packages/cpio
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Fix 2021-38185

Browse Source
This commit is contained in:
yang_zhuang_zhuang 2021-08-24 20:01:17 +08:00
parent 4573fa2982
commit 3d8fa3c0d7
5 changed files with 629 additions and 41 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

74
add-option-to-add-metadata-in-copy-out-mode.patch
View File

@ -45,7 +45,7 @@ index 31a15fa..03d9585 100644
Treat the archive file as local, even if its name contains colons.
@item -F [[@var{user}@@]@var{host}:]@var{archive-file}
diff --git a/src/copyout.c b/src/copyout.c
index 4b7336b..fdafb37 100644
index 421d36d..4cd60a3 100644
--- a/src/copyout.c
+++ b/src/copyout.c
@@ -22,6 +22,7 @@
@ -151,7 +151,7 @@ index 4b7336b..fdafb37 100644
/* Read a list of file names from the standard input
and write a cpio collection on the standard output.
The format of the header depends on the compatibility (-c) flag. */
@@ -603,6 +692,8 @@ process_copy_out ()
@@ -604,6 +693,8 @@ process_copy_out (void)
int in_file_des; /* Source file descriptor. */
int out_file_des; /* Output file descriptor. */
char *orig_file_name = NULL;
@ -159,8 +159,8 @@ index 4b7336b..fdafb37 100644
+ int ret, metadata_fd, metadata = 0, old_metadata, hard_link;
/* Initialize the copy out. */
ds_init (&input_name, 128);
@@ -635,9 +726,37 @@ process_copy_out ()
file_hdr.c_magic = 070707;
@@ -635,9 +726,37 @@ process_copy_out (void)
prepare_append (out_file_des);
}
@ -199,8 +199,8 @@ index 4b7336b..fdafb37 100644
/* Check for blank line. */
if (input_name.ds_string[0] == 0)
{
@@ -667,8 +786,15 @@ process_copy_out ()
}
@@ -662,8 +781,15 @@ process_copy_out (void)
ds_append (&input_name, '/');
}
}
-
@ -217,7 +217,7 @@ index 4b7336b..fdafb37 100644
cpio_safer_name_suffix (input_name.ds_string, false,
!no_abs_paths_flag, true);
cpio_set_c_name (&file_hdr, input_name.ds_string);
@@ -700,6 +826,7 @@ process_copy_out ()
@@ -695,6 +821,7 @@ process_copy_out (void)
else
{
add_link_defer (&file_hdr);
@ -225,7 +225,7 @@ index 4b7336b..fdafb37 100644
break;
}
}
@@ -836,6 +963,8 @@ process_copy_out ()
@@ -831,6 +958,8 @@ process_copy_out (void)
fprintf (stderr, "%s\n", orig_file_name);
if (dot_flag)
fputc ('.', stderr);
@ -234,10 +234,10 @@ index 4b7336b..fdafb37 100644
}
}
@@ -875,6 +1004,11 @@ process_copy_out ()
(unsigned long) blocks), (unsigned long) blocks);
@@ -871,6 +1000,11 @@ process_copy_out (void)
}
cpio_file_stat_free (&file_hdr);
ds_free (&input_name);
+
+ if (metadata_type != TYPE_NONE) {
+ close(metadata_fd);
@ -247,10 +247,10 @@ index 4b7336b..fdafb37 100644
diff --git a/src/dstring.c b/src/dstring.c
index e9c063f..1021d21 100644
index 0f597cc..07e827f 100644
--- a/src/dstring.c
+++ b/src/dstring.c
@@ -58,8 +58,8 @@ ds_resize (dynamic_string *string, int size)
@@ -74,8 +74,8 @@ ds_reset (dynamic_string *s, size_t len)
Return NULL if end of file is detected. Otherwise,
Return a pointer to the null-terminated string in S. */
@ -259,33 +259,29 @@ index e9c063f..1021d21 100644
+static char *
+ds_fgetstr_common (FILE *f, char *input_string, dynamic_string *s, char eos)
{
int insize; /* Amount needed for line. */
int strsize; /* Amount allocated for S. */
@@ -70,7 +70,10 @@ ds_fgetstr (FILE *f, dynamic_string *s, char eos)
strsize = s->ds_length;
int next_ch;
