diff --git a/.gitignore b/.gitignore
index 5270323..6806873 100644
--- a/.gitignore
+++ b/.gitignore
@@ -5,3 +5,4 @@ squashfs-4.1.tar.bz2
/squashfs-4.2-20101223.bz2
/squashfs-4.2-20101231.bz2
/squashfs4.2.tar.gz
+/squashfs4.3.tar.gz
diff --git a/buffer-issue.patch b/buffer-issue.patch
deleted file mode 100644
index 4464e88..0000000
--- a/buffer-issue.patch
+++ /dev/null
@@ -1,261 +0,0 @@
-From: Phillip Lougher <phillip@squashfs.org.uk>
-Date: Sat, 24 Nov 2012 02:34:48 +0000 (+0000)
-Subject: unsquashfs: fix CVE-2012-4025
-X-Git-Url: http://squashfs.git.sourceforge.net/git/gitweb.cgi?p=squashfs%2Fsquashfs;a=commitdiff_plain;h=8515b3d420f502c5c0236b86e2d6d7e3b23c190e;hp=19c38fba0be1ce949ab44310d7f49887576cc123
-
-unsquashfs: fix CVE-2012-4025
-
-Fix integer overflow exploit in queue_init() leading to heap overflow.
-
-This was a complex exploit to fix because analysis of the code showed
-there were multiple ways this exploit could be triggered, in addition
-to the exploit vector documented in the CVE.
-
-Exploit:
-
-Data_buffer_size and fragment_buffer_size are added together and
-passed to the queue_init function defined as:
-
-struct queue *queue_init(int size)
-
-Unfortunately, data_buffer_size and fragment_buffer_size are ints, and
-contain values supplied by the user. The addition of these values can
-overflow, leading to a negative size passed to queue_init()
-
-In queue_init, space is allocated by
-
-queue->data = malloc(sizeof(void *) * (size + 1));
-
-Given a sufficiently large negative size, (size + 1) * sizeof(void *)
-can overflow leading to a small positive number, leading to a small
-amount of buffer space being created.
-
-In queue_get, the read pointer is moved through the buffer space by
-
-queue->readp = (queue->readp + 1) % queue->size;
-
-The negative sign of size is ignored, leading to readp going beyond the
-allocated buffer space.
-
-Analysis of exploit:
-
-The exploit above is subtle, and centres around passing a negative
-number to queue_init() due to integer overflow. This exploit can be
-fixed by adding a check for negative size passed into queue_init().
-
-However, further analysis of the exploit shows it can be triggered much
-more easily. Data_buffer_size and fragment_buffer_size added together
-can produce a value less than MAX_INT, which when passed into
-queue_init() is not negative. However, this less than MAX_INT value can
-overflow in the malloc calculation when multipled by sizeof(void *),
-leading to a small positive integer. This leads to the situation where
-the buffer allocated is smaller than size, and subsequent heap overflow.
-
-Checking for a negative number in queue_init() is insufficient to
-determine if overflow has or will occur. In fact any one time
-"spot checks" on size is fraught with the problem it can fail to detect
-previous overflow (i.e. previous overflow which has resulted in a small
-positive number is impossible to distinguish from a valid small positive
-number), and it cannot detect if overflow will occur later.
-
-Due to this the approach to the fix is to check every operation
-performed on data_buffer_size, fragment_buffer_size and any values
-derived from them. All calculations are checked for potential overflow
-before they are performed.
-
-This has the following advantages:
-
-1. It allows the code to trap exactly where the overflow takes place,
- leading to more descriptive error messages.
-
-2. It ensures overflow situations do not feed through to later
- calculations making it more difficult to determine if overflow has
- occurred.
-
-3. It ensures too large values for data and fragment buffer sizes are
- correctly rejected even if they don't trigger the exploits.
