!54 [sync] PR-50: liblzma: Add overflow check for Unpadded size in lzma_index_append

From: @openeuler-sync-bot 
Reviewed-by: @dillon_chen 
Signed-off-by: @dillon_chen

backport-CVE-2022-1271.patch

@@ -0,0 +1,94 @@
+From 69d1b3fc29677af8ade8dc15dba83f0589cb63d6 Mon Sep 17 00:00:00 2001
+From: Lasse Collin <lasse.collin@tukaani.org>
+Date: Tue, 29 Mar 2022 19:19:12 +0300
+Subject: [PATCH] xzgrep: Fix escaping of malicious filenames (ZDI-CAN-16587).
+
+Malicious filenames can make xzgrep to write to arbitrary files
+or (with a GNU sed extension) lead to arbitrary code execution.
+
+xzgrep from XZ Utils versions up to and including 5.2.5 are
+affected. 5.3.1alpha and 5.3.2alpha are affected as well.
+This patch works for all of them.
+
+This bug was inherited from gzip's zgrep. gzip 1.12 includes
+a fix for zgrep.
+
+The issue with the old sed script is that with multiple newlines,
+the N-command will read the second line of input, then the
+s-commands will be skipped because it's not the end of the
+file yet, then a new sed cycle starts and the pattern space
+is printed and emptied. So only the last line or two get escaped.
+
+One way to fix this would be to read all lines into the pattern
+space first. However, the included fix is even simpler: All lines
+except the last line get a backslash appended at the end. To ensure
+that shell command substitution doesn't eat a possible trailing
+newline, a colon is appended to the filename before escaping.
+The colon is later used to separate the filename from the grep
+output so it is fine to add it here instead of a few lines later.
+
+The old code also wasn't POSIX compliant as it used \n in the
+replacement section of the s-command. Using \<newline> is the
+POSIX compatible method.
+
+LC_ALL=C was added to the two critical sed commands. POSIX sed
+manual recommends it when using sed to manipulate pathnames
+because in other locales invalid multibyte sequences might
+cause issues with some sed implementations. In case of GNU sed,
+these particular sed scripts wouldn't have such problems but some
+other scripts could have, see:
+
+info '(sed)Locale Considerations'
+
+This vulnerability was discovered by:
+cleemy desu wayo working with Trend Micro Zero Day Initiative
+
+Thanks to Jim Meyering and Paul Eggert discussing the different
+ways to fix this and for coordinating the patch release schedule
+with gzip.
+---
+ src/scripts/xzgrep.in | 20 ++++++++++++--------
+ 1 file changed, 12 insertions(+), 8 deletions(-)
+
+diff --git a/src/scripts/xzgrep.in b/src/scripts/xzgrep.in
+index 9db5c3a..f64dddb 100644
+--- a/src/scripts/xzgrep.in
++++ b/src/scripts/xzgrep.in
+@@ -179,22 +179,26 @@ for i; do
+          { test $# -eq 1 || test $no_filename -eq 1; }; then
+       eval "$grep"
+     else
++      # Append a colon so that the last character will never be a newline
++      # which would otherwise get lost in shell command substitution.
++      i="$i:"
++
++      # Escape & \ | and newlines only if such characters are present
++      # (speed optimization).
+       case $i in
+       (*'
+ '* | *'&'* | *'\'* | *'|'*)
+-        i=$(printf '%s\n' "$i" |
+-            sed '
+-              $!N
+-              $s/[&\|]/\\&/g
+-              $s/\n/\\n/g
+-            ');;
++        i=$(printf '%s\n' "$i" | LC_ALL=C sed 's/[&\|]/\\&/g; $!s/$/\\/');;
+       esac
+-      sed_script="s|^|$i:|"
++
++      # $i already ends with a colon so don't add it here.
++      sed_script="s|^|$i|"
+ 
+       # Fail if grep or sed fails.
+       r=$(
+         exec 4>&1
+-        (eval "$grep" 4>&-; echo $? >&4) 3>&- | sed "$sed_script" >&3 4>&-
++        (eval "$grep" 4>&-; echo $? >&4) 3>&- |
++            LC_ALL=C sed "$sed_script" >&3 4>&-
+       ) || r=2
+       exit $r
+     fi >&3 5>&-
+-- 
+1.8.3.1
+

