Accepting request 1065759 from home:dspinella:branches:Base:System

- Fix CVE-2022-48303, tar has a one-byte out-of-bounds read that results in use of uninitialized memory for a conditional jump (CVE-2022-48303, bsc#1207753) * fix-CVE-2022-48303.patch - Fix hang when unpacking test tarball, bsc#1202436 * remove bsc1202436.patch * bsc1202436-1.patch * bsc1202436-1.patch OBS-URL: https://build.opensuse.org/request/show/1065759 OBS-URL: https://build.opensuse.org/package/show/Base:System/tar?expand=0&rev=120
2023-02-18 16:33:21 +00:00 · 2023-02-18 16:33:21 +00:00 · 87aff9e33b
commit 87aff9e33b
parent f78b56f65a
8 changed files with 204 additions and 1 deletions
--- a/.gitattributes
+++ b/.gitattributes
@ -21,3 +21,5 @@
 *.xz filter=lfs diff=lfs merge=lfs -text
 *.zip filter=lfs diff=lfs merge=lfs -text
 *.zst filter=lfs diff=lfs merge=lfs -text
+## Specific LFS patterns
+pax-global-records.tar filter=lfs diff=lfs merge=lfs -text
--- a/bsc1202436-1.patch
+++ b/bsc1202436-1.patch
@ -0,0 +1,65 @@
+From edf38d13a47becec81b2c3a2b74f54771e1cbee4 Mon Sep 17 00:00:00 2001
+From: Sergey Poznyakoff <gray@gnu.org>
+Date: Sat, 11 Feb 2023 13:03:23 +0200
+Subject: Prevent dead loop in extract_file
+
+* src/extract.c (maybe_recoverable): If make_directories indicates
+success, suppose some intermediate directories have been made, even
+if in fact they have not.  That's necessary to avoid dead loops when
+maybe_recoverable is called with the same arguments again.
+---
+ src/extract.c | 13 +++++++------
+ 1 file changed, 7 insertions(+), 6 deletions(-)
+
+diff --git a/src/extract.c b/src/extract.c
+index 2d43947..aec5de6 100644
+--- a/src/extract.c
+++ b/src/extract.c
+@@ -682,7 +682,7 @@ fixup_delayed_set_stat (char const *src, char const *dst)
+    directories were created, nonzero (issuing a diagnostic) otherwise.
+    Set *INTERDIR_MADE if at least one directory was created.  */
+ static int
+-make_directories (char *file_name, bool *interdir_made)
+make_directories (char *file_name)
+ {
+   char *cursor0 = file_name + FILE_SYSTEM_PREFIX_LEN (file_name);
+   char *cursor;	        	/* points into the file name */
+@@ -726,7 +726,6 @@ make_directories (char *file_name, bool *interdir_made)
+ 			  desired_mode, AT_SYMLINK_NOFOLLOW);
+ 
+ 	  print_for_mkdir (file_name, cursor - file_name, desired_mode);
+-	  *interdir_made = true;
+ 	  parent_end = NULL;
+ 	}
+       else
+@@ -882,8 +881,11 @@ maybe_recoverable (char *file_name, bool regular, bool *interdir_made)
+ 
+     case ENOENT:
+       /* Attempt creating missing intermediate directories. */
+-      if (make_directories (file_name, interdir_made) == 0)
+-	return RECOVER_OK;
+      if (make_directories (file_name) == 0)
+	{
+	  *interdir_made = true;
+	  return RECOVER_OK;
+	}
+       break;
+ 
+     default:
+@@ -1985,12 +1987,11 @@ rename_directory (char *src, char *dst)
+   else
+     {
+       int e = errno;
+-      bool interdir_made;
+ 
+       switch (e)
+ 	{
+ 	case ENOENT:
+-	  if (make_directories (dst, &interdir_made) == 0)
+	  if (make_directories (dst) == 0)
+ 	    {
+ 	      if (renameat (chdir_fd, src, chdir_fd, dst) == 0)
+ 		return true;
+-- 
+cgit v1.1
+
--- a/bsc1202436-2.patch
+++ b/bsc1202436-2.patch
@ -0,0 +1,47 @@
+From 5e8a915b16c5f06d2a16d98cdc2af666199caabb Mon Sep 17 00:00:00 2001
+From: Sergey Poznyakoff <gray@gnu.org>
+Date: Sat, 11 Feb 2023 14:21:05 +0200
+Subject: Changes in extended header decoder
+
+* src/xheader.c (decode_time): Fix error detection.
