From d30f2dec6b823e91d8be785a17476bcb3ad1a724 Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: May 20 2020 13:31:43 +0000 Subject: import cpio-2.11-28.el7 --- diff --git a/SOURCES/cpio-2.11-CVE-2019-14866.patch b/SOURCES/cpio-2.11-CVE-2019-14866.patch new file mode 100644 index 0000000..2dacd9f --- /dev/null +++ b/SOURCES/cpio-2.11-CVE-2019-14866.patch @@ -0,0 +1,312 @@ +From 0d5aa7b6578422d3a3a7cad315807ae5b53566b2 Mon Sep 17 00:00:00 2001 +From: Ondrej Dubaj +Date: Thu, 19 Mar 2020 08:58:32 +0100 +Subject: [PATCH] * src/copyout.c (to_ascii): Additional argument nul controls + whether to add the terminating nul character. (field_width_error): Improve + diagnostics: print the actual and the maximum allowed field value. * + src/extern.h (to_ascii, field_width_error): New prototypes. * src/tar.c + (to_oct): Remove. (to_oct_or_error): New function. (TO_OCT): New macro. + (write_out_tar_header) + +--- + src/copyout.c | 47 +++++++++++++++++++++------------- + src/extern.h | 15 +++++++++-- + src/tar.c | 71 ++++++++++++++++++++++++--------------------------- + 3 files changed, 75 insertions(+), 58 deletions(-) + +diff --git a/src/copyout.c b/src/copyout.c +index 03eaf88..c0b1ffa 100644 +--- a/src/copyout.c ++++ b/src/copyout.c +@@ -279,26 +279,32 @@ writeout_final_defers (int out_des) + so it should be moved to paxutils too. + Allowed values for logbase are: 1 (binary), 2, 3 (octal), 4 (hex) */ + int +-to_ascii (char *where, uintmax_t v, size_t digits, unsigned logbase) ++to_ascii (char *where, uintmax_t v, size_t digits, unsigned logbase, bool nul) + { + static char codetab[] = "0123456789ABCDEF"; +- int i = digits; + +- do ++ if (nul) ++ where[--digits] = 0; ++ while (digits > 0) + { +- where[--i] = codetab[(v & ((1 << logbase) - 1))]; ++ where[--digits] = codetab[(v & ((1 << logbase) - 1))]; + v >>= logbase; + } +- while (i); + + return v != 0; + } + +-static void +-field_width_error (const char *filename, const char *fieldname) ++void ++field_width_error (const char *filename, const char *fieldname, ++ uintmax_t value, size_t width, bool nul) + { +- error (1, 0, _("%s: field width not sufficient for storing %s"), +- filename, fieldname); ++ char valbuf[UINTMAX_STRSIZE_BOUND + 1]; ++ char maxbuf[UINTMAX_STRSIZE_BOUND + 1]; ++ error (0, 0, _("%s: value %s %s out of allowed range 0..%s"), ++ filename, fieldname, ++ STRINGIFY_BIGINT (value, valbuf), ++ STRINGIFY_BIGINT (MAX_VAL_WITH_DIGITS (width - nul, LG_8), ++ maxbuf)); + } + + static void +@@ -313,7 +319,7 @@ to_ascii_or_warn (char *where, uintmax_t n, size_t digits, + unsigned logbase, + const char *filename, const char *fieldname) + { +- if (to_ascii (where, n, digits, logbase)) ++ if (to_ascii (where, n, digits, logbase, false)) + field_width_warning (filename, fieldname); + } + +@@ -322,9 +328,9 @@ to_ascii_or_error (char *where, uintmax_t n, size_t digits, + unsigned logbase, + const char *filename, const char *fieldname) + { +- if (to_ascii (where, n, digits, logbase)) ++ if (to_ascii (where, n, digits, logbase, false)) + { +- field_width_error (filename, fieldname); ++ field_width_error (filename, fieldname, n, digits, false); + return 1; + } + return 0; +@@ -381,7 +387,7 @@ write_out_new_ascii_header (const char *magic_string, + _("name size"))) + return 1; + p += 8; +- to_ascii (p, file_hdr->c_chksum & 0xffffffff, 8, LG_16); ++ to_ascii (p, file_hdr->c_chksum & 0xffffffff, 8, LG_16, false); + + tape_buffered_write (ascii_header, out_des, sizeof ascii_header); + +@@ -398,7 +404,7 @@ write_out_old_ascii_header (dev_t dev, dev_t rdev, + char ascii_header[76]; + char *p = ascii_header; + +- to_ascii (p, file_hdr->c_magic, 6, LG_8); ++ to_ascii (p, file_hdr->c_magic, 6, LG_8, false); + p += 6; + to_ascii_or_warn (p, dev, 6, LG_8, file_hdr->c_name, _("device number")); + p += 6; +@@ -502,7 +508,10 @@ write_out_binary_header (dev_t rdev, + short_hdr.c_namesize = file_hdr->c_namesize & 0xFFFF; + if (short_hdr.c_namesize != file_hdr->c_namesize) + { +- field_width_error (file_hdr->c_name, _("name size")); ++ char maxbuf[UINTMAX_STRSIZE_BOUND + 1]; ++ error (0, 0, _("%s: value %s %s out of allowed range 0..%u"), ++ file_hdr->c_name, _("name size"), ++ STRINGIFY_BIGINT (file_hdr->c_namesize, maxbuf), 0xFFFFu); + return 1; + } + +@@ -512,7 +521,10 @@ write_out_binary_header (dev_t rdev, + if (((off_t)short_hdr.c_filesizes[0] << 16) + short_hdr.c_filesizes[1] + != file_hdr->c_filesize) + { +- field_width_error (file_hdr->c_name, _("file size")); ++ char maxbuf[UINTMAX_STRSIZE_BOUND + 1]; ++ error (0, 0, _("%s: value %s %s out of allowed range 0..%lu"), ++ file_hdr->c_name, _("file size"), ++ STRINGIFY_BIGINT (file_hdr->c_namesize, maxbuf), 0xFFFFFFFFlu); + return 1; + } + +@@ -562,8 +574,7 @@ write_out_header (struct cpio_file_stat *file_hdr, int out_des) + error (0, 0, _("%s: file name too long"), file_hdr->c_name); + return 1; + } +- write_out_tar_header (file_hdr, out_des); /* FIXME: No error checking */ +- return 0; ++ return write_out_tar_header (file_hdr, out_des); + + case arf_binary: + return write_out_binary_header (makedev (file_hdr->c_rdev_maj, +diff --git a/src/extern.h b/src/extern.h +index 1c6f70b..a0b6009 100644 +--- a/src/extern.h ++++ b/src/extern.h +@@ -117,6 +117,10 @@ void print_name_with_quoting (char *p); + /* copyout.c */ + int write_out_header (struct cpio_file_stat *file_hdr, int out_des); + void process_copy_out (void); ++int to_ascii (char *where, uintmax_t v, size_t digits, unsigned logbase, ++ bool nul); ++void field_width_error (const char *filename, const char *fieldname, ++ uintmax_t value, size_t width, bool nul); + + /* copypass.c */ + void process_copy_pass (void); +@@ -145,7 +149,7 @@ int make_path (char *argpath, uid_t owner, gid_t group, + const char *verbose_fmt_string); + + /* tar.c */ +-void write_out_tar_header (struct cpio_file_stat *file_hdr, int out_des); ++int write_out_tar_header (struct cpio_file_stat *file_hdr, int out_des); + int null_block (long *block, int size); + void read_in_tar_header (struct cpio_file_stat *file_hdr, int in_des); + int otoa (char *s, unsigned long *n); +@@ -203,9 +207,16 @@ void cpio_safer_name_suffix (char *name, bool link_target, + bool absolute_names, bool strip_leading_dots); + int cpio_create_dir (struct cpio_file_stat *file_hdr, int existing_dir); + +-/* FIXME: These two defines should be defined in paxutils */ ++/* FIXME: The following three should be defined in paxutils */ + #define LG_8 3 + #define LG_16 4 ++/* The maximum uintmax_t value that can be represented with DIGITS digits, ++ assuming that each digit is BITS_PER_DIGIT wide. */ ++#define MAX_VAL_WITH_DIGITS(digits, bits_per_digit) \ ++ ((digits) * (bits_per_digit) < sizeof (uintmax_t) * CHAR_BIT \ ++ ? ((uintmax_t) 1 << ((digits) * (bits_per_digit))) - 1 \ ++ : (uintmax_t) -1) ++ + + uintmax_t from_ascii (char const *where, size_t digs, unsigned logbase); + +diff --git a/src/tar.c b/src/tar.c +index 854878e..fe8fdcf 100644 +--- a/src/tar.c ++++ b/src/tar.c +@@ -1,6 +1,5 @@ + /* tar.c - read in write tar headers for cpio +- Copyright (C) 1992, 2001, 2004, 2006, 2007, 2010 Free Software +- Foundation, Inc. ++ Copyright (C) 1992-2019 Free Software Foundation, Inc. + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by +@@ -81,34 +80,16 @@ stash_tar_filename (char *prefix, char *filename) + return hold_tar_filename; + } + +-/* Convert a number into a string of octal digits. +- Convert long VALUE into a DIGITS-digit field at WHERE, +- including a trailing space and room for a NUL. DIGITS==3 means +- 1 digit, a space, and room for a NUL. +- +- We assume the trailing NUL is already there and don't fill it in. +- This fact is used by start_header and finish_header, so don't change it! +- +- This is be equivalent to: +- sprintf (where, "%*lo ", digits - 2, value); +- except that sprintf fills in the trailing NUL and we don't. */ +- +-static void +-to_oct (register long value, register int digits, register char *where) ++static int ++to_oct_or_error (uintmax_t value, size_t digits, char *where, char const *field, ++ char const *file) + { +- --digits; /* Leave the trailing NUL slot alone. */ +- +- /* Produce the digits -- at least one. */ +- do ++ if (to_ascii (where, value, digits, LG_8, true)) + { +- where[--digits] = '0' + (char) (value & 7); /* One octal digit. */ +- value >>= 3; ++ field_width_error (file, field, value, digits, true); ++ return 1; + } +- while (digits > 0 && value != 0); +- +- /* Add leading zeroes, if necessary. */ +- while (digits > 0) +- where[--digits] = '0'; ++ return 0; + } + + +@@ -136,10 +117,22 @@ tar_checksum (struct tar_header *tar_hdr) + return sum; + } + ++#define TO_OCT(file_hdr, c_fld, digits, tar_hdr, tar_field) \ ++ do \ ++ { \ ++ if (to_oct_or_error (file_hdr -> c_fld, \ ++ digits, \ ++ tar_hdr -> tar_field, \ ++ #tar_field, \ ++ file_hdr->c_name)) \ ++ return 1; \ ++ } \ ++ while (0) ++ + /* Write out header FILE_HDR, including the file name, to file + descriptor OUT_DES. */ + +-void ++int + write_out_tar_header (struct cpio_file_stat *file_hdr, int out_des) + { + int name_len; +@@ -168,11 +161,11 @@ write_out_tar_header (struct cpio_file_stat *file_hdr, int