-
-Signed-off-by: Phillip Lougher <phillip@squashfs.org.uk>
----
-
-diff --git a/squashfs-tools/squashfs_fs.h b/squashfs-tools/squashfs_fs.h
-index d1dc987..58d31f4 100644
---- squashfs-tools/squashfs_fs.h
-+++ squashfs-tools/squashfs_fs.h
-@@ -39,6 +39,7 @@
- #define SQUASHFS_FILE_LOG 17
-
- #define SQUASHFS_FILE_MAX_SIZE 1048576
-+#define SQUASHFS_FILE_MAX_LOG 20
-
- /* Max number of uids and gids */
- #define SQUASHFS_IDS 65536
---- squashfs-tools/unsquashfs.c.buffer 2012-11-25 17:07:52.237809893 -0600
-+++ squashfs-tools/unsquashfs.c 2012-11-25 17:15:24.155246275 -0600
-@@ -31,6 +31,7 @@
-
- #include <sys/sysinfo.h>
- #include <sys/types.h>
-+#include <limits.h>
-
- struct cache *fragment_cache, *data_cache;
- struct queue *to_reader, *to_deflate, *to_writer, *from_writer;
-@@ -136,6 +137,24 @@
- }
-
-
-+int add_overflow(int a, int b)
-+{
-+ return (INT_MAX - a) < b;
-+}
-+
-+
-+int shift_overflow(int a, int shift)
-+{
-+ return (INT_MAX >> shift) < a;
-+}
-+
-+
-+int multiply_overflow(int a, int multiplier)
-+{
-+ return (INT_MAX / multiplier) < a;
-+}
-+
-+
- struct queue *queue_init(int size)
- {
- struct queue *queue = malloc(sizeof(struct queue));
-@@ -143,6 +162,10 @@
- if(queue == NULL)
- EXIT_UNSQUASH("Out of memory in queue_init\n");
-
-+ if(add_overflow(size, 1) ||
-+ multiply_overflow(size + 1, sizeof(void *)))
-+ EXIT_UNSQUASH("Size too large in queue_init\n");
-+
- queue->data = malloc(sizeof(void *) * (size + 1));
- if(queue->data == NULL)
- EXIT_UNSQUASH("Out of memory in queue_init\n");
-@@ -1805,7 +1828,7 @@
- {
- int i;
- sigset_t sigmask, old_mask;
-- int all_buffers_size = fragment_buffer_size + data_buffer_size;
-+ int all_buffers_size;
-
- sigemptyset(&sigmask);
- sigaddset(&sigmask, SIGINT);
-@@ -1841,6 +1864,15 @@
- EXIT_UNSQUASH("Out of memory allocating thread descriptors\n");
- deflator_thread = &thread[3];
-
-+ if(add_overflow(fragment_buffer_size, data_buffer_size))
-+ EXIT_UNSQUASH("Data and fragment queues combined are"
-+ " too large\n");
-+
-+ all_buffers_size = fragment_buffer_size + data_buffer_size;
-+
-+ if(add_overflow(all_buffers_size, all_buffers_size))
-+ EXIT_UNSQUASH("Data and fragment queues combined are"
-+ " too large\n");
- to_reader = queue_init(all_buffers_size);
- to_deflate = queue_init(all_buffers_size);
- to_writer = queue_init(1000);
-@@ -1940,6 +1972,31 @@
- fflush(stdout);
- }
-
-+int parse_number(char *arg, int *res)
-+{
-+ char *b;
-+ long number = strtol(arg, &b, 10);
-+
-+ /* check for trailing junk after number */
-+ if(*b != '\0')
-+ return 0;
-+
-+ /* check for strtol underflow or overflow in conversion */
-+ if(number == LONG_MIN || number == LONG_MAX)
-+ return 0;
-+
-+ /* reject negative numbers as invalid */
-+ if(number < 0)
-+ return 0;
-+
-+ /* check if long result will overflow signed int */
-+ if(number > INT_MAX)
-+ return 0;
-+
-+ *res = number;
-+ return 1;
-+}
-+
-
- #define VERSION() \
- printf("unsquashfs version 4.2 (2011/02/28)\n");\
-@@ -2022,8 +2079,8 @@
- } else if(strcmp(argv[i], "-data-queue") == 0 ||
- strcmp(argv[i], "-da") == 0) {
- if((++i == argc) ||
-- (data_buffer_size = strtol(argv[i], &b,
-- 10), *b != '\0')) {
-+ !parse_number(argv[i],
-+ &data_buffer_size)) {
- ERROR("%s: -data-queue missing or invalid "
- "queue size\n", argv[0]);
- exit(1);
-@@ -2036,8 +2093,8 @@
- } else if(strcmp(argv[i], "-frag-queue") == 0 ||
- strcmp(argv[i], "-fr") == 0) {
- if((++i == argc) ||
-- (fragment_buffer_size = strtol(argv[i],
-- &b, 10), *b != '\0')) {
-+ !parse_number(argv[i],
-+ &fragment_buffer_size)) {
- ERROR("%s: -frag-queue missing or invalid "
- "queue size\n", argv[0]);
- exit(1);
-@@ -2161,8 +2218,41 @@
- block_size = sBlk.s.block_size;
- block_log = sBlk.s.block_log;
-
-- fragment_buffer_size <<= 20 - block_log;
-- data_buffer_size <<= 20 - block_log;
-+ /*
-+ * Sanity check block size and block log.
