diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..1c280a4
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,2 @@
+SOURCES/libtar-1.2.11.tar.gz
+SOURCES/libtar_1.2.11-4.diff.gz
diff --git a/.libtar.metadata b/.libtar.metadata
new file mode 100644
index 0000000..78fbee4
--- /dev/null
+++ b/.libtar.metadata
@@ -0,0 +1,2 @@
+9611f23024b0e89aad1cfea301122186b3c160f8 SOURCES/libtar-1.2.11.tar.gz
+a7069272701f793e11b749d50caca561a78ac086 SOURCES/libtar_1.2.11-4.diff.gz
diff --git a/SOURCES/libtar-1.2.11-CVE-2013-4397.patch b/SOURCES/libtar-1.2.11-CVE-2013-4397.patch
new file mode 100644
index 0000000..792c9a3
--- /dev/null
+++ b/SOURCES/libtar-1.2.11-CVE-2013-4397.patch
@@ -0,0 +1,94 @@ +From 8505fb844300f493b4e848d4461537a7bb0e8cc0 Mon Sep 17 00:00:00 2001 +From: Kamil Dudka +Date: Fri, 4 Oct 2013 13:55:26 +0200 +Subject: [PATCH] libtar - fix CVE-2013-4397 libtar (upstream patch) + +Heap-based buffer overflows by expanding a specially-crafted archive +--- + lib/block.c | 38 ++++++++++++++++++++++++-------------- + 1 files changed, 24 insertions(+), 14 deletions(-) + +diff --git a/lib/block.c b/lib/block.c +index 2917dc6..092bc28 100644 +--- a/lib/block.c ++++ b/lib/block.c +@@ -90,8 +90,8 @@ th_read_internal(TAR *t) + int + th_read(TAR *t) + { +- int i, j; +- size_t sz; ++ int i; ++ size_t sz, j, blocks; + char *ptr; + + #ifdef DEBUG +@@ -118,21 +118,26 @@ th_read(TAR *t) + if (TH_ISLONGLINK(t)) + { + sz = th_get_size(t); +- j = (sz / T_BLOCKSIZE) + (sz % T_BLOCKSIZE ? 1 : 0); ++ blocks = (sz / T_BLOCKSIZE) + (sz % T_BLOCKSIZE ? 1 : 0); ++ if (blocks > ((size_t)-1 / T_BLOCKSIZE)) ++ { ++ errno = E2BIG; ++ return -1; ++ } + #ifdef DEBUG + printf(" th_read(): GNU long linkname detected " +- "(%ld bytes, %d blocks)\n", sz, j); ++ "(%ld bytes, %d blocks)\n", sz, blocks); + #endif +- t->th_buf.gnu_longlink = (char *)malloc(j * T_BLOCKSIZE); ++ t->th_buf.gnu_longlink = (char *)malloc(blocks * T_BLOCKSIZE); + if (t->th_buf.gnu_longlink == NULL) + return -1; + +- for (ptr = t->th_buf.gnu_longlink; j > 0; +- j--, ptr += T_BLOCKSIZE) ++ for (j = 0, ptr = t->th_buf.gnu_longlink; j < blocks; ++ j++, ptr += T_BLOCKSIZE) + { + #ifdef DEBUG + printf(" th_read(): reading long linkname " +- "(%d blocks left, ptr == %ld)\n", j, ptr); ++ "(%d blocks left, ptr == %ld)\n", blocks-j, ptr); + #endif + i = tar_block_read(t, ptr); + if (i != T_BLOCKSIZE) +@@ -163,21 +168,26 @@ th_read(TAR *t) + if (TH_ISLONGNAME(t)) + { + sz = th_get_size(t); +- j = (sz / T_BLOCKSIZE) + (sz % T_BLOCKSIZE ? 1 : 0); ++ blocks = (sz / T_BLOCKSIZE) + (sz % T_BLOCKSIZE ? 
1 : 0); ++ if (blocks > ((size_t)-1 / T_BLOCKSIZE)) ++ { ++ errno = E2BIG; ++ return -1; ++ } + #ifdef DEBUG + printf(" th_read(): GNU long filename detected " +- "(%ld bytes, %d blocks)\n", sz, j); ++ "(%ld bytes, %d blocks)\n", sz, blocks); + #endif +- t->th_buf.gnu_longname = (char *)malloc(j * T_BLOCKSIZE); ++ t->th_buf.gnu_longname = (char *)malloc(blocks * T_BLOCKSIZE); + if (t->th_buf.gnu_longname == NULL) + return -1; + +- for (ptr = t->th_buf.gnu_longname; j > 0; +- j--, ptr += T_BLOCKSIZE) ++ for (j = 0, ptr = t->th_buf.gnu_longname; j < blocks; ++ j++, ptr += T_BLOCKSIZE) + { + #ifdef DEBUG + printf(" th_read(): reading long filename " +- "(%d blocks left, ptr == %ld)\n", j, ptr); ++ "(%d blocks left, ptr == %ld)\n", blocks-j, ptr); + #endif + i = tar_block_read(t, ptr); + if (i != T_BLOCKSIZE) +-- +1.7.1 + diff --git a/SOURCES/libtar-1.2.11-bz729009.patch b/SOURCES/libtar-1.2.11-bz729009.patch new file mode 100644 index 0000000..a73eabc --- /dev/null +++ b/SOURCES/libtar-1.2.11-bz729009.patch @@ -0,0 +1,25 @@ +From 1f2ec801cf4ac954f84c81e7587ce11998f78911 Mon Sep 17 00:00:00 2001 +From: Kamil Dudka +Date: Tue, 9 Aug 2011 12:02:26 +0200 +Subject: [PATCH] libtar - rhbz #729009 + +--- + libtar/Makefile.in | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +diff --git a/libtar/Makefile.in b/libtar/Makefile.in +index 4e7bca4..94bd198 100644 +--- a/libtar/Makefile.in ++++ b/libtar/Makefile.in +@@ -17,7 +17,7 @@ PACKAGE_VERSION = @PACKAGE_VERSION@ + + ### Installation programs and flags + INSTALL = @INSTALL@ +-INSTALL_PROGRAM = @INSTALL_PROGRAM@ -s ++INSTALL_PROGRAM = @INSTALL_PROGRAM@ + INSTALL_DATA = @INSTALL_DATA@ + LN_S = @LN_S@ + MKDIR = @MKDIR@ +-- +1.7.4.4 + diff --git a/SOURCES/libtar-1.2.11-bz785760.patch b/SOURCES/libtar-1.2.11-bz785760.patch new file mode 100644 index 0000000..5136b30 --- /dev/null +++ b/SOURCES/libtar-1.2.11-bz785760.patch 
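Review bot: The DEBUG printf calls in both the long-linkname and long-filename branches still pass `blocks` and `blocks-j` to `%d` after the patch widened them to size_t, and pass `sz` (size_t) and `ptr` (a pointer) to `%ld`; that is a format/argument mismatch, so the format should read `"(%zu bytes, %zu blocks)\n"` and `"(%zu blocks left, ptr == %p)\n"` with `(void *)ptr`. The new `if (blocks > ((size_t)-1 / T_BLOCKSIZE))` guard only rules out size_t overflow in `malloc(blocks * T_BLOCKSIZE)`; a header can still demand an arbitrarily large allocation for a name, so an explicit upper bound on `sz` before allocating (the tree sizes paths with MAXPATHLEN elsewhere — confirm what gnu_longname's consumers accept) would reject such an entry cheaply instead of relying on malloc failing. What happens after the `if (i != T_BLOCKSIZE)` short-read check, including whether the freshly allocated buffer is freed, is outside the hunk.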
@@ -0,0 +1,94 @@ +From 6595e6491a472bc4e7f81ed7fe2879c67b3873fe Mon Sep 17 00:00:00 2001 +From: Kamil Dudka +Date: Tue, 7 Feb 2012 13:50:55 +0100 +Subject: [PATCH] libtar - rhbz #785760 + +--- + lib/append.c | 14 ++++++++------ + lib/extract.c | 2 ++ + libtar/libtar.c | 3 +++ + 3 files changed, 13 insertions(+), 6 deletions(-) + +diff --git a/lib/append.c b/lib/append.c +index 5489168..690202b 100644 +--- a/lib/append.c ++++ b/lib/append.c +@@ -216,6 +216,7 @@ tar_append_regfile(TAR *t, char *realname) + int filefd; + int i, j; + size_t size; ++ int rv = -1; + + filefd = open(realname, O_RDONLY); + if (filefd == -1) +@@ -234,25 +235,26 @@ tar_append_regfile(TAR *t, char *realname) + { + if (j != -1) + errno = EINVAL; +- return -1; ++ goto fail; + } + if (tar_block_write(t, &block) == -1) +- return -1; ++ goto fail; + } + + if (i > 0) + { + j = read(filefd, &block, i); + if (j == -1) +- return -1; ++ goto fail; + memset(&(block[i]), 0, T_BLOCKSIZE - i); + if (tar_block_write(t, &block) == -1) +- return -1; ++ goto fail; + } + ++ rv = 0; ++fail: + close(filefd); +- +- return 0; ++ return rv; + } + + +diff --git a/lib/extract.c b/lib/extract.c +index b783d87..b36d447 100644 +--- a/lib/extract.c ++++ b/lib/extract.c +@@ -245,6 +245,7 @@ tar_extract_regfile(TAR *t, char *realname) + { + if (k != -1) + errno = EINVAL; ++ close(fdout); + free (pn); + return -1; + } +@@ -253,6 +254,7 @@ tar_extract_regfile(TAR *t, char *realname) + if (write(fdout, buf, + ((i > T_BLOCKSIZE) ? T_BLOCKSIZE : i)) == -1) + { ++ close(fdout); + free (pn); + return -1; + } +diff --git a/libtar/libtar.c b/libtar/libtar.c +index 83564c8..673c90e 100644 +--- a/libtar/libtar.c ++++ b/libtar/libtar.c +@@ -83,7 +83,10 @@ gzopen_frontend(char *pathname, int oflags, int mode) + return -1; + + if ((oflags & O_CREAT) && fchmod(fd, mode)) ++ { ++ close(fd); + return -1; ++ } + + gzf = gzdopen(fd, gzoflags); + if (!gzf) +-- +1.7.1 + 
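Review bot: The new `goto fail` paths in tar_append_regfile and the added `close(fdout)` calls in tar_extract_regfile run close() after errno has already been set (explicitly to EINVAL, or by the failed read()/write()), and close() may overwrite errno, so the caller's `strerror(errno)` can report the wrong cause. Preserve it around the cleanup, e.g. at the `fail:` label `int saved_errno = errno; close(filefd); errno = saved_errno; return rv;`, and likewise around each added `close(fdout)`. The same applies to the added `close(fd)` in gzopen_frontend after a failed fchmod(). The bodies of all three functions extend outside the hunk.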
diff --git a/SOURCES/libtar-1.2.11-fix-memleak.patch b/SOURCES/libtar-1.2.11-fix-memleak.patch
new file mode 100644
index 0000000..505e461
--- /dev/null
+++ b/SOURCES/libtar-1.2.11-fix-memleak.patch
@@ -0,0 +1,546 @@ + lib/decode.c | 2 +- + lib/extract.c | 94 +++++++++++++++++++++++++++++++++++++++++++------------ + lib/handle.c | 1 + + lib/wrapper.c | 12 ++++++- + libtar/libtar.c | 30 +++++++++++------ + 5 files changed, 106 insertions(+), 33 deletions(-) + +diff --git a/lib/decode.c b/lib/decode.c +index 794c868..c2c2baa 100644 +--- a/lib/decode.c ++++ b/lib/decode.c +@@ -29,7 +29,7 @@ th_get_pathname(TAR *t) + char filename[MAXPATHLEN]; + + if (t->th_buf.gnu_longname) +- return t->th_buf.gnu_longname; ++ return strdup(t->th_buf.gnu_longname); + + if (t->th_buf.prefix[0] != '\0') + { +diff --git a/lib/extract.c b/lib/extract.c +index cacfe58..8993b95 100644 +--- a/lib/extract.c ++++ b/lib/extract.c +@@ -44,9 +44,10 @@ tar_set_file_perms(TAR *t, char *realname) + uid_t uid; + gid_t gid; + struct utimbuf ut; +- char *filename; ++ char *filename,*pn; + +- filename = (realname ? realname : th_get_pathname(t)); ++ pn = th_get_pathname(t); ++ filename = (realname ? realname : pn); + mode = th_get_mode(t); + uid = th_get_uid(t); + gid = th_get_gid(t); +@@ -69,6 +70,7 @@ tar_set_file_perms(TAR *t, char *realname) + filename, uid, gid, strerror(errno)); + # endif + #endif /* HAVE_LCHOWN */ ++ free (pn); + return -1; + } + +@@ -78,6 +80,7 @@ tar_set_file_perms(TAR *t, char *realname) + #ifdef DEBUG + perror("utime()"); + #endif ++ free (pn); + return -1; + } + +@@ -87,9 +90,11 @@ tar_set_file_perms(TAR *t, char *realname) + #ifdef DEBUG + perror("chmod()"); + #endif ++ free (pn); + return -1; + } + ++ free (pn); + return 0; + } + +@@ -168,7 +173,7 @@ tar_extract_regfile(TAR *t, char *realname) + int fdout; + int i, k; + char buf[T_BLOCKSIZE]; +- char *filename; ++ char *filename,*pn; + + #ifdef DEBUG + printf("==> tar_extract_regfile(t=0x%lx, realname=\"%s\")\n", t, +@@ -181,14 +186,18 @@ tar_extract_regfile(TAR *t, char *realname) + return -1; + } + +- filename = (realname ? realname : th_get_pathname(t)); ++ pn = th_get_pathname(t); ++ filename = (realname ? 
realname : pn); + mode = th_get_mode(t); + size = th_get_size(t); + uid = th_get_uid(t); + gid = th_get_gid(t); + + if (mkdirhier(dirname(filename)) == -1) ++ { ++ free (pn); + return -1; ++ } + + #ifdef DEBUG + printf(" ==> extracting: %s (mode %04o, uid %d, gid %d, %d bytes)\n", +@@ -204,6 +213,7 @@ tar_extract_regfile(TAR *t, char *realname) + #ifdef DEBUG + perror("open()"); + #endif ++ free (pn); + return -1; + } + +@@ -235,23 +245,30 @@ tar_extract_regfile(TAR *t, char *realname) + { + if (k != -1) + errno = EINVAL; ++ free (pn); + return -1; + } + + /* write block to output file */ + if (write(fdout, buf, + ((i > T_BLOCKSIZE) ? T_BLOCKSIZE : i)) == -1) ++ { ++ free (pn); + return -1; ++ } + } + + /* close output file */ + if (close(fdout) == -1) ++ { ++ free (pn); + return -1; ++ } + + #ifdef DEBUG + printf("### done extracting %s\n", filename); + #endif +- ++ free (pn); + return 0; + } + +@@ -290,7 +307,7 @@ tar_skip_regfile(TAR *t) + int + tar_extract_hardlink(TAR * t, char *realname) + { +- char *filename; ++ char *filename,*pn; + char *linktgt = NULL; + linkname_t *lnp; + libtar_hashptr_t hp; +@@ -301,9 +318,13 @@ tar_extract_hardlink(TAR * t, char *realname) + return -1; + } + +- filename = (realname ? realname : th_get_pathname(t)); ++ pn = th_get_pathname(t); ++ filename = (realname ? 
realname : pn); + if (mkdirhier(dirname(filename)) == -1) ++ { ++ free (pn); + return -1; ++ } + libtar_hashptr_reset(&hp); + if (libtar_hash_getkey(t->h, &hp, th_get_linkname(t), + (libtar_matchfunc_t)libtar_str_match) != 0) +@@ -322,9 +343,11 @@ tar_extract_hardlink(TAR * t, char *realname) + #ifdef DEBUG + perror("link()"); + #endif ++ free (pn); + return -1; + } + ++ free (pn); + return 0; + } + +@@ -333,7 +356,7 @@ tar_extract_hardlink(TAR * t, char *realname) + int + tar_extract_symlink(TAR *t, char *realname) + { +- char *filename; ++ char *filename,*pn; + + if (!TH_ISSYM(t)) + { +@@ -341,9 +364,13 @@ tar_extract_symlink(TAR *t, char *realname) + return -1; + } + +- filename = (realname ? realname : th_get_pathname(t)); ++ pn = th_get_pathname(t); ++ filename = (realname ? realname : pn); + if (mkdirhier(dirname(filename)) == -1) ++ { ++ free (pn); + return -1; ++ } + + if (unlink(filename) == -1 && errno != ENOENT) + return -1; +@@ -357,9 +384,11 @@ tar_extract_symlink(TAR *t, char *realname) + #ifdef DEBUG + perror("symlink()"); + #endif ++ free (pn); + return -1; + } + ++ free (pn); + return 0; + } + +@@ -370,7 +399,7 @@ tar_extract_chardev(TAR *t, char *realname) + { + mode_t mode; + unsigned long devmaj, devmin; +- char *filename; ++ char *filename,*pn; + + if (!TH_ISCHR(t)) + { +@@ -378,14 +407,18 @@ tar_extract_chardev(TAR *t, char *realname) + return -1; + } + +- filename = (realname ? realname : th_get_pathname(t)); ++ pn = th_get_pathname(t); ++ filename = (realname ? 
realname : pn); + mode = th_get_mode(t); + devmaj = th_get_devmajor(t); + devmin = th_get_devminor(t); + + if (mkdirhier(dirname(filename)) == -1) ++ { ++ free (pn); + return -1; +- ++ } ++ + #ifdef DEBUG + printf(" ==> extracting: %s (character device %ld,%ld)\n", + filename, devmaj, devmin); +@@ -396,9 +429,11 @@ tar_extract_chardev(TAR *t, char *realname) + #ifdef DEBUG + perror("mknod()"); + #endif ++ free (pn); + return -1; + } + ++ free (pn); + return 0; + } + +@@ -409,7 +444,7 @@ tar_extract_blockdev(TAR *t, char *realname) + { + mode_t mode; + unsigned long devmaj, devmin; +- char *filename; ++ char *filename,*pn; + + if (!TH_ISBLK(t)) + { +@@ -417,13 +452,17 @@ tar_extract_blockdev(TAR *t, char *realname) + return -1; + } + +- filename = (realname ? realname : th_get_pathname(t)); ++ pn = th_get_pathname(t); ++ filename = (realname ? realname : pn); + mode = th_get_mode(t); + devmaj = th_get_devmajor(t); + devmin = th_get_devminor(t); + + if (mkdirhier(dirname(filename)) == -1) ++ { ++ free (pn); + return -1; ++ } + + #ifdef DEBUG + printf(" ==> extracting: %s (block device %ld,%ld)\n", +@@ -435,9 +474,11 @@ tar_extract_blockdev(TAR *t, char *realname) + #ifdef DEBUG + perror("mknod()"); + #endif ++ free (pn); + return -1; + } + ++ free (pn); + return 0; + } + +@@ -447,19 +488,22 @@ int + tar_extract_dir(TAR *t, char *realname) + { + mode_t mode; +- char *filename; ++ char *filename,*pn; + + if (!TH_ISDIR(t)) + { + errno = EINVAL; + return -1; + } +- +- filename = (realname ? realname : th_get_pathname(t)); ++ pn = th_get_pathname(t); ++ filename = (realname ? 
realname : pn); + mode = th_get_mode(t); + + if (mkdirhier(dirname(filename)) == -1) ++ { ++ free (pn); + return -1; ++ } + + #ifdef DEBUG + printf(" ==> extracting: %s (mode %04o, directory)\n", filename, +@@ -474,6 +518,7 @@ tar_extract_dir(TAR *t, char *realname) + #ifdef DEBUG + perror("chmod()"); + #endif ++ free (pn); + return -1; + } + else +@@ -481,6 +526,7 @@ tar_extract_dir(TAR *t, char *realname) + #ifdef DEBUG + puts(" *** using existing directory"); + #endif ++ free (pn); + return 1; + } + } +@@ -489,10 +535,12 @@ tar_extract_dir(TAR *t, char *realname) + #ifdef DEBUG + perror("mkdir()"); + #endif ++ free (pn); + return -1; + } + } +- ++ ++ free (pn); + return 0; + } + +@@ -502,7 +550,7 @@ int + tar_extract_fifo(TAR *t, char *realname) + { + mode_t mode; +- char *filename; ++ char *filename,*pn; + + if (!TH_ISFIFO(t)) + { +@@ -510,11 +558,15 @@ tar_extract_fifo(TAR *t, char *realname) + return -1; + } + +- filename = (realname ? realname : th_get_pathname(t)); ++ pn = th_get_pathname(t); ++ filename = (realname ? 
realname : pn); + mode = th_get_mode(t); + + if (mkdirhier(dirname(filename)) == -1) ++ { ++ free (pn); + return -1; ++ } + + #ifdef DEBUG + printf(" ==> extracting: %s (fifo)\n", filename); +@@ -524,9 +576,11 @@ tar_extract_fifo(TAR *t, char *realname) + #ifdef DEBUG + perror("mkfifo()"); + #endif ++ free (pn); + return -1; + } + ++ free (pn); + return 0; + } + +diff --git a/lib/handle.c b/lib/handle.c +index ae974b9..e3a48cb 100644 +--- a/lib/handle.c ++++ b/lib/handle.c +@@ -82,6 +82,7 @@ tar_open(TAR **t, char *pathname, tartype_t *type, + (*t)->fd = (*((*t)->type->openfunc))(pathname, oflags, mode); + if ((*t)->fd == -1) + { ++ libtar_hash_free((*t)->h, NULL); + free(*t); + return -1; + } +diff --git a/lib/wrapper.c b/lib/wrapper.c +index 51d5086..e60a530 100644 +--- a/lib/wrapper.c ++++ b/lib/wrapper.c +@@ -36,7 +36,10 @@ tar_extract_glob(TAR *t, char *globname, char *prefix) + if (fnmatch(globname, filename, FNM_PATHNAME | FNM_PERIOD)) + { + if (TH_ISREG(t) && tar_skip_regfile(t)) ++ { ++ free (filename); + return -1; ++ } + continue; + } + if (t->options & TAR_VERBOSE) +@@ -46,7 +49,11 @@ tar_extract_glob(TAR *t, char *globname, char *prefix) + else + strlcpy(buf, filename, sizeof(buf)); + if (tar_extract_file(t, filename) != 0) ++ { ++ free (filename); + return -1; ++ } ++ free (filename); + } + + return (i == 1 ? 0 : -1); +@@ -77,13 +84,16 @@ tar_extract_all(TAR *t, char *prefix) + snprintf(buf, sizeof(buf), "%s/%s", prefix, filename); + else + strlcpy(buf, filename, sizeof(buf)); +- free(filename); + #ifdef DEBUG + printf(" tar_extract_all(): calling tar_extract_file(t, " + "\"%s\")\n", buf); + #endif + if (tar_extract_file(t, buf) != 0) ++ { ++ free (filename); + return -1; ++ } ++ free (filename); + } + + return (i == 1 ? 
0 : -1); +diff --git a/libtar/libtar.c b/libtar/libtar.c +index a6cef72..f06c5b8 100644 +--- a/libtar/libtar.c ++++ b/libtar/libtar.c +@@ -249,7 +249,9 @@ extract(char *tarfile, char *rootdir) + #endif + if (tar_extract_all(t, rootdir) != 0) + { ++ + fprintf(stderr, "tar_extract_all(): %s\n", strerror(errno)); ++ tar_close(t); + return -1; + } + +@@ -267,12 +269,13 @@ extract(char *tarfile, char *rootdir) + + + void +-usage() ++usage(void *rootdir) + { + printf("Usage: %s [-C rootdir] [-g] [-z] -x|-t filename.tar\n", + progname); + printf(" %s [-C rootdir] [-g] [-z] -c filename.tar ...\n", + progname); ++ free(rootdir); + exit(-1); + } + +@@ -289,6 +292,7 @@ main(int argc, char *argv[]) + int c; + int mode = 0; + libtar_list_t *l; ++ int return_code = -2; + + progname = basename(argv[0]); + +@@ -310,17 +314,17 @@ main(int argc, char *argv[]) + break; + case 'c': + if (mode) +- usage(); ++ usage(rootdir); + mode = MODE_CREATE; + break; + case 'x': + if (mode) +- usage(); ++ usage(rootdir); + mode = MODE_EXTRACT; + break; + case 't': + if (mode) +- usage(); ++ usage(rootdir); + mode = MODE_LIST; + break; + #ifdef HAVE_LIBZ +@@ -329,7 +333,7 @@ main(int argc, char *argv[]) + break; + #endif /* HAVE_LIBZ */ + default: +- usage(); ++ usage(rootdir); + } + + if (!mode || ((argc - optind) < (mode == MODE_CREATE ? 
2 : 1))) +@@ -338,7 +342,7 @@ main(int argc, char *argv[]) + printf("argc - optind == %d\tmode == %d\n", argc - optind, + mode); + #endif +- usage(); ++ usage(rootdir); + } + + #ifdef DEBUG +@@ -348,21 +352,25 @@ main(int argc, char *argv[]) + switch (mode) + { + case MODE_EXTRACT: +- return extract(argv[optind], rootdir); ++ return_code = extract(argv[optind], rootdir); ++ break; + case MODE_CREATE: + tarfile = argv[optind]; + l = libtar_list_new(LIST_QUEUE, NULL); + for (c = optind + 1; c < argc; c++) + libtar_list_add(l, argv[c]); +- return create(tarfile, rootdir, l); ++ return_code = create(tarfile, rootdir, l); ++ libtar_list_free (l, NULL); ++ break; + case MODE_LIST: +- return list(argv[optind]); ++ return_code = list(argv[optind]); ++ break; + default: + break; + } + +- /* NOTREACHED */ +- return -2; ++ free(rootdir); ++ return return_code; + } + + diff --git a/SOURCES/libtar-1.2.11-mem-deref.patch b/SOURCES/libtar-1.2.11-mem-deref.patch new file mode 100644 index 0000000..9b89bf8 --- /dev/null +++ b/SOURCES/libtar-1.2.11-mem-deref.patch @@ -0,0 +1,24 @@ +--- libtar-1.2.11/lib/libtar.h.deref 2009-12-30 16:37:03.790121122 +0100 ++++ libtar-1.2.11/lib/libtar.h 2009-12-30 16:37:35.521246633 +0100 +@@ -172,6 +172,7 @@ int th_write(TAR *t); + #define TH_ISDIR(t) ((t)->th_buf.typeflag == DIRTYPE \ + || S_ISDIR((mode_t)oct_to_int((t)->th_buf.mode)) \ + || ((t)->th_buf.typeflag == AREGTYPE \ ++ && strlen((t)->th_buf.name) \ + && ((t)->th_buf.name[strlen((t)->th_buf.name) - 1] == '/'))) + #define TH_ISFIFO(t) ((t)->th_buf.typeflag == FIFOTYPE \ + || S_ISFIFO((mode_t)oct_to_int((t)->th_buf.mode))) +--- libtar-1.2.11/lib/util.c.deref 2003-01-07 02:41:00.000000000 +0100 ++++ libtar-1.2.11/lib/util.c 2009-12-30 17:35:51.860121660 +0100 +@@ -133,9 +133,7 @@ oct_to_int(char *oct) + { + int i; + +- sscanf(oct, "%o", &i); +- +- return i; ++ return sscanf(oct, "%o", &i) == 1 ? i : 0; + } + + + 
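Review bot: In tar_extract_symlink the context line `if (unlink(filename) == -1 && errno != ENOENT) return -1;` sits between `pn = th_get_pathname(t);` and the `free (pn)` calls the patch adds, so that early return still leaks `pn`; it should become `{ free (pn); return -1; }` like the mkdirhier() failure just above it. The patch also makes th_get_pathname return `strdup(t->th_buf.gnu_longname)` without checking the result, and none of the extract functions check `pn` for NULL before `filename` reaches dirname()/mkdirhier(), so a NULL check after each `pn = th_get_pathname(t);` is needed. The remaining return paths of th_get_pathname are outside the hunk — if any of them still hands back the `filename[MAXPATHLEN]` buffer rather than heap memory, the callers' `free (pn)` would free a non-heap pointer, so every path must return an allocation. As a style point, `usage(void *rootdir)` takes `void *` for what main() treats as a `char *` everywhere else.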
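Review bot: The added `strlen((t)->th_buf.name)` in TH_ISDIR assumes th_buf.name is NUL-terminated, which a fixed-width tar name field is not when the name fills it; if `name` is the fixed header field, `strnlen((t)->th_buf.name, sizeof((t)->th_buf.name))` bounds the scan (the field's declaration is outside the hunk — confirm). The macro now evaluates strlen twice per use, which a small static inline helper would avoid. In oct_to_int, `sscanf(oct, "%o", &i) == 1 ? i : 0` handles a non-numeric field, but `%o` into an int is undefined on overflow and the value is later widened into size_t in th_read (see the CVE-2013-4397 patch in this commit), so parsing with strtoul plus an explicit range check would be the stricter form.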
diff --git a/SOURCES/libtar-1.2.11-missing-protos.patch b/SOURCES/libtar-1.2.11-missing-protos.patch
new file mode 100644
index 0000000..1a61087
--- /dev/null
+++ b/SOURCES/libtar-1.2.11-missing-protos.patch
@@ -0,0 +1,80 @@ +diff -up libtar-1.2.11/lib/append.c.foo libtar-1.2.11/lib/append.c +--- libtar-1.2.11/lib/append.c.foo 2003-01-07 02:40:59.000000000 +0100 ++++ libtar-1.2.11/lib/append.c 2008-04-03 15:08:07.000000000 +0200 +@@ -13,6 +13,8 @@ + #include + + #include ++#include ++#include + #include + #include + #include +diff -up libtar-1.2.11/configure.foo libtar-1.2.11/configure +--- libtar-1.2.11/configure.foo 2008-04-03 15:08:07.000000000 +0200 ++++ libtar-1.2.11/configure 2008-04-03 15:09:20.000000000 +0200 +@@ -4943,8 +4943,8 @@ main () + for (i = 0; i < 256; i++) + if (XOR (islower (i), ISLOWER (i)) + || toupper (i) != TOUPPER (i)) +- exit(2); +- exit (0); ++ return 2; ++ return 0; + } + _ACEOF + rm -f conftest$ac_exeext +@@ -20083,8 +20083,8 @@ main () + for (i = 0; i < 256; i++) + if (XOR (islower (i), ISLOWER (i)) + || toupper (i) != TOUPPER (i)) +- exit(2); +- exit (0); ++ return (2); ++ return (0); + } + _ACEOF + rm -f conftest$ac_exeext +@@ -22411,6 +22411,7 @@ cat >>conftest.$ac_ext <<_ACEOF + /* end confdefs.h. */ + + #include ++#include + + typedef struct { + int length; +@@ -22437,10 +22438,10 @@ int main() { + if ((snprintf(test1, tests[i].length, "%s", tests[i].test) + != tests[i].retval) || + (tests[i].result && strcmp(tests[i].result, test1))) +- exit(1); ++ return (1); + } + +- exit(0); ++ return (0); + } + + _ACEOF +diff -up libtar-1.2.11/lib/output.c~ libtar-1.2.11/lib/output.c +--- libtar-1.2.11/lib/output.c~ 2008-04-03 15:11:07.000000000 +0200 ++++ libtar-1.2.11/lib/output.c 2008-04-03 15:11:07.000000000 +0200 +@@ -13,6 +13,7 @@ + #include + + #include ++#include + #include + #include + #include +diff -up libtar-1.2.11/lib/wrapper.c~ libtar-1.2.11/lib/wrapper.c +--- libtar-1.2.11/lib/wrapper.c~ 2008-04-03 15:11:28.000000000 +0200 ++++ libtar-1.2.11/lib/wrapper.c 2008-04-03 15:11:28.000000000 +0200 +@@ -13,6 +13,7 @@ + #include + + #include ++#include + #include + #include + #include 
diff --git a/SOURCES/libtar-1.2.11-tar_header.patch b/SOURCES/libtar-1.2.11-tar_header.patch new file mode 100644 index 0000000..161f7da --- /dev/null +++ b/SOURCES/libtar-1.2.11-tar_header.patch @@ -0,0 +1,15 @@ +diff -Naur libtar-1.2.11/lib/encode.c libtar-1.2.11.tar_header/lib/encode.c +--- libtar-1.2.11/lib/encode.c 2003-01-07 07:10:59.000000000 +0530 ++++ libtar-1.2.11.tar_header/lib/encode.c 2009-11-20 11:13:25.166756167 +0530 +@@ -30,7 +30,10 @@ + int i, sum = 0; + + if (t->options & TAR_GNU) +- strncpy(t->th_buf.magic, "ustar ", 8); ++ { ++ memcpy(t->th_buf.magic, "ustar ", 6); ++ memcpy(t->th_buf.version, " \0", 2); ++ } + else + { + strncpy(t->th_buf.version, TVERSION, TVERSLEN); diff --git a/SOURCES/libtar-macro.patch b/SOURCES/libtar-macro.patch new file mode 100644 index 0000000..8a2c448 --- /dev/null +++ b/SOURCES/libtar-macro.patch @@ -0,0 +1,14 @@ +2009-09-22 Stepan Kasal + + * tell aclocal where are the macros + +--- libtar-1.2.11/configure.ac.macro 2009-09-22 14:47:07.000000000 +0200 ++++ libtar-1.2.11/configure.ac 2009-09-22 14:50:34.000000000 +0200 +@@ -2,6 +2,7 @@ + AC_INIT([libtar], [1.2.11]) + AC_PREREQ([2.57]) + AC_CONFIG_AUX_DIR([autoconf]) ++AC_CONFIG_MACRO_DIR([autoconf]) + AC_CONFIG_HEADERS([config.h]) + AC_COPYRIGHT([[ + Copyright (c) 1998-2003 University of Illinois Board of Trustees diff --git a/SPECS/libtar.spec b/SPECS/libtar.spec new file mode 100644 index 0000000..994606a --- /dev/null +++ b/SPECS/libtar.spec 
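Review bot: The two memcpy calls hard-code the lengths 6 and 2 while the else branch right below uses the tar.h constant in `strncpy(t->th_buf.version, TVERSION, TVERSLEN)`; writing `memcpy(t->th_buf.magic, "ustar ", TMAGLEN);` and `memcpy(t->th_buf.version, " \0", TVERSLEN);` ties the copy lengths to the field sizes they must match and makes it obvious that no byte spills into the neighbouring field. The enclosing function starts and ends outside the hunk.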
@@ -0,0 +1,180 @@ +Summary: Tar file manipulation API +Name: libtar +Version: 1.2.11 +Release: 29%{?dist} +License: MIT +Group: System Environment/Libraries +URL: http://www.feep.net/libtar/ +Source0: ftp://ftp.feep.net/pub/software/libtar/libtar-%{version}.tar.gz +Patch0: http://ftp.debian.org/debian/pool/main/libt/libtar/libtar_1.2.11-4.diff.gz +Patch1: libtar-1.2.11-missing-protos.patch +Patch2: libtar-macro.patch +Patch3: libtar-1.2.11-tar_header.patch +Patch4: libtar-1.2.11-mem-deref.patch +Patch5: libtar-1.2.11-fix-memleak.patch +Patch6: libtar-1.2.11-bz729009.patch +Patch7: libtar-1.2.11-CVE-2013-4397.patch +Patch8: libtar-1.2.11-bz785760.patch +BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-buildroot +BuildRequires: zlib-devel libtool + +%description +libtar is a C library for manipulating tar archives. It supports both +the strict POSIX tar format and many of the commonly-used GNU +extensions. + + +%package devel +Summary: Development files for %{name} +Group: Development/Libraries +Requires: %{name} = %{version}-%{release} + +%description devel +The %{name}-devel package contains libraries and header files for +developing applications that use %{name}. + + +%prep +%setup -q +%patch0 -p1 -z .deb +%patch1 -p1 +%patch2 -p1 +%patch3 -p1 -b .tar_header +%patch4 -p1 -b .deref +%patch5 -p1 -b .fixmem +%patch6 -p1 +%patch7 -p1 +%patch8 -p1 + +# set correct version for .so build +%global ltversion %(echo %{version} | tr '.' ':') +sed -i 's/-rpath $(libdir)/-rpath $(libdir) -version-number %{ltversion}/' \ + lib/Makefile.in +# sanitize the macro definitions so that aclocal can find them: +cd autoconf +sed '/^m4_include/d;s/ m4_include/ m4][_include/g' aclocal.m4 >psg.m4 +rm acsite.m4 aclocal.m4 +cd .. 
+ + +%build +cp -p /usr/share/libtool/config/config.sub autoconf +# config.guess is not needed, macro %%configure specifies --build +libtoolize --copy +aclocal -I autoconf +autoconf +%configure --disable-static +make %{?_smp_mflags} + + +%install +make install DESTDIR=$RPM_BUILD_ROOT +# Without this we get no debuginfo and stripping +chmod +x $RPM_BUILD_ROOT%{_libdir}/libtar.so.%{version} +rm $RPM_BUILD_ROOT%{_libdir}/*.la + + +%post -p /sbin/ldconfig +%postun -p /sbin/ldconfig + + +%files +%doc COPYRIGHT TODO README ChangeLog* +%{_bindir}/%{name} +%{_libdir}/lib*.so.* + +%files devel +%{_includedir}/libtar.h +%{_includedir}/libtar_listhash.h +%{_libdir}/lib*.so +%{_mandir}/man3/*.3* + + +%changelog +* Tue Apr 21 2015 Kamil Dudka - 1.2.11-29 +- fix resource leaks found by cppcheck (#785760) + +* Fri Jan 24 2014 Daniel Mach - 1.2.11-28 +- Mass rebuild 2014-01-24 + +* Fri Dec 27 2013 Daniel Mach - 1.2.11-27 +- Mass rebuild 2013-12-27 + +* Fri Oct 04 2013 Kamil Dudka - 1.2.11-26 +- fix CVE-2013-4397: buffer overflows by expanding a specially-crafted archive + +* Thu Feb 14 2013 Fedora Release Engineering - 1.2.11-25 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild + +* Tue Aug 28 2012 Kamil Dudka - 1.2.11-24 +- fix specfile issues reported by the fedora-review script + +* Thu Jul 19 2012 Fedora Release Engineering - 1.2.11-23 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild + +* Fri Jan 13 2012 Fedora Release Engineering - 1.2.11-22 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild + +* Tue Aug 09 2011 Kamil Dudka - 1.2.11-21 +- Allow to extract debug-info from /usr/bin/libtar (#729009) + +* Tue Feb 08 2011 Fedora Release Engineering - 1.2.11-20 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild + +* Thu May 27 2010 Kamil Dudka - 1.2.11-19 +- Completed review of memory leaks related patches (#589056) + +* Mon May 3 2010 Huzaifa Sidhpurwala - 1.2.11-18 +- Fix more memory leaks + +* Mon May 3 
2010 Huzaifa Sidhpurwala - 1.2.11-17 +- Fix lot of memory leaks + +* Thu Dec 31 2009 Huzaifa Sidhpurwala - 1.2.11-16 +- Fix invalid memory de-reference issue in BZ #551415 + +* Fri Nov 20 2009 Huzaifa Sidhpurwala - 1.2.11-15 +- Fix buffer overflow in BZ #538770 + +* Tue Sep 22 2009 Stepan Kasal - 1.2.11-14 +- fix up so that it builds again (#511566) + +* Sat Jul 25 2009 Fedora Release Engineering - 1.2.11-13 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild + +* Wed Feb 25 2009 Fedora Release Engineering - 1.2.11-12 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild + +* Thu Apr 3 2008 Hans de Goede 1.2.11-11 +- Fix missing prototype compiler warnings + +* Tue Feb 19 2008 Fedora Release Engineering - 1.2.11-10 +- Autorebuild for GCC 4.3 + +* Mon Aug 13 2007 Hans de Goede 1.2.11-9 +- Update License tag for new Licensing Guidelines compliance + +* Mon Aug 28 2006 Hans de Goede 1.2.11-8 +- FE6 Rebuild + +* Sun Jul 23 2006 Hans de Goede 1.2.11-7 +- Taking over as maintainer since Anvil has other priorities +- Add a bunch of patches from Debian, which build a .so instead of a .a + and fix a bunch of memory leaks. +- Reinstate a proper devel package as we now build a .so + +* Thu Mar 16 2006 Dams - 1.2.11-6.fc5 +- Modified URL and added one in Source0 + +* Sun May 22 2005 Jeremy Katz - 1.2.11-5 +- rebuild on all arches + +* Fri Apr 7 2005 Michael Schwendt +- rebuilt + +* Sat Aug 16 2003 Dams 0:1.2.11-0.fdr.3 +- Merged devel and main packages +- Package provide now libtar-devel + +* Tue Jul 8 2003 Dams +- Initial build.