guix-devel/gnu/packages/patches/cpio-CVE-2014-9112-pt2.patch

Partially fix CVE-2014-9112, part 2/5.

From 54d1c42ac2cb91389fca04a5018ad573e4ae265a Mon Sep 17 00:00:00 2001
From: Sergey Poznyakoff <gray@gnu.org.ua>
Date: Mon, 01 Dec 2014 19:10:39 +0000
Subject: Bugfix

* src/copyin.c (get_link_name): Fix range checking.
* tests/symlink-bad-length.at: Change expected error message.
---
diff --git a/src/copyin.c b/src/copyin.c
index c502c7d..042cc41 100644
--- a/src/copyin.c
+++ b/src/copyin.c
@@ -128,17 +128,17 @@ tape_skip_padding (int in_file_des, off_t offset)
 static char *
 get_link_name (struct cpio_file_stat *file_hdr, int in_file_des)
 {
-  off_t n = file_hdr->c_filesize + 1;
   char *link_name;
   
-  if (n == 0 || n > SIZE_MAX)
+  if (file_hdr->c_filesize < 0 || file_hdr->c_filesize > SIZE_MAX-1)
     {
-      error (0, 0, _("%s: stored filename length too big"), file_hdr->c_name);
+      error (0, 0, _("%s: stored filename length is out of range"),
+	     file_hdr->c_name);
       link_name = NULL;
     }
   else
     {
-      link_name = xmalloc (n);
+      link_name = xmalloc (file_hdr->c_filesize);
       tape_buffered_read (link_name, in_file_des, file_hdr->c_filesize);
       link_name[file_hdr->c_filesize] = '\0';
       tape_skip_padding (in_file_des, file_hdr->c_filesize);
diff --git a/tests/symlink-bad-length.at b/tests/symlink-bad-length.at
index 6f804b1..cbf4aa7 100644
--- a/tests/symlink-bad-length.at
+++ b/tests/symlink-bad-length.at
@@ -42,7 +42,7 @@ test $? -eq 2
 ],
 [0],
 [-rw-rw-r--   1 10029    10031          13 Nov 25 13:52 FILE
-],[cpio: LINK: stored filename length too big
+],[cpio: LINK: stored filename length is out of range
 cpio: premature end of file
 ])
 
--
cgit v0.9.0.2
gnu: cpio: Add fixes for CVE-2014-9112. * gnu/packages/patches/cpio-CVE-2014-9112-pt1.patch, gnu/packages/patches/cpio-CVE-2014-9112-pt2.patch, gnu/packages/patches/cpio-CVE-2014-9112-pt3.patch, gnu/packages/patches/cpio-CVE-2014-9112-pt4.patch, gnu/packages/patches/cpio-CVE-2014-9112-pt5.patch: New files. * gnu-system.am (dist_patch_DATA): Add them. * gnu/packages/cpio.scm (cpio): Add patches. Add 'autoconf' to native-inputs. 2014-12-30 20:13:20 +01:00			`Partially fix CVE-2014-9112, part 2/5.`

			`From 54d1c42ac2cb91389fca04a5018ad573e4ae265a Mon Sep 17 00:00:00 2001`
			`From: Sergey Poznyakoff <gray@gnu.org.ua>`
			`Date: Mon, 01 Dec 2014 19:10:39 +0000`
			`Subject: Bugfix`

			`* src/copyin.c (get_link_name): Fix range checking.`
			`* tests/symlink-bad-length.at: Change expected error message.`
			`---`
			`diff --git a/src/copyin.c b/src/copyin.c`
			`index c502c7d..042cc41 100644`
			`--- a/src/copyin.c`
			`+++ b/src/copyin.c`
			`@@ -128,17 +128,17 @@ tape_skip_padding (int in_file_des, off_t offset)`
			`static char *`
			`get_link_name (struct cpio_file_stat *file_hdr, int in_file_des)`
			`{`
			`- off_t n = file_hdr->c_filesize + 1;`
			`char *link_name;`

			`- if (n == 0 \|\| n > SIZE_MAX)`
			`+ if (file_hdr->c_filesize < 0 \|\| file_hdr->c_filesize > SIZE_MAX-1)`
			`{`
			`- error (0, 0, _("%s: stored filename length too big"), file_hdr->c_name);`
			`+ error (0, 0, _("%s: stored filename length is out of range"),`
			`+ file_hdr->c_name);`
			`link_name = NULL;`
			`}`
			`else`
			`{`
			`- link_name = xmalloc (n);`
			`+ link_name = xmalloc (file_hdr->c_filesize);`
			`tape_buffered_read (link_name, in_file_des, file_hdr->c_filesize);`
			`link_name[file_hdr->c_filesize] = '\0';`
			`tape_skip_padding (in_file_des, file_hdr->c_filesize);`
			`diff --git a/tests/symlink-bad-length.at b/tests/symlink-bad-length.at`
			`index 6f804b1..cbf4aa7 100644`
			`--- a/tests/symlink-bad-length.at`
			`+++ b/tests/symlink-bad-length.at`
			`@@ -42,7 +42,7 @@ test $? -eq 2`
			`],`
			`[0],`
			`[-rw-rw-r-- 1 10029 10031 13 Nov 25 13:52 FILE`
			`-],[cpio: LINK: stored filename length too big`
			`+],[cpio: LINK: stored filename length is out of range`
			`cpio: premature end of file`
			`])`

			`--`
			`cgit v0.9.0.2`