From dc70889684157143654835a7d6cba6964dc38b1c Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Feb 03 2023 08:10:12 +0000 Subject: import libtar-1.2.20-17.el8 --- diff --git a/SOURCES/libtar-1.2.20-CVE-2021-33643-CVE-2021-33644.patch b/SOURCES/libtar-1.2.20-CVE-2021-33643-CVE-2021-33644.patch new file mode 100644 index 0000000..f6692c3 --- /dev/null +++ b/SOURCES/libtar-1.2.20-CVE-2021-33643-CVE-2021-33644.patch @@ -0,0 +1,40 @@ +From 3936c7aa74d89e7a91dfbb2c1b7bfcad58a0355d Mon Sep 17 00:00:00 2001 +From: shixuantong <1726671442@qq.com> +Date: Wed, 6 Apr 2022 17:40:57 +0800 +Subject: [PATCH 1/2] Ensure that sz is greater than 0. + +--- + lib/block.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/lib/block.c b/lib/block.c +index 092bc28..f12c4bc 100644 +--- a/lib/block.c ++++ b/lib/block.c +@@ -118,6 +118,11 @@ th_read(TAR *t) + if (TH_ISLONGLINK(t)) + { + sz = th_get_size(t); ++ if ((int)sz <= 0) ++ { ++ errno = EINVAL; ++ return -1; ++ } + blocks = (sz / T_BLOCKSIZE) + (sz % T_BLOCKSIZE ? 1 : 0); + if (blocks > ((size_t)-1 / T_BLOCKSIZE)) + { +@@ -168,6 +173,11 @@ th_read(TAR *t) + if (TH_ISLONGNAME(t)) + { + sz = th_get_size(t); ++ if ((int)sz <= 0) ++ { ++ errno = EINVAL; ++ return -1; ++ } + blocks = (sz / T_BLOCKSIZE) + (sz % T_BLOCKSIZE ? 1 : 0); + if (blocks > ((size_t)-1 / T_BLOCKSIZE)) + { +-- +2.37.1 + diff --git a/SOURCES/libtar-1.2.20-CVE-2021-33645-CVE-2021-33646.patch b/SOURCES/libtar-1.2.20-CVE-2021-33645-CVE-2021-33646.patch new file mode 100644 index 0000000..c625d61 --- /dev/null +++ b/SOURCES/libtar-1.2.20-CVE-2021-33645-CVE-2021-33646.patch @@ -0,0 +1,30 @@ +From 78e95da690556874baac96dd1d655e577c6d8e95 Mon Sep 17 00:00:00 2001 +From: Kamil Dudka +Date: Tue, 4 Oct 2022 10:39:35 +0200 +Subject: [PATCH] free memory allocated by gnu_long* fields + +--- + lib/handle.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/lib/handle.c b/lib/handle.c +index 28a7dc2..18bd8dc 100644 +--- a/lib/handle.c ++++ b/lib/handle.c +@@ -122,8 +122,11 @@ tar_close(TAR *t) + libtar_hash_free(t->h, ((t->oflags & O_ACCMODE) == O_RDONLY + ? free + : (libtar_freefunc_t)tar_dev_free)); +- if (t->th_pathname != NULL) +- free(t->th_pathname); ++ ++ free(t->th_pathname); ++ free(t->th_buf.gnu_longname); ++ free(t->th_buf.gnu_longlink); ++ + free(t); + + return i; +-- +2.38.1 + diff --git a/SPECS/libtar.spec b/SPECS/libtar.spec index 3b5312d..1c13366 100644 --- a/SPECS/libtar.spec +++ b/SPECS/libtar.spec @@ -1,7 +1,7 @@ Summary: Tar file manipulation API Name: libtar Version: 1.2.20 -Release: 15%{?dist} +Release: 17%{?dist} License: MIT URL: http://repo.or.cz/libtar.git Source: http://repo.or.cz/libtar.git/snapshot/refs/tags/v1.2.20.tar.gz#/libtar-v1.2.20.tar.gz @@ -14,6 +14,12 @@ Patch7: libtar-1.2.20-no-static-buffer.patch # fix programming mistakes detected by static analysis (#1602596) Patch8: libtar-1.2.20-static-analysis.patch +# fix out-of-bounds read in gnu_long{name,link} (CVE-2021-33643 CVE-2021-33644) +Patch9: libtar-1.2.20-CVE-2021-33643-CVE-2021-33644.patch + +# fix memory leaks through gnu_long{name,link} (CVE-2021-33645 CVE-2021-33646) +Patch10: libtar-1.2.20-CVE-2021-33645-CVE-2021-33646.patch + BuildRequires: libtool BuildRequires: zlib-devel @@ -71,6 +77,13 @@ rm $RPM_BUILD_ROOT%{_libdir}/*.la %changelog +* Mon Dec 19 2022 Kamil Dudka - 1.2.20-17 +- fix use-after-free bugs introduced by incorrect memleak fixes (CVE-2021-33640) + +* Fri Aug 26 2022 Kamil Dudka - 1.2.20-16 +- fix memory leaks through gnu_long{name,link} (CVE-2021-33645 CVE-2021-33646) +- fix out-of-bounds read in gnu_long{name,link} (CVE-2021-33643 CVE-2021-33644) + * Wed Nov 07 2018 Kamil Dudka - 1.2.20-15 - fix programming mistakes detected by static analysis (#1602596)