20221008: version upgrade, update spec

2022-10-08 11:04:37 +08:00 · 2022-10-08 11:04:37 +08:00 · bdb4ba4518
commit bdb4ba4518
parent ef0a09dbec
7 changed files with 93 additions and 231 deletions
--- a/CVE-2021-3504.patch
+++ b/CVE-2021-3504.patch
@ -1,72 +0,0 @@
 From 8f1935733b10d974a1a4176d38dd151ed98cf381 Mon Sep 17 00:00:00 2001
 From: "Richard W.M. Jones" <rjones@redhat.com>
 Date: Thu, 15 Apr 2021 15:50:13 +0100
 Subject: [PATCH] lib/handle.c: Bounds check for block exceeding page length
 (CVE-2021-3504)
 Hives are encoded as fixed-sized pages containing smaller variable-
 length blocks:
  +-------------------+-------------------+-------------------+--
  | header            |[ blk ][blk][ blk ]|[blk][blk][blk]    |
  +-------------------+-------------------+-------------------+--
 Blocks should not straddle a page boundary.  However because blocks
 contain a 32 bit length field it is possible to construct an invalid
 hive where the last block in a page overlaps either the next page or
 the end of the file:
  +-------------------+-------------------+
  | header            |[ blk ][blk][ blk ..... ]
  +-------------------+-------------------+
 Hivex lacked a bounds check and would process the registry.  Because
 the rest of the code assumes this situation can never happen it was
 possible to have a block containing some field (eg. a registry key
 name) which would extend beyond the end of the file.  Hivex mmaps or
 mallocs the file, causing hivex to read memory beyond the end of the
 mapped region, resulting in reading other memory structures or a
 crash.  (Writing beyond the end of the mapped region seems to be
 impossible because we always allocate a new page before writing.)
 This commit adds a check which rejects the malformed registry on
 hivex_open.
 Credit: Jeremy Galindo, Sr Security Engineer, Datto.com
 Signed-off-by: Richard W.M. Jones <rjones@redhat.com>
 Fixes: CVE-2021-3504
 Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1949687
 ---
 lib/handle.c | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)
 diff --git a/lib/handle.c b/lib/handle.c
 index 88b1563..2e4231a 100644
 --- a/lib/handle.c
 +++ b/lib/handle.c
@@ -353,8 +353,8 @@ hivex_open (const char *filename, int flags)
 #pragma GCC diagnostic pop
         if (is_root || !h->unsafe) {
           SET_ERRNO (ENOTSUP,
 -                     "%s, the block at 0x%zx has invalid size %" PRIu32
 -                     ", bad registry",
 +                     "%s, the block at 0x%zx size %" PRIu32
 +                     " <= 4 or not a multiple of 4, bad registry",
                      filename, blkoff, le32toh (block->seg_len));
           goto error;
         } else {
@@ -365,6 +365,14 @@ hivex_open (const char *filename, int flags)
         }
       }
 +      if (blkoff + seg_len > off + page_size) {
 +        SET_ERRNO (ENOTSUP,
 +                   "%s, the block at 0x%zx size %" PRIu32
 +                   " extends beyond the current page, bad registry",
 +                   filename, blkoff, le32toh (block->seg_len));
 +        goto error;
 +      }
 +
       if (h->msglvl >= 2) {
         unsigned char *id = (unsigned char *) block->id;
         int id0 = id[0], id1 = id[1];
--- a/CVE-2021-3622.patch
+++ b/CVE-2021-3622.patch
@ -1,92 +0,0 @@
 From 771728218dac2fbf6997a7e53225e75a4c6b7255 Mon Sep 17 00:00:00 2001
 From: "Richard W.M. Jones" <rjones@redhat.com>
 Date: Thu, 8 Jul 2021 19:00:45 +0100
 Subject: [PATCH] lib/node.c: Limit recursion in ri-records (CVE-2021-3622)
 Windows Registry hive "ri"-records are arbitrarily nested B-tree-like
 structures:
  +-------------+
  | ri          |
  |-------------|
  | nr_offsets  |
  |   offset[0] ------>  points to another lf/lh/li/ri block
  |   offset[1] ------>
  |   offset[2] ------>
  +-------------+
 It is possible to construct a hive with a very deeply nested tree of
 ri-records, causing the internal _get_children function to recurse to
 any depth which can cause programs linked to hivex to crash with a
 stack overflow.
