app-arch/tar: Adding a patch to fix CVE-2022-48303
This patch is cherry-picked from the upstream gnu/tar repository which fixes a heap buffer overflow issue in the utility. This fix is needed to resolve CVE-2022-48303. Bug: https://bugs.gentoo.org/898176 Signed-off-by: Nobel Barakat <[email protected]> Closes: gentoo#29776 Signed-off-by: Sam James <[email protected]>
1 parent
6c71de7
commit 3d066ac
Showing
2 changed files
with
126 additions
and
0 deletions.
@@ -0,0 +1,32 @@ | ||
Gentoo Bug: https://bugs.gentoo.org/898176 | ||
Upstream Commit Link: https://git.savannah.gnu.org/cgit/tar.git/commit/?id=3da78400eafcccb97e2f2fd4b227ea40d794ede8 | ||
|
||
From 3da78400eafcccb97e2f2fd4b227ea40d794ede8 Mon Sep 17 00:00:00 2001 | ||
From: Sergey Poznyakoff <[email protected]> | ||
Date: Sat, 11 Feb 2023 11:57:39 +0200 | ||
Subject: [PATCH] Fix boundary checking in base-256 decoder | ||
|
||
* src/list.c (from_header): Base-256 encoding is at least 2 bytes | ||
long. | ||
--- | ||
src/list.c | 5 +++-- | ||
1 file changed, 3 insertions(+), 2 deletions(-) | ||
|
||
diff --git a/src/list.c b/src/list.c | ||
index 9fafc425..86bcfdd1 100644 | ||
--- a/src/list.c | ||
+++ b/src/list.c | ||
@@ -881,8 +881,9 @@ from_header (char const *where0, size_t digs, char const *type, | ||
where++; | ||
} | ||
} | ||
- else if (*where == '\200' /* positive base-256 */ | ||
- || *where == '\377' /* negative base-256 */) | ||
+ else if (where <= lim - 2 | ||
+ && (*where == '\200' /* positive base-256 */ | ||
+ || *where == '\377' /* negative base-256 */)) | ||
{ | ||
/* Parse base-256 output. A nonnegative number N is | ||
represented as (256**DIGS)/2 + N; a negative number -N is | ||
-- | ||
2.39.2.637.g21b0678d19-goog |
@@ -0,0 +1,94 @@ | ||
# Copyright 1999-2023 Gentoo Authors | ||
# Distributed under the terms of the GNU General Public License v2 | ||
|
||
EAPI=7 | ||
|
||
VERIFY_SIG_OPENPGP_KEY_PATH="${BROOT}"/usr/share/openpgp-keys/tar.asc | ||
inherit verify-sig | ||
|
||
DESCRIPTION="Use this to make tarballs :)" | ||
HOMEPAGE="https://www.gnu.org/software/tar/" | ||
SRC_URI="mirror://gnu/tar/${P}.tar.xz | ||
https://alpha.gnu.org/gnu/tar/${P}.tar.xz" | ||
SRC_URI+=" verify-sig? ( | ||
mirror://gnu/tar/${P}.tar.xz.sig | ||
https://alpha.gnu.org/gnu/tar/${P}.tar.xz.sig | ||
)" | ||
|
||
LICENSE="GPL-3+" | ||
SLOT="0" | ||
if [[ -z "$(ver_cut 3)" ]] || [[ "$(ver_cut 3)" -lt 90 ]] ; then | ||
KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~x64-cygwin ~amd64-linux ~x86-linux ~arm64-macos ~ppc-macos ~x64-macos ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris" | ||
fi | ||
IUSE="acl minimal nls selinux xattr" | ||
|
||
RDEPEND=" | ||
acl? ( virtual/acl ) | ||
selinux? ( sys-libs/libselinux ) | ||
" | ||
DEPEND="${RDEPEND} | ||
xattr? ( elibc_glibc? ( sys-apps/attr ) ) | ||
" | ||
BDEPEND=" | ||
nls? ( sys-devel/gettext ) | ||
verify-sig? ( sec-keys/openpgp-keys-tar ) | ||
" | ||
PDEPEND=" | ||
app-alternatives/tar | ||
" | ||
|
||
PATCHES=( | ||
"${FILESDIR}"/${P}-fix-cve-2022-48303.patch | ||
) | ||
|
||
src_configure() { | ||
local myeconfargs=( | ||
--bindir="${EPREFIX}"/bin | ||
--enable-backup-scripts | ||
--libexecdir="${EPREFIX}"/usr/sbin | ||
$(use_with acl posix-acls) | ||
$(use_enable nls) | ||
$(use_with selinux) | ||
$(use_with xattr xattrs) | ||
|
||
# autoconf looks for gtar before tar (in configure scripts), hence | ||
# in Prefix it is important that it is there, otherwise, a gtar from | ||
# the host system (FreeBSD, Solaris, Darwin) will be found instead | ||
# of the Prefix provided (GNU) tar | ||
--program-prefix=g | ||
) | ||
|
||
FORCE_UNSAFE_CONFIGURE=1 econf "${myeconfargs[@]}" | ||
} | ||
|
||
src_install() { | ||
default | ||
|
||
# a nasty yet required piece of baggage | ||
exeinto /etc | ||
doexe "${FILESDIR}"/rmt | ||
|
||
mv "${ED}"/usr/sbin/{gbackup,backup-tar} || die | ||
mv "${ED}"/usr/sbin/{grestore,restore-tar} || die | ||
mv "${ED}"/usr/sbin/{g,}backup.sh || die | ||
mv "${ED}"/usr/sbin/{g,}dump-remind || die | ||
|
||
if use minimal ; then | ||
find "${ED}"/etc "${ED}"/*bin/ "${ED}"/usr/*bin/ \ | ||
-type f -a '!' -name gtar \ | ||
-delete || die | ||
fi | ||
|
||
if ! use minimal; then | ||
dosym grmt /usr/sbin/rmt | ||
fi | ||
dosym grmt.8 /usr/share/man/man8/rmt.8 | ||
} | ||
|
||
pkg_postinst() { | ||
# ensure to preserve the symlink before app-alternatives/tar | ||
# is installed | ||
if [[ ! -h ${EROOT}/bin/tar ]]; then | ||
ln -s gtar "${EROOT}/bin/tar" || die | ||
fi | ||
} |
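Review bot: `FORCE_UNSAFE_CONFIGURE=1 econf "${myeconfargs[@]}"` in src_configure bypasses a configure-time safety check without saying why, while the neighbouring `--program-prefix=g` gets a four-line explanation; a comment such as `# gnulib's configure aborts when run as root (e.g. a build without userpriv) unless FORCE_UNSAFE_CONFIGURE is set` would record the reason, assuming that is indeed the check being skipped here. In src_install, `if use minimal ; then … fi` followed by `if ! use minimal; then … fi` tests the same flag twice in a row; an `if use minimal; then … else dosym grmt /usr/sbin/rmt; fi` makes the two branches read as one decision. The PATCHES entry names the file after `${P}`, so the next version bump must rename the patch as well; that is the usual Gentoo convention, but a short comment like `# CVE-2022-48303, upstream 3da78400` next to the entry would let a reader tie the file to the fix without opening it.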