-+ *
-+ * Check they're within correct limits
-+ */
-+ if(block_size > SQUASHFS_FILE_MAX_SIZE ||
-+ block_log > SQUASHFS_FILE_MAX_LOG)
-+ EXIT_UNSQUASH("Block size or block_log too large."
-+ " File system is corrupt.\n");
-+
-+ /*
-+ * Check block_size and block_log match
-+ */
-+ if(block_size != (1 << block_log))
-+ EXIT_UNSQUASH("Block size and block_log do not match."
-+ " File system is corrupt.\n");
-+
-+ /*
-+ * convert from queue size in Mbytes to queue size in
-+ * blocks.
-+ *
-+ * In doing so, check that the user supplied values do not
-+ * overflow a signed int
-+ */
-+ if(shift_overflow(fragment_buffer_size, 20 - block_log))
-+ EXIT_UNSQUASH("Fragment queue size is too large\n");
-+ else
-+ fragment_buffer_size <<= 20 - block_log;
-+
-+ if(shift_overflow(data_buffer_size, 20 - block_log))
-+ EXIT_UNSQUASH("Data queue size is too large\n");
-+ else
-+ data_buffer_size <<= 20 - block_log;
-+
-+
- initialise_threads(fragment_buffer_size, data_buffer_size);
-
- fragment_data = malloc(block_size);
diff --git a/path-issue.patch b/path-issue.patch
deleted file mode 100644
index 7058241..0000000
--- a/path-issue.patch
+++ /dev/null
@@ -1,77 +0,0 @@
-From: Phillip Lougher <phillip@squashfs.org.uk>
-Date: Thu, 22 Nov 2012 04:58:39 +0000 (+0000)
-Subject: unsquashfs: fix CVE-2012-4024
-X-Git-Url: http://squashfs.git.sourceforge.net/git/gitweb.cgi?p=squashfs%2Fsquashfs;a=commitdiff_plain;h=19c38fba0be1ce949ab44310d7f49887576cc123;hp=f7bbe5a202648b505879e2570672c012498f31fb
-
-unsquashfs: fix CVE-2012-4024
-
-Fix potential stack overflow in get_component() where an individual
-pathname component in an extract file (specified on the command line
-or in an extract file) could exceed the 1024 byte sized targname
-allocated on the stack.
-
-Fix by dynamically allocating targname rather than storing it as
-a fixed size on the stack.