+(raw_path_decoder): Ignore empty paths.
+---
+ src/xheader.c | 15 ++++++++++++---
+ 1 file changed, 12 insertions(+), 3 deletions(-)
+
+diff --git a/src/xheader.c b/src/xheader.c
+index 7ff216b..a195f3e 100644
+--- a/src/xheader.c
+++ b/src/xheader.c
+@@ -1059,6 +1059,12 @@ decode_time (struct timespec *ts, char const *arg, char const *keyword)
+ 		keyword, arg));
+       return false;
+     }
+  if (*arg_lim)
+    {
+      ERROR ((0, 0, _("Malformed extended header: invalid %s=%s"),
+	      keyword, arg));
+      return false;
+    }
+ 
+   *ts = t;
+   return true;
+@@ -1247,9 +1253,12 @@ path_coder (struct tar_stat_info const *st, char const *keyword,
+ static void
+ raw_path_decoder (struct tar_stat_info *st, char const *arg)
+ {
+-  decode_string (&st->orig_file_name, arg);
+-  decode_string (&st->file_name, arg);
+-  st->had_trailing_slash = strip_trailing_slashes (st->file_name);
+  if (*arg)
+    {
+      decode_string (&st->orig_file_name, arg);
+      decode_string (&st->file_name, arg);
+      st->had_trailing_slash = strip_trailing_slashes (st->file_name);
+    }
+ }
+ 
+ 
+-- 
+cgit v1.1
+
--- a/fix-CVE-2022-48303.patch
+++ b/fix-CVE-2022-48303.patch
@ -0,0 +1,31 @@
+From 1d530107a24d71e798727d7f0afa0833473d1074 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Matej=20Mu=C5=BEila?= <mmuzila@gmail.com>
+Date: Wed, 11 Jan 2023 08:55:58 +0100
+Subject: [PATCH] Fix savannah bug #62387
+
+* src/list.c (from_header): Check for the end of field after leading byte
+  (0x80 or 0xff) of base-256 encoded header value
+---
+ src/list.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/src/list.c b/src/list.c
+index 9fafc425..bf41b581 100644
+--- a/src/list.c
+++ b/src/list.c
+@@ -895,6 +895,12 @@ from_header (char const *where0, size_t digs, char const *type,
+ 			   << (CHAR_BIT * sizeof (uintmax_t)
+ 			       - LG_256 - (LG_256 - 2)));
+       value = (*where++ & ((1 << (LG_256 - 2)) - 1)) - signbit;
+      if (where == lim)
+        {
+          if (type && !silent)
+            ERROR ((0, 0, _("Archive base-256 value is invalid")));
+          return -1;
+        }
+       for (;;)
+ 	{
+ 	  value = (value << LG_256) + (unsigned char) *where++;
+-- 
+2.38.1
+
--- a/go-testsuite-test-hang.patch
+++ b/go-testsuite-test-hang.patch
@ -0,0 +1,27 @@
+Index: tar-1.34/tests/testsuite.at
+===================================================================
+--- tar-1.34.orig/tests/testsuite.at
+++ tar-1.34/tests/testsuite.at
+@@ -204,6 +204,8 @@ m4_include([version.at])
+ 
+ m4_include([pipe.at])
+ 
+m4_include([go-testsuite-test-hang.at])
+
+ AT_BANNER([Options])
+ m4_include([options.at])
+ m4_include([options02.at])
+Index: tar-1.34/suse-test.at
+===================================================================
+--- /dev/null
+++ tar-1.34/tests/go-testsuite-test-hang.at
+@@ -0,0 +1,9 @@