backport-liblzma-Add-overflow-check-for-Unpadded-size-in-lzma.patch

@@ -0,0 +1,60 @@
+From 68bda971bb8b666a009331455fcedb4e18d837a4  Mon Sep 17 00:00:00 2001
+From: Jia Tan <jiat0218@gmail.com>
+Date: Mon, 28 Aug 2023 21:31:25 +0800
+Subject: [PATCH] liblzma: Add overflow check for Unpadded size in
+ lzma_index_append().
+
+This was not a security bug since there was no path to overflow
+UINT64_MAX in lzma_index_append() or when it calls index_file_size().
+The bug was discovered by a failing assert() in vli_ceil4() when called
+from index_file_size() when unpadded_sum (the sum of the compressed size
+of current Stream and the unpadded_size parameter) exceeds LZMA_VLI_MAX.
+
+Previously, the unpadded_size parameter was checked to be not greater
+than UNPADDED_SIZE_MAX, but no check was done once compressed_base was
+added.
+
+This could not have caused an integer overflow in index_file_size() when
+called by lzma_index_append(). The calculation for file_size breaks down
+into the sum of:
+
+- Compressed base from all previous Streams
+- 2 * LZMA_STREAM_HEADER_SIZE (size of the current Streams header and
+  footer)
+- stream_padding (can be set by lzma_index_stream_padding())
+- Compressed base from the current Stream
+- Unpadded size (parameter to lzma_index_append())
+
+The sum of everything except for Unpadded size must be less than
+LZMA_VLI_MAX. This is guarenteed by overflow checks in the functions
+that can set these values including lzma_index_stream_padding(),
+lzma_index_append(), and lzma_index_cat(). The maximum value for
+Unpadded size is enforced by lzma_index_append() to be less than or
+equal UNPADDED_SIZE_MAX. Thus, the sum cannot exceed UINT64_MAX since
+LZMA_VLI_MAX is half of UINT64_MAX.
+
+Thanks to Joona Kannisto for reporting this.
+---
+ src/liblzma/common/index.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/src/liblzma/common/index.c b/src/liblzma/common/index.c
+index a41e8f3..8c8ad46 100644
+--- a/src/liblzma/common/index.c
++++ b/src/liblzma/common/index.c
+@@ -656,6 +656,12 @@ lzma_index_append(lzma_index *i, const lzma_allocator *allocator,
+ 	const uint32_t index_list_size_add = lzma_vli_size(unpadded_size)
+ 			+ lzma_vli_size(uncompressed_size);
+ 
++	// Check that the new unpadded sum will not overflow. This is
++	// checked again in index_file_size(), but the unpadded sum is
++	// passed to vli_ceil4() which expects a valid lzma_vli value.
++	if (compressed_base + unpadded_size > UNPADDED_SIZE_MAX)
++		return LZMA_DATA_ERROR;
++
+ 	// Check that the file size will stay within limits.
+ 	if (index_file_size(s->node.compressed_base,
+ 			compressed_base + unpadded_size, s->record_count + 1,
+-- 
+2.23.0
+

colorxzgrep.csh

@@ -0,0 +1,5 @@
+/usr/libexec/grepconf.sh -c
+if ( $status == 1 ) exit
+alias xzgrep 'xzgrep --color=auto'
+alias xzfgrep 'xzfgrep --color=auto'
+alias xzegrep 'xzegrep --color=auto'

colorxzgrep.sh

@@ -0,0 +1,4 @@
+/usr/libexec/grepconf.sh -c || return
+alias xzgrep='xzgrep --color=auto' 2>/dev/null
+alias xzegrep='xzegrep --color=auto' 2>/dev/null
+alias xzfgrep='xzfgrep --color=auto' 2>/dev/null

