!26 backport lib/node.c: Fix minor typo in error message

From: @liyy9 
Reviewed-by: @Charlie_li 
Signed-off-by: @Charlie_li

0001-lib-node.c-Fix-minor-typo-in-error-message.patch

@@ -0,0 +1,25 @@
+From bb92eed6b57ed29d8230ca688ff73771b8b7e845 Mon Sep 17 00:00:00 2001
+From: "Richard W.M. Jones" <rjones@redhat.com>
+Date: Fri, 16 Jul 2021 09:49:04 +0100
+Subject: [PATCH] lib/node.c: Fix minor typo in error message
+
+---
+ lib/node.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/node.c b/lib/node.c
+index 21cd127..7b002a4 100644
+--- a/lib/node.c
++++ b/lib/node.c
+@@ -346,7 +346,7 @@ _hivex_get_children (hive_h *h, hive_node_h node,
+     if (!h->unsafe) {
+       SET_ERRNO (ENOTSUP,
+                  "nr_subkeys_in_nk = %zu "
+-                 "is not equal to number of childred read %zu",
++                 "is not equal to number of children read %zu",
+                  nr_subkeys_in_nk, nr_children);
+       goto error;
+     } else {
+-- 
+2.33.0
+

0001-ocaml-Link-the-C-bindings-with-LDFLAGS-RHBZ-1548536.patch

@@ -1,48 +0,0 @@
-From be51757920b56a77e2e63247f9a8409ce994d33c Mon Sep 17 00:00:00 2001
-From: "Richard W.M. Jones" <rjones@redhat.com>
-Date: Mon, 26 Feb 2018 12:38:12 +0000
-Subject: [PATCH] ocaml: Link the C bindings with LDFLAGS (RHBZ#1548536).
-
-Use the ocamlmklib -ldopt flag to pass the general $(LDFLAGS) when
-calling gcc to link dllmlhivex.so.  We were already passing $(CFLAGS)
-when building the object file.
-
-When building using Fedora's standard hardening flags this gives:
-
-ocamlmklib -o mlhivex hivex_c.o hivex.cmo \
-    -verbose -ldopt '-Wl,-z,relro -specs=/usr/lib/rpm/redhat/redhat-hardened-ld' \
-    -L../lib/.libs -lhivex
-+ gcc -shared  -o ./dllmlhivex.so hivex_c.o  -Wl,-z,relro -specs=/usr/lib/rpm/redhat/redhat-hardened-ld  -L../lib/.libs -lhivex
-+ ar rc ./libmlhivex.a  hivex_c.o; ranlib ./libmlhivex.a
-+ /usr/bin/ocamlc -a    -o mlhivex.cma  hivex.cmo -dllib -lmlhivex -cclib -lmlhivex   -cclib -L../lib/.libs -cclib -lhivex
-
-This also works if $(LDFLAGS) is empty, because ocamlmklib ignores
--ldopt ''.
----
- ocaml/Makefile.am | 8 ++++++--
- 1 file changed, 6 insertions(+), 2 deletions(-)
-
-diff --git a/ocaml/Makefile.am b/ocaml/Makefile.am
-index 61db095..85655b6 100644
---- a/ocaml/Makefile.am
-+++ b/ocaml/Makefile.am
-@@ -41,10 +41,14 @@ OBJS = hivex_c.o hivex.cmo
- XOBJS = $(OBJS:.cmo=.cmx)
- 
- mlhivex.cma: $(OBJS)
--	$(OCAMLMKLIB) -o mlhivex $^ -L$(top_builddir)/lib/.libs -lhivex
-+	$(OCAMLMKLIB) -o mlhivex $^ \
-+	    -ldopt '$(LDFLAGS)' \
-+	    -L$(top_builddir)/lib/.libs -lhivex
- 
- mlhivex.cmxa: $(XOBJS)
--	$(OCAMLMKLIB) -o mlhivex $^ -L$(top_builddir)/lib/.libs -lhivex
-+	$(OCAMLMKLIB) -o mlhivex $^ \
-+	    -ldopt '$(LDFLAGS)' \
-+	    -L$(top_builddir)/lib/.libs -lhivex
- 
- hivex_c.o: hivex_c.c
- 	$(CC) $(AM_CPPFLAGS) $(CFLAGS) -fPIC -Wall -c $<
--- 
-2.13.2
-