@@ -83,10 +83,18 @@ ds_fgetstr (FILE *f, dynamic_string *s, char eos)
s->ds_idx = 0;
/* Read the input string. */
- next_ch = getc (f);
- while ((next_ch = getc (f)) != eos && next_ch != EOF)
+ if (input_string)
+ next_ch = *input_string++;
+ else
+ next_ch = getc (f);
while (next_ch != eos && next_ch != EOF)
+ while (next_ch != eos && next_ch != EOF)
{
if (insize >= strsize - 1)
@@ -79,7 +82,10 @@ ds_fgetstr (FILE *f, dynamic_string *s, char eos)
strsize = s->ds_length;
}
s->ds_string[insize++] = next_ch;
- next_ch = getc (f);
ds_resize (s, 0);
s->ds_string[s->ds_idx++] = next_ch;
+ if (input_string)
+ next_ch = *input_string++;
+ next_ch = *input_string++;
+ else
+ next_ch = getc (f);
+ next_ch = getc (f);
}
s->ds_string[insize++] = '\0';
@@ -90,6 +96,12 @@ ds_fgetstr (FILE *f, dynamic_string *s, char eos)
ds_resize (s, 0);
s->ds_string[s->ds_idx] = '\0';
@@ -121,6 +129,12 @@ ds_concat (dynamic_string *s, char const *str)
}
char *
@ -298,25 +294,31 @@ index e9c063f..1021d21 100644
ds_fgets (FILE *f, dynamic_string *s)
{
return ds_fgetstr (f, s, '\n');
@@ -100,3 +112,9 @@ ds_fgetname (FILE *f, dynamic_string *s)
{
@@ -132,6 +146,12 @@ ds_fgetname (FILE *f, dynamic_string *s)
return ds_fgetstr (f, s, '\0');
}
+
+char *
+ds_sgetstr (char *input_string, dynamic_string *s, char eos)
+{
+ return ds_fgetstr_common (NULL, input_string, s, eos);
+}
+
/* Return true if the dynamic string S ends with character C. */
int
ds_endswith (dynamic_string *s, int c)
diff --git a/src/dstring.h b/src/dstring.h
index b5135fe..f5f95ec 100644
index f5b04ef..50c877d 100644
--- a/src/dstring.h
+++ b/src/dstring.h
@@ -49,3 +49,4 @@ void ds_resize (dynamic_string *string, int size);
@@ -41,6 +41,7 @@ void ds_reset (dynamic_string *s, size_t len);
char *ds_fgetname (FILE *f, dynamic_string *s);
char *ds_fgets (FILE *f, dynamic_string *s);
char *ds_fgetstr (FILE *f, dynamic_string *s, char eos);
+char *ds_sgetstr (char *input_string, dynamic_string *s, char eos);
void ds_append (dynamic_string *s, int c);
void ds_concat (dynamic_string *s, char const *str);
diff --git a/src/extern.h b/src/extern.h
index 11ac6bf..f295fcf 100644
--- a/src/extern.h
@ -340,10 +342,10 @@ index 11ac6bf..f295fcf 100644
/* copyin.c */
void warn_junk_bytes (long bytes_skipped);
diff --git a/src/global.c b/src/global.c
index fb3abe9..0c40be0 100644
index acf92bc..d45e19b 100644
--- a/src/global.c
+++ b/src/global.c
@@ -199,3 +199,5 @@ char *change_directory_option;
@@ -196,3 +196,5 @@ char *change_directory_option;
int renumber_inodes_option;
int ignore_devno_option;

462
backport-0001-CVE-2021-38185-Rewrite-dynamic-string-support.patch Normal file
View File

@ -0,0 +1,462 @@
From dd96882877721703e19272fe25034560b794061b Mon Sep 17 00:00:00 2001
From: Sergey Poznyakoff <gray@gnu.org>
Date: Sat, 7 Aug 2021 12:52:21 +0300
Subject: [PATCH 11/13] Rewrite dynamic string support.
* src/dstring.c (ds_init): Take a single argument.
(ds_free): New function.
(ds_resize): Take a single argument. Use x2nrealloc to expand
the storage.
(ds_reset,ds_append,ds_concat,ds_endswith): New function.
(ds_fgetstr): Rewrite. In particular, this fixes integer overflow.
* src/dstring.h (dynamic_string): Keep both the allocated length
(ds_size) and index of the next free byte in the string (ds_idx).
(ds_init,ds_resize): Change signature.