 Since it is not thought that deeply nested ri-records occur in real
 hives, limit recursion depth.  If you hit this limit you will see the
 following error and the operation will return an error instead of
 crashing:
  \> ls
  hivex: _get_children: returning EINVAL because: ri-record nested to depth >= 32
  ls: Invalid argument
 Thanks to Jeremy Galindo for finding and reporting this bug.
 Reported-by: Jeremy Galindo, Sr Security Engineer, Datto.com
 Signed-off-by: Richard W.M. Jones <rjones@redhat.com>
 Fixes: CVE-2021-3622
 Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1975489
 (cherry picked from commit 781a12c4a49dd81365c9c567c5aa5e19e894ba0e)
 ---
 lib/node.c | 18 ++++++++++++++----
 1 file changed, 14 insertions(+), 4 deletions(-)
 diff --git a/lib/node.c b/lib/node.c
 index 7b002a4..eb7fe93 100644
 --- a/lib/node.c
 +++ b/lib/node.c
@@ -203,7 +203,7 @@ hivex_node_classname (hive_h *h, hive_node_h node)
 static int _get_children (hive_h *h, hive_node_h blkoff,
                           offset_list *children, offset_list *blocks,
 -                          int flags);
 +                          int flags, unsigned depth);
 static int check_child_is_nk_block (hive_h *h, hive_node_h child, int flags);
 /* Iterate over children (ie. subkeys of a node), returning child
@@ -335,7 +335,7 @@ _hivex_get_children (hive_h *h, hive_node_h node,
     goto error;
   }
 -  if (_get_children (h, subkey_lf, &children, &blocks, flags) == -1)
 +  if (_get_children (h, subkey_lf, &children, &blocks, flags, 0) == -1)
     goto error;
   /* Check the number of children we ended up reading matches
@@ -383,7 +383,7 @@ _hivex_get_children (hive_h *h, hive_node_h node,
 static int
 _get_children (hive_h *h, hive_node_h blkoff,
                offset_list *children, offset_list *blocks,
 -               int flags)
 +               int flags, unsigned depth)
 {
   /* Add this intermediate block. */
   if (_hivex_add_to_offset_list (blocks, blkoff) == -1)
@@ -486,7 +486,17 @@ _get_children (hive_h *h, hive_node_h blkoff,
         }
       }
 -      if (_get_children (h, offset, children, blocks, flags) == -1)
 +      /* Although in theory hive ri records might be nested to any
 +       * depth, in practice this is unlikely.  Recursing here caused
 +       * CVE-2021-3622.  Thus limit the depth we will recurse to
 +       * something small.
