Go to:
Gentoo Home
Documentation
Forums
Lists
Bugs
Planet
Store
Wiki
Get Gentoo!
Gentoo's Bugzilla – Attachment 124629 Details for
Bug 184984
app-arch/libarchive (former app-arch/bsdtar): multiple vulnerabilities
Home
|
New
–
[Ex]
|
Browse
|
Search
|
Privacy Policy
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
[x]
|
Forgot Password
Login:
[x]
[patch]
libarchive-6stable.patch
libarchive-6stable.patch (text/plain), 6.53 KB, created by
Diego Elio Pettenò (RETIRED)
on 2007-07-12 10:37:53 UTC
(
hide
)
Description:
libarchive-6stable.patch
Filename:
MIME Type:
Creator:
Diego Elio Pettenò (RETIRED)
Created:
2007-07-12 10:37:53 UTC
Size:
6.53 KB
patch
obsolete
>Index: lib/libarchive/archive_read_support_format_tar.c >=================================================================== >RCS file: /home/ncvs/src/lib/libarchive/archive_read_support_format_tar.c,v >retrieving revision 1.57 >diff -u -I__FBSDID -I$FreeBSD -r1.57 archive_read_support_format_tar.c >--- lib/libarchive/archive_read_support_format_tar.c 13 Jun 2007 03:35:37 -0000 1.57 >+++ lib/libarchive/archive_read_support_format_tar.c 10 Jul 2007 09:10:10 -0000 >@@ -690,7 +690,13 @@ > } > } > --tar->header_recursion_depth; >- return (err); >+ /* We return warnings or success as-is. Anything else is fatal. */ >+ if (err == ARCHIVE_WARN || err == ARCHIVE_OK) >+ return (err); >+ if (err == ARCHIVE_EOF) >+ /* EOF when recursively reading a header is bad. */ >+ archive_set_error(&a->archive, EINVAL, "Damaged tar archive"); >+ return (ARCHIVE_FATAL); > } > > /* >@@ -761,32 +767,55 @@ > header_Solaris_ACL(struct archive_read *a, struct tar *tar, > struct archive_entry *entry, const void *h) > { >- int err, err2; >- char *p; >+ const struct archive_entry_header_ustar *header; >+ size_t size; >+ int err; >+ char *acl, *p; > wchar_t *wp; > >+ /* >+ * read_body_to_string adds a NUL terminator, but we need a little >+ * more to make sure that we don't overrun acl_text later. >+ */ >+ header = (const struct archive_entry_header_ustar *)h; >+ size = tar_atol(header->size, sizeof(header->size)); > err = read_body_to_string(a, tar, &(tar->acl_text), h); >- err2 = tar_read_header(a, tar, entry); >- err = err_combine(err, err2); >- >- /* XXX Ensure p doesn't overrun acl_text */ >+ if (err != ARCHIVE_OK) >+ return (err); >+ err = tar_read_header(a, tar, entry); >+ if ((err != ARCHIVE_OK) && (err != ARCHIVE_WARN)) >+ return (err); > > /* Skip leading octal number. */ > /* XXX TODO: Parse the octal number and sanity-check it. */ >- p = tar->acl_text.s; >- while (*p != '\0') >+ p = acl = tar->acl_text.s; >+ while (*p != '\0' && p < acl + size) > p++; > p++; > >- wp = (wchar_t *)malloc((strlen(p) + 1) * sizeof(wchar_t)); >- if (wp != NULL) { >- utf8_decode(wp, p, strlen(p)); >- err2 = __archive_entry_acl_parse_w(entry, wp, >- ARCHIVE_ENTRY_ACL_TYPE_ACCESS); >- err = err_combine(err, err2); >- free(wp); >+ if (p >= acl + size) { >+ archive_set_error(&a->archive, ARCHIVE_ERRNO_MISC, >+ "Malformed Solaris ACL attribute"); >+ return(ARCHIVE_WARN); > } > >+ /* Skip leading octal number. */ >+ size -= (p - acl); >+ acl = p; >+ >+ while (*p != '\0' && p < acl + size) >+ p++; >+ >+ wp = (wchar_t *)malloc((p - acl + 1) * sizeof(wchar_t)); >+ if (wp == NULL) { >+ archive_set_error(&a->archive, ENOMEM, >+ "Can't allocate work buffer for ACL parsing"); >+ return (ARCHIVE_FATAL); >+ } >+ utf8_decode(wp, acl, p - acl); >+ err = __archive_entry_acl_parse_w(entry, wp, >+ ARCHIVE_ENTRY_ACL_TYPE_ACCESS); >+ free(wp); > return (err); > } > >@@ -797,15 +826,17 @@ > header_longlink(struct archive_read *a, struct tar *tar, > struct archive_entry *entry, const void *h) > { >- int err, err2; >+ int err; > > err = read_body_to_string(a, tar, &(tar->longlink), h); >- err2 = tar_read_header(a, tar, entry); >- if (err == ARCHIVE_OK && err2 == ARCHIVE_OK) { >- /* Set