Blame SOURCES/fix-use-after-free-in-delayed-newc.patch

From 6a71cce7ed735f83f9a6a6bad8beaa47f8d14734 Mon Sep 17 00:00:00 2001
From: Ondrej Dubaj <odubaj@redhat.com>
Date: Mon, 27 May 2019 10:06:14 +0200
Subject: [PATCH 1/2] Fix use-after-free in delayed link processing (newc
 format)
During archiving, if some of the "delayed" hard link entries
happened to disappear on filesystem (or become unreadable) for
some reason (most probably race), the old code free()d the 'entry'
and continued with the loop;  the next loop though dereferenced
'entry' and crashed the archiver.
Per report from Coverity.
---
 tar/write.c | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)
diff --git a/tar/write.c b/tar/write.c
index 9c24566..3970de2 100644
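--- a/tar/write.c
+++ b/tar/write.c
@@ -540,8 +540,7 @@ write_archive(struct archive *a, struct bsdtar *bsdtar)
 			lafe_warnc(archive_errno(disk),
 			    "%s", archive_error_string(disk));
 			bsdtar->return_value = 1;
-			archive_entry_free(entry);
-			continue;
+			goto next_entry;
 		}
 
 		/*
@@ -559,13 +558,13 @@ write_archive(struct archive *a, struct bsdtar *bsdtar)
 				bsdtar->return_value = 1;
 			else
 				archive_read_close(disk);
-			archive_entry_free(entry);
-			continue;
+			goto next_entry;
 		}
 
 		write_file(bsdtar, a, entry);
-		archive_entry_free(entry);
 		archive_read_close(disk);
+next_entry:
+		archive_entry_free(entry);
 		entry = NULL;
 		archive_entry_linkify(bsdtar->resolver, &entry, &sparse_entry);
 	}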
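Review bot: The `next_entry:` label in the second hunk carries the whole fix but has no comment saying that every exit from the loop body must pass through it. Both error paths now jump there so that `entry` is freed once, reset to NULL and replaced by `archive_entry_linkify()` before the next iteration; a `continue` added to this loop later would bring back the stale-pointer dereference the commit message describes. I would put `/* All exits from this iteration land here: free entry exactly once, then fetch the next delayed link. */` directly above the label. The loop header and the calls whose failures are handled lie outside both hunks, so the loop test on `entry` is inferred from the commit message rather than visible here.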
-- 
2.17.1
From a999ca882aeb8fce4f4f2ee1317f528984b47e8e Mon Sep 17 00:00:00 2001
From: Ondrej Dubaj <odubaj@redhat.com>
Date: Mon, 27 May 2019 10:34:48 +0200
Subject: [PATCH 2/2] call missing archive_read_close() in write_archive()
---
 tar/write.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/tar/write.c b/tar/write.c
index 3970de2..63c619c 100644
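--- a/tar/write.c
+++ b/tar/write.c
@@ -556,8 +556,7 @@ write_archive(struct archive *a, struct bsdtar *bsdtar)
 			    "%s", archive_error_string(disk));
 			if (r == ARCHIVE_FATAL)
 				bsdtar->return_value = 1;
-			else
-				archive_read_close(disk);
+			archive_read_close(disk);
 			goto next_entry;
 		}
 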
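Review bot: The exit status is still raised only when `r == ARCHIVE_FATAL`, although every path through this block ends in `goto next_entry` and therefore skips `write_file()` for the entry. If the enclosing condition, which starts outside the hunk, also admits non-fatal results, a delayed hard link can be left out of the archive with only a warning and an unchanged exit status, whereas the first error path in patch 1/2 sets `bsdtar->return_value = 1` unconditionally. Either drop the `if` so the line reads `bsdtar->return_value = 1;`, or add a comment at the `if` explaining why a non-fatal failure here should not fail the run. The result of `archive_read_close(disk)` is also discarded on this path, so a short comment noting that this is deliberate best-effort cleanup would help.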
-- 
2.17.1