Browse code
libtar : Fix CVE-2013-4420
Change-Id: Id3e2836a79769d82c755b30e6f1ffc8f8e5b2b5a
Reviewed-on: http://photon-jenkins.eng.vmware.com:8082/4102
Tested-by: gerrit-photon <photon-checkins@vmware.com>
Reviewed-by: Bo Gan <ganb@vmware.com>
xiaolin-vmware authored on 2017/10/21 03:05:14Showing 2 changed files
| 1 | 1 |
new file mode 100644 |
| ... | ... |
@@ -0,0 +1,100 @@ |
| 0 |
+diff --git a/decode.c b/decode2.c |
|
| 1 |
+index c16ea2d..2e290d1 100644 |
|
| 2 |
+--- a/lib/decode.c |
|
| 3 |
+@@ -21,24 +21,54 @@ |
|
| 4 |
+ # include <string.h> |
|
| 5 |
+ #endif |
|
| 6 |
+ |
|
| 7 |
++char * |
|
| 8 |
++safer_name_suffix (char const *file_name) |
|
| 9 |
++{
|
|
| 10 |
++ char const *p, *t; |
|
| 11 |
++ p = t = file_name; |
|
| 12 |
++ while (*p) |
|
| 13 |
++ {
|
|
| 14 |
++ if (p[0] == '.' && p[0] == p[1] && p[2] == '/') |
|
| 15 |
++ {
|
|
| 16 |
++ p += 3; |
|
| 17 |
++ t = p; |
|
| 18 |
++ } |
|
| 19 |
++ /* advance pointer past the next slash */ |
|
| 20 |
++ while (*p && (p++)[0] != '/'); |
|
| 21 |
++ } |
|
| 22 |
++ |
|
| 23 |
++ if (!*t) |
|
| 24 |
++ {
|
|
| 25 |
++ t = "."; |
|
| 26 |
++ } |
|
| 27 |
++ |
|
| 28 |
++ if (t != file_name) |
|
| 29 |
++ {
|
|
| 30 |
++ /* TODO: warn somehow that the path was modified */ |
|
| 31 |
++ } |
|
| 32 |
++ return (char*)t; |
|
| 33 |
++} |
|
| 34 |
+ |
|
| 35 |
+ /* determine full path name */ |
|
| 36 |
+ char * |
|
| 37 |
+ th_get_pathname(TAR *t) |
|
| 38 |
+ {
|
|
| 39 |
+ static TLS_THREAD char filename[MAXPATHLEN]; |
|
| 40 |
++ char *safer_name; |
|
| 41 |
+ |
|
| 42 |
+ if (t->th_buf.gnu_longname) |
|
| 43 |
+- return t->th_buf.gnu_longname; |
|
| 44 |
++ return safer_name_suffix(t->th_buf.gnu_longname); |
|
| 45 |
++ |
|
| 46 |
++ safer_name = safer_name_suffix(t->th_buf.name); |
|
| 47 |
+ |
|
| 48 |
+ if (t->th_buf.prefix[0] != '\0') |
|
| 49 |
+ {
|
|
| 50 |
+ snprintf(filename, sizeof(filename), "%.155s/%.100s", |
|
| 51 |
+- t->th_buf.prefix, t->th_buf.name); |
|
| 52 |
++ t->th_buf.prefix, safer_name); |
|
| 53 |
+ return filename; |
|
| 54 |
+ } |
|
| 55 |
+ |
|
| 56 |
+- snprintf(filename, sizeof(filename), "%.100s", t->th_buf.name); |
|
| 57 |
++ snprintf(filename, sizeof(filename), "%.100s", safer_name); |
|
| 58 |
+ return filename; |
|
| 59 |
+ } |
|
| 60 |
+ |
|
| 61 |
+Index: libtar-1.2.16/lib/extract.c |
|
| 62 |
+=================================================================== |
|
| 63 |
+--- libtar-1.2.16.orig/lib/extract.c 2013-12-09 14:11:03.212344872 +0100 |
|
| 64 |
+@@ -305,7 +305,7 @@ tar_extract_hardlink(TAR * t, char *real |
|
| 65 |
+ linktgt = &lnp[strlen(lnp) + 1]; |