(ds_len): New macro.
(ds_free,ds_reset,ds_append,ds_concat,ds_endswith): New protos.
* src/copyin.c: Use new ds_ functions.
* src/copyout.c: Likewise.
* src/copypass.c: Likewise.
* src/util.c: Likewise.
---
src/copyin.c | 40 +++++++++++++-------------
src/copyout.c | 16 ++++-------
src/copypass.c | 34 +++++++++++------------
src/dstring.c | 88 ++++++++++++++++++++++++++++++++++++++++++----------------
src/dstring.h | 31 ++++++++++-----------
src/util.c | 6 ++--
6 files changed, 123 insertions(+), 92 deletions(-)
diff --git a/src/copyin.c b/src/copyin.c
index bf3b0a8..c7f4b49 100644
--- a/src/copyin.c
+++ b/src/copyin.c
@@ -55,11 +55,12 @@ query_rename(struct cpio_file_stat* file_hdr, FILE *tty_in, FILE *tty_out,
char *str_res; /* Result for string function. */
static dynamic_string new_name; /* New file name for rename option. */
static int initialized_new_name = false;
+
if (!initialized_new_name)
- {
- ds_init (&new_name, 128);
- initialized_new_name = true;
- }
+ {
+ ds_init (&new_name);
+ initialized_new_name = true;
+ }
if (rename_flag)
{
@@ -778,39 +779,41 @@ long_format (struct cpio_file_stat *file_hdr, char const *link_name)
already in `save_patterns' (from the command line) are preserved. */
static void
-read_pattern_file ()
+read_pattern_file (void)
{
- int max_new_patterns;
- char **new_save_patterns;
- int new_num_patterns;
+ char **new_save_patterns = NULL;
+ size_t max_new_patterns;
+ size_t new_num_patterns;
int i;
- dynamic_string pattern_name;
+ dynamic_string pattern_name = DYNAMIC_STRING_INITIALIZER;
FILE *pattern_fp;
if (num_patterns < 0)
num_patterns = 0;
- max_new_patterns = 1 + num_patterns;
- new_save_patterns = (char **) xmalloc (max_new_patterns * sizeof (char *));
new_num_patterns = num_patterns;
- ds_init (&pattern_name, 128);
+ max_new_patterns = num_patterns;
+ new_save_patterns = xcalloc (max_new_patterns, sizeof (new_save_patterns[0]));
pattern_fp = fopen (pattern_file_name, "r");
if (pattern_fp == NULL)
+ {
open_error (pattern_file_name);
+ ds_free (&pattern_name);
+ }
else
{
while (ds_fgetstr (pattern_fp, &pattern_name, '\n') != NULL)
{
- if (new_num_patterns >= max_new_patterns)
- {
- max_new_patterns += 1;
- new_save_patterns = (char **)
- xrealloc ((char *) new_save_patterns,
- max_new_patterns * sizeof (char *));
- }
+ if (new_num_patterns == max_new_patterns)
+ new_save_patterns = x2nrealloc (new_save_patterns,
+ &max_new_patterns,
+ sizeof (new_save_patterns[0]));
new_save_patterns[new_num_patterns] = xstrdup (pattern_name.ds_string);
++new_num_patterns;
}
+
+ ds_free (&pattern_name);
+
if (ferror (pattern_fp) || fclose (pattern_fp) == EOF)
close_error (pattern_file_name);
}
@@ -1198,7 +1201,7 @@ swab_array (char *ptr, int count)
in the file system. */
void
-process_copy_in ()
+process_copy_in (void)
{
char done = false; /* True if trailer reached. */
FILE *tty_in = NULL; /* Interactive file for rename option. */
diff --git a/src/copyout.c b/src/copyout.c
index 4b7336b..421d36d 100644
--- a/src/copyout.c
+++ b/src/copyout.c
@@ -594,9 +594,10 @@ assign_string (char **pvar, char *value)
The format of the header depends on the compatibility (-c) flag. */
void
-process_copy_out ()
+process_copy_out (void)
{
- dynamic_string input_name; /* Name of file read from stdin. */
+ dynamic_string input_name = DYNAMIC_STRING_INITIALIZER;
+ /* Name of file read from stdin. */
struct stat file_stat; /* Stat record for file. */
struct cpio_file_stat file_hdr = CPIO_FILE_STAT_INITIALIZER;
/* Output header information. */
