20221008: version upgrade, update spec

lordvv 2022-10-08 11:04:37 +08:00
parent ef0a09dbec
commit bdb4ba4518
7 changed files with 93 additions and 231 deletions


@ -1,72 +0,0 @@
From 8f1935733b10d974a1a4176d38dd151ed98cf381 Mon Sep 17 00:00:00 2001
From: "Richard W.M. Jones" <rjones@redhat.com>
Date: Thu, 15 Apr 2021 15:50:13 +0100
Subject: [PATCH] lib/handle.c: Bounds check for block exceeding page length
(CVE-2021-3504)
Hives are encoded as fixed-sized pages containing smaller variable-
length blocks:
+-------------------+-------------------+-------------------+--
| header |[ blk ][blk][ blk ]|[blk][blk][blk] |
+-------------------+-------------------+-------------------+--
Blocks should not straddle a page boundary. However because blocks
contain a 32 bit length field it is possible to construct an invalid
hive where the last block in a page overlaps either the next page or
the end of the file:
+-------------------+-------------------+
| header |[ blk ][blk][ blk ..... ]
+-------------------+-------------------+
Hivex lacked a bounds check and would process the registry. Because
the rest of the code assumes this situation can never happen it was
possible to have a block containing some field (eg. a registry key
name) which would extend beyond the end of the file. Hivex mmaps or
mallocs the file, causing hivex to read memory beyond the end of the
mapped region, resulting in reading other memory structures or a
crash. (Writing beyond the end of the mapped region seems to be
impossible because we always allocate a new page before writing.)
This commit adds a check which rejects the malformed registry on
hivex_open.
Credit: Jeremy Galindo, Sr Security Engineer, Datto.com
Signed-off-by: Richard W.M. Jones <rjones@redhat.com>
Fixes: CVE-2021-3504
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1949687
---
lib/handle.c | 12 ++++++++++--
1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/lib/handle.c b/lib/handle.c
index 88b1563..2e4231a 100644
--- a/lib/handle.c
+++ b/lib/handle.c
@@ -353,8 +353,8 @@ hivex_open (const char *filename, int flags)
#pragma GCC diagnostic pop
if (is_root || !h->unsafe) {
SET_ERRNO (ENOTSUP,
- "%s, the block at 0x%zx has invalid size %" PRIu32
- ", bad registry",
+ "%s, the block at 0x%zx size %" PRIu32
+ " <= 4 or not a multiple of 4, bad registry",
filename, blkoff, le32toh (block->seg_len));
goto error;
} else {
@@ -365,6 +365,14 @@ hivex_open (const char *filename, int flags)
}
}
+ if (blkoff + seg_len > off + page_size) {
+ SET_ERRNO (ENOTSUP,
+ "%s, the block at 0x%zx size %" PRIu32
+ " extends beyond the current page, bad registry",
+ filename, blkoff, le32toh (block->seg_len));
+ goto error;
+ }
+
if (h->msglvl >= 2) {
unsigned char *id = (unsigned char *) block->id;
int id0 = id[0], id1 = id[1];


@ -1,92 +0,0 @@
From 771728218dac2fbf6997a7e53225e75a4c6b7255 Mon Sep 17 00:00:00 2001
From: "Richard W.M. Jones" <rjones@redhat.com>
Date: Thu, 8 Jul 2021 19:00:45 +0100
Subject: [PATCH] lib/node.c: Limit recursion in ri-records (CVE-2021-3622)
Windows Registry hive "ri"-records are arbitrarily nested B-tree-like
structures:
+-------------+
| ri |
|-------------|
| nr_offsets |
| offset[0] ------> points to another lf/lh/li/ri block
| offset[1] ------>
| offset[2] ------>
+-------------+
It is possible to construct a hive with a very deeply nested tree of
ri-records, causing the internal _get_children function to recurse to
any depth which can cause programs linked to hivex to crash with a
stack overflow.
Since it is not thought that deeply nested ri-records occur in real
hives, limit recursion depth. If you hit this limit you will see the
following error and the operation will return an error instead of
crashing:
\> ls
hivex: _get_children: returning EINVAL because: ri-record nested to depth >= 32
ls: Invalid argument
Thanks to Jeremy Galindo for finding and reporting this bug.
Reported-by: Jeremy Galindo, Sr Security Engineer, Datto.com
Signed-off-by: Richard W.M. Jones <rjones@redhat.com>
Fixes: CVE-2021-3622
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1975489
(cherry picked from commit 781a12c4a49dd81365c9c567c5aa5e19e894ba0e)
---
lib/node.c | 18 ++++++++++++++----
1 file changed, 14 insertions(+), 4 deletions(-)
diff --git a/lib/node.c b/lib/node.c
index 7b002a4..eb7fe93 100644
--- a/lib/node.c
+++ b/lib/node.c
@@ -203,7 +203,7 @@ hivex_node_classname (hive_h *h, hive_node_h node)
static int _get_children (hive_h *h, hive_node_h blkoff,
offset_list *children, offset_list *blocks,
- int flags);
+ int flags, unsigned depth);
static int check_child_is_nk_block (hive_h *h, hive_node_h child, int flags);
/* Iterate over children (ie. subkeys of a node), returning child
@@ -335,7 +335,7 @@ _hivex_get_children (hive_h *h, hive_node_h node,
goto error;
}
- if (_get_children (h, subkey_lf, &children, &blocks, flags) == -1)
+ if (_get_children (h, subkey_lf, &children, &blocks, flags, 0) == -1)
goto error;
/* Check the number of children we ended up reading matches
@@ -383,7 +383,7 @@ _hivex_get_children (hive_h *h, hive_node_h node,
static int
_get_children (hive_h *h, hive_node_h blkoff,
offset_list *children, offset_list *blocks,
- int flags)
+ int flags, unsigned depth)
{
/* Add this intermediate block. */
if (_hivex_add_to_offset_list (blocks, blkoff) == -1)
@@ -486,7 +486,17 @@ _get_children (hive_h *h, hive_node_h blkoff,
}
}
- if (_get_children (h, offset, children, blocks, flags) == -1)
+ /* Although in theory hive ri records might be nested to any
+ * depth, in practice this is unlikely. Recursing here caused
+ * CVE-2021-3622. Thus limit the depth we will recurse to
+ * something small.
+ */
+ if (depth >= 32) {
+ SET_ERRNO (EINVAL, "ri-record nested to depth >= %u", depth);
+ return -1;
+ }
+
+ if (_get_children (h, offset, children, blocks, flags, depth+1) == -1)
return -1;
}
}

Binary file not shown.


@ -1,17 +0,0 @@
-----BEGIN PGP SIGNATURE-----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=+f/m
-----END PGP SIGNATURE-----

BIN
hivex-1.3.21.tar.gz Normal file

Binary file not shown.

17
hivex-1.3.21.tar.gz.sig Normal file

@ -0,0 +1,17 @@
-----BEGIN PGP SIGNATURE-----
iQJFBAABCAAvFiEE93dPsa0HSn6Mh2fqkXOPc+G3aKAFAmEHr1sRHHJpY2hAYW5u
ZXhpYS5vcmcACgkQkXOPc+G3aKAdQRAAnKp8vh3Mn73YpNBzA4PgQm/wkhwU0vlG
WEpcbz5sJnxd51XsLfPbHLC99CN3A47WBbwvUVlbY6QIzEgonKJvsWYPnRi9DURG
9rrHGPNixitS+eZCwyhhqjDXzujQOC7h0YBRxOHp2HTE2uQ+l15o6H0i6sr2vNkG
QwiUI50YVhtaAi3DVaXpPbb2vlA+3K6ImeLPQrSB+em1+n0g40Wze6B2tHN5wtxB
XMRN8Hlw+Emc3Fe0Bx/4apg6YRqnXXCGyTyx25zHgtnf8cocOvjamt/cqsN3IspP
pOi9aD4+LmPuToLzTfReLwmacch3p+QA4ZjSfcqmSXOpdl6ZtIBGHg3587Zv3j5+
1WvpVVTeRsV8neRg9H+bnLFhjvCjbU+pPylmW+HdWargqFrzlhFrLAvGTzKhxWNy
r3Xmbe/XnHHTWYeojg8mTZQ5mYt5MYfpbmywZusoyqhWVZV+bAHKJFk1q0UWLjfo
L+TkJLka9wjB4r4uPylZion92hW4QEh3lRg7SJU6qfIvmOJMaihRWK77c4S7BvZ2
NG05XST/cRyZviSRtGbllqhzBjS50zl5oCCmwu/L4muZGaBYT0/DiQgvM8TI1XeB
9si16xg+KdE76tR+5g+Hn9Mh6ywi7hwp55UZHnRmgvvXHB6spBG2LQNqVNtPkWJV
CzY9MsNqjVc=
=y80J
-----END PGP SIGNATURE-----


@ -5,47 +5,78 @@
%endif
Name: hivex
Version: 1.3.17
Release: 5
Summary: Windows Registry "hive" extraction library
Version: 1.3.21
Release: 1
Summary: Read and write Windows Registry binary hive files
License: LGPLv2
URL: http://libguestfs.org/
Source0: http://libguestfs.org/download/hivex/%{name}-%{version}.tar.gz
Source1: http://libguestfs.org/download/hivex/%{name}-%{version}.tar.gz.sig
Source2: libguestfs.keyring
Patch0: CVE-2021-3504.patch
Patch1: CVE-2021-3622.patch
BuildRequires: perl-interpreter, perl, perl-podlators, perl-devel, perl-generators, perl(bytes), perl(Carp), perl(Encode), perl(ExtUtils::MakeMaker), perl(Exporter), perl(IO::Scalar), perl(IO::Stringy), perl(strict), perl(Test::More), perl(utf8), perl(vars), perl(warnings), perl(XSLoader), perl(Test::Pod) >= 1.00, perl(Test::Pod::Coverage) >= 1.00
BuildRequires: perl-interpreter
BuildRequires: perl-devel
BuildRequires: perl-generators
BuildRequires: %{_bindir}/pod2html
BuildRequires: %{_bindir}/pod2man
BuildRequires: perl(bytes)
BuildRequires: perl(Carp)
BuildRequires: perl(Encode)
BuildRequires: perl(ExtUtils::MakeMaker)
BuildRequires: perl(Exporter)
BuildRequires: perl(IO::Scalar)
BuildRequires: perl(IO::Stringy)
BuildRequires: perl(strict)
BuildRequires: perl(Test::More)
BuildRequires: perl(utf8)
BuildRequires: perl(vars)
BuildRequires: perl(warnings)
BuildRequires: perl(XSLoader)
BuildRequires: perl(Test::Pod) >= 1.00
BuildRequires: perl(Test::Pod::Coverage) >= 1.00
%if %{with ocaml}
BuildRequires: ocaml
BuildRequires: ocaml-findlib-devel
%endif
BuildRequires: python3-devel
BuildRequires: ruby-devel
BuildRequires: rubygem-rake
BuildRequires: rubygem(json)
BuildRequires: rubygem(minitest)
BuildRequires: rubygem(rdoc)
BuildRequires: readline-devel
BuildRequires: libxml2-devel
BuildRequires: gnupg2
BuildRequires: make
BuildRequires: python3-devel, ruby-devel, rubygem-rake, rubygem(json), rubygem(minitest), rubygem(rdoc), readline-devel, libxml2-devel, gnupg2
Provides: bundled(gnulib)
Provides: bundled(gnulib)
%description
Hivex is a library for extracting the contents of Windows Registry "hive" files. It is designed to be secure against buggy or
malicious registry files.
Hive files are the undocumented binary files that Windows uses to store the Windows Registry on disk.
Hivex is a library that can read and write to these files.
Unlike other tools in this area, it doesn't use the textual .REG format, because parsing that is as much trouble as parsing the
original binary format. Instead it makes the file available through a C API, and then wraps this API in higher level scripting and GUI
tools.
'hivexsh' is a shell you can use to interactively navigate a hive binary file.
There is a separate program to export the hive as XML (see hivexml(1)), or to navigate the file (see hivexsh(1)). There is also a Perl
script to export and merge the file as a textual .REG (regedit) file, see hivexregedit(1).
'hivexregedit' (in perl-hivex) lets you export and merge to the textual regedit format.
If you just want to export or modify the Registry of a Windows virtual machine, you should look at virt-win-reg(1).
'hivexml' can be used to convert a hive file to a more useful XML format.
Hivex is also comes with language bindings for OCaml, Perl, Python and Ruby.
In order to get access to the hive files themselves, you can copy them from a Windows machine. They are
usually found in %%systemroot%%\system32\config. For virtual machines we recommend using libguestfs or
guestfish to copy out these files. libguestfs also provides a useful high-level tool called 'virt-win-reg'
(based on hivex technology) which can be used to query specific registry keys in an existing Windows VM.
For OCaml bindings, see 'ocaml-hivex-devel'.
For Perl bindings, see 'perl-hivex'.
For Python 3 bindings, see 'python3-hivex'.
For Ruby bindings, see 'ruby-hivex'.
%package devel
Summary: Development package for %{name}
Summary: Development tools and libraries for %{name}
Requires: %{name} = %{version}-%{release}
Requires: pkgconfig
@ -53,7 +84,7 @@ Provides: %{name}-static = %{version}-%{release}
Obsoletes: %{name}-static < %{version}-%{release}
%description devel
Development tools and libraries for %{name} are included in %{name}-devel.
%{name}-devel contains development tools and libraries for %{name}.
%package_help
@ -61,80 +92,74 @@ Development tools and libraries for %{name} are included in %{name}-devel.
%if %{with ocaml}
%package -n ocaml-%{name}
Summary: Provide OCaml bindings for %{name}
Summary: OCaml bindings for %{name}
Requires: %{name} = %{version}-%{release}
%description -n ocaml-%{name}
OCaml bindings for %{name} are included in ocaml-%{name}.
Only for toplevel and scripting access. To compile OCaml
programs which use %{name} you will also need ocaml-%{name}-devel package.
%description -n ocaml-%{name}
ocaml-%{name} contains OCaml bindings for %{name}.
This is for toplevel and scripting access only. To compile OCaml
programs which use %{name} you will also need ocaml-%{name}-devel.
%package -n ocaml-%{name}-devel
Summary: Development package for %{name} OCaml bindings
Summary: OCaml bindings for %{name}
Requires: ocaml-%{name} = %{version}-%{release}
Requires: %{name}-devel = %{version}-%{release}
%description -n ocaml-%{name}-devel
Development libraries required to use the OCaml bindings for %{name} are in ocaml-%{name}-devel.
ocaml-%{name}-devel contains development libraries
required to use the OCaml bindings for %{name}.
%endif
%package -n perl-%{name}
Summary: Provide perl bindings for %{name}
Summary: Perl bindings for %{name}
Requires: %{name} = %{version}-%{release}
Requires: perl(:MODULE_COMPAT_%(eval "`%{__perl} -V:version`"; echo $version))
%description -n perl-%{name}
Perl bindings for %{name} are included in perl-%{name}.
perl-%{name} contains Perl bindings for %{name}.
%package -n python3-%{name}
Summary: Provide python 3 bindings for %{name}
Summary: Python 3 bindings for %{name}
Requires: %{name} = %{version}-%{release}
%description -n python3-%{name}
Python 3 bindings for %{name} are included in python3-%{name}.
python3-%{name} contains Python 3 bindings for %{name}.
%package -n ruby-%{name}
Summary: Provide ruby bindings for %{name}
Summary: Ruby bindings for %{name}
Requires: %{name} = %{version}-%{release}
Requires: ruby(release)
Requires: ruby
Provides: ruby(hivex) = %{version}
%description -n ruby-%{name}
Ruby bindings for %{name} are included ruby-%{name}.
ruby-%{name} contains Ruby bindings for %{name}.
%prep
tmphome="$(mktemp -d)" && gpgv2 --homedir "$tmphome" --keyring %{SOURCE2} %{SOURCE1} %{SOURCE0}
%autosetup -p1 -n %{name}-%{version}
copy="$(mktemp -d)" && cp -a . "$copy" && mv "$copy" python3
%autosetup -n %{name}-%{version}
%build
%configure \
PYTHON=%{__python3} \
%if !%{with ocaml}
--disable-ocaml \
%endif
%{nil}
%make_build V=1 INSTALLDIRS=vendor
cd python3
%configure \
PYTHON=/usr/bin/python3 \
--disable-ocaml --disable-perl --disable-ruby
%make_build V=1 INSTALLDIRS=vendor
cd ..
%install
cd python3
%make_install INSTALLDIRS=vendor
cd ..
%make_install INSTALLDIRS=vendor
%find_lang %{name}
@ -143,8 +168,6 @@ cd ..
%check
make check
cd python3 && make check && cd ..
%files -f %{name}.lang
%doc README LICENSE
@ -211,6 +234,9 @@ cd python3 && make check && cd ..
%changelog
* Wed Oct 12 2022 hantingxiang <hantingxiang@gmail.com> - 1.3.21-1
- update version to 1.3.21
* Fri Sep 24 2021 yaoxin <yaoxin30@huawei.com> - 1.3.17-5
- Fix CVE-2021-3622
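Review bot: The new `%changelog` entry records only `- update version to 1.3.21`, although the same change drops `Patch0: CVE-2021-3504.patch` and `Patch1: CVE-2021-3622.patch`, deletes both patch files, and removes `-p1` from `%autosetup`. Anyone auditing the package's CVE status from the changelog cannot tell that the fixes are now expected to come from the tarball. I would add a line such as `- drop CVE-2021-3504.patch and CVE-2021-3622.patch, fixed upstream in 1.3.21`, after confirming that the 1.3.21 sources contain the page-bounds check in `hivex_open` and the ri-record depth limit in `_get_children`. Separately, the rendered `%prep` does not make clear whether the `gpgv2 --homedir "$tmphome" --keyring %{SOURCE2} %{SOURCE1} %{SOURCE0}` line survives. Since `Source1`, `Source2` and `gnupg2` are still listed and a new `.sig` is committed, that check should remain ahead of `%autosetup` so the replaced tarball is still verified at build time.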