liblzma-Avoid-memcpy-NULL-foo-0-because-it-is-undefi.patch

@@ -1,101 +0,0 @@
-From 2a22de439ec63da1927b640eda309296a1e8dce5 Mon Sep 17 00:00:00 2001
-From: Lasse Collin <lasse.collin@tukaani.org>
-Date: Mon, 13 May 2019 20:05:17 +0300
-Subject: [PATCH 14/14] liblzma: Avoid memcpy(NULL, foo, 0) because it is
- undefined behavior.
-
-I should have always known this but I didn't. Here is an example
-as a reminder to myself:
-
-    int mycopy(void *dest, void *src, size_t n)
-    {
-        memcpy(dest, src, n);
-        return dest == NULL;
-    }
-
-In the example, a compiler may assume that dest != NULL because
-passing NULL to memcpy() would be undefined behavior. Testing
-with GCC 8.2.1, mycopy(NULL, NULL, 0) returns 1 with -O0 and -O1.
-With -O2 the return value is 0 because the compiler infers that
-dest cannot be NULL because it was already used with memcpy()
-and thus the test for NULL gets optimized out.
-
-In liblzma, if a null-pointer was passed to memcpy(), there were
-no checks for NULL *after* the memcpy() call, so I cautiously
-suspect that it shouldn't have caused bad behavior in practice,
-but it's hard to be sure, and the problematic cases had to be
-fixed anyway.
-
-Thanks to Jeffrey Walton.
----
- src/liblzma/common/common.c       |  6 +++++-
- src/liblzma/lz/lz_decoder.c       | 12 +++++++++---
- src/liblzma/simple/simple_coder.c | 10 +++++++++-
- 3 files changed, 23 insertions(+), 5 deletions(-)
-
-diff --git a/src/liblzma/common/common.c b/src/liblzma/common/common.c
-index 1399b92..18453ae 100644
---- a/src/liblzma/common/common.c
-+++ b/src/liblzma/common/common.c
-@@ -99,7 +99,11 @@ lzma_bufcpy(const uint8_t *restrict in, size_t *restrict in_pos,
- 	const size_t out_avail = out_size - *out_pos;
- 	const size_t copy_size = my_min(in_avail, out_avail);
- 
--	memcpy(out + *out_pos, in + *in_pos, copy_size);
-+	// Call memcpy() only if there is something to copy. If there is
-+	// nothing to copy, in or out might be NULL and then the memcpy()
-+	// call would trigger undefined behavior.
-+	if (copy_size > 0)
-+		memcpy(out + *out_pos, in + *in_pos, copy_size);
- 
- 	*in_pos += copy_size;
- 	*out_pos += copy_size;
-diff --git a/src/liblzma/lz/lz_decoder.c b/src/liblzma/lz/lz_decoder.c
-index bb21d0d..6c9024e 100644
---- a/src/liblzma/lz/lz_decoder.c
-+++ b/src/liblzma/lz/lz_decoder.c
-@@ -91,11 +91,17 @@ decode_buffer(lzma_coder *coder,
- 				in, in_pos, in_size);
- 
- 		// Copy the decoded data from the dictionary to the out[]
--		// buffer.
-+		// buffer. Do it conditionally because out can be NULL
-+		// (in which case copy_size is always 0). Calling memcpy()
-+		// with a null-pointer is undefined even if the third
-+		// argument is 0.
- 		const size_t copy_size = coder->dict.pos - dict_start;
- 		assert(copy_size <= out_size - *out_pos);
--		memcpy(out + *out_pos, coder->dict.buf + dict_start,
--				copy_size);
-+
-+		if (copy_size > 0)
-+			memcpy(out + *out_pos, coder->dict.buf + dict_start,
-+					copy_size);
-+
- 		*out_pos += copy_size;
- 
- 		// Reset the dictionary if so requested by coder->lz.code().
-diff --git a/src/liblzma/simple/simple_coder.c b/src/liblzma/simple/simple_coder.c
-index 13ebabc..4f499be 100644
---- a/src/liblzma/simple/simple_coder.c
-+++ b/src/liblzma/simple/simple_coder.c
-@@ -118,7 +118,15 @@ simple_code(void *coder_ptr, const lzma_allocator *allocator,
- 		// coder->pos and coder->size yet. This way the coder can be
- 		// restarted if the next filter in the chain returns e.g.
- 		// LZMA_MEM_ERROR.
--		memcpy(out + *out_pos, coder->buffer + coder->pos, buf_avail);
-+		//
-+		// Do the memcpy() conditionally because out can be NULL
-+		// (in which case buf_avail is always 0). Calling memcpy()
-+		// with a null-pointer is undefined even if the third
-+		// argument is 0.
-+		if (buf_avail > 0)
-+			memcpy(out + *out_pos, coder->buffer + coder->pos,
-+					buf_avail);
-+
- 		*out_pos += buf_avail;
- 
- 		// Copy/Encode/Decode more data to out[].
--- 
-1.8.3.1
-