@@ -605,7 +606,6 @@ process_copy_out ()
char *orig_file_name = NULL;
/* Initialize the copy out. */
- ds_init (&input_name, 128);
file_hdr.c_magic = 070707;
/* Check whether the output file might be a tape. */
@@ -657,14 +657,9 @@ process_copy_out ()
{
if (file_hdr.c_mode & CP_IFDIR)
{
- int len = strlen (input_name.ds_string);
/* Make sure the name ends with a slash */
- if (input_name.ds_string[len-1] != '/')
- {
- ds_resize (&input_name, len + 2);
- input_name.ds_string[len] = '/';
- input_name.ds_string[len+1] = 0;
- }
+ if (!ds_endswith (&input_name, '/'))
+ ds_append (&input_name, '/');
}
}
@@ -875,6 +870,7 @@ process_copy_out ()
(unsigned long) blocks), (unsigned long) blocks);
}
cpio_file_stat_free (&file_hdr);
+ ds_free (&input_name);
}
diff --git a/src/copypass.c b/src/copypass.c
index dc13b5b..62f31c6 100644
--- a/src/copypass.c
+++ b/src/copypass.c
@@ -48,10 +48,12 @@ set_copypass_perms (int fd, const char *name, struct stat *st)
If `link_flag', link instead of copying. */
void
-process_copy_pass ()
+process_copy_pass (void)
{
- dynamic_string input_name; /* Name of file from stdin. */
- dynamic_string output_name; /* Name of new file. */
+ dynamic_string input_name = DYNAMIC_STRING_INITIALIZER;
+ /* Name of file from stdin. */
+ dynamic_string output_name = DYNAMIC_STRING_INITIALIZER;
+ /* Name of new file. */
size_t dirname_len; /* Length of `directory_name'. */
int res; /* Result of functions. */
char *slash; /* For moving past slashes in input name. */
@@ -65,25 +67,18 @@ process_copy_pass ()
created files */
/* Initialize the copy pass. */
- ds_init (&input_name, 128);
dirname_len = strlen (directory_name);
if (change_directory_option && !ISSLASH (directory_name[0]))
{
char *pwd = xgetcwd ();
-
- dirname_len += strlen (pwd) + 1;
- ds_init (&output_name, dirname_len + 2);
- strcpy (output_name.ds_string, pwd);
- strcat (output_name.ds_string, "/");
- strcat (output_name.ds_string, directory_name);
+
+ ds_concat (&output_name, pwd);
+ ds_append (&output_name, '/');
}
- else
- {
- ds_init (&output_name, dirname_len + 2);
- strcpy (output_name.ds_string, directory_name);
- }
- output_name.ds_string[dirname_len] = '/';
+ ds_concat (&output_name, directory_name);
+ ds_append (&output_name, '/');
+ dirname_len = ds_len (&output_name);
output_is_seekable = true;
change_dir ();
@@ -116,8 +111,8 @@ process_copy_pass ()
/* Make the name of the new file. */
for (slash = input_name.ds_string; *slash == '/'; ++slash)
;
- ds_resize (&output_name, dirname_len + strlen (slash) + 2);
- strcpy (output_name.ds_string + dirname_len + 1, slash);
+ ds_reset (&output_name, dirname_len);
+ ds_concat (&output_name, slash);
existing_dir = false;
if (lstat (output_name.ds_string, &out_file_stat) == 0)
@@ -333,6 +328,9 @@ process_copy_pass ()
(unsigned long) blocks),
(unsigned long) blocks);
}
+
+ ds_free (&input_name);
+ ds_free (&output_name);
}
/* Try and create a hard link from FILE_NAME to another file
diff --git a/src/dstring.c b/src/dstring.c
index e9c063f..358f356 100644
--- a/src/dstring.c
+++ b/src/dstring.c
@@ -20,8 +20,8 @@
#if defined(HAVE_CONFIG_H)
# include <config.h>
#endif
-
#include <stdio.h>
+#include <stdlib.h>
#if defined(HAVE_STRING_H) || defined(STDC_HEADERS)
#include <string.h>
#else
@@ -33,24 +33,41 @@
/* Initialiaze dynamic string STRING with space for SIZE characters. */
void
-ds_init (dynamic_string *string, int size)
+ds_init (dynamic_string *string)
+{
+ memset (string, 0, sizeof *string);
+}
+
