packages/ant
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

fix CVE-2021-36373 CVE-2021-36374

Browse Source
This commit is contained in:
starlet_dx 2021-07-19 11:22:48 +08:00
parent e7d27bd10a
commit 7f6fce9cb4
2 changed files with 128 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

122
CVE-2021-36373-CVE-2021-36374.patch Normal file
View File

@ -0,0 +1,122 @@
From 6594a2d66f7f060dafcbbf094dd60676db19a842 Mon Sep 17 00:00:00 2001
From: Stefan Bodewig <bodewig@apache.org>
Date: Sat, 10 Jul 2021 11:10:12 +0200
Subject: [PATCH] port some fixes from Commons Compress
---
.../org/apache/tools/tar/TarInputStream.java | 7 +++++--
.../org/apache/tools/zip/AsiExtraField.java | 12 +++++++----
src/main/org/apache/tools/zip/ZipFile.java | 20 ++++++++++++++++++-
3 files changed, 32 insertions(+), 7 deletions(-)
diff --git a/src/main/org/apache/tools/tar/TarInputStream.java b/src/main/org/apache/tools/tar/TarInputStream.java
index 0477d5c..71e4cc0 100644
--- a/src/main/org/apache/tools/tar/TarInputStream.java
+++ b/src/main/org/apache/tools/tar/TarInputStream.java
@@ -436,11 +436,13 @@ public class TarInputStream extends FilterInputStream {
String keyword = coll.toString("UTF-8");
// Get rest of entry
final int restLen = len - read;
- byte[] rest = new byte[restLen];
+ ByteArrayOutputStream bos = new ByteArrayOutputStream();
int got = 0;
while (got < restLen && (ch = i.read()) != -1) {
- rest[got++] = (byte) ch;
+ bos.write((byte) ch);
+ got++;
}
+ bos.close();
if (got != restLen) {
throw new IOException("Failed to read "
+ "Paxheader. Expected "
@@ -448,6 +450,7 @@ public class TarInputStream extends FilterInputStream {
+ " bytes, read "
+ got);
}
+ byte[] rest = bos.toByteArray();
// Drop trailing NL
String value = new String(rest, 0,
restLen - 1, StandardCharsets.UTF_8);
diff --git a/src/main/org/apache/tools/zip/AsiExtraField.java b/src/main/org/apache/tools/zip/AsiExtraField.java
index 8afddb5..fdd81c6 100644
--- a/src/main/org/apache/tools/zip/AsiExtraField.java
+++ b/src/main/org/apache/tools/zip/AsiExtraField.java
@@ -307,14 +307,18 @@ public class AsiExtraField implements ZipExtraField, UnixStat, Cloneable {
int newMode = ZipShort.getValue(tmp, 0);
// CheckStyle:MagicNumber OFF
- byte[] linkArray = new byte[(int) ZipLong.getValue(tmp, 2)];
+ final int linkArrayLength = (int) ZipLong.getValue(tmp, 2);
+ if (linkArrayLength < 0 || linkArrayLength > tmp.length - 10) {
+ throw new ZipException("Bad symbolic link name length " + linkArrayLength
+ + " in ASI extra field");
+ }
uid = ZipShort.getValue(tmp, 6);
gid = ZipShort.getValue(tmp, 8);
-
- if (linkArray.length == 0) {
+ if (linkArrayLength == 0) {
link = "";
} else {
- System.arraycopy(tmp, 10, linkArray, 0, linkArray.length);
+ final byte[] linkArray = new byte[linkArrayLength];
+ System.arraycopy(tmp, 10, linkArray, 0, linkArrayLength);
link = new String(linkArray); // Uses default charset - see class Javadoc
}
// CheckStyle:MagicNumber ON
diff --git a/src/main/org/apache/tools/zip/ZipFile.java b/src/main/org/apache/tools/zip/ZipFile.java
index dfb6bcf..8806ae7 100644
--- a/src/main/org/apache/tools/zip/ZipFile.java
+++ b/src/main/org/apache/tools/zip/ZipFile.java
@@ -541,6 +541,9 @@ public class ZipFile implements Closeable {
ze.setExternalAttributes(ZipLong.getValue(CFH_BUF, off));
off += WORD;
+ if (archive.length() - archive.getFilePointer() < fileNameLen) {
+ throw new EOFException();
+ }
final byte[] fileName = new byte[fileNameLen];
archive.readFully(fileName);
ze.setName(entryEncoding.decode(fileName), fileName);
@@ -550,12 +553,18 @@ public class ZipFile implements Closeable {
// data offset will be filled later
entries.add(ze);
+ if (archive.length() - archive.getFilePointer() < extraLen) {
+ throw new EOFException();
+ }
final byte[] cdExtraData = new byte[extraLen];
archive.readFully(cdExtraData);
ze.setCentralDirectoryExtra(cdExtraData);
setSizesAndOffsetFromZip64Extra(ze, offset, diskStart);
+ if (archive.length() - archive.getFilePointer() < commentLen) {
+ throw new EOFException();
+ }
final byte[] comment = new byte[commentLen];
archive.readFully(comment);
ze.setComment(entryEncoding.decode(comment));
@@ -881,9 +890,18 @@ public class ZipFile implements Closeable {
}
lenToSkip -= skipped;
}
+ if (archive.length() - archive.getFilePointer() < extraFieldLen) {
+ throw new EOFException();
+ }
final byte[] localExtraData = new byte[extraFieldLen];
archive.readFully(localExtraData);
- ze.setExtra(localExtraData);
+ try {
+ ze.setExtra(localExtraData);
+ } catch (RuntimeException ex) {
+ final ZipException z = new ZipException("Invalid extra data in entry " + ze.getName());
+ z.initCause(ex);
+ throw z;
+ }
offsetEntry.dataOffset = offset + LFH_OFFSET_FOR_FILENAME_LENGTH
+ SHORT + SHORT + fileNameLen + extraFieldLen;
--
2.27.0

7
ant.spec
View File

@ -4,7 +4,7 @@
Name: ant
Summary: A Java-based build tool
Version: 1.10.8
Release: 3
Release: 4
Epoch: 0
License: ASL 2.0
URL: https://ant.apache.org/
@ -13,6 +13,8 @@ Source2: apache-ant-1.8.ant.conf
# Patch 0-1 are used for repair CVE-2020-11979
Patch0: Fallback-to-a-separate-owner-only-tempdir-if-possible.patch
Patch1: Document-why-we-are-actually-removing-the-file-before-writing.patch
Patch2: CVE-2021-36373-CVE-2021-36374.patch
BuildRequires: javapackages-local java-1.8.0-devel ant >= 1.10.2
BuildRequires: ant-junit xmlto mvn(antlr:antlr) mvn(bcel:bcel)
BuildRequires: mvn(bsf:bsf) mvn(com.jcraft:jsch) mvn(commons-logging:commons-logging-api)
@ -424,6 +426,9 @@ LC_ALL=en_US.utf8 %{ant} test
%{_javadocdir}/%{name}
%changelog
* Mon Jul 19 2021 yaoxin <yaoxin30@huawei.com> - 0:1.10.8-4
- Fix CVE-2021-36373 CVE-2021-36374
* Mon Nov 30 2020 huanghaitao <huanghaitao8@huawei.com> - 0:1.10.8-3
- Fix CVE-2020-11979