packages/tar
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

!47 [sync] PR-46: fix CVE-2023-39804

Browse Source 
From: @openeuler-sync-bot 
Reviewed-by: @gaoruoshu 
Signed-off-by: @gaoruoshu
This commit is contained in:
openeuler-ci-bot 2023-12-22 03:15:32 +00:00 committed by Gitee
commit b7aeace1f0
No known key found for this signature in database
GPG Key ID: 173E9B9CA92EEF8F
2 changed files with 64 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

59
backport-CVE-2023-39804.patch Normal file
View File

@ -0,0 +1,59 @@
From a339f05cd269013fa133d2f148d73f6f7d4247e4 Mon Sep 17 00:00:00 2001
From: Sergey Poznyakoff <gray@gnu.org>
Date: Sat, 28 Aug 2021 16:02:12 +0300
Subject: Fix handling of extended header prefixes
* src/xheader.c (locate_handler): Recognize prefix keywords only
when followed by a dot.
(xattr_decoder): Use xmalloc/xstrdup instead of alloc
---
src/xheader.c | 17 +++++++++--------
1 file changed, 9 insertions(+), 8 deletions(-)
diff --git a/src/xheader.c b/src/xheader.c
index 4f8b2b2..3cd694d 100644
--- a/src/xheader.c
+++ b/src/xheader.c
@@ -637,11 +637,11 @@ static struct xhdr_tab const *
locate_handler (char const *keyword)
{
struct xhdr_tab const *p;
-
for (p = xhdr_tab; p->keyword; p++)
if (p->prefix)
{
- if (strncmp (p->keyword, keyword, strlen(p->keyword)) == 0)
+ size_t kwlen = strlen (p->keyword);
+ if (keyword[kwlen] == '.' && strncmp (p->keyword, keyword, kwlen) == 0)
return p;
}
else
@@ -1716,19 +1716,20 @@ xattr_decoder (struct tar_stat_info *st,
char const *keyword, char const *arg, size_t size)
{
char *xstr, *xkey;
-
+
/* copy keyword */
- size_t klen_raw = strlen (keyword);
- xkey = alloca (klen_raw + 1);
- memcpy (xkey, keyword, klen_raw + 1) /* including null-terminating */;
+ xkey = xstrdup (keyword);
/* copy value */
- xstr = alloca (size + 1);
+ xstr = xmalloc (size + 1);
memcpy (xstr, arg, size + 1); /* separator included, for GNU tar '\n' */;
xattr_decode_keyword (xkey);
- xheader_xattr_add (st, xkey + strlen("SCHILY.xattr."), xstr, size);
+ xheader_xattr_add (st, xkey + strlen ("SCHILY.xattr."), xstr, size);
+
+ free (xkey);
+ free (xstr);
}
static void
--
cgit v1.1

6
tar.spec
View File

@ -1,6 +1,6 @@
Name: tar Name: tar
Version: 1.34 Version: 1.34
Release: 4 Release: 5
Epoch: 2 Epoch: 2
Summary: An organized and systematic method of controlling a large amount of data Summary: An organized and systematic method of controlling a large amount of data
License: GPLv3+ License: GPLv3+
@ -20,6 +20,7 @@ Patch0003: tar-1.29-wildcards.patch
Patch0004: tar-1.28-atime-rofs.patch Patch0004: tar-1.28-atime-rofs.patch
Patch0005: tar-1.28-document-exclude-mistakes.patch Patch0005: tar-1.28-document-exclude-mistakes.patch
Patch0006: tar-Add-sw64-architecture.patch Patch0006: tar-Add-sw64-architecture.patch
Patch0007: backport-CVE-2023-39804.patch
%description %description
GNU Tar provides the ability to create tar archives, as well as various other GNU Tar provides the ability to create tar archives, as well as various other
@ -78,6 +79,9 @@ make check
%{_infodir}/tar.info* %{_infodir}/tar.info*
%changelog %changelog
* Mon Dec 04 2023 liningjie <liningjie@xfusion.com> 2:1.34-5
- fix CVE-2023-39840
* Wed Feb 08 2023 wangjiang <wangjiang37@h-partners.com> 2:1.34-4 * Wed Feb 08 2023 wangjiang <wangjiang37@h-partners.com> 2:1.34-4
- fix CVE-2022-48303 - fix CVE-2022-48303