-
-Signed-off-by: Phillip Lougher <phillip@squashfs.org.uk>
----
-
-diff --git a/squashfs-tools/unsquashfs.c b/squashfs-tools/unsquashfs.c
-index 90ed1c2..d9d1377 100644
---- a/squashfs-tools/unsquashfs.c
-+++ b/squashfs-tools/unsquashfs.c
-@@ -1099,15 +1099,18 @@ void squashfs_closedir(struct dir *dir)
- }
-
-
--char *get_component(char *target, char *targname)
-+char *get_component(char *target, char **targname)
- {
-+ char *start;
-+
- while(*target == '/')
- target ++;
-
-+ start = target;
- while(*target != '/' && *target!= '\0')
-- *targname ++ = *target ++;
-+ target ++;
-
-- *targname = '\0';
-+ *targname = strndup(start, target - start);
-
- return target;
- }
-@@ -1133,12 +1136,12 @@ void free_path(struct pathname *paths)
-
- struct pathname *add_path(struct pathname *paths, char *target, char *alltarget)
- {
-- char targname[1024];
-+ char *targname;
- int i, error;
-
- TRACE("add_path: adding \"%s\" extract file\n", target);
-
-- target = get_component(target, targname);
-+ target = get_component(target, &targname);
-
- if(paths == NULL) {
- paths = malloc(sizeof(struct pathname));
-@@ -1162,7 +1165,7 @@ struct pathname *add_path(struct pathname *paths, char *target, char *alltarget)
- sizeof(struct path_entry));
- if(paths->name == NULL)
- EXIT_UNSQUASH("Out of memory in add_path\n");
-- paths->name[i].name = strdup(targname);
-+ paths->name[i].name = targname;
- paths->name[i].paths = NULL;
- if(use_regex) {
- paths->name[i].preg = malloc(sizeof(regex_t));
-@@ -1195,6 +1198,8 @@ struct pathname *add_path(struct pathname *paths, char *target, char *alltarget)
- /*
- * existing matching entry
- */
-+ free(targname);
-+
- if(paths->name[i].paths == NULL) {
- /*
- * No sub-directory which means this is the leaf
diff --git a/sources b/sources
index df751a2..23b2973 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-1b7a781fb4cf8938842279bd3e8ee852 squashfs4.2.tar.gz
+fc16dfed64a698fd66818e26e5f7b647 squashfs4.3.tar.gz
diff --git a/squashfs-tools.spec b/squashfs-tools.spec
index ac4fd28..687653b 100644
--- a/squashfs-tools.spec
+++ b/squashfs-tools.spec
@@ -1,31 +1,25 @@
Summary: Utility for the creation of squashfs filesystems
Name: squashfs-tools
-Version: 4.2
-Release: 5%{?dist}
+Version: 4.3
+Release: 0.1.git0be606be%{?dist}
License: GPLv2+
Group: System Environment/Base
URL: http://squashfs.sourceforge.net/
+# For now I am using a prerelease version obtained by:
+# git archive --remote git://squashfs.git.sourceforge.net/gitroot/squashfs/squashfs --format=tar --prefix=squashfs4.3/ fadb345ddcf81e2b0e8cc802dbae41260be606be | gzip > squashfs4.3.tar.gz
Source0: http://downloads.sourceforge.net/squashfs/squashfs%{version}.tar.gz
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root
BuildRequires: zlib-devel
BuildRequires: xz-devel
BuildRequires: lzo-devel
BuildRequires: libattr-devel
-# Upstream commit 19c38fba0be1ce949ab44310d7f49887576cc123 (minus version
-# date change that doesn't apply cleanly)
-Patch0: path-issue.patch
-# Upstream commit 8515b3d420f502c5c0236b86e2d6d7e3b23c190e
-# Patch needed to be adjusted to fit with the 4.2 release
-Patch1: buffer-issue.patch
%description
Squashfs is a highly compressed read-only filesystem for Linux. This package
contains the utilities for manipulating squashfs filesystems.
%prep
-%setup -q -n squashfs4.2
-%patch0 -p1 -b .pathname
-%patch1 -p0 -b .buffer
+%setup -q -n squashfs%{version}
%build
pushd squashfs-tools
@@ -47,6 +41,12 @@ rm -rf %{buildroot}
%{_sbindir}/unsquashfs
%changelog
+* Sat Dec 01 2012 Bruno Wolff III <bruno@wolff.to> - 4.3-0.1.git0be606be
+- Pre-release of 4.3 to get early testing
+- This update includes a bit of internal code infrastructure changes
+- There are lots of fixes to better handle bad data
+- The final release is expected sometime in December
+
* Sun Nov 25 2012 Bruno Wolff III <bruno@wolff.to> - 4.2-5
- Backported fix for bz 842460 (CVE-2012-4025)