+/* Free the dynamic string storage. */
+
+void
+ds_free (dynamic_string *string)
{
- string->ds_length = size;
- string->ds_string = (char *) xmalloc (size);
+ free (string->ds_string);
}
-/* Expand dynamic string STRING, if necessary, to hold SIZE characters. */
+/* Expand dynamic string STRING, if necessary. */
void
-ds_resize (dynamic_string *string, int size)
+ds_resize (dynamic_string *string)
{
- if (size > string->ds_length)
+ if (string->ds_idx == string->ds_size)
{
- string->ds_length = size;
- string->ds_string = (char *) xrealloc ((char *) string->ds_string, size);
+ string->ds_string = x2nrealloc (string->ds_string, &string->ds_size,
+ 1);
}
}
+/* Reset the index of the dynamic string S to LEN. */
+
+void
+ds_reset (dynamic_string *s, size_t len)
+{
+ while (len > s->ds_size)
+ ds_resize (s);
+ s->ds_idx = len;
+}
+
/* Dynamic string S gets a string terminated by the EOS character
(which is removed) from file F. S will increase
in size during the function if the string from F is longer than
@@ -61,34 +78,50 @@ ds_resize (dynamic_string *string, int size)
char *
ds_fgetstr (FILE *f, dynamic_string *s, char eos)
{
- int insize; /* Amount needed for line. */
- int strsize; /* Amount allocated for S. */
int next_ch;
/* Initialize. */
- insize = 0;
- strsize = s->ds_length;
+ s->ds_idx = 0;
/* Read the input string. */
- next_ch = getc (f);
- while (next_ch != eos && next_ch != EOF)
+ while ((next_ch = getc (f)) != eos && next_ch != EOF)
{
- if (insize >= strsize - 1)
- {
- ds_resize (s, strsize * 2 + 2);
- strsize = s->ds_length;
- }
- s->ds_string[insize++] = next_ch;
- next_ch = getc (f);
+ ds_resize (s);
+ s->ds_string[s->ds_idx++] = next_ch;
}
- s->ds_string[insize++] = '\0';
+ ds_resize (s);
+ s->ds_string[s->ds_idx] = '\0';
- if (insize == 1 && next_ch == EOF)
+ if (s->ds_idx == 0 && next_ch == EOF)
return NULL;
else
return s->ds_string;
}
+void
+ds_append (dynamic_string *s, int c)
+{
+ ds_resize (s);
+ s->ds_string[s->ds_idx] = c;
+ if (c)
+ {
+ s->ds_idx++;
+ ds_resize (s);
+ s->ds_string[s->ds_idx] = 0;
+ }
+}
+
+void
+ds_concat (dynamic_string *s, char const *str)
+{
+ size_t len = strlen (str);
+ while (len + 1 > s->ds_size)
+ ds_resize (s);
+ memcpy (s->ds_string + s->ds_idx, str, len);
+ s->ds_idx += len;
+ s->ds_string[s->ds_idx] = 0;
+}
+
char *
ds_fgets (FILE *f, dynamic_string *s)
{
@@ -100,3 +133,10 @@ ds_fgetname (FILE *f, dynamic_string *s)
{
return ds_fgetstr (f, s, '\0');
}
+
+/* Return true if the dynamic string S ends with character C. */
+int
+ds_endswith (dynamic_string *s, int c)
+{
+ return (s->ds_idx > 0 && s->ds_string[s->ds_idx - 1] == c);
+}
diff --git a/src/dstring.h b/src/dstring.h
index b5135fe..f5b04ef 100644
--- a/src/dstring.h
+++ b/src/dstring.h
@@ -17,10 +17,6 @@
Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
Boston, MA 02110-1301 USA. */
-#ifndef NULL
-#define NULL 0
-#endif
-
/* A dynamic string consists of record that records the size of an
allocated string and the pointer to that string. The actual string
is a normal zero byte terminated string that can be used with the
@@ -30,22 +26,25 @@
typedef struct
{
- int ds_length; /* Actual amount of storage allocated. */
- char *ds_string; /* String. */
+ size_t ds_size; /* Actual amount of storage allocated. */
+ size_t ds_idx; /* Index of the next free byte in the string. */
+ char *ds_string; /* String storage. */
} dynamic_string;
+#define DYNAMIC_STRING_INITIALIZER { 0, 0, NULL }
-/* Macros that look similar to the original string functions.
