diff --git a/cpio-2.10-heap_overflow_in_rtapelib.patch b/cpio-2.10-heap_overflow_in_rtapelib.patch
new file mode 100644
index 0000000..41d0626
--- /dev/null
+++ b/cpio-2.10-heap_overflow_in_rtapelib.patch
@@ -0,0 +1,52 @@
+From 9bc39283e4cc6ab9e5913ccbf766998eab4ff093 Mon Sep 17 00:00:00 2001
+From: Sergey Poznyakoff
+Date: Mon, 01 Mar 2010 08:49:03 +0000
+Subject: Bugfixes in rtapelib
+
+* lib/rmt.h (rmtcreat): Use fcntl O_ macros insead of
+their hardcoded values.
+* lib/rtapelib.c (rmt_read__,rmt_ioctl__): Prevent
+potential overflow.
+---
+diff --git a/lib/rmt.h b/lib/rmt.h
+index 50f037c..2ce9dc5 100644
+--- a/lib/rmt.h
++++ b/lib/rmt.h
+@@ -61,7 +61,7 @@ extern bool force_local_option;
+
+ #define rmtcreat(dev_name, mode, command) \
+ (_remdev (dev_name) \
+- ? rmt_open__ (dev_name, 1 | O_CREAT, __REM_BIAS, command) \
++ ? rmt_open__ (dev_name, O_CREAT | O_WRONLY, __REM_BIAS, command) \
+ : creat (dev_name, mode))
+
+ #define rmtlstat(dev_name, muffer) \
+diff --git a/lib/rtapelib.c b/lib/rtapelib.c
+index 02ad1e7..cb645db 100644
+--- a/lib/rtapelib.c
++++ b/lib/rtapelib.c
+@@ -573,7 +573,8 @@ rmt_read__ (int handle, char *buffer, size_t length)
+
+ sprintf (command_buffer, "R%lu\n", (unsigned long) length);
+ if (do_command (handle, command_buffer) == -1
+- || (status = get_status (handle)) == SAFE_READ_ERROR)
++ || (status = get_status (handle)) == SAFE_READ_ERROR
++ || status > length)
+ return SAFE_READ_ERROR;
+
+ for (counter = 0; counter < status; counter += rlen, buffer += rlen)
+@@ -709,6 +710,12 @@ rmt_ioctl__ (int handle, int operation, char *argument)
+ || (status = get_status (handle), status == -1))
+ return -1;
+
++ if (status > sizeof (struct mtop))
++ {
++ errno = EOVERFLOW;
++ return -1;
++ }
++
+ for (; status > 0; status -= counter, argument += counter)
+ {
+ counter = safe_read (READ_SIDE (handle), argument, status);
+--
+cgit v0.8.2.1
diff --git a/cpio.changes b/cpio.changes
index 117edc3..bb19032 100644
--- a/cpio.changes
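Review bot: In the rmt_ioctl__ hunk of the added patch, the new guard bounds the server-reported reply length by `sizeof (struct mtop)`, but nothing visible shows that `argument` points at a `struct mtop`; the case label and the caller's buffer type are outside the hunk. If this branch is the status query that fills a `struct mtget` (inferred, not shown here), the bound should be that structure's size, e.g. `if (status > sizeof (struct mtget))`, otherwise well-formed replies are refused with EOVERFLOW. The comparison also appears to rely on the implicit conversion of a signed `status` to `size_t` to reject negative values other than -1, which deserves a comment such as `/* status comes from the remote rmt server; never read more than the caller's buffer holds */`. The same comment would fit the `|| status > length` check added in rmt_read__.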
+++ b/cpio.changes
@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Wed Mar 3 09:29:23 UTC 2010 - mseben@novell.com
+
+- added heap_overflow_in_rtapelib.patch fix possible heap overflow in
+ rtapelib.c (bnc#579475)
+
 -------------------------------------------------------------------
 Sat Dec 26 11:51:46 CET 2009 - jengelh@medozas.de
diff --git a/cpio.spec b/cpio.spec
index cc34de6..230f218 100644
--- a/cpio.spec
+++ b/cpio.spec
@@ -43,6 +43,9 @@ Patch18: %{name}-%{version}-default_tape_dev.patch
 Patch19: %{name}-%{version}-include_fatal_c.patch
 #PATCH-FIX-UPSTREAM cpio-2.10-close_files_after_copy.patch
 Patch20: %{name}-%{version}-close_files_after_copy.patch
+#fix possible heap overflow in rtapelib.c bnc#579475
+Patch21: %{name}-%{version}-heap_overflow_in_rtapelib.patch
+PreReq: %install_info_prereq
 PreReq: %install_info_prereq
 BuildRoot: %{_tmppath}/%{name}-%{version}-build
 Requires: %{name}-lang = %{version}
@@ -80,6 +83,7 @@ Authors:
 %patch18
 %patch19
 %patch20
+%patch21 -p1
 #chmod 755 .
 #chmod u+w *
 #chmod a+r *
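Review bot: The first cpio.spec hunk adds `+PreReq: %install_info_prereq` directly above an identical context line, so the new spec carries the same PreReq tag twice; the added copy looks unintended and can be dropped. The comment over Patch21 also departs from the `#PATCH-FIX-UPSTREAM <file>` form used for Patch20 two lines earlier. Since the patch header shows an upstream commit, `#PATCH-FIX-UPSTREAM cpio-2.10-heap_overflow_in_rtapelib.patch bnc#579475` would keep the security fix traceable to both its origin and its bug report.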