+AT_SETUP([try extracting archive without hanging])
+AT_KEYWORDS([suse])
+
+AT_TAR_CHECK([
+# This command will fail, just don't hang
+tar xf ../../../pax-global-records.tar || exit 0
+])
+
+AT_CLEANUP
--- a/pax-global-records.tar
+++ b/pax-global-records.tar
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:e4e6b8700915613e10edbfe16f31c8d3edfd80603fa4f12fd6eeee5881cbd881
+size 7168
--- a/tar.changes
+++ b/tar.changes
@ -1,3 +1,15 @@
+-------------------------------------------------------------------
+Tue Feb 14 11:07:40 UTC 2023 - Danilo Spinella <danilo.spinella@suse.com>
+
+- Fix CVE-2022-48303, tar has a one-byte out-of-bounds read that
+  results in use of uninitialized memory for a conditional jump
+  (CVE-2022-48303, bsc#1207753)
+  * fix-CVE-2022-48303.patch
+- Fix hang when unpacking test tarball, bsc#1202436
+  * remove bsc1202436.patch
+  * bsc1202436-1.patch
+  * bsc1202436-1.patch
+
 -------------------------------------------------------------------
 Tue Dec 27 13:22:21 UTC 2022 - Ludwig Nussel <lnussel@suse.com>

--- a/tar.spec
+++ b/tar.spec
@ -1,7 +1,7 @@
 #
 # spec file for package tar
 #
-# Copyright (c) 2022 SUSE LLC
+# Copyright (c) 2023 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@ -29,6 +29,7 @@ Source0:        https://ftp.gnu.org/gnu/tar/%{name}-%{version}.tar.xz
 Source1:        https://ftp.gnu.org/gnu/tar/%{name}-%{version}.tar.xz.sig
 # http://wwwkeys.pgp.net:11371/pks/lookup?op=get&search=0x3602B07F55D0C732
 Source2:        %{name}.keyring
+Source3:        pax-global-records.tar
 Patch0:         %{name}-wildcards.patch
 Patch1:         %{name}-backup-spec-fix-paths.patch
 Patch2:         paxutils-rtapelib_mtget.patch
@ -47,6 +48,15 @@ Patch8:         tar-fix-race-condition.patch
 Patch9:         tar-avoid-overflow-in-symlinks-tests.patch
 Patch10:        bsc1200657.patch
 Patch11:        tar-fix-extract-unlink.patch
+# PATCH-FIX-SUSE danilo.spinella@suse.com bsc#1202436
+Patch12:        go-testsuite-test-hang.patch
+# PATCH-FIX-UPSTREAM danilo.spinella@suse.com bsc#1202436
+Patch13:        bsc1202436-1.patch
+Patch14:        bsc1202436-2.patch
+# PATCH-FIX-UPSTREAM danilo.spinella@suse.com bsc#1207753
+# tar has a one-byte out-of-bounds read that results in use of
+# uninitialized memory for a conditional jump
+Patch15:        fix-CVE-2022-48303.patch
 BuildRequires:  automake >= 1.15
 BuildRequires:  libacl-devel
 BuildRequires:  libselinux-devel
@ -109,6 +119,7 @@ it may as well access remote devices or files.
 %lang_package

 %prep
+# TODO: Use autosetup
 %setup -q
 %patch0 -p1
 %patch1 -p1
@ -121,6 +132,11 @@ it may as well access remote devices or files.
 %patch9 -p1
 %patch10 -p1
 %patch11 -p1
+%patch12 -p1
+%patch13 -p1
+%patch14 -p1
+%patch15 -p1
+cp %{S:3} tests

 %build
 %define my_cflags -W -Wall -Wpointer-arith -Wstrict-prototypes -Wformat-security -Wno-unused-parameter -fPIE