out_des) + + /* Ustar standard (POSIX.1-1988) requires the mode to contain only 3 octal + digits */ +- to_oct (file_hdr->c_mode & MODE_ALL, 8, tar_hdr->mode); +- to_oct (file_hdr->c_uid, 8, tar_hdr->uid); +- to_oct (file_hdr->c_gid, 8, tar_hdr->gid); +- to_oct (file_hdr->c_filesize, 12, tar_hdr->size); +- to_oct (file_hdr->c_mtime, 12, tar_hdr->mtime); ++ TO_OCT (file_hdr, c_mode & MODE_ALL, 8, tar_hdr, mode); ++ TO_OCT (file_hdr, c_uid, 8, tar_hdr, uid); ++ TO_OCT (file_hdr, c_gid, 8, tar_hdr, gid); ++ TO_OCT (file_hdr, c_filesize, 12, tar_hdr, size); ++ TO_OCT (file_hdr, c_mtime, 12, tar_hdr, mtime); + + switch (file_hdr->c_mode & CP_IFMT) + { +@@ -184,7 +177,7 @@ write_out_tar_header (struct cpio_file_stat *file_hdr, int out_des) + strncpy (tar_hdr->linkname, file_hdr->c_tar_linkname, + TARLINKNAMESIZE); + tar_hdr->typeflag = LNKTYPE; +- to_oct (0, 12, tar_hdr->size); ++ to_ascii (tar_hdr->size, 0, 12, LG_8, true); + } + else + tar_hdr->typeflag = REGTYPE; +@@ -210,7 +203,7 @@ write_out_tar_header (struct cpio_file_stat *file_hdr, int out_des) + than TARLINKNAMESIZE. */ + strncpy (tar_hdr->linkname, file_hdr->c_tar_linkname, + TARLINKNAMESIZE); +- to_oct (0, 12, tar_hdr->size); ++ to_ascii (tar_hdr->size, 0, 12, LG_8, true); + break; + #endif /* CP_IFLNK */ + } +@@ -229,13 +222,15 @@ write_out_tar_header (struct cpio_file_stat *file_hdr, int out_des) + if (name) + strcpy (tar_hdr->gname, name); + +- to_oct (file_hdr->c_rdev_maj, 8, tar_hdr->devmajor); +- to_oct (file_hdr->c_rdev_min, 8, tar_hdr->devminor); ++ TO_OCT (file_hdr, c_rdev_maj, 8, tar_hdr, devmajor); ++ TO_OCT (file_hdr, c_rdev_min, 8, tar_hdr, devminor); + } + +- to_oct (tar_checksum (tar_hdr), 8, tar_hdr->chksum); ++ to_ascii (tar_hdr->chksum, tar_checksum (tar_hdr), 8, LG_8, true); + + tape_buffered_write ((char *) &tar_rec, out_des, TARRECORDSIZE); ++ ++ return 0; + } + + /* Return nonzero iff all the bytes in BLOCK are NUL. +-- +2.24.1 + diff --git a/SPECS/cpio.spec b/SPECS/cpio.spec index 71e1e81..e4b889d 100644 --- a/SPECS/cpio.spec +++ b/SPECS/cpio.spec @@ -1,7 +1,7 @@ Summary: A GNU archiving program Name: cpio Version: 2.11 -Release: 27%{?dist} +Release: 28%{?dist} License: GPLv3+ Group: Applications/Archiving URL: http://www.gnu.org/software/cpio/ @@ -53,6 +53,10 @@ Patch15: cpio-2.11-reproducible.patch # ~> upstream fd262d116c4564c1796 Patch16: cpio-2.11-recovery.patch +# Improper input validation +# ~> upstream 7554e3e42cd72f6f8304410c47fe6f8918e9bfd7 +Patch17: cpio-2.11-CVE-2019-14866.patch + Requires(post): /sbin/install-info Requires(preun): /sbin/install-info Provides: bundled(gnulib) @@ -92,6 +96,7 @@ Install cpio if you need a program to manage file archives. %patch14 -p1 -b .crc-big-files %patch15 -p1 -b .reproducible %patch16 -p1 -b .recovery +%patch17 -p1 autoreconf -v @@ -142,6 +147,9 @@ fi %{_infodir}/*.info* %changelog +* Fri Mar 13 2020 Ondrej Dubaj - 2.11-28 +- Improper input validation when writing tar header fields (#1766222) + * Mon Feb 06 2017 Pavel Raiskup - 2.11-27 - don't segfault during recovery (rhbz#1318084)