diff --git a/CVE-2021-3504.patch b/CVE-2021-3504.patch
deleted file mode 100644
index e652399..0000000
--- a/CVE-2021-3504.patch
+++ /dev/null
@@ -1,72 +0,0 @@ -From 8f1935733b10d974a1a4176d38dd151ed98cf381 Mon Sep 17 00:00:00 2001 -From: "Richard W.M. Jones" -Date: Thu, 15 Apr 2021 15:50:13 +0100 -Subject: [PATCH] lib/handle.c: Bounds check for block exceeding page length - (CVE-2021-3504) - -Hives are encoded as fixed-sized pages containing smaller variable- -length blocks: - - +-------------------+-------------------+-------------------+-- - | header |[ blk ][blk][ blk ]|[blk][blk][blk] | - +-------------------+-------------------+-------------------+-- - -Blocks should not straddle a page boundary. However because blocks -contain a 32 bit length field it is possible to construct an invalid -hive where the last block in a page overlaps either the next page or -the end of the file: - - +-------------------+-------------------+ - | header |[ blk ][blk][ blk ..... ] - +-------------------+-------------------+ - -Hivex lacked a bounds check and would process the registry. Because -the rest of the code assumes this situation can never happen it was -possible to have a block containing some field (eg. a registry key -name) which would extend beyond the end of the file. Hivex mmaps or -mallocs the file, causing hivex to read memory beyond the end of the -mapped region, resulting in reading other memory structures or a -crash. (Writing beyond the end of the mapped region seems to be -impossible because we always allocate a new page before writing.) - -This commit adds a check which rejects the malformed registry on -hivex_open. - -Credit: Jeremy Galindo, Sr Security Engineer, Datto.com -Signed-off-by: Richard W.M. 
Jones -Fixes: CVE-2021-3504 -Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1949687 ---- - lib/handle.c | 12 ++++++++++-- - 1 file changed, 10 insertions(+), 2 deletions(-) - -diff --git a/lib/handle.c b/lib/handle.c -index 88b1563..2e4231a 100644 ---- a/lib/handle.c -+++ b/lib/handle.c -@@ -353,8 +353,8 @@ hivex_open (const char *filename, int flags) - #pragma GCC diagnostic pop - if (is_root || !h->unsafe) { - SET_ERRNO (ENOTSUP, -- "%s, the block at 0x%zx has invalid size %" PRIu32 -- ", bad registry", -+ "%s, the block at 0x%zx size %" PRIu32 -+ " <= 4 or not a multiple of 4, bad registry", - filename, blkoff, le32toh (block->seg_len)); - goto error; - } else { -@@ -365,6 +365,14 @@ hivex_open (const char *filename, int flags) - } - } - -+ if (blkoff + seg_len > off + page_size) { -+ SET_ERRNO (ENOTSUP, -+ "%s, the block at 0x%zx size %" PRIu32 -+ " extends beyond the current page, bad registry", -+ filename, blkoff, le32toh (block->seg_len)); -+ goto error; -+ } -+ - if (h->msglvl >= 2) { - unsigned char *id = (unsigned char *) block->id; - int id0 = id[0], id1 = id[1]; diff --git a/CVE-2021-3622.patch b/CVE-2021-3622.patch deleted file mode 100644 index dd3c553..0000000 --- a/CVE-2021-3622.patch +++ /dev/null 
@@ -1,92 +0,0 @@ -From 771728218dac2fbf6997a7e53225e75a4c6b7255 Mon Sep 17 00:00:00 2001 -From: "Richard W.M. Jones" -Date: Thu, 8 Jul 2021 19:00:45 +0100 -Subject: [PATCH] lib/node.c: Limit recursion in ri-records (CVE-2021-3622) - -Windows Registry hive "ri"-records are arbitrarily nested B-tree-like -structures: - - +-------------+ - | ri | - |-------------| - | nr_offsets | - | offset[0] ------> points to another lf/lh/li/ri block - | offset[1] ------> - | offset[2] ------> - +-------------+ - -It is possible to construct a hive with a very deeply nested tree of -ri-records, causing the internal _get_children function to recurse to -any depth which can cause programs linked to hivex to crash with a -stack overflow. - -Since it is not thought that deeply nested ri-records occur in real -hives, limit recursion depth. If you hit this limit you will see the -following error and the operation will return an error instead of -crashing: - - \> ls - hivex: _get_children: returning EINVAL because: ri-record nested to depth >= 32 - ls: Invalid argument - -Thanks to Jeremy Galindo for finding and reporting this bug. - -Reported-by: Jeremy Galindo, Sr Security Engineer, Datto.com -Signed-off-by: Richard W.M. Jones -Fixes: CVE-2021-3622 -Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1975489 -(cherry picked from commit 781a12c4a49dd81365c9c567c5aa5e19e894ba0e) ---- - lib/node.c | 18 ++++++++++++++---- - 1 file changed, 14 insertions(+), 4 deletions(-) - -diff --git a/lib/node.c b/lib/node.c -index 7b002a4..eb7fe93 100644 ---- a/lib/node.c -+++ b/lib/node.c -@@ -203,7 +203,7 @@ hivex_node_classname (hive_h *h, hive_node_h node) - - static int _get_children (hive_h *h, hive_node_h blkoff, - offset_list *children, offset_list *blocks, -- int flags); -+ int flags, unsigned depth); - static int check_child_is_nk_block (hive_h *h, hive_node_h child, int flags); - - /* Iterate over children (ie. 
subkeys of a node), returning child -@@ -335,7 +335,7 @@ _hivex_get_children (hive_h *h, hive_node_h node, - goto error; - } - -- if (_get_children (h, subkey_lf, &children, &blocks, flags) == -1) -+ if (_get_children (h, subkey_lf, &children, &blocks, flags, 0) == -1) - goto error; - - /* Check the number of children we ended up reading matches -@@ -383,7 +383,7 @@ _hivex_get_children (hive_h *h, hive_node_h node, - static int - _get_children (hive_h *h, hive_node_h blkoff, - offset_list *children, offset_list *blocks, -- int flags) -+ int flags, unsigned depth) - { - /* Add this intermediate block. */ - if (_hivex_add_to_offset_list (blocks, blkoff) == -1) -@@ -486,7 +486,17 @@ _get_children (hive_h *h, hive_node_h blkoff, - } - } - -- if (_get_children (h, offset, children, blocks, flags) == -1) -+ /* Although in theory hive ri records might be nested to any -+ * depth, in practice this is unlikely. Recursing here caused -+ * CVE-2021-3622. Thus limit the depth we will recurse to -+ * something small. -+ */ -+ if (depth >= 32) { -+ SET_ERRNO (EINVAL, "ri-record nested to depth >= %u", depth); -+ return -1; -+ } -+ -+ if (_get_children (h, offset, children, blocks, flags, depth+1) == -1) - return -1; - } - } diff --git a/hivex-1.3.17.tar.gz b/hivex-1.3.17.tar.gz deleted file mode 100644 index 5499491..0000000 Binary files a/hivex-1.3.17.tar.gz and /dev/null differ diff --git a/hivex-1.3.17.tar.gz.sig b/hivex-1.3.17.tar.gz.sig deleted file mode 100644 index 9fedfc2..0000000 --- a/hivex-1.3.17.tar.gz.sig +++ /dev/null 
@@ -1,17 +0,0 @@ ------BEGIN PGP SIGNATURE----- - -iQJFBAABCAAvFiEE93dPsa0HSn6Mh2fqkXOPc+G3aKAFAlxHnNsRHHJpY2hAYW5u -ZXhpYS5vcmcACgkQkXOPc+G3aKCbkxAAortQKeA7TDTeiTk3dwI/tQ+4VVqe90lt -L/xWnDtR6ZH5DZ4FgcJbaKx9PCBtaQxyFBjA5qcrEClK8fTfm3NGNPQuSX4YDN83 -3jJx2uOtM7Io5hpFrXeWC22m77dqQKeU0r1oblJtf1kK1SEef6HL44flCtGr+HlM -37nwm29ToSl5Ksp9XvBqT5smQVuUPjqwcm+4jYUR88SnFmkTpneZYYTstDbqzvUm -RT089O/q+4JLh6egfyA66wXTfzhsqe3HRZtG7pPhe+j/HBIfYmAigEi4Cm/6pFrc -vNJAZ9KJ50no69A2jZ86Dfy4/4nwjYc/aDZ0vIZ4Fairj+LzTxQwfQeYk1BCqb2z -XNNRl3pUDkrk3jrAPnxqR2z/2qsEgoSrVDEQlhVUZ1n/WOTqxst1F0YHOeHHWun5 -O1d2nV8i1A8JAysHx77smKscpKtu4jcymr4SmqXYSG90BvuqxJgpPsX6rln38DKX -qA3Zj7wKkqOTBbX+JInBwMcWOzzAO38hQkQjuOG71CQ6CKVGdnovp4OHDcwsmkp4 -KbCjnXgIl5DOxCrnVaWtPV5Zy6smst982fG0zPD/m42Dz7+Tb4O1np8zfLH9C4Dx -CdD3otIo0XOJM50Bvu9Oqn/SP8j8nDqMZtiCg+gXBRyVdl37EGqtwd/2bt7TRWSV -xmddKuLdf6Q= -=+f/m ------END PGP SIGNATURE----- diff --git a/hivex-1.3.21.tar.gz b/hivex-1.3.21.tar.gz new file mode 100644 index 0000000..0073633 Binary files /dev/null and b/hivex-1.3.21.tar.gz differ diff --git a/hivex-1.3.21.tar.gz.sig b/hivex-1.3.21.tar.gz.sig new file mode 100644 index 0000000..521d711 --- /dev/null +++ b/hivex-1.3.21.tar.gz.sig 
@@ -0,0 +1,17 @@ +-----BEGIN PGP SIGNATURE----- + +iQJFBAABCAAvFiEE93dPsa0HSn6Mh2fqkXOPc+G3aKAFAmEHr1sRHHJpY2hAYW5u +ZXhpYS5vcmcACgkQkXOPc+G3aKAdQRAAnKp8vh3Mn73YpNBzA4PgQm/wkhwU0vlG +WEpcbz5sJnxd51XsLfPbHLC99CN3A47WBbwvUVlbY6QIzEgonKJvsWYPnRi9DURG +9rrHGPNixitS+eZCwyhhqjDXzujQOC7h0YBRxOHp2HTE2uQ+l15o6H0i6sr2vNkG +QwiUI50YVhtaAi3DVaXpPbb2vlA+3K6ImeLPQrSB+em1+n0g40Wze6B2tHN5wtxB +XMRN8Hlw+Emc3Fe0Bx/4apg6YRqnXXCGyTyx25zHgtnf8cocOvjamt/cqsN3IspP +pOi9aD4+LmPuToLzTfReLwmacch3p+QA4ZjSfcqmSXOpdl6ZtIBGHg3587Zv3j5+ +1WvpVVTeRsV8neRg9H+bnLFhjvCjbU+pPylmW+HdWargqFrzlhFrLAvGTzKhxWNy +r3Xmbe/XnHHTWYeojg8mTZQ5mYt5MYfpbmywZusoyqhWVZV+bAHKJFk1q0UWLjfo +L+TkJLka9wjB4r4uPylZion92hW4QEh3lRg7SJU6qfIvmOJMaihRWK77c4S7BvZ2 +NG05XST/cRyZviSRtGbllqhzBjS50zl5oCCmwu/L4muZGaBYT0/DiQgvM8TI1XeB +9si16xg+KdE76tR+5g+Hn9Mh6ywi7hwp55UZHnRmgvvXHB6spBG2LQNqVNtPkWJV +CzY9MsNqjVc= +=y80J +-----END PGP SIGNATURE----- diff --git a/hivex.spec b/hivex.spec index 01e1b84..338073a 100644 --- a/hivex.spec +++ b/hivex.spec 
@@ -5,47 +5,78 @@ %endif Name: hivex -Version: 1.3.17 -Release: 5 -Summary: Windows Registry "hive" extraction library +Version: 1.3.21 +Release: 1 +Summary: Read and write Windows Registry binary hive files License: LGPLv2 URL: http://libguestfs.org/ Source0: http://libguestfs.org/download/hivex/%{name}-%{version}.tar.gz Source1: http://libguestfs.org/download/hivex/%{name}-%{version}.tar.gz.sig Source2: libguestfs.keyring -Patch0: CVE-2021-3504.patch -Patch1: CVE-2021-3622.patch - -BuildRequires: perl-interpreter, perl, perl-podlators, perl-devel, perl-generators, perl(bytes), perl(Carp), perl(Encode), perl(ExtUtils::MakeMaker), perl(Exporter), perl(IO::Scalar), perl(IO::Stringy), perl(strict), perl(Test::More), perl(utf8), perl(vars), perl(warnings), perl(XSLoader), perl(Test::Pod) >= 1.00, perl(Test::Pod::Coverage) >= 1.00 +BuildRequires: perl-interpreter +BuildRequires: perl-devel +BuildRequires: perl-generators +BuildRequires: %{_bindir}/pod2html +BuildRequires: %{_bindir}/pod2man +BuildRequires: perl(bytes) +BuildRequires: perl(Carp) +BuildRequires: perl(Encode) +BuildRequires: perl(ExtUtils::MakeMaker) +BuildRequires: perl(Exporter) +BuildRequires: perl(IO::Scalar) +BuildRequires: perl(IO::Stringy) +BuildRequires: perl(strict) +BuildRequires: perl(Test::More) +BuildRequires: perl(utf8) +BuildRequires: perl(vars) +BuildRequires: perl(warnings) +BuildRequires: perl(XSLoader) +BuildRequires: perl(Test::Pod) >= 1.00 +BuildRequires: perl(Test::Pod::Coverage) >= 1.00 %if %{with ocaml} BuildRequires: ocaml BuildRequires: ocaml-findlib-devel %endif +BuildRequires: python3-devel +BuildRequires: ruby-devel +BuildRequires: rubygem-rake +BuildRequires: rubygem(json) +BuildRequires: rubygem(minitest) +BuildRequires: rubygem(rdoc) +BuildRequires: readline-devel +BuildRequires: libxml2-devel +BuildRequires: gnupg2 +BuildRequires: make -BuildRequires: python3-devel, ruby-devel, rubygem-rake, rubygem(json), rubygem(minitest), rubygem(rdoc), readline-devel, libxml2-devel, 
gnupg2 - -Provides: bundled(gnulib) - +Provides: bundled(gnulib) %description -Hivex is a library for extracting the contents of Windows Registry "hive" files. It is designed to be secure against buggy or -malicious registry files. +Hive files are the undocumented binary files that Windows uses to store the Windows Registry on disk. +Hivex is a library that can read and write to these files. -Unlike other tools in this area, it doesn't use the textual .REG format, because parsing that is as much trouble as parsing the -original binary format. Instead it makes the file available through a C API, and then wraps this API in higher level scripting and GUI -tools. +'hivexsh' is a shell you can use to interactively navigate a hive binary file. -There is a separate program to export the hive as XML (see hivexml(1)), or to navigate the file (see hivexsh(1)). There is also a Perl -script to export and merge the file as a textual .REG (regedit) file, see hivexregedit(1). +'hivexregedit' (in perl-hivex) lets you export and merge to the textual regedit format. -If you just want to export or modify the Registry of a Windows virtual machine, you should look at virt-win-reg(1). +'hivexml' can be used to convert a hive file to a more useful XML format. -Hivex is also comes with language bindings for OCaml, Perl, Python and Ruby. +In order to get access to the hive files themselves, you can copy them from a Windows machine. They are +usually found in %%systemroot%%\system32\config. For virtual machines we recommend using libguestfs or +guestfish to copy out these files. libguestfs also provides a useful high-level tool called 'virt-win-reg' + (based on hivex technology) which can be used to query specific registry keys in an existing Windows VM. + +For OCaml bindings, see 'ocaml-hivex-devel'. + +For Perl bindings, see 'perl-hivex'. + +For Python 3 bindings, see 'python3-hivex'. + +For Ruby bindings, see 'ruby-hivex'. 
%package devel -Summary: Development package for %{name} +Summary: Development tools and libraries for %{name} Requires: %{name} = %{version}-%{release} Requires: pkgconfig @@ -53,7 +84,7 @@ Provides: %{name}-static = %{version}-%{release} Obsoletes: %{name}-static < %{version}-%{release} %description devel -Development tools and libraries for %{name} are included in %{name}-devel. +%{name}-devel contains development tools and libraries for %{name}. %package_help 
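Review bot: Removing `Patch0: CVE-2021-3504.patch` and `Patch1: CVE-2021-3622.patch` in this hunk leaves no record in the spec that both fixes are still present, because the `%changelog` entry added further down says only `- update version to 1.3.21`. Presumably the 1.3.21 tarball already contains both upstream commits, but that should be confirmed against the unpacked source: `lib/handle.c` should have the "extends beyond the current page" check in `hivex_open`, and `lib/node.c` the `depth >= 32` limit in `_get_children`. Once confirmed, I would add a changelog line such as `- drop CVE-2021-3504.patch and CVE-2021-3622.patch, included upstream`, so that CVE tracking and later audits do not read the removal as a regression.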
@@ -61,80 +92,74 @@ Development tools and libraries for %{name} are included in %{name}-devel. %if %{with ocaml} %package -n ocaml-%{name} -Summary: Provide OCaml bindings for %{name} +Summary: OCaml bindings for %{name} Requires: %{name} = %{version}-%{release} -%description -n ocaml-%{name} -OCaml bindings for %{name} are included in ocaml-%{name}. -Only for toplevel and scripting access. To compile OCaml -programs which use %{name} you will also need ocaml-%{name}-devel package. +%description -n ocaml-%{name} +ocaml-%{name} contains OCaml bindings for %{name}. + +This is for toplevel and scripting access only. To compile OCaml +programs which use %{name} you will also need ocaml-%{name}-devel. %package -n ocaml-%{name}-devel -Summary: Development package for %{name} OCaml bindings +Summary: OCaml bindings for %{name} Requires: ocaml-%{name} = %{version}-%{release} Requires: %{name}-devel = %{version}-%{release} + %description -n ocaml-%{name}-devel -Development libraries required to use the OCaml bindings for %{name} are in ocaml-%{name}-devel. +ocaml-%{name}-devel contains development libraries +required to use the OCaml bindings for %{name}. %endif %package -n perl-%{name} -Summary: Provide perl bindings for %{name} +Summary: Perl bindings for %{name} Requires: %{name} = %{version}-%{release} Requires: perl(:MODULE_COMPAT_%(eval "`%{__perl} -V:version`"; echo $version)) + %description -n perl-%{name} -Perl bindings for %{name} are included in perl-%{name}. +perl-%{name} contains Perl bindings for %{name}. + %package -n python3-%{name} -Summary: Provide python 3 bindings for %{name} +Summary: Python 3 bindings for %{name} Requires: %{name} = %{version}-%{release} %description -n python3-%{name} -Python 3 bindings for %{name} are included in python3-%{name}. +python3-%{name} contains Python 3 bindings for %{name}. 
%package -n ruby-%{name} -Summary: Provide ruby bindings for %{name} +Summary: Ruby bindings for %{name} Requires: %{name} = %{version}-%{release} Requires: ruby(release) Requires: ruby Provides: ruby(hivex) = %{version} %description -n ruby-%{name} -Ruby bindings for %{name} are included ruby-%{name}. +ruby-%{name} contains Ruby bindings for %{name}. %prep tmphome="$(mktemp -d)" && gpgv2 --homedir "$tmphome" --keyring %{SOURCE2} %{SOURCE1} %{SOURCE0} -%autosetup -p1 -n %{name}-%{version} - -copy="$(mktemp -d)" && cp -a . "$copy" && mv "$copy" python3 +%autosetup -n %{name}-%{version} %build %configure \ + PYTHON=%{__python3} \ %if !%{with ocaml} --disable-ocaml \ %endif %{nil} %make_build V=1 INSTALLDIRS=vendor -cd python3 -%configure \ - PYTHON=/usr/bin/python3 \ - --disable-ocaml --disable-perl --disable-ruby -%make_build V=1 INSTALLDIRS=vendor -cd .. - %install -cd python3 -%make_install INSTALLDIRS=vendor -cd .. %make_install INSTALLDIRS=vendor %find_lang %{name} @@ -143,8 +168,6 @@ cd .. %check make check -cd python3 && make check && cd .. - %files -f %{name}.lang %doc README LICENSE @@ -211,6 +234,9 @@ cd python3 && make check && cd .. %changelog +* Wed Oct 12 2022 hantingxiang - 1.3.21-1 +- update version to 1.3.21 + * Fri Sep 24 2021 yaoxin - 1.3.17-5 - Fix CVE-2021-3622
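Review bot: The new `Summary:` of `ocaml-%{name}-devel` is `OCaml bindings for %{name}`, identical to the summary this hunk gives `ocaml-%{name}`, so the two subpackages cannot be told apart in package listings. Keeping a development qualifier, for example `Summary: Development files for the OCaml bindings of %{name}`, would match the new `%description`, which says the package contains the development libraries required to use the bindings.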