From 87aff9e33bc6165e25cf63e69da9ae8c9aaea5ecd5b36ed4afdc7e2e186a0e40 Mon Sep 17 00:00:00 2001
From: Dirk Mueller
Date: Sat, 18 Feb 2023 16:33:21 +0000
Subject: [PATCH] Accepting request 1065759 from home:dspinella:branches:Base:System

- Fix CVE-2022-48303, tar has a one-byte out-of-bounds read that
results in use of uninitialized memory for a conditional jump
(CVE-2022-48303, bsc#1207753)
* fix-CVE-2022-48303.patch
- Fix hang when unpacking test tarball, bsc#1202436
* remove bsc1202436.patch
* bsc1202436-1.patch
* bsc1202436-1.patch
OBS-URL: https://build.opensuse.org/request/show/1065759
OBS-URL: https://build.opensuse.org/package/show/Base:System/tar?expand=0&rev=120
---
.gitattributes | 2 ++
bsc1202436-1.patch | 65 ++++++++++++++++++++++++++++++++++++
bsc1202436-2.patch | 47 ++++++++++++++++++++++++++
fix-CVE-2022-48303.patch | 31 +++++++++++++++++
go-testsuite-test-hang.patch | 27 +++++++++++++++
pax-global-records.tar | 3 ++
tar.changes | 12 +++++++
tar.spec | 18 +++++++++-
8 files changed, 204 insertions(+), 1 deletion(-)
create mode 100644 bsc1202436-1.patch
create mode 100644 bsc1202436-2.patch
create mode 100644 fix-CVE-2022-48303.patch
create mode 100644 go-testsuite-test-hang.patch
create mode 100644 pax-global-records.tar
diff --git a/.gitattributes b/.gitattributes
index 9b03811..25b5807 100644
--- a/.gitattributes
+++ b/.gitattributes
@@ -21,3 +21,5 @@
 *.xz filter=lfs diff=lfs merge=lfs -text
 *.zip filter=lfs diff=lfs merge=lfs -text
 *.zst filter=lfs diff=lfs merge=lfs -text
+## Specific LFS patterns
+pax-global-records.tar filter=lfs diff=lfs merge=lfs -text
diff --git a/bsc1202436-1.patch b/bsc1202436-1.patch
new file mode 100644
index 0000000..ff99be2
--- /dev/null
+++ b/bsc1202436-1.patch
@@ -0,0 +1,65 @@
+From edf38d13a47becec81b2c3a2b74f54771e1cbee4 Mon Sep 17 00:00:00 2001
+From: Sergey Poznyakoff
+Date: Sat, 11 Feb 2023 13:03:23 +0200
+Subject: Prevent dead loop in extract_file
+
+* src/extract.c (maybe_recoverable): If make_directories indicates
+success, suppose some intermediate directories have been made, even
+if in fact they have not. That's necessary to avoid dead loops when
+maybe_recoverable is called with the same arguments again.
+---
+ src/extract.c | 13 +++++++------
+ 1 file changed, 7 insertions(+), 6 deletions(-)
+
+diff --git a/src/extract.c b/src/extract.c
+index 2d43947..aec5de6 100644
+--- a/src/extract.c
++++ b/src/extract.c
+@@ -682,7 +682,7 @@ fixup_delayed_set_stat (char const *src, char const *dst)
+ directories were created, nonzero (issuing a diagnostic) otherwise.
+ Set *INTERDIR_MADE if at least one directory was created. */
+ static int
+-make_directories (char *file_name, bool *interdir_made)
++make_directories (char *file_name)
+ {
+ char *cursor0 = file_name + FILE_SYSTEM_PREFIX_LEN (file_name);
+ char *cursor; /* points into the file name */
+@@ -726,7 +726,6 @@ make_directories (char *file_name, bool *interdir_made)
+ desired_mode, AT_SYMLINK_NOFOLLOW);
+
+ print_for_mkdir (file_name, cursor - file_name, desired_mode);
+- *interdir_made = true;
+ parent_end = NULL;
+ }
+ else
+@@ -882,8 +881,11 @@ maybe_recoverable (char *file_name, bool regular, bool *interdir_made)
+
+ case ENOENT:
+ /* Attempt creating missing intermediate directories. */
+- if (make_directories (file_name, interdir_made) == 0)
+- return RECOVER_OK;
++ if (make_directories (file_name) == 0)
++ {
++ *interdir_made = true;
++ return RECOVER_OK;
++ }
+ break;
+
+ default:
+@@ -1985,12 +1987,11 @@ rename_directory (char *src, char *dst)
+ else
+ {
+ int e = errno;
+- bool interdir_made;
+
+ switch (e)
+ {
+ case ENOENT:
+- if (make_directories (dst, &interdir_made) == 0)
++ if (make_directories (dst) == 0)
+ {
+ if (renameat (chdir_fd, src, chdir_fd, dst) == 0)
+ return true;
+--
+cgit v1.1
+
diff --git a/bsc1202436-2.patch b/bsc1202436-2.patch
new file mode 100644
index 0000000..062de02
--- /dev/null
+++ b/bsc1202436-2.patch
@@ -0,0 +1,47 @@
+From 5e8a915b16c5f06d2a16d98cdc2af666199caabb Mon Sep 17 00:00:00 2001
+From: Sergey Poznyakoff
+Date: Sat, 11 Feb 2023 14:21:05 +0200
+Subject: Changes in extended header decoder
+
+* src/xheader.c (decode_time): Fix error detection.
+(raw_path_decoder): Ignore empty paths.
+---
+ src/xheader.c | 15 ++++++++++++---
+ 1 file changed, 12 insertions(+), 3 deletions(-)
+
+diff --git a/src/xheader.c b/src/xheader.c
+index 7ff216b..a195f3e 100644
+--- a/src/xheader.c
++++ b/src/xheader.c
+@@ -1059,6 +1059,12 @@ decode_time (struct timespec *ts, char const *arg, char const *keyword)
+ keyword, arg));
+ return false;
+ }
++ if (*arg_lim)
++ {
++ ERROR ((0, 0, _("Malformed extended header: invalid %s=%s"),
++ keyword, arg));
++ return false;
++ }
+
+ *ts = t;
+ return true;
+@@ -1247,9 +1253,12 @@ path_coder (struct tar_stat_info const *st, char const *keyword,
+ static void
+ raw_path_decoder (struct tar_stat_info *st, char const *arg)
+ {
+- decode_string (&st->orig_file_name, arg);
+- decode_string (&st->file_name, arg);
+- st->had_trailing_slash = strip_trailing_slashes (st->file_name);
++ if (*arg)
++ {
++ decode_string (&st->orig_file_name, arg);
++ decode_string (&st->file_name, arg);
++ st->had_trailing_slash = strip_trailing_slashes (st->file_name);
++ }
+ }
+
+
+--
+cgit v1.1
+
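Review bot: The comment kept as context above `make_directories` still ends with `Set *INTERDIR_MADE if at least one directory was created. */`, yet the hunk removes that parameter, so the documentation now describes an output that no longer exists. Since the flag is now set in `maybe_recoverable` via `*interdir_made = true;` after a successful call, that sentence should be dropped from the make_directories comment in the same patch, or noted for the next upstream rebase so the package does not carry a misleading header. Both `make_directories` and `maybe_recoverable` start outside the quoted hunks, as does `rename_directory`.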
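Review bot: In `raw_path_decoder` an empty `path` record is now skipped without any diagnostic, while the sibling change in `decode_time` rejects trailing garbage with `Malformed extended header: invalid %s=%s` and returns false, so the two halves of the same patch treat malformed extended-header records differently. If the silent skip is intended (the commit message only says "Ignore empty paths"), a one-line comment on the new `if (*arg)` such as `/* An empty path record is ignored rather than diagnosed; the name from the ustar header stays in effect.  */` would record the decision — the second clause is inferred from the surrounding code and should be confirmed before it is written down. `raw_path_decoder` is complete in the hunk; `decode_time` starts outside it.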
diff --git a/fix-CVE-2022-48303.patch b/fix-CVE-2022-48303.patch
new file mode 100644
index 0000000..e073df7
--- /dev/null
+++ b/fix-CVE-2022-48303.patch
@@ -0,0 +1,31 @@
+From 1d530107a24d71e798727d7f0afa0833473d1074 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Matej=20Mu=C5=BEila?=
+Date: Wed, 11 Jan 2023 08:55:58 +0100
+Subject: [PATCH] Fix savannah bug #62387
+
+* src/list.c (from_header): Check for the end of field after leading byte
+ (0x80 or 0xff) of base-256 encoded header value
+---
+ src/list.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/src/list.c b/src/list.c
+index 9fafc425..bf41b581 100644
+--- a/src/list.c
++++ b/src/list.c
+@@ -895,6 +895,12 @@ from_header (char const *where0, size_t digs, char const *type,
+ << (CHAR_BIT * sizeof (uintmax_t)
+ - LG_256 - (LG_256 - 2)));
+ value = (*where++ & ((1 << (LG_256 - 2)) - 1)) - signbit;
++ if (where == lim)
++ {
++ if (type && !silent)
++ ERROR ((0, 0, _("Archive base-256 value is invalid")));
++ return -1;
++ }
+ for (;;)
+ {
+ value = (value << LG_256) + (unsigned char) *where++;
+--
+2.38.1
+
diff --git a/go-testsuite-test-hang.patch b/go-testsuite-test-hang.patch
new file mode 100644
index 0000000..84cdada
--- /dev/null
+++ b/go-testsuite-test-hang.patch
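Review bot: The new `if (where == lim)` guard in `from_header` carries no comment explaining why a field may end immediately after the leading 0x80/0xff byte, which is the whole point of the CVE-2022-48303 fix; a reader of src/list.c sees only an extra bounds test next to an unexplained `return -1`. I would add above the `if`: `/* A base-256 field consisting only of the sign byte has no value bytes; the loop below reads one byte before checking LIM, so reject the field here (savannah #62387).  */` — the clause about the loop is inferred from its first line `value = (value << LG_256) + (unsigned char) *where++;` and should be confirmed against the rest of the loop, which lies outside the hunk. `from_header` starts and ends outside the hunk.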
@@ -0,0 +1,27 @@
+Index: tar-1.34/tests/testsuite.at
+===================================================================
+--- tar-1.34.orig/tests/testsuite.at
++++ tar-1.34/tests/testsuite.at
+@@ -204,6 +204,8 @@ m4_include([version.at])
+
+ m4_include([pipe.at])
+
++m4_include([go-testsuite-test-hang.at])
++
+ AT_BANNER([Options])
+ m4_include([options.at])
+ m4_include([options02.at])
+Index: tar-1.34/suse-test.at
+===================================================================
+--- /dev/null
++++ tar-1.34/tests/go-testsuite-test-hang.at
+@@ -0,0 +1,9 @@
++AT_SETUP([try extracting archive without hanging])
++AT_KEYWORDS([suse])
++
++AT_TAR_CHECK([
++# This command will fail, just don't hang
++tar xf ../../../pax-global-records.tar || exit 0
++])
++
++AT_CLEANUP
diff --git a/pax-global-records.tar b/pax-global-records.tar
new file mode 100644
index 0000000..b1d7e90
--- /dev/null
+++ b/pax-global-records.tar
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:e4e6b8700915613e10edbfe16f31c8d3edfd80603fa4f12fd6eeee5881cbd881
+size 7168
diff --git a/tar.changes b/tar.changes
index 3823980..d7635d9 100644
--- a/tar.changes
+++ b/tar.changes
@@ -1,3 +1,15 @@
+-------------------------------------------------------------------
+Tue Feb 14 11:07:40 UTC 2023 - Danilo Spinella
+
+- Fix CVE-2022-48303, tar has a one-byte out-of-bounds read that
+ results in use of uninitialized memory for a conditional jump
+ (CVE-2022-48303, bsc#1207753)
+ * fix-CVE-2022-48303.patch
+- Fix hang when unpacking test tarball, bsc#1202436
+ * remove bsc1202436.patch
+ * bsc1202436-1.patch
+ * bsc1202436-1.patch
+
 -------------------------------------------------------------------
 Tue Dec 27 13:22:21 UTC 2022 - Ludwig Nussel
diff --git a/tar.spec b/tar.spec
index 8ae282d..ed2e0f5 100644
--- a/tar.spec
+++ b/tar.spec
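Review bot: The second file header in go-testsuite-test-hang.patch reads `Index: tar-1.34/suse-test.at` while its `+++` line names `tar-1.34/tests/go-testsuite-test-hang.at`; the Index line should match, `Index: tar-1.34/tests/go-testsuite-test-hang.at`, so that tools honouring `Index:` do not place the new file somewhere else. The test itself only proves that tar terminates: `tar xf ../../../pax-global-records.tar || exit 0` has no time bound, so a regression of bsc#1202436 would stall the package's test run instead of failing this check. Wrapping the command with coreutils `timeout` and failing on its status, e.g. `timeout 60 tar xf ../../../pax-global-records.tar; test $? -ne 124`, turns a hang into a test failure while still tolerating an ordinary extraction error. Whether AT_TAR_CHECK's default expectations tolerate the diagnostic the comment says tar will print, and that `../../../` resolves to the tests directory where the spec copies the fixture, is not visible here and worth confirming.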
@@ -1,7 +1,7 @@
 #
 # spec file for package tar
 #
-# Copyright (c) 2022 SUSE LLC
+# Copyright (c) 2023 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -29,6 +29,7 @@ Source0: https://ftp.gnu.org/gnu/tar/%{name}-%{version}.tar.xz
 Source1: https://ftp.gnu.org/gnu/tar/%{name}-%{version}.tar.xz.sig
 # http://wwwkeys.pgp.net:11371/pks/lookup?op=get&search=0x3602B07F55D0C732
 Source2: %{name}.keyring
+Source3: pax-global-records.tar
 Patch0: %{name}-wildcards.patch
 Patch1: %{name}-backup-spec-fix-paths.patch
 Patch2: paxutils-rtapelib_mtget.patch
@@ -47,6 +48,15 @@ Patch8: tar-fix-race-condition.patch
 Patch9: tar-avoid-overflow-in-symlinks-tests.patch
 Patch10: bsc1200657.patch
 Patch11: tar-fix-extract-unlink.patch
+# PATCH-FIX-SUSE danilo.spinella@suse.com bsc#1202436
+Patch12: go-testsuite-test-hang.patch
+# PATCH-FIX-UPSTREAM danilo.spinella@suse.com bsc#1202436
+Patch13: bsc1202436-1.patch
+Patch14: bsc1202436-2.patch
+# PATCH-FIX-UPSTREAM danilo.spinella@suse.com bsc#1207753
+# tar has a one-byte out-of-bounds read that results in use of
+# uninitialized memory for a conditional jump
+Patch15: fix-CVE-2022-48303.patch
 BuildRequires: automake >= 1.15
 BuildRequires: libacl-devel
 BuildRequires: libselinux-devel
@@ -109,6 +119,7 @@ it may as well access remote devices or files.
 %lang_package
 %prep
+# TODO: Use autosetup
 %setup -q
 %patch0 -p1
 %patch1 -p1
@@ -121,6 +132,11 @@ it may as well access remote devices or files.
 %patch9 -p1
 %patch10 -p1
 %patch11 -p1
+%patch12 -p1
+%patch13 -p1
+%patch14 -p1
+%patch15 -p1
+cp %{S:3} tests
 %build
 %define my_cflags -W -Wall -Wpointer-arith -Wstrict-prototypes -Wformat-security -Wno-unused-parameter -fPIE
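Review bot: The `Patch13: bsc1202436-1.patch` and `Patch14: bsc1202436-2.patch` lines add two distinct upstream patches, but the tar.changes entry added in this same commit (and the commit description) lists `* bsc1202436-1.patch` twice and never names bsc1202436-2.patch, so the changelog does not match what the spec ships; the second bullet should read `* bsc1202436-2.patch`. The two-line comment above `Patch15` repeats the CVE description but not the identifier, which only appears in the file name; the package's other patch comments visible here carry just a bug reference, so adding `CVE-2022-48303` to the `# PATCH-FIX-UPSTREAM` line keeps the CVE greppable in the spec as well.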
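Review bot: The new `cp %{S:3} tests` line in %prep is what makes the `../../../pax-global-records.tar` path in go-testsuite-test-hang.at (Patch12) resolve, but nothing on either side says so, and a future cleanup of %prep could drop the copy without the test noticing until it hangs or fails. A comment such as `# fixture for tests/go-testsuite-test-hang.at (Patch12)` on the `cp` line would tie the two together; whether the added `m4_include` in testsuite.at is picked up without regenerating the autotest suite is not visible in this hunk and worth confirming.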