CVE-2021-3504.patch

@@ -0,0 +1,72 @@
+From 8f1935733b10d974a1a4176d38dd151ed98cf381 Mon Sep 17 00:00:00 2001
+From: "Richard W.M. Jones" <rjones@redhat.com>
+Date: Thu, 15 Apr 2021 15:50:13 +0100
+Subject: [PATCH] lib/handle.c: Bounds check for block exceeding page length
+ (CVE-2021-3504)
+
+Hives are encoded as fixed-sized pages containing smaller variable-
+length blocks:
+
+  +-------------------+-------------------+-------------------+--
+  | header            |[ blk ][blk][ blk ]|[blk][blk][blk]    |
+  +-------------------+-------------------+-------------------+--
+
+Blocks should not straddle a page boundary.  However because blocks
+contain a 32 bit length field it is possible to construct an invalid
+hive where the last block in a page overlaps either the next page or
+the end of the file:
+
+  +-------------------+-------------------+
+  | header            |[ blk ][blk][ blk ..... ]
+  +-------------------+-------------------+
+
+Hivex lacked a bounds check and would process the registry.  Because
+the rest of the code assumes this situation can never happen it was
+possible to have a block containing some field (eg. a registry key
+name) which would extend beyond the end of the file.  Hivex mmaps or
+mallocs the file, causing hivex to read memory beyond the end of the
+mapped region, resulting in reading other memory structures or a
+crash.  (Writing beyond the end of the mapped region seems to be
+impossible because we always allocate a new page before writing.)
+
+This commit adds a check which rejects the malformed registry on
+hivex_open.
+
+Credit: Jeremy Galindo, Sr Security Engineer, Datto.com
+Signed-off-by: Richard W.M. Jones <rjones@redhat.com>
+Fixes: CVE-2021-3504
+Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1949687
+---
+ lib/handle.c | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+diff --git a/lib/handle.c b/lib/handle.c
+index 88b1563..2e4231a 100644
+--- a/lib/handle.c
++++ b/lib/handle.c
+@@ -353,8 +353,8 @@ hivex_open (const char *filename, int flags)
+ #pragma GCC diagnostic pop
+         if (is_root || !h->unsafe) {
+           SET_ERRNO (ENOTSUP,
+-                     "%s, the block at 0x%zx has invalid size %" PRIu32
+-                     ", bad registry",
++                     "%s, the block at 0x%zx size %" PRIu32
++                     " <= 4 or not a multiple of 4, bad registry",
+                      filename, blkoff, le32toh (block->seg_len));
+           goto error;
+         } else {
+@@ -365,6 +365,14 @@ hivex_open (const char *filename, int flags)
+         }
+       }
+ 
++      if (blkoff + seg_len > off + page_size) {
++        SET_ERRNO (ENOTSUP,
++                   "%s, the block at 0x%zx size %" PRIu32
++                   " extends beyond the current page, bad registry",
++                   filename, blkoff, le32toh (block->seg_len));
++        goto error;
++      }
++
+       if (h->msglvl >= 2) {
+         unsigned char *id = (unsigned char *) block->id;
+         int id0 = id[0], id1 = id[1];