- WARNING: These macros work only on pointers to dynamic string records.
- If used with a real record, an "&" must be used to get the pointer. */
-#define ds_strlen(s) strlen ((s)->ds_string)
-#define ds_strcmp(s1, s2) strcmp ((s1)->ds_string, (s2)->ds_string)
-#define ds_strncmp(s1, s2, n) strncmp ((s1)->ds_string, (s2)->ds_string, n)
-#define ds_index(s, c) index ((s)->ds_string, c)
-#define ds_rindex(s, c) rindex ((s)->ds_string, c)
+void ds_init (dynamic_string *string);
+void ds_free (dynamic_string *string);
+void ds_reset (dynamic_string *s, size_t len);
-void ds_init (dynamic_string *string, int size);
-void ds_resize (dynamic_string *string, int size);
+/* All functions below guarantee that s->ds_string[s->ds_idx] == '\0' */
char *ds_fgetname (FILE *f, dynamic_string *s);
char *ds_fgets (FILE *f, dynamic_string *s);
char *ds_fgetstr (FILE *f, dynamic_string *s, char eos);
+void ds_append (dynamic_string *s, int c);
+void ds_concat (dynamic_string *s, char const *str);
+
+#define ds_len(s) ((s)->ds_idx)
+
+int ds_endswith (dynamic_string *s, int c);
+
diff --git a/src/util.c b/src/util.c
index 4421b20..6d6bbaa 100644
--- a/src/util.c
+++ b/src/util.c
@@ -846,11 +846,9 @@ get_next_reel (int tape_des)
FILE *tty_out; /* File for interacting with user. */
int old_tape_des;
char *next_archive_name;
- dynamic_string new_name;
+ dynamic_string new_name = DYNAMIC_STRING_INITIALIZER;
char *str_res;
- ds_init (&new_name, 128);
-
/* Open files for interactive communication. */
tty_in = fopen (TTY_NAME, "r");
if (tty_in == NULL)
@@ -925,7 +923,7 @@ get_next_reel (int tape_des)
error (PAXEXIT_FAILURE, 0, _("internal error: tape descriptor changed from %d to %d"),
old_tape_des, tape_des);
- free (new_name.ds_string);
+ ds_free (&new_name);
fclose (tty_in);
fclose (tty_out);
}
--
1.8.3.1

36
backport-0002-CVE-2021-38185-Fix-previous-commit.patch Normal file
View File

@ -0,0 +1,36 @@
From dfc801c44a93bed7b3951905b188823d6a0432c8 Mon Sep 17 00:00:00 2001
From: Sergey Poznyakoff <gray@gnu.org>
Date: Wed, 11 Aug 2021 18:10:38 +0300
Subject: [PATCH 12/13] Fix previous commit
* src/dstring.c (ds_reset,ds_concat): Don't call ds_resize in a
loop.
---
src/dstring.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/dstring.c b/src/dstring.c
index 692d3e7..b7e0bb5 100644
--- a/src/dstring.c
+++ b/src/dstring.c
@@ -64,7 +64,7 @@ void
ds_reset (dynamic_string *s, size_t len)
{
while (len > s->ds_size)
- ds_resize (s);
+ s->ds_string = x2nrealloc (s->ds_string, &s->ds_size, 1);
s->ds_idx = len;
}
@@ -116,7 +116,7 @@ ds_concat (dynamic_string *s, char const *str)
{
size_t len = strlen (str);
while (len + 1 > s->ds_size)
- ds_resize (s);
+ s->ds_string = x2nrealloc (s->ds_string, &s->ds_size, 1);
memcpy (s->ds_string + s->ds_idx, str, len);
s->ds_idx += len;
s->ds_string[s->ds_idx] = 0;
--
1.8.3.1

78
backport-0003-CVE-2021-38185-Fix-dynamic-string-reallocations.patch Normal file
View File

@ -0,0 +1,78 @@
From 236684f6deb3178043fe72a8e2faca538fa2aae1 Mon Sep 17 00:00:00 2001
From: Sergey Poznyakoff <gray@gnu.org>
Date: Wed, 18 Aug 2021 09:41:39 +0300
Subject: [PATCH 13/13] Fix dynamic string reallocations
* src/dstring.c (ds_resize): Take additional argument: number of
bytes to leave available after ds_idx. All uses changed.