xz.spec

@@ -1,12 +1,15 @@
 Name:           xz
-Version:        5.2.4
+Version:        5.2.5
-Release:        10
+Release:        4
 Summary:        A free general-purpose data compreession software with LZMA2 algorithm
 License:        Public Domain, LGPLv2.1 and GPLv2+
 URL:            http://tukaani.org/xz
 Source0:        http://tukaani.org/%{name}/%{name}-%{version}.tar.xz
+Source1:        colorxzgrep.sh
+Source2:        colorxzgrep.csh
 
-Patch0:         liblzma-Avoid-memcpy-NULL-foo-0-because-it-is-undefi.patch
+Patch6000:      backport-CVE-2022-1271.patch
+Patch6001:      backport-liblzma-Add-overflow-check-for-Unpadded-size-in-lzma.patch
 
 BuildRequires:  perl-interpreter gcc
 
@@ -65,6 +68,12 @@ sed -i 's|^runpath_var=LD_RUN_PATH|runpath_var=DIE_RPATH_DIE|g' libtool
 %install
 %make_install
 
+# config color alias for xz*grep
+%global profiledir %{_sysconfdir}/profile.d
+mkdir -p %{buildroot}%{profiledir}
+install -p -m 644 %{SOURCE1} %{buildroot}%{profiledir}
+install -p -m 644 %{SOURCE2} %{buildroot}%{profiledir}
+
 %find_lang %name
 
 %check
@@ -75,6 +84,7 @@ LD_LIBRARY_PATH=$PWD/src/liblzma/.libs make check
 %doc %{_pkgdocdir}
 %license %{_pkgdocdir}/COPYING*
 %{_bindir}/*xz*
+%{profiledir}/*
 
 %exclude %_pkgdocdir/examples*
 %exclude %{_libdir}/*.la
@@ -98,8 +108,34 @@ LD_LIBRARY_PATH=$PWD/src/liblzma/.libs make check
 %files help
 %{_mandir}/man1/*lz*
 %{_mandir}/man1/*xz*
+%{_mandir}/de/man1/*lz*
+%{_mandir}/de/man1/*xz*
 
 %changelog
+* Wed May 22 2024 kouwenqi <kouwenqi@kylinos.cn> - 5.2.5-4
+- Type:enhancement
+- CVE:NA
+- SUG:NA
+- DESC:Add overflow check for Unpadded size in lzma_index_append
+
+* Fri Sep 23 2022 wangjiang <wangjiang37@h-partners.com> - 5.2.5-3
+- Type:enhancement
+- CVE:NA
+- SUG:NA
+- DESC:config color alias for xz*grep
+
+* Fri Apr 15 2022 liudabo <liudabo1@h-partners.com> - 5.2.5-2
+- Type:CVE
+- ID:CVE-2022-1271
+- SUG:NA
+- DESC:Fix CVE-2022-1271
+
+* Thu Jul 23 2020 shixuantong <shixuantong@huawei.com> - 5.2.5-1
+- Type:NA
+- ID:NA
+- SUG:NA
+- DESC:update to  5.2.5-1
+
 * Sat Mar 21 2020 shenyangyang<shenyangyang4@huawei.com> - 5.2.4-10
 - Type:enhancement
 - ID:NA

xz.yaml

@@ -0,0 +1,4 @@
+version_control: github
+src_repo: xz-mirror/xz
+tag_prefix: ^v
+seperator: .