From f6c182b667fe22f97c982977d784ce56b9fb6bf1 Mon Sep 17 00:00:00 2001
From: Radek Brich
Date: Oct 24 2007 12:21:40 +0000
Subject: CVE-2007-4476
---
diff --git a/tar-1.17-safer_name_suffix.patch b/tar-1.17-safer_name_suffix.patch
new file mode 100644
index 0000000..796a999
--- /dev/null
+++ b/tar-1.17-safer_name_suffix.patch
@@ -0,0 +1,89 @@
+diff -up tar-1.17/lib/paxnames.c.safer_name_suffix tar-1.17/lib/paxnames.c
+--- tar-1.17/lib/paxnames.c.safer_name_suffix 2005-05-22 00:55:55.000000000 +0200
++++ tar-1.17/lib/paxnames.c 2007-10-22 17:32:54.000000000 +0200
+@@ -36,15 +36,27 @@ hash_string_compare (void const *name1,
+ return strcmp (name1, name2) == 0;
+ }
+
+-/* Return zero if TABLE contains a copy of STRING; otherwise, insert a
+- copy of STRING to TABLE and return 1. */
+-bool
+-hash_string_insert (Hash_table **table, char const *string)
++/* Return zero if TABLE contains a LEN-character long prefix of STRING,
++ otherwise, insert a newly allocated copy of this prefix to TABLE and
++ return 1. If RETURN_PREFIX is not NULL, point it to the allocated
++ copy. */
++static bool
++hash_string_insert_prefix (Hash_table **table, char const *string, size_t len,
++ const char **return_prefix)
+ {
+ Hash_table *t = *table;
+- char *s = xstrdup (string);
++ char *s;
+ char *e;
+
++ if (len)
++ {
++ s = xmalloc (len + 1);
++ memcpy (s, string, len);
++ s[len] = 0;
++ }
++ else
++ s = xstrdup (string);
++
+ if (! ((t
+ || (*table = t = hash_initialize (0, 0, hash_string_hasher,
+ hash_string_compare, 0)))
+@@ -52,7 +64,11 @@ hash_string_insert (Hash_table **table,
+ xalloc_die ();
+
+ if (e == s)
+- return 1;
++ {
++ if (return_prefix)
++ *return_prefix = s;
++ return 1;
++ }
+ else
+ {
+ free (s);
+@@ -60,6 +76,14 @@ hash_string_insert (Hash_table **table,
+ }
+ }
+
++/* Return zero if TABLE contains a copy of STRING; otherwise, insert a
++ copy of STRING to TABLE and return 1. */
++bool
++hash_string_insert (Hash_table **table, char const *string)
++{
++ return hash_string_insert_prefix (table, string, 0, NULL);
++}
++
+ /* Return 1 if TABLE contains STRING. */
+ bool
+ hash_string_lookup (Hash_table const *table, char const *string)
+@@ -88,7 +112,8 @@ removed_prefixes_p (void)
+ If ABSOLUTE_NAMES is 0, strip filesystem prefix from the file name.
*/
+
+ char *
+-safer_name_suffix (char const *file_name, bool link_target, bool absolute_names)
++safer_name_suffix (char const *file_name, bool link_target,
++ bool absolute_names)
+ {
+ char const *p;
+
+@@ -121,11 +146,9 @@ safer_name_suffix (char const *file_name
+
+ if (prefix_len)
+ {
+- char *prefix = alloca (prefix_len + 1);
+- memcpy (prefix, file_name, prefix_len);
+- prefix[prefix_len] = '\0';
+-
+- if (hash_string_insert (&prefix_table[link_target], prefix))
++ const char *prefix;
++ if (hash_string_insert_prefix (&prefix_table[link_target], file_name,
++ prefix_len, &prefix))
+ {
+ static char const *const diagnostic[] =
+ {
diff --git a/tar.spec b/tar.spec
index 46f7cdc..842be5a 100644
--- a/tar.spec
+++ b/tar.spec
@@ -2,7 +2,7 @@ Summary: A GNU file archiving program
 Name: tar
 Epoch: 2
 Version: 1.17
-Release: 3%{?dist}
+Release: 4%{?dist}
 License: GPLv2+
 Group: Applications/Archiving
 URL: http://www.gnu.org/software/tar/
@@ -15,6 +15,7 @@ Patch3: tar-1.17-testsuite.patch
 Patch4: tar-1.17-xattrs.patch
 Patch5: tar-1.17-wildcards.patch
 Patch6: tar-1.17-dot_dot_vuln.patch
+Patch7: tar-1.17-safer_name_suffix.patch
 Prereq: info
 BuildRequires: autoconf automake gzip texinfo gettext libacl-devel libselinux-devel gawk
 Buildroot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
@@ -40,7 +41,8 @@ the rmt package.
 %patch3 -p1 -b .testsuite
 %patch4 -p1 -b .xattrs
 %patch5 -p1 -b .wildcards
-%patch6 -p1 -b .dot_dot_vuln.patch
+%patch6 -p1 -b .dot_dot_vuln
+%patch7 -p1 -b .safer_name_suffix
 %build
 %configure --bindir=/bin --libexecdir=/sbin
@@ -91,6 +93,10 @@ fi
 %{_infodir}/tar.info*
 %changelog
+* Tue Oct 23 2007 Radek Brich 2:1.17-4
+- upstream patch for CVE-2007-4476
+ (tar stack crashing in safer_name_suffix)
+
 * Tue Aug 28 2007 Radek Brich 2:1.17-3
 - gawk build dependency
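Review bot: In tar-1.17-safer_name_suffix.patch, hash_string_insert_prefix stores to `*return_prefix` only on the path that returns 1, so when the prefix is already in the table the caller's pointer is left untouched, and safer_name_suffix now declares `const char *prefix;` with no initializer. The visible caller uses it only inside the `if (hash_string_insert_prefix (...))` branch, whose body continues outside the hunk, so this looks safe as written, but the contract is easy to misuse later. Either set `if (return_prefix) *return_prefix = e;` before `free (s);` in the else branch, or extend the header comment with `On a zero return *RETURN_PREFIX is left unmodified.`. The comment should also say that LEN == 0 means "copy all of STRING" and that STRING must hold at least LEN bytes, since `memcpy (s, string, len)` trusts that length, which is presumably derived from the archive member name outside the hunk.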