---
src/dstring.c | 18 ++++++++----------
1 file changed, 8 insertions(+), 10 deletions(-)
diff --git a/src/dstring.c b/src/dstring.c
index b7e0bb5..fd4e030 100644
--- a/src/dstring.c
+++ b/src/dstring.c
@@ -49,9 +49,9 @@ ds_free (dynamic_string *string)
/* Expand dynamic string STRING, if necessary. */
void
-ds_resize (dynamic_string *string)
+ds_resize (dynamic_string *string, size_t len)
{
- if (string->ds_idx == string->ds_size)
+ while (len + string->ds_idx >= string->ds_size)
{
string->ds_string = x2nrealloc (string->ds_string, &string->ds_size,
1);
@@ -63,8 +63,7 @@ ds_resize (dynamic_string *string)
void
ds_reset (dynamic_string *s, size_t len)
{
- while (len > s->ds_size)
- s->ds_string = x2nrealloc (s->ds_string, &s->ds_size, 1);
+ ds_resize (s, len);
s->ds_idx = len;
}
@@ -86,10 +85,10 @@ ds_fgetstr (FILE *f, dynamic_string *s, char eos)
/* Read the input string. */
while ((next_ch = getc (f)) != eos && next_ch != EOF)
{
- ds_resize (s);
+ ds_resize (s, 0);
s->ds_string[s->ds_idx++] = next_ch;
}
- ds_resize (s);
+ ds_resize (s, 0);
s->ds_string[s->ds_idx] = '\0';
if (s->ds_idx == 0 && next_ch == EOF)
@@ -101,12 +100,12 @@ ds_fgetstr (FILE *f, dynamic_string *s, char eos)
void
ds_append (dynamic_string *s, int c)
{
- ds_resize (s);
+ ds_resize (s, 0);
s->ds_string[s->ds_idx] = c;
if (c)
{
s->ds_idx++;
- ds_resize (s);
+ ds_resize (s, 0);
s->ds_string[s->ds_idx] = 0;
}
}
@@ -115,8 +114,7 @@ void
ds_concat (dynamic_string *s, char const *str)
{
size_t len = strlen (str);
- while (len + 1 > s->ds_size)
- s->ds_string = x2nrealloc (s->ds_string, &s->ds_size, 1);
+ ds_resize (s, len);
memcpy (s->ds_string + s->ds_idx, str, len);
s->ds_idx += len;
s->ds_string[s->ds_idx] = 0;
--
1.8.3.1

20
cpio.spec
View File

@ -1,6 +1,6 @@
Name: cpio
Version: 2.13
Release: 5
Release: 6
Summary: A GNU archiving program
License: GPLv3+
@ -14,10 +14,14 @@ Patch3: cpio-2.9.90-defaultremoteshell.patch
Patch4: cpio-2.10-patternnamesigsegv.patch
Patch5: cpio-2.10-longnames-split.patch
Patch6: cpio-2.11-crc-fips-nit.patch
Patch7: add-option-to-add-metadata-in-copy-out-mode.patch
Patch8: Fix-use-after-free-and-return-appropriate-error.patch
Patch9: revert-CVE-2015-1197.patch
Patch10: backport-cpio-2.13-mutiple-definition.patch
Patch7: revert-CVE-2015-1197.patch
Patch8: backport-cpio-2.13-mutiple-definition.patch
Patch9: backport-0001-CVE-2021-38185-Rewrite-dynamic-string-support.patch
Patch10: backport-0002-CVE-2021-38185-Fix-previous-commit.patch
Patch11: backport-0003-CVE-2021-38185-Fix-dynamic-string-reallocations.patch
Patch9000: add-option-to-add-metadata-in-copy-out-mode.patch
Patch9001: Fix-use-after-free-and-return-appropriate-error.patch
Provides: bundled(gnulib)
Provides: /bin/cpio
@ -60,6 +64,12 @@ make check
%{_datadir}/man/man1/%{name}.1.gz
%changelog
* Tue Aug 24 2021 yangzhuangzhuang <yangzhuangzhuang1@huawei.com> - 2.13-6
- Type:CVE
- ID:CVE-2021-38185
- SUG:NA
- DESC:Fix CVE-2021-38185
* Fri Jul 30 2021 yixiangzhike <zhangxingliang3@huawei.com> - 2.13-5
- Type:bugfix
- ID:NA