CVE-2021-3622.patch

@@ -0,0 +1,92 @@
+From 771728218dac2fbf6997a7e53225e75a4c6b7255 Mon Sep 17 00:00:00 2001
+From: "Richard W.M. Jones" <rjones@redhat.com>
+Date: Thu, 8 Jul 2021 19:00:45 +0100
+Subject: [PATCH] lib/node.c: Limit recursion in ri-records (CVE-2021-3622)
+
+Windows Registry hive "ri"-records are arbitrarily nested B-tree-like
+structures:
+
+  +-------------+
+  | ri          |
+  |-------------|
+  | nr_offsets  |
+  |   offset[0] ------>  points to another lf/lh/li/ri block
+  |   offset[1] ------>
+  |   offset[2] ------>
+  +-------------+
+
+It is possible to construct a hive with a very deeply nested tree of
+ri-records, causing the internal _get_children function to recurse to
+any depth which can cause programs linked to hivex to crash with a
+stack overflow.
+
+Since it is not thought that deeply nested ri-records occur in real
+hives, limit recursion depth.  If you hit this limit you will see the
+following error and the operation will return an error instead of
+crashing:
+
+  \> ls
+  hivex: _get_children: returning EINVAL because: ri-record nested to depth >= 32
+  ls: Invalid argument
+
+Thanks to Jeremy Galindo for finding and reporting this bug.
+
+Reported-by: Jeremy Galindo, Sr Security Engineer, Datto.com
+Signed-off-by: Richard W.M. Jones <rjones@redhat.com>
+Fixes: CVE-2021-3622
+Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1975489
+(cherry picked from commit 781a12c4a49dd81365c9c567c5aa5e19e894ba0e)
+---
+ lib/node.c | 18 ++++++++++++++----
+ 1 file changed, 14 insertions(+), 4 deletions(-)
+
+diff --git a/lib/node.c b/lib/node.c
+index 7b002a4..eb7fe93 100644
+--- a/lib/node.c
++++ b/lib/node.c
+@@ -203,7 +203,7 @@ hivex_node_classname (hive_h *h, hive_node_h node)
+ 
+ static int _get_children (hive_h *h, hive_node_h blkoff,
+                           offset_list *children, offset_list *blocks,
+-                          int flags);
++                          int flags, unsigned depth);
+ static int check_child_is_nk_block (hive_h *h, hive_node_h child, int flags);
+ 
+ /* Iterate over children (ie. subkeys of a node), returning child
+@@ -335,7 +335,7 @@ _hivex_get_children (hive_h *h, hive_node_h node,
+     goto error;
+   }
+ 
+-  if (_get_children (h, subkey_lf, &children, &blocks, flags) == -1)
++  if (_get_children (h, subkey_lf, &children, &blocks, flags, 0) == -1)
+     goto error;
+ 
+   /* Check the number of children we ended up reading matches
+@@ -383,7 +383,7 @@ _hivex_get_children (hive_h *h, hive_node_h node,
+ static int
+ _get_children (hive_h *h, hive_node_h blkoff,
+                offset_list *children, offset_list *blocks,
+-               int flags)
++               int flags, unsigned depth)
+ {
+   /* Add this intermediate block. */
+   if (_hivex_add_to_offset_list (blocks, blkoff) == -1)
+@@ -486,7 +486,17 @@ _get_children (hive_h *h, hive_node_h blkoff,
+         }
+       }
+ 
+-      if (_get_children (h, offset, children, blocks, flags) == -1)
++      /* Although in theory hive ri records might be nested to any
++       * depth, in practice this is unlikely.  Recursing here caused
++       * CVE-2021-3622.  Thus limit the depth we will recurse to
++       * something small.
++       */
++      if (depth >= 32) {
++        SET_ERRNO (EINVAL, "ri-record nested to depth >= %u", depth);
++        return -1;
++      }
++
++      if (_get_children (h, offset, children, blocks, flags, depth+1) == -1)
+         return -1;
+     }
+   }

hivex-1.3.15.tar.gz.sig

@@ -1,16 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQIcBAABAgAGBQJalDSOAAoJEJFzj3Pht2igdNYP/2R2+SkPNutZfQpUZfiKD/vQ
-RRAQjePYncUjNUc2WgX7LXmJN1z9WfKRzUGqQG7sD/B7BnecBtEOP4Dyw5PpjgBQ
-ae4ErdeU6uFv5xSiprnYErfGJrhYSBfDKilDjrdO7J4AlTlVVlgfeb7C5TopER81
-brVJ7iXuF6rbZmQP3c0D3GWdez3Nw719e6MmdM9FFGQQS8hg9vZlNYQPyiFEQx1U
-nNjSMaoft+OWYEQp56arjPOLj4JiIcIH9B/HLu8Tcl4FEogTCVyMsodyEFXzfBUm
-21UfIn/RNEXjI8DJ/k7kh35uWEwv8hb/0YszGAWNpSt+rrdx9+decjNdNI2DZs65
-XEcuboWN7UOZJf2p+8f78QVcbwNPRjpnfGZaVLYJYNON3y/lyvhrA8je5FOzsyVA
-4G6BwU3ythoS2NTK3Q76I7UdMDvz6vydgsLAruVVtMX5x1M7fXoplRxi1nkRjCvQ
-Qgmo0L/rwwDUitRmlRyyJqZK7j+lMlltuZAck9XCUtd72VRAUj4f56I8Xo2wwT0Y
-ioFer6o02K18pjhGLikV4ujUUKAkC1lAK1QhsEsp7y2isOe1mA3ptcGrz4rElcaH
-f78Yr7b28Gl9HSGg98uhYEwWVCl5fUwXhDUQVVNutDRPKI479O390uGG7ZNZTghS
-Lv/P/Uz1ijp+m8Hi5WsX
-=gmjv
------END PGP SIGNATURE-----

