From d04822c219a64fe7a5dc8eed578e3557854635d1 Mon Sep 17 00:00:00 2001 From: shixuantong <1726671442@qq.com> Date: Fri, 29 Jul 2022 10:20:00 +0800 Subject: [PATCH] fix CVE-2021-33643 CVE-2021-33644 CVE-2021-33645 CVE-2021-33646 (cherry picked from commit 7f0a7fb73bd0facbef5d754a64063a3f83544129) --- libtar.spec | 8 +- openEuler-CVE-2021-33643-CVE-2021-33644.patch | 40 ++++++ openEuler-CVE-2021-33645-CVE-2021-33646.patch | 119 ++++++++++++++++++ 3 files changed, 166 insertions(+), 1 deletion(-) create mode 100644 openEuler-CVE-2021-33643-CVE-2021-33644.patch create mode 100644 openEuler-CVE-2021-33645-CVE-2021-33646.patch diff --git a/libtar.spec b/libtar.spec index 6293118..4b3378f 100644 --- a/libtar.spec +++ b/libtar.spec @@ -1,6 +1,6 @@ Name: libtar Version: 1.2.20 -Release: 18 +Release: 19 Summary: Library for manipulating tar files from within C programs. License: BSD URL: http://repo.or.cz/libtar.git @@ -13,6 +13,9 @@ Patch3: libtar-1.2.11-bz729009.patch Patch4: libtar-1.2.20-no-static-buffer.patch Patch5: backport-CVE-2013-4420.patch +Patch9000: openEuler-CVE-2021-33643-CVE-2021-33644.patch +Patch9001: openEuler-CVE-2021-33645-CVE-2021-33646.patch + BuildRequires: libtool git gdb %description @@ -70,6 +73,9 @@ rm $RPM_BUILD_ROOT%{_libdir}/*.la %{_mandir}/man3/*.3* %changelog +* Fri Jul 29 2022 shixuantong - 1.2.20-19 +- fix CVE-2021-33643 CVE-2021-33644 CVE-2021-33645 CVE-2021-33646 + * Thu Dec 10 2020 shixuantong - 1.2.20-18 - fix CVE-2013-4420 diff --git a/openEuler-CVE-2021-33643-CVE-2021-33644.patch b/openEuler-CVE-2021-33643-CVE-2021-33644.patch new file mode 100644 index 0000000..b0b285f --- /dev/null +++ b/openEuler-CVE-2021-33643-CVE-2021-33644.patch @@ -0,0 +1,40 @@ +From 6bacfdcb84a4b80c7c026e926b7e1f84d6eed26d Mon Sep 17 00:00:00 2001 +From: shixuantong <1726671442@qq.com> +Date: Wed, 6 Apr 2022 17:40:57 +0800 +Subject: [PATCH] Ensure that sz is greater than 0. + +--- + lib/block.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/lib/block.c b/lib/block.c +index 092bc28..80b41ac 100644 +--- a/lib/block.c ++++ b/lib/block.c +@@ -118,6 +118,11 @@ th_read(TAR *t) + if (TH_ISLONGLINK(t)) + { + sz = th_get_size(t); ++ if ((int)sz <= 0) ++ { ++ errno = EINVAL; ++ return -1; ++ } + blocks = (sz / T_BLOCKSIZE) + (sz % T_BLOCKSIZE ? 1 : 0); + if (blocks > ((size_t)-1 / T_BLOCKSIZE)) + { +@@ -168,6 +173,11 @@ th_read(TAR *t) + if (TH_ISLONGNAME(t)) + { + sz = th_get_size(t); ++ if ((int)sz <= 0) ++ { ++ errno = EINVAL; ++ return -1; ++ } + blocks = (sz / T_BLOCKSIZE) + (sz % T_BLOCKSIZE ? 