Skip to content

Commit

Permalink
app-arch/tar: Adding a patch to fix CVE-2022-48303
Browse files Browse the repository at this point in the history
This patch is cherry-picked from the upstream gnu/tar repository
which fixes a heap buffer overflow issue in the utility. This fix is
needed to resolve CVE-2022-48303.

Bug: https://bugs.gentoo.org/898176
Signed-off-by: Nobel Barakat <[email protected]>
Closes: gentoo#29776
Signed-off-by: Sam James <[email protected]>
  • Loading branch information
nobellium1997 authored and thesamesam committed Mar 25, 2023
1 parent 6c71de7 commit 3d066ac
Show file tree
Hide file tree
Showing 2 changed files with 126 additions and 0 deletions.
32 changes: 32 additions & 0 deletions app-arch/tar/files/tar-1.34-fix-cve-2022-48303.patch
Original file line number Diff line number Diff line change
@@ -0,0 +1,32 @@
Gentoo Bug: https://bugs.gentoo.org/898176
Upstream Commit Link: https://git.savannah.gnu.org/cgit/tar.git/commit/?id=3da78400eafcccb97e2f2fd4b227ea40d794ede8

From 3da78400eafcccb97e2f2fd4b227ea40d794ede8 Mon Sep 17 00:00:00 2001
From: Sergey Poznyakoff <[email protected]>
Date: Sat, 11 Feb 2023 11:57:39 +0200
Subject: [PATCH] Fix boundary checking in base-256 decoder

* src/list.c (from_header): Base-256 encoding is at least 2 bytes
long.
---
src/list.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/src/list.c b/src/list.c
index 9fafc425..86bcfdd1 100644
--- a/src/list.c
+++ b/src/list.c
@@ -881,8 +881,9 @@ from_header (char const *where0, size_t digs, char const *type,
where++;
}
}
- else if (*where == '\200' /* positive base-256 */
- || *where == '\377' /* negative base-256 */)
+ else if (where <= lim - 2
+ && (*where == '\200' /* positive base-256 */
+ || *where == '\377' /* negative base-256 */))
{
/* Parse base-256 output. A nonnegative number N is
represented as (256**DIGS)/2 + N; a negative number -N is
--
2.39.2.637.g21b0678d19-goog
94 changes: 94 additions & 0 deletions app-arch/tar/tar-1.34-r3.ebuild
Original file line number Diff line number Diff line change
@@ -0,0 +1,94 @@
# Copyright 1999-2023 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2

EAPI=7

VERIFY_SIG_OPENPGP_KEY_PATH="${BROOT}"/usr/share/openpgp-keys/tar.asc
inherit verify-sig

DESCRIPTION="Use this to make tarballs :)"
HOMEPAGE="https://www.gnu.org/software/tar/"
SRC_URI="mirror://gnu/tar/${P}.tar.xz
https://alpha.gnu.org/gnu/tar/${P}.tar.xz"
SRC_URI+=" verify-sig? (
mirror://gnu/tar/${P}.tar.xz.sig
https://alpha.gnu.org/gnu/tar/${P}.tar.xz.sig
)"

LICENSE="GPL-3+"
SLOT="0"
if [[ -z "$(ver_cut 3)" ]] || [[ "$(ver_cut 3)" -lt 90 ]] ; then
KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~x64-cygwin ~amd64-linux ~x86-linux ~arm64-macos ~ppc-macos ~x64-macos ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
fi
IUSE="acl minimal nls selinux xattr"

RDEPEND="
acl? ( virtual/acl )
selinux? ( sys-libs/libselinux )
"
DEPEND="${RDEPEND}
xattr? ( elibc_glibc? ( sys-apps/attr ) )
"
BDEPEND="
nls? ( sys-devel/gettext )
verify-sig? ( sec-keys/openpgp-keys-tar )
"
PDEPEND="
app-alternatives/tar
"

PATCHES=(
"${FILESDIR}"/${P}-fix-cve-2022-48303.patch
)

src_configure() {
local myeconfargs=(
--bindir="${EPREFIX}"/bin
--enable-backup-scripts
--libexecdir="${EPREFIX}"/usr/sbin
$(use_with acl posix-acls)
$(use_enable nls)
$(use_with selinux)
$(use_with xattr xattrs)

# autoconf looks for gtar before tar (in configure scripts), hence
# in Prefix it is important that it is there, otherwise, a gtar from
# the host system (FreeBSD, Solaris, Darwin) will be found instead
# of the Prefix provided (GNU) tar
--program-prefix=g
)

FORCE_UNSAFE_CONFIGURE=1 econf "${myeconfargs[@]}"
}

src_install() {
default

# a nasty yet required piece of baggage
exeinto /etc
doexe "${FILESDIR}"/rmt

mv "${ED}"/usr/sbin/{gbackup,backup-tar} || die
mv "${ED}"/usr/sbin/{grestore,restore-tar} || die
mv "${ED}"/usr/sbin/{g,}backup.sh || die
mv "${ED}"/usr/sbin/{g,}dump-remind || die

if use minimal ; then
find "${ED}"/etc "${ED}"/*bin/ "${ED}"/usr/*bin/ \
-type f -a '!' -name gtar \
-delete || die
fi

if ! use minimal; then
dosym grmt /usr/sbin/rmt
fi
dosym grmt.8 /usr/share/man/man8/rmt.8
}

pkg_postinst() {
# ensure to preserve the symlink before app-alternatives/tar
# is installed
if [[ ! -h ${EROOT}/bin/tar ]]; then
ln -s gtar "${EROOT}/bin/tar" || die
fi
}

0 comments on commit 3d066ac

Please sign in to comment.