hivex-1.3.17.tar.gz.sig

@@ -0,0 +1,17 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQJFBAABCAAvFiEE93dPsa0HSn6Mh2fqkXOPc+G3aKAFAlxHnNsRHHJpY2hAYW5u
+ZXhpYS5vcmcACgkQkXOPc+G3aKCbkxAAortQKeA7TDTeiTk3dwI/tQ+4VVqe90lt
+L/xWnDtR6ZH5DZ4FgcJbaKx9PCBtaQxyFBjA5qcrEClK8fTfm3NGNPQuSX4YDN83
+3jJx2uOtM7Io5hpFrXeWC22m77dqQKeU0r1oblJtf1kK1SEef6HL44flCtGr+HlM
+37nwm29ToSl5Ksp9XvBqT5smQVuUPjqwcm+4jYUR88SnFmkTpneZYYTstDbqzvUm
+RT089O/q+4JLh6egfyA66wXTfzhsqe3HRZtG7pPhe+j/HBIfYmAigEi4Cm/6pFrc
+vNJAZ9KJ50no69A2jZ86Dfy4/4nwjYc/aDZ0vIZ4Fairj+LzTxQwfQeYk1BCqb2z
+XNNRl3pUDkrk3jrAPnxqR2z/2qsEgoSrVDEQlhVUZ1n/WOTqxst1F0YHOeHHWun5
+O1d2nV8i1A8JAysHx77smKscpKtu4jcymr4SmqXYSG90BvuqxJgpPsX6rln38DKX
+qA3Zj7wKkqOTBbX+JInBwMcWOzzAO38hQkQjuOG71CQ6CKVGdnovp4OHDcwsmkp4
+KbCjnXgIl5DOxCrnVaWtPV5Zy6smst982fG0zPD/m42Dz7+Tb4O1np8zfLH9C4Dx
+CdD3otIo0XOJM50Bvu9Oqn/SP8j8nDqMZtiCg+gXBRyVdl37EGqtwd/2bt7TRWSV
+xmddKuLdf6Q=
+=+f/m
+-----END PGP SIGNATURE-----

hivex.spec

@@ -5,8 +5,8 @@
 %endif
 
 Name:           hivex
-Version:        1.3.15
-Release:        12
+Version:        1.3.17
+Release:        5
 Summary:        Windows Registry "hive" extraction library
 License:        LGPLv2
 URL:            http://libguestfs.org/
@@ -14,11 +14,11 @@ URL:            http://libguestfs.org/
 Source0:        http://libguestfs.org/download/hivex/%{name}-%{version}.tar.gz
 Source1:        http://libguestfs.org/download/hivex/%{name}-%{version}.tar.gz.sig
 Source2:        libguestfs.keyring
+Patch0:         CVE-2021-3504.patch
+Patch1:         CVE-2021-3622.patch
+Patch2:         0001-lib-node.c-Fix-minor-typo-in-error-message.patch
 
-Patch1:         0001-ocaml-Link-the-C-bindings-with-LDFLAGS-RHBZ-1548536.patch
-
-BuildRequires:  autoconf, automake, libtool, gettext-devel, perl-interpreter, perl-devel, perl-generators, perl, perl-podlators
-BuildRequires:  perl(bytes), perl(Carp), perl(Encode), perl(ExtUtils::MakeMaker), perl(Exporter), perl(IO::Scalar), perl(IO::Stringy), perl(strict), perl(Test::More), perl(utf8), perl(vars), perl(warnings), perl(XSLoader), perl(Test::Pod) >= 1.00, perl(Test::Pod::Coverage) >= 1.00
+BuildRequires:  perl-interpreter, perl, perl-podlators, perl-devel, perl-generators, perl(bytes), perl(Carp), perl(Encode), perl(ExtUtils::MakeMaker), perl(Exporter), perl(IO::Scalar), perl(IO::Stringy), perl(strict), perl(Test::More), perl(utf8), perl(vars), perl(warnings), perl(XSLoader), perl(Test::Pod) >= 1.00, perl(Test::Pod::Coverage) >= 1.00
 
 %if %{with ocaml}
 BuildRequires:  ocaml
@@ -29,6 +29,7 @@ BuildRequires:  python2-devel, python-unversioned-command, python3-devel, ruby-d
 
 Provides:      bundled(gnulib)
 
+
 %description
 Hivex is a library for extracting the contents of Windows Registry "hive" files.  It is designed to be secure against buggy or
 malicious registry files.
@@ -44,14 +45,14 @@ If you just want to export or modify the Registry of a Windows virtual machine,
 
 Hivex is also comes with language bindings for OCaml, Perl, Python and Ruby.
 
