_map[i].offset
+ 			      + file->stat_info->sparse_map[i].numbytes
+ 			      - bytes_left),
+-			     bufsize);
++			     bufsize, false);
+ 	  return false;
+ 	}
+       else if (bytes_read == 0)
+@@ -619,7 +619,7 @@ check_sparse_region (struct tar_sparse_f
+ 	{
+           read_diag_details (file->stat_info->orig_file_name,
+ 	                     beg,
+-			     rdsize);
++			     rdsize, false);
+ 	  return false;
+ 	}
+       else if (bytes_read == 0)
+@@ -674,7 +674,7 @@ check_data_region (struct tar_sparse_fil
+ 			     (file->stat_info->sparse_map[i].offset
+ 			      + file->stat_info->sparse_map[i].numbytes
+ 			      - size_left),
+-			     rdsize);
++			     rdsize, false);
+ 	  return false;
+ 	}
+       else if (bytes_read == 0)

tar-1.33-fix-capabilities-test.patch

@@ -1,9 +1,7 @@
 From: Pavel Raiskup <praiskup@redhat.com>
-Date: Tue, 19 Jan 2021 16:45:23 +0100
-Subject: [PATCH] xattrs: fix capabilities root test
-
-Related discussion in the Fedora pull-request:
-https://src.fedoraproject.org/rpms/tar/pull-request/8
+Date: Tue, 16 Feb 2021 08:10:22 +0100
+Subject: [PATCH] Related discussion in the Fedora pull-request:
+ https://src.fedoraproject.org/rpms/tar/pull-request/8
 
 Upstream report:
 https://www.mail-archive.com/bug-tar@gnu.org/msg05943.html
@@ -11,29 +9,26 @@ https://www.mail-archive.com/bug-tar@gnu.org/msg05943.html
 * tests/capabs_raw01.at: Newer systems (currently e.g. Fedora 34)
 print getcap output in format CAP=VAL, not CAP+VAL.
 ---
- tests/capabs_raw01.at | 7 +++++--
- 1 file changed, 5 insertions(+), 2 deletions(-)
+ tests/capabs_raw01.at | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
 
 diff --git a/tests/capabs_raw01.at b/tests/capabs_raw01.at
-index f9b97736..988251cf 100644
+index a1d9411..d3da923 100644
 --- a/tests/capabs_raw01.at
 +++ b/tests/capabs_raw01.at
-@@ -44,10 +44,13 @@ rm -rf dir
- # restore _all_ xattrs (not just the user.* domain)
+@@ -45,10 +45,10 @@ rm -rf dir
  tar --xattrs --xattrs-include='*' -xf archive.tar
  
--getcap dir/file
-+# Newer systems switched to different format:
-+# - dir/file = cap_chown+ei
-+# + dir/file cap_chown=ei
+ # Newer systems print = instead of + here
+-getcap dir/file | sed 's/+/=/'
 +getcap dir/file | sed -e 's/+/=/' -e 's|dir/file = |dir/file |'
  ],
  [0],
--[dir/file = cap_chown+ei
+-[dir/file = cap_chown=ei
 +[dir/file cap_chown=ei
  ])
  
  AT_CLEANUP
 -- 
-2.29.2
+2.26.0
 

tar-1.33-fix-read-header-mem-leak.patch

@@ -1,122 +0,0 @@
-From: Sergey Poznyakoff <gray@gnu.org>
-Subject: [PATCH] Bug reported in https://savannah.gnu.org/bugs/?59897
-
-* src/list.c (read_header): Don't return directly from the loop.
-Instead set the status and break.  Return the status.  Free
-next_long_name and next_long_link before returning.
----
- src/list.c | 38 +++++++++++++++++++++++++++-----------
- 1 file changed, 27 insertions(+), 11 deletions(-)
-
-diff --git a/src/list.c b/src/list.c
-index 95b53f8..6ad2ef2 100644
---- a/src/list.c
-+++ b/src/list.c
-@@ -419,26 +419,27 @@ read_header (union block **return_block, struct tar_stat_info *info,
- 	     enum read_header_mode mode)
- {
-   union block *header;
--  union block *header_copy;
-   char *bp;
-   union block *data_block;
-   size_t size, written;
--  union block *next_long_name = 0;
--  union block *next_long_link = 0;
-+  union block *next_long_name = NULL;
-+  union block *next_long_link = NULL;
-   size_t next_long_name_blocks = 0;
-   size_t next_long_link_blocks = 0;
-+  enum read_header status = HEADER_SUCCESS;
- 
-   while (1)
-     {
--      enum read_header status;
--
-       header = find_next_block ();
-       *return_block = header;
-       if (!header)
--	return HEADER_END_OF_FILE;
-+        {
-+          status = HEADER_END_OF_FILE;
-+          break;
-+        }
- 
-       if ((status = tar_checksum (header, false)) != HEADER_SUCCESS)
--	return status;
-+	      break;
- 
-       /* Good block.  Decode file size and return.  */
- 
-@@ -448,7 +449,10 @@ read_header (union block **return_block, struct tar_stat_info *info,
- 	{
- 	  info->stat.st_size = OFF_FROM_HEADER (header->header.size);
- 	  if (info->stat.st_size < 0)
--	    return HEADER_FAILURE;
-+	    {
-+	      status = HEADER_FAILURE;
-+	      break;
-+	    }
- 	}
- 
-       if (header->header.typeflag == GNUTYPE_LONGNAME
-@@ -458,10 +462,14 @@ read_header (union block **return_block, struct tar_stat_info *info,
- 	  || header->header.typeflag == SOLARIS_XHDTYPE)
- 	{
- 	  if (mode == read_header_x_raw)
--	    return HEADER_SUCCESS_EXTENDED;
-+	    {
-+	      status = HEADER_SUCCESS_EXTENDED;
-+	      break;
-+	    }
- 	  else if (header->header.typeflag == GNUTYPE_LONGNAME
- 		   || header->header.typeflag == GNUTYPE_LONGLINK)
- 	    {
-+        union block *header_copy;
- 	      size_t name_size = info->stat.st_size;
- 	      size_t n = name_size % BLOCKSIZE;
- 	      size = name_size + BLOCKSIZE;
-@@ -528,7 +536,10 @@ read_header (union block **return_block, struct tar_stat_info *info,
- 	      xheader_decode_global (&xhdr);
- 	      xheader_destroy (&xhdr);
- 	      if (mode == read_header_x_global)
--		return HEADER_SUCCESS_EXTENDED;
-+          {
-+            status = HEADER_SUCCESS_EXTENDED;
-+            break;
-+          }
- 	    }
- 
- 	  /* Loop!  */
-@@ -547,6 +558,7 @@ read_header (union block **return_block, struct tar_stat_info *info,
- 	      name = next_long_name->buffer + BLOCKSIZE;
- 	      recent_long_name = next_long_name;
- 	      recent_long_name_blocks = next_long_name_blocks;
-+        next_long_name = NULL;
- 	    }
- 	  else
- 	    {
-@@ -578,6 +590,7 @@ read_header (union block **return_block, struct tar_stat_info *info,
- 	      name = next_long_link->buffer + BLOCKSIZE;
- 	      recent_long_link = next_long_link;
- 	      recent_long_link_blocks = next_long_link_blocks;
-+	      next_long_link = NULL;
- 	    }
- 	  else
- 	    {
-@@ -589,9 +602,12 @@ read_header (union block **return_block, struct tar_stat_info *info,
- 	    }
- 	  assign_string (&info->link_name, name);
- 
--	  return HEADER_SUCCESS;
-+	  break;
- 	}
-     }
-+  free (next_long_name);
-+  free (next_long_link);
-+  return status;
- }
- 
- #define ISOCTAL(c) ((c)>='0'&&(c)<='7')
--- 
-2.26.0
-