1 : 0); + if (blocks > ((size_t)-1 / T_BLOCKSIZE)) + { +-- +1.8.3.1 + diff --git a/openEuler-CVE-2021-33645-CVE-2021-33646.patch b/openEuler-CVE-2021-33645-CVE-2021-33646.patch new file mode 100644 index 0000000..9110901 --- /dev/null +++ b/openEuler-CVE-2021-33645-CVE-2021-33646.patch @@ -0,0 +1,119 @@ +From 8ba8e71a2b86d08ddd3478a4797170f95766c2af Mon Sep 17 00:00:00 2001 +From: shixuantong +Date: Sat, 7 May 2022 17:04:46 +0800 +Subject: [PATCH] fix memory leak + +--- + lib/libtar.h | 1 + + lib/util.c | 9 ++++++++- + lib/wrapper.c | 11 +++++++++++ + libtar/libtar.c | 3 +++ + 4 files changed, 23 insertions(+), 1 deletion(-) + +diff --git a/lib/libtar.h b/lib/libtar.h +index 08a8e0f..8b00e93 100644 +--- a/lib/libtar.h ++++ b/lib/libtar.h +@@ -285,6 +285,7 @@ int oct_to_int(char *oct); + /* integer to string-octal conversion, no NULL */ + void int_to_oct_nonull(int num, char *oct, size_t octlen); + ++void free_longlink_longname(struct tar_header th_buf); + + /***** wrapper.c **********************************************************/ + +diff --git a/lib/util.c b/lib/util.c +index 11438ef..8a42e62 100644 +--- a/lib/util.c ++++ b/lib/util.c +@@ -15,6 +15,7 @@ + #include + #include + #include ++#include + + #ifdef STDC_HEADERS + # include +@@ -160,4 +161,10 @@ int_to_oct_nonull(int num, char *oct, size_t octlen) + oct[octlen - 1] = ' '; + } + +- ++void free_longlink_longname(struct tar_header th_buf) ++{ ++ if (th_buf.gnu_longname != NULL) ++ free(th_buf.gnu_longname); ++ if (th_buf.gnu_longlink !=NULL) ++ free(th_buf.gnu_longlink); ++} +diff --git a/lib/wrapper.c b/lib/wrapper.c +index 44cc435..df6d617 100644 +--- a/lib/wrapper.c ++++ b/lib/wrapper.c +@@ -36,7 +36,10 @@ tar_extract_glob(TAR *t, char *globname, char *prefix) + if (fnmatch(globname, filename, FNM_PATHNAME | FNM_PERIOD)) + { + if (TH_ISREG(t) && tar_skip_regfile(t)) ++ { ++ free_longlink_longname(t->th_buf); + return -1; ++ } + continue; + } + if (t->options & TAR_VERBOSE) +@@ -46,9 +49,13 @@ tar_extract_glob(TAR *t, char *globname, char *prefix) + else + strlcpy(buf, filename, sizeof(buf)); + if (tar_extract_file(t, buf) != 0) ++ { ++ free_longlink_longname(t->th_buf); + return -1; ++ } + } + ++ free_longlink_longname(t->th_buf); + return (i == 1 ? 0 : -1); + } + +@@ -82,9 +89,13 @@ tar_extract_all(TAR *t, char *prefix) + "\"%s\")\n", buf); + #endif + if (tar_extract_file(t, buf) != 0) ++ { ++ free_longlink_longname(t->th_buf); + return -1; ++ } + } + ++ free_longlink_longname(t->th_buf); + return (i == 1 ? 0 : -1); + } + +diff --git a/libtar/libtar.c b/libtar/libtar.c +index 23f8741..7e7354f 100644 +--- a/libtar/libtar.c ++++ b/libtar/libtar.c +@@ -196,6 +196,7 @@ list(char *tarfile) + { + fprintf(stderr, "tar_skip_regfile(): %s\n", + strerror(errno)); ++ free_longlink_longname(t->th_buf); + return -1; + } + } +@@ -217,10 +218,12 @@ list(char *tarfile) + + if (tar_close(t) != 0) + { ++ free_longlink_longname(t->th_buf); + fprintf(stderr, "tar_close(): %s\n", strerror(errno)); + return -1; + } + ++ free_longlink_longname(t->th_buf); + return 0; + } + +-- +1.8.3.1 +