+
 %package devel
 Summary:        Development package for %{name}
 Requires:       %{name} = %{version}-%{release}
 Requires:       pkgconfig
 
-Provides:       %{name}-devel
-Obsoletes:      %{name}-devel
-
+Provides:       %{name}-static = %{version}-%{release}
+Obsoletes:      %{name}-static < %{version}-%{release}
 
 %description devel
 Development tools and libraries for %{name} are included in %{name}-devel.
@@ -65,12 +66,11 @@ Development tools and libraries for %{name} are included in %{name}-devel.
 Summary:       Provide OCaml bindings for %{name}
 Requires:      %{name} = %{version}-%{release}
 
-
 %description -n ocaml-%{name}
 OCaml bindings for %{name} are included in ocaml-%{name}.
 
-This is for toplevel and scripting access only.  To compile OCaml
-programs which use %{name} you will also need ocaml-%{name}-devel.
+Only for toplevel and scripting access. To compile OCaml
+programs which use %{name} you will also need ocaml-%{name}-devel package.
 
 
 %package -n ocaml-%{name}-devel
@@ -78,7 +78,6 @@ Summary:       Development package for %{name} OCaml bindings
 Requires:      ocaml-%{name} = %{version}-%{release}
 Requires:      %{name}-devel = %{version}-%{release}
 
-
 %description -n ocaml-%{name}-devel
 Development libraries required to use the OCaml bindings for %{name} are in ocaml-%{name}-devel.
 %endif
@@ -89,7 +88,6 @@ Summary:       Provide perl bindings for %{name}
 Requires:      %{name} = %{version}-%{release}
 Requires:      perl(:MODULE_COMPAT_%(eval "`%{__perl} -V:version`"; echo $version))
 
-
 %description -n perl-%{name}
 Perl bindings for %{name} are included in perl-%{name}.
 
@@ -128,10 +126,9 @@ Ruby bindings for %{name} are included ruby-%{name}.
 tmphome="$(mktemp -d)" && gpgv2 --homedir "$tmphome" --keyring %{SOURCE2} %{SOURCE1} %{SOURCE0}
 %autosetup -p1 -n %{name}-%{version}
 
-autoreconf -i -f
-
 copy="$(mktemp -d)" && cp -a . "$copy" && mv "$copy" python3
 
+
 %build
 %configure \
 %if !%{with ocaml}
@@ -147,22 +144,12 @@ cd python3
 %make_build V=1 INSTALLDIRS=vendor
 cd ..
 
+
 %install
 cd python3
-%make_install DESTDIR=$RPM_BUILD_ROOT INSTALLDIRS=vendor
+%make_install INSTALLDIRS=vendor
 cd ..
-%make_install DESTDIR=$RPM_BUILD_ROOT INSTALLDIRS=vendor
-
-#rm $RPM_BUILD_ROOT%{_libdir}/libhivex.la
-
-# Remove unwanted Perl files:
-# find $RPM_BUILD_ROOT -name perllocal.pod -delete
-# find $RPM_BUILD_ROOT -name .packlist -delete
-# find $RPM_BUILD_ROOT -name '*.bs' -delete
-
-# Remove unwanted Python files:
-# rm $RPM_BUILD_ROOT%{python2_sitearch}/libhivexmod.la
-# rm $RPM_BUILD_ROOT%{python3_sitearch}/libhivexmod.la
+%make_install INSTALLDIRS=vendor
 
 %find_lang %{name}
 
@@ -170,9 +157,7 @@ cd ..
 %check
 make check
 
-cd python3
-make check
-cd ..
+cd python3 && make check && cd ..
 
 
 %files -f %{name}.lang
@@ -247,5 +232,14 @@ cd ..
 
 
 %changelog
-* Sat Nov 30 2019 jiaxiya <jiaxiyajiaxiya@163.com> - 1.3.15-12
+* Thu Dec 21 2023 liyuanyuan <liyuanyuan@xfusion.com> - 1.3.17-5
+- lib/node.c: Fix minor typo in error message
+
+* Fri Sep 24 2021 yaoxin <yaoxin30@huawei.com> - 1.3.17-4
+- Fix CVE-2021-3622
+
+* Tue May 25 2021 wangyue <wangyue92@huawei.com> - 1.3.17-3
+- Fix CVE-2021-3504
+
+* Sat Nov 30 2019 jiaxiya <jiaxiyajiaxiya@163.com> - 1.3.17-2
 - Package init