tar-1.34-CVE-2022-48303.patch

@@ -0,0 +1,30 @@
+From 3da78400eafcccb97e2f2fd4b227ea40d794ede8 Mon Sep 17 00:00:00 2001
+From: Sergey Poznyakoff <gray@gnu.org>
+Date: Sat, 11 Feb 2023 11:57:39 +0200
+Subject: [PATCH] Fix boundary checking in base-256 decoder
+
+* src/list.c (from_header): Base-256 encoding is at least 2 bytes
+long.
+---
+ src/list.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/src/list.c b/src/list.c
+index 9fafc425..86bcfdd1 100644
+--- a/src/list.c
++++ b/src/list.c
+@@ -881,8 +881,9 @@ from_header (char const *where0, size_t digs, char const *type,
+ 	  where++;
+ 	}
+     }
+-  else if (*where == '\200' /* positive base-256 */
+-	   || *where == '\377' /* negative base-256 */)
++  else if (where <= lim - 2
++	   && (*where == '\200' /* positive base-256 */
++	       || *where == '\377' /* negative base-256 */))
+     {
+       /* Parse base-256 output.  A nonnegative number N is
+ 	 represented as (256**DIGS)/2 + N; a negative number -N is
+-- 
+2.38.1
+

tar.spec

@@ -4,8 +4,8 @@
 Summary: GNU file archiving program
 Name: tar
 Epoch: 2
-Version: 1.33
-Release: 2%{?dist}
+Version: 1.34
+Release: 6%{?dist}
 License: GPLv3+
 URL: https://www.gnu.org/software/tar/
 
@@ -19,7 +19,9 @@ Patch3:  tar-1.29-wildcards.patch
 Patch4:  tar-1.28-atime-rofs.patch
 Patch9:  tar-1.28-document-exclude-mistakes.patch
 Patch10: tar-1.33-fix-capabilities-test.patch
-Patch11: tar-1.33-fix-read-header-mem-leak.patch
+Patch11: tar-1.30-padding-zeros.patch
+Patch12: tar-1.30-disk-read-error.patch
+Patch13: tar-1.34-CVE-2022-48303.patch
 
 BuildRequires: make
 BuildRequires:  gcc
@@ -114,6 +116,30 @@ make check || (
 
 
 %changelog
+* Thu Feb 09 2023 Matej Mužila <mmuzila@redhat.com> - 2:1.34-6
+- Fix CVE-2022-48303
+- Resolves: CVE-2022-48303
+
+* Fri Jul 01 2022 Lukas Javorsky <ljavorsk@redhat.com> - 2:1.34-5
+- Release bump
+
+* Mon Jun 27 2022 Lukas Javorsky <ljavorsk@redhat.com> - 2:1.34-4
+- added "padding with zeros" info message (#2089298)
+- do not report disk error as file shrank (#2089316)
+
+* Tue Aug 10 2021 Mohan Boddu <mboddu@redhat.com> - 2:1.34-3
+- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
+  Related: rhbz#1991688
+
+* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 2:1.34-2
+- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
+
+* Sat Feb 13 2021 Ondrej Dubaj <odubaj@redhat.com> - 1.34-1
+- Rebase to version 1.34
+
+* Wed Jan 27 2021 Fedora Release Engineering <releng@fedoraproject.org> - 2:1.33-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
+
 * Mon Jan 25 2021 Ondrej Dubaj <odubaj@redhat.com> - 1.33-2
 - Fixed memory leak in read_header() in list.c (#1917631)