nixo
/
guix-devel
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity
guix-devel/gnu/packages/patches/cpio-CVE-2014-9112-pt4.patch

106 lines
3.6 KiB
Diff
Raw Normal View History

gnu: cpio: Add fixes for CVE-2014-9112. * gnu/packages/patches/cpio-CVE-2014-9112-pt1.patch, gnu/packages/patches/cpio-CVE-2014-9112-pt2.patch, gnu/packages/patches/cpio-CVE-2014-9112-pt3.patch, gnu/packages/patches/cpio-CVE-2014-9112-pt4.patch, gnu/packages/patches/cpio-CVE-2014-9112-pt5.patch: New files. * gnu-system.am (dist_patch_DATA): Add them. * gnu/packages/cpio.scm (cpio): Add patches. Add 'autoconf' to native-inputs.
2014-12-30 20:13:20 +01:00
Partially fix CVE-2014-9112, part 4/5. Backported to 2.11.
From fd262d116c4564c1796be9be2799619cf7785d07 Mon Sep 17 00:00:00 2001
From: Sergey Poznyakoff <gray@gnu.org.ua>
Date: Thu, 11 Dec 2014 10:51:21 +0000
Subject: Fix error recovery in copy-in mode
* src/copyin.c (copyin_link): Fix null dereference.
(read_in_header): Fix error recovery (bug introduced by
27e0ae55).
* tests/symlink-bad-length.at: Test error recovery.
Catch various architecture-dependent error messages (suggested
by Pavel Raiskup).
---
diff --git a/src/copyin.c b/src/copyin.c
index 264bfcb..ca12356 100644
--- a/src/copyin.c
+++ b/src/copyin.c
@@ -655,7 +655,7 @@ copyin_device (struct cpio_file_stat* file_hdr)
}
static void
-copyin_link(struct cpio_file_stat *file_hdr, int in_file_des)
+copyin_link (struct cpio_file_stat *file_hdr, int in_file_des)
{
char *link_name = NULL; /* Name of hard and symbolic links. */
int res; /* Result of various function calls. */
@@ -666,6 +666,8 @@ copyin_link(struct cpio_file_stat *file_
if (archive_format != arf_tar && archive_format != arf_ustar)
{
link_name = get_link_name (file_hdr, in_file_des);
+ if (!link_name)
+ return;
}
else
{
@@ -1017,7 +1019,7 @@ read_in_header (struct cpio_file_stat *file_hdr, int in_des)
file_hdr->c_tar_linkname = NULL;
- tape_buffered_read (magic.str, in_des, 6L);
+ tape_buffered_read (magic.str, in_des, sizeof (magic.str));
while (1)
{
if (append_flag)
@@ -1062,8 +1064,8 @@ read_in_header (struct cpio_file_stat *file_hdr, int in_des)
break;
}
bytes_skipped++;
- memmove (magic.str, magic.str + 1, 5);
- tape_buffered_read (magic.str, in_des, 1L);
+ memmove (magic.str, magic.str + 1, sizeof (magic.str) - 1);
+ tape_buffered_read (magic.str + sizeof (magic.str) - 1, in_des, 1L);
}
}
diff --git a/tests/symlink-bad-length.at b/tests/symlink-bad-length.at
index cbf4aa7..4dbeaa3 100644
--- a/tests/symlink-bad-length.at
+++ b/tests/symlink-bad-length.at
@@ -24,9 +24,9 @@ AT_SETUP([symlink-bad-length])
AT_KEYWORDS([symlink-long copyout])
AT_DATA([ARCHIVE.base64],
-[x3EjAIBAtIEtJy8nAQAAAHRUYW0FAAAADQBGSUxFAABzb21lIGNvbnRlbnQKAMdxIwBgQ/+hLScv
-JwEAAAB0VEhuBQD/////TElOSwAARklMRcdxAAAAAAAAAAAAAAEAAAAAAAAACwAAAAAAVFJBSUxF
-UiEhIQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+[x3ECCJ1jtIHoA2QAAQAAAIlUwl0FAAAADQBGSUxFAABzb21lIGNvbnRlbnQKAMdxAgidHv+h6ANk
+AAEAAACJVHFtBQD/////TElOSwAARklMRcdxAgieHqSB6ANkAAEAAACJVDJuBgAAABIARklMRTIA
+c29tZSBtb3JlIGNvbnRlbnQKx3EAAAAAAAAAAAAAAQAAAAAAAAALAAAAAABUUkFJTEVSISEhAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
@@ -37,13 +37,23 @@ AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
AT_CHECK([
base64 -d ARCHIVE.base64 > ARCHIVE || AT_SKIP_TEST
-cpio -ntv < ARCHIVE
-test $? -eq 2
+TZ=UTC cpio -ntv < ARCHIVE 2>stderr
+rc=$?
+cat stderr | grep -v \
+ -e 'stored filename length is out of range' \
+ -e 'premature end of file' \
+ -e 'archive header has reverse byte-order' \
+ -e 'memory exhausted' \
+ >&2
+echo >&2 STDERR
+test "$rc" -ne 0
],
-[0],
-[-rw-rw-r-- 1 10029 10031 13 Nov 25 13:52 FILE
-],[cpio: LINK: stored filename length is out of range
-cpio: premature end of file
+[1],
+[-rw-rw-r-- 1 1000 100 13 Dec 11 09:02 FILE
+-rw-r--r-- 1 1000 100 18 Dec 11 10:13 FILE2
+],[cpio: warning: skipped 4 bytes of junk
+1 block
+STDERR
])
AT_CLEANUP
--
cgit v0.9.0.2