guix/gnu/packages/patches/cpio-CVE-2014-9112-pt4.patch
Mark H Weaver c7bdc7ece5 gnu: cpio: Add fixes for CVE-2014-9112.
* gnu/packages/patches/cpio-CVE-2014-9112-pt1.patch,
  gnu/packages/patches/cpio-CVE-2014-9112-pt2.patch,
  gnu/packages/patches/cpio-CVE-2014-9112-pt3.patch,
  gnu/packages/patches/cpio-CVE-2014-9112-pt4.patch,
  gnu/packages/patches/cpio-CVE-2014-9112-pt5.patch: New files.
* gnu-system.am (dist_patch_DATA): Add them.
* gnu/packages/cpio.scm (cpio): Add patches.  Add 'autoconf' to
  native-inputs.
2014-12-30 14:48:13 -05:00

106 lines
3.6 KiB
Diff
Raw Blame History

This file contains invisible Unicode characters

This file contains invisible Unicode characters that are indistinguishable to humans but may be processed differently by a computer. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

Partially fix CVE-2014-9112, part 4/5. Backported to 2.11.
From fd262d116c4564c1796be9be2799619cf7785d07 Mon Sep 17 00:00:00 2001
From: Sergey Poznyakoff <gray@gnu.org.ua>
Date: Thu, 11 Dec 2014 10:51:21 +0000
Subject: Fix error recovery in copy-in mode
* src/copyin.c (copyin_link): Fix null dereference.
(read_in_header): Fix error recovery (bug introduced by
27e0ae55).
* tests/symlink-bad-length.at: Test error recovery.
Catch various architecture-dependent error messages (suggested
by Pavel Raiskup).
---
diff --git a/src/copyin.c b/src/copyin.c
index 264bfcb..ca12356 100644
--- a/src/copyin.c
+++ b/src/copyin.c
@@ -655,7 +655,7 @@ copyin_device (struct cpio_file_stat* file_hdr)
}
static void
-copyin_link(struct cpio_file_stat *file_hdr, int in_file_des)
+copyin_link (struct cpio_file_stat *file_hdr, int in_file_des)
{
char *link_name = NULL; /* Name of hard and symbolic links. */
int res; /* Result of various function calls. */
@@ -666,6 +666,8 @@ copyin_link(struct cpio_file_stat *file_
if (archive_format != arf_tar && archive_format != arf_ustar)
{
link_name = get_link_name (file_hdr, in_file_des);
+ if (!link_name)
+ return;
}
else
{
@@ -1017,7 +1019,7 @@ read_in_header (struct cpio_file_stat *file_hdr, int in_des)
file_hdr->c_tar_linkname = NULL;
- tape_buffered_read (magic.str, in_des, 6L);
+ tape_buffered_read (magic.str, in_des, sizeof (magic.str));
while (1)
{
if (append_flag)
@@ -1062,8 +1064,8 @@ read_in_header (struct cpio_file_stat *file_hdr, int in_des)
break;
}
bytes_skipped++;
- memmove (magic.str, magic.str + 1, 5);
- tape_buffered_read (magic.str, in_des, 1L);
+ memmove (magic.str, magic.str + 1, sizeof (magic.str) - 1);
+ tape_buffered_read (magic.str + sizeof (magic.str) - 1, in_des, 1L);
}
}
diff --git a/tests/symlink-bad-length.at b/tests/symlink-bad-length.at
index cbf4aa7..4dbeaa3 100644
--- a/tests/symlink-bad-length.at
+++ b/tests/symlink-bad-length.at
@@ -24,9 +24,9 @@ AT_SETUP([symlink-bad-length])
AT_KEYWORDS([symlink-long copyout])
AT_DATA([ARCHIVE.base64],
-[x3EjAIBAtIEtJy8nAQAAAHRUYW0FAAAADQBGSUxFAABzb21lIGNvbnRlbnQKAMdxIwBgQ/+hLScv
-JwEAAAB0VEhuBQD/////TElOSwAARklMRcdxAAAAAAAAAAAAAAEAAAAAAAAACwAAAAAAVFJBSUxF
-UiEhIQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+[x3ECCJ1jtIHoA2QAAQAAAIlUwl0FAAAADQBGSUxFAABzb21lIGNvbnRlbnQKAMdxAgidHv+h6ANk
+AAEAAACJVHFtBQD/////TElOSwAARklMRcdxAgieHqSB6ANkAAEAAACJVDJuBgAAABIARklMRTIA
+c29tZSBtb3JlIGNvbnRlbnQKx3EAAAAAAAAAAAAAAQAAAAAAAAALAAAAAABUUkFJTEVSISEhAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
@@ -37,13 +37,23 @@ AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
AT_CHECK([
base64 -d ARCHIVE.base64 > ARCHIVE || AT_SKIP_TEST
-cpio -ntv < ARCHIVE
-test $? -eq 2
+TZ=UTC cpio -ntv < ARCHIVE 2>stderr
+rc=$?
+cat stderr | grep -v \
+ -e 'stored filename length is out of range' \
+ -e 'premature end of file' \
+ -e 'archive header has reverse byte-order' \
+ -e 'memory exhausted' \
+ >&2
+echo >&2 STDERR
+test "$rc" -ne 0
],
-[0],
-[-rw-rw-r-- 1 10029 10031 13 Nov 25 13:52 FILE
-],[cpio: LINK: stored filename length is out of range
-cpio: premature end of file
+[1],
+[-rw-rw-r-- 1 1000 100 13 Dec 11 09:02 FILE
+-rw-r--r-- 1 1000 100 18 Dec 11 10:13 FILE2
+],[cpio: warning: skipped 4 bytes of junk
+1 block
+STDERR
])
AT_CLEANUP
--
cgit v0.9.0.2