From 390a0b27a23209d7cd4996ba449f4d9f8a50cddf756b3009548e4e6209cb7752 Mon Sep 17 00:00:00 2001 From: Martin Pluskal Date: Fri, 19 Feb 2016 16:42:39 +0000 Subject: [PATCH] Accepting request 360528 from home:kstreitova:branches:Archiving - add cpio-2.12-out_of_bounds_write.patch to fix an out of bounds write in a way cpio parses certain cpio files [bsc#963448], [CVE-2016-2037] OBS-URL: https://build.opensuse.org/request/show/360528 OBS-URL: https://build.opensuse.org/package/show/Archiving/cpio?expand=0&rev=58 --- cpio-2.12-out_of_bounds_write.patch | 38 +++++++++++++++++++++++++++++ cpio.changes | 7 ++++++ cpio.spec | 4 ++- 3 files changed, 48 insertions(+), 1 deletion(-) create mode 100644 cpio-2.12-out_of_bounds_write.patch diff --git a/cpio-2.12-out_of_bounds_write.patch b/cpio-2.12-out_of_bounds_write.patch new file mode 100644 index 0000000..319f488 --- /dev/null +++ b/cpio-2.12-out_of_bounds_write.patch @@ -0,0 +1,38 @@ +* src/copyin.c (process_copy_in): Make sure that file_hdr.c_name +has at least two bytes allocated. +* src/util.c (cpio_safer_name_suffix): Document that use of this +function requires to be careful. +--- + src/copyin.c | 2 ++ + src/util.c | 5 ++++- + 2 files changed, 6 insertions(+), 1 deletion(-) + +Index: cpio-2.12/src/copyin.c +=================================================================== +--- cpio-2.12.orig/src/copyin.c ++++ cpio-2.12/src/copyin.c +@@ -1434,6 +1434,8 @@ process_copy_in () + break; + } + ++ if (file_hdr.c_namesize <= 1) ++ file_hdr.c_name = xrealloc(file_hdr.c_name, 2); + cpio_safer_name_suffix (file_hdr.c_name, false, !no_abs_paths_flag, + false); + +Index: cpio-2.12/src/util.c +=================================================================== +--- cpio-2.12.orig/src/util.c ++++ cpio-2.12/src/util.c +@@ -1460,7 +1460,10 @@ set_file_times (int fd, + } + + /* Do we have to ignore absolute paths, and if so, does the filename +- have an absolute path? */ ++ have an absolute path? ++ Before calling this function make sure that the allocated NAME buffer has ++ capacity at least 2 bytes to allow us to store the "." string inside. */ ++ + void + cpio_safer_name_suffix (char *name, bool link_target, bool absolute_names, + bool strip_leading_dots) diff --git a/cpio.changes b/cpio.changes index 97c587d..f01d9a1 100644 --- a/cpio.changes +++ b/cpio.changes @@ -1,3 +1,10 @@ +------------------------------------------------------------------- +Fri Feb 19 15:47:00 UTC 2016 - kstreitova@suse.com + +- add cpio-2.12-out_of_bounds_write.patch to fix an out of bounds + write in a way cpio parses certain cpio files [bsc#963448], + [CVE-2016-2037] + ------------------------------------------------------------------- Thu Oct 8 11:57:19 UTC 2015 - kstreitova@suse.com diff --git a/cpio.spec b/cpio.spec index 35e99f6..e16dcc1 100644 --- a/cpio.spec +++ b/cpio.spec @@ -1,7 +1,7 @@ # # spec file for package cpio # -# Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -43,6 +43,7 @@ Patch23: paxutils-rtapelib_mtget.patch Patch24: cpio-check_for_symlinks.patch Patch25: cpio-fix_truncation_check.patch Patch26: cpio-2.12-util.c_no_return_in_nonvoid_fnc.patch +Patch27: cpio-2.12-out_of_bounds_write.patch BuildRequires: autoconf BuildRequires: automake Requires(post): %{install_info_prereq} @@ -79,6 +80,7 @@ provided by cpio, install the 'dump' package as well. %patch24 -p1 %patch25 -p1 %patch26 -p1 +%patch27 -p1 #chmod 755 . #chmod u+w * #chmod a+r *