symlink if symlink already set, else hardlink. */ >- archive_entry_set_link(entry, tar->longlink.s); >- } >- return (err_combine(err, err2)); >+ if (err != ARCHIVE_OK) >+ return (err); >+ err = tar_read_header(a, tar, entry); >+ if ((err != ARCHIVE_OK) && (err != ARCHIVE_WARN)) >+ return (err); >+ /* Set symlink if symlink already set, else hardlink. */ >+ archive_entry_set_link(entry, tar->longlink.s); >+ return (ARCHIVE_OK); > } > > /* >@@ -815,14 +846,17 @@ > header_longname(struct archive_read *a, struct tar *tar, > struct archive_entry *entry, const void *h) > { >- int err, err2; >+ int err; > > err = read_body_to_string(a, tar, &(tar->longname), h); >+ if (err != ARCHIVE_OK) >+ return (err); > /* Read and parse "real" header, then override name. */ >- err2 = tar_read_header(a, tar, entry); >- if (err == ARCHIVE_OK && err2 == ARCHIVE_OK) >- archive_entry_set_pathname(entry, tar->longname.s); >- return (err_combine(err, err2)); >+ err = tar_read_header(a, tar, entry); >+ if ((err != ARCHIVE_OK) && (err != ARCHIVE_WARN)) >+ return (err); >+ archive_entry_set_pathname(entry, tar->longname.s); >+ return (ARCHIVE_OK); > } > > >@@ -855,6 +889,11 @@ > (void)tar; /* UNUSED */ > header = (const struct archive_entry_header_ustar *)h; > size = tar_atol(header->size, sizeof(header->size)); >+ if ((size > 1048576) || (size < 0)) { >+ archive_set_error(&a->archive, EINVAL, >+ "Special header too large"); >+ return (ARCHIVE_FATAL); >+ } > > /* Read the body into the string. */ > archive_string_ensure(as, size+1); >@@ -862,6 +901,8 @@ > dest = as->s; > while (padded_size > 0) { > bytes_read = (a->decompressor->read_ahead)(a, &src, padded_size); >+ if (bytes_read == 0) >+ return (ARCHIVE_EOF); > if (bytes_read < 0) > return (ARCHIVE_FATAL); > if (bytes_read > padded_size) >@@ -1052,11 +1093,13 @@ > header_pax_global(struct archive_read *a, struct tar *tar, > struct archive_entry *entry, const void *h) > { >- int err, err2; >+ int err; > > err = read_body_to_string(a, tar, &(tar->pax_global), h); >- err2 = tar_read_header(a, tar, entry); >- return (err_combine(err, err2)); >+ if (err != ARCHIVE_OK) >+ return (err); >+ err = tar_read_header(a, tar, entry); >+ return (err); > } > > static int >@@ -1065,10 +1108,14 @@ > { > int err, err2; > >- read_body_to_string(a, tar, &(tar->pax_header), h); >+ err = read_body_to_string(a, tar, &(tar->pax_header), h); >+ if (err != ARCHIVE_OK) >+ return (err); > > /* Parse the next header. */ > err = tar_read_header(a, tar, entry); >+ if ((err != ARCHIVE_OK) && (err != ARCHIVE_WARN)) >+ return (err); > > /* > * TODO: Parse global/default options into 'entry' struct here >@@ -1165,8 +1212,11 @@ > l--; > break; > } >- if (*p < '0' || *p > '9') >- return (-1); >+ if (*p < '0' || *p > '9') { >+ archive_set_error(&a->archive, ARCHIVE_ERRNO_MISC, >+ "Ignoring malformed pax extended attributes"); >+ return (ARCHIVE_WARN); >+ } > line_length *= 10; > line_length += *p - '0'; > if (line_length > 999999) { >@@ -1178,8 +1228,19 @@ > l--; > } > >- if (line_length > attr_length) >- return (0); >+ /* >+ * Parsed length must be no bigger than available data, >+ * at least 1, and the last character of the line must >+ * be '\n'. >+ */ >+ if (line_length > attr_length >+ || line_length < 1 >+ || attr[line_length - 1] != '\n') >+ { >+ archive_set_error(&a->archive, ARCHIVE_ERRNO_MISC, >+ "Ignoring malformed pax extended attribute"); >+ return (ARCHIVE_WARN); >+ } > > /* Ensure pax_entry buffer is big enough. */ > if (tar->pax_entry_length <= line_length) {
<b>You cannot view the attachment while viewing its details because your browser does not support IFRAMEs. <a href="attachment.cgi?id=124629">View the attachment on a separate page</a>.</b>
View Attachment As Diff
View Attachment As Raw
Actions:
View
|
Diff
Attachments on
bug 184984
: 124629 |
124630