|
| 66 |
+ } |
|
| 67 |
+ else |
|
| 68 |
+- linktgt = th_get_linkname(t); |
|
| 69 |
++ linktgt = safer_name_suffix(th_get_linkname(t)); |
|
| 70 |
+ |
|
| 71 |
+ #ifdef DEBUG |
|
| 72 |
+ printf(" ==> extracting: %s (link to %s)\n", filename, linktgt);
|
|
| 73 |
+@@ -343,9 +343,9 @@ tar_extract_symlink(TAR *t, char *realna |
|
| 74 |
+ |
|
| 75 |
+ #ifdef DEBUG |
|
| 76 |
+ printf(" ==> extracting: %s (symlink to %s)\n",
|
|
| 77 |
+- filename, th_get_linkname(t)); |
|
| 78 |
++ filename, safer_name_suffix(th_get_linkname(t))); |
|
| 79 |
+ #endif |
|
| 80 |
+- if (symlink(th_get_linkname(t), filename) == -1) |
|
| 81 |
++ if (symlink(safer_name_suffix(th_get_linkname(t)), filename) == -1) |
|
| 82 |
+ {
|
|
| 83 |
+ #ifdef DEBUG |
|
| 84 |
+ perror("symlink()");
|
|
| 85 |
+Index: libtar-1.2.16/lib/internal.h |
|
| 86 |
+=================================================================== |
|
| 87 |
+--- libtar-1.2.16.orig/lib/internal.h 2012-05-17 09:34:32.000000000 +0200 |
|
| 88 |
+@@ -15,6 +15,7 @@ |
|
| 89 |
+ |
|
| 90 |
+ #include <libtar.h> |
|
| 91 |
+ |
|
| 92 |
++char* safer_name_suffix(char const*); |
|
| 93 |
+ #ifdef TLS |
|
| 94 |
+ #define TLS_THREAD TLS |
|
| 95 |
+ #else |
|
| 96 |
+ |
| ... | ... |
@@ -4,7 +4,7 @@ |
| 4 | 4 |
Summary: C library for manipulating tar files |
| 5 | 5 |
Name: libtar |
| 6 | 6 |
Version: 1.2.20 |
| 7 |
-Release: 2%{?dist}
|
|
| 7 |
+Release: 3%{?dist}
|
|
| 8 | 8 |
URL: https://github.com/tklauser/libtar/archive/v1.2.20.tar.gz |
| 9 | 9 |
License: MIT |
| 10 | 10 |
Group: System Environment/Libraries |
| ... | ... |
@@ -13,6 +13,7 @@ Distribution: Photon |
| 13 | 13 |
Source0: libtar-%{version}.tar.gz
|
| 14 | 14 |
%define sha1 libtar=b3ec4058fa83448d6040ce9f9acf85eeec4530b1 |
| 15 | 15 |
Provides: libtar.so.0()(64bit) |
| 16 |
+patch0: libtar-CVE-2013-4420.patch |
|
| 16 | 17 |
|
| 17 | 18 |
%description |
| 18 | 19 |
libtar is a library for manipulating tar files from within C programs. |
| ... | ... |
@@ -28,6 +29,7 @@ developing applications that use libtar. |
| 28 | 28 |
|
| 29 | 29 |
%prep |
| 30 | 30 |
%setup |
| 31 |
+%patch0 -p1 |
|
| 31 | 32 |
autoreconf -iv |
| 32 | 33 |
|
| 33 | 34 |
%build |
| ... | ... |
@@ -56,6 +58,8 @@ make check |
| 56 | 56 |
%{_libdir}/libtar.la
|
| 57 | 57 |
|
| 58 | 58 |
%changelog |
| 59 |
+* Fri Oct 20 2017 Xiaolin Li <xiaolinl@vmware.com> 1.2.20-3 |
|
| 60 |
+- Fix CVE-2013-4420 |
|
| 59 | 61 |
* Fri Mar 10 2017 Xiaolin Li <xiaolinl@vmware.com> 1.2.20-2 |
| 60 | 62 |
- Provides libtar.so.0()(64bit). |
| 61 | 63 |
* Fri Mar 03 2017 Xiaolin Li <xiaolinl@vmware.com> 1.2.20-1 |