 +       */
 +      if (depth >= 32) {
 +        SET_ERRNO (EINVAL, "ri-record nested to depth >= %u", depth);
 +        return -1;
 +      }
 +
 +      if (_get_children (h, offset, children, blocks, flags, depth+1) == -1)
         return -1;
     }
   }
--- a/hivex-1.3.17.tar.gz
+++ b/hivex-1.3.17.tar.gz
--- a/hivex-1.3.17.tar.gz.sig
+++ b/hivex-1.3.17.tar.gz.sig
@ -1,17 +0,0 @@
 -----BEGIN PGP SIGNATURE-----
 iQJFBAABCAAvFiEE93dPsa0HSn6Mh2fqkXOPc+G3aKAFAlxHnNsRHHJpY2hAYW5u
 ZXhpYS5vcmcACgkQkXOPc+G3aKCbkxAAortQKeA7TDTeiTk3dwI/tQ+4VVqe90lt
 L/xWnDtR6ZH5DZ4FgcJbaKx9PCBtaQxyFBjA5qcrEClK8fTfm3NGNPQuSX4YDN83
 3jJx2uOtM7Io5hpFrXeWC22m77dqQKeU0r1oblJtf1kK1SEef6HL44flCtGr+HlM
 37nwm29ToSl5Ksp9XvBqT5smQVuUPjqwcm+4jYUR88SnFmkTpneZYYTstDbqzvUm
 RT089O/q+4JLh6egfyA66wXTfzhsqe3HRZtG7pPhe+j/HBIfYmAigEi4Cm/6pFrc
 vNJAZ9KJ50no69A2jZ86Dfy4/4nwjYc/aDZ0vIZ4Fairj+LzTxQwfQeYk1BCqb2z
 XNNRl3pUDkrk3jrAPnxqR2z/2qsEgoSrVDEQlhVUZ1n/WOTqxst1F0YHOeHHWun5
 O1d2nV8i1A8JAysHx77smKscpKtu4jcymr4SmqXYSG90BvuqxJgpPsX6rln38DKX
 qA3Zj7wKkqOTBbX+JInBwMcWOzzAO38hQkQjuOG71CQ6CKVGdnovp4OHDcwsmkp4
 KbCjnXgIl5DOxCrnVaWtPV5Zy6smst982fG0zPD/m42Dz7+Tb4O1np8zfLH9C4Dx
 CdD3otIo0XOJM50Bvu9Oqn/SP8j8nDqMZtiCg+gXBRyVdl37EGqtwd/2bt7TRWSV
 xmddKuLdf6Q=
 =+f/m
 -----END PGP SIGNATURE-----
--- a/hivex-1.3.21.tar.gz
+++ b/hivex-1.3.21.tar.gz
--- a/hivex-1.3.21.tar.gz.sig
+++ b/hivex-1.3.21.tar.gz.sig
@ -0,0 +1,17 @@
 -----BEGIN PGP SIGNATURE-----
 iQJFBAABCAAvFiEE93dPsa0HSn6Mh2fqkXOPc+G3aKAFAmEHr1sRHHJpY2hAYW5u
 ZXhpYS5vcmcACgkQkXOPc+G3aKAdQRAAnKp8vh3Mn73YpNBzA4PgQm/wkhwU0vlG
 WEpcbz5sJnxd51XsLfPbHLC99CN3A47WBbwvUVlbY6QIzEgonKJvsWYPnRi9DURG
 9rrHGPNixitS+eZCwyhhqjDXzujQOC7h0YBRxOHp2HTE2uQ+l15o6H0i6sr2vNkG
 QwiUI50YVhtaAi3DVaXpPbb2vlA+3K6ImeLPQrSB+em1+n0g40Wze6B2tHN5wtxB
 XMRN8Hlw+Emc3Fe0Bx/4apg6YRqnXXCGyTyx25zHgtnf8cocOvjamt/cqsN3IspP
 pOi9aD4+LmPuToLzTfReLwmacch3p+QA4ZjSfcqmSXOpdl6ZtIBGHg3587Zv3j5+
 1WvpVVTeRsV8neRg9H+bnLFhjvCjbU+pPylmW+HdWargqFrzlhFrLAvGTzKhxWNy
 r3Xmbe/XnHHTWYeojg8mTZQ5mYt5MYfpbmywZusoyqhWVZV+bAHKJFk1q0UWLjfo
 L+TkJLka9wjB4r4uPylZion92hW4QEh3lRg7SJU6qfIvmOJMaihRWK77c4S7BvZ2
 NG05XST/cRyZviSRtGbllqhzBjS50zl5oCCmwu/L4muZGaBYT0/DiQgvM8TI1XeB
 9si16xg+KdE76tR+5g+Hn9Mh6ywi7hwp55UZHnRmgvvXHB6spBG2LQNqVNtPkWJV
 CzY9MsNqjVc=
 =y80J
 -----END PGP SIGNATURE-----
--- a/hivex.spec
+++ b/hivex.spec
@ -5,47 +5,78 @@
 %endif
 Name:           hivex
-Version:        1.3.17
+Version:        1.3.21
-Release:        5
+Release:        1
-Summary:        Windows Registry "hive" extraction library
+Summary:        Read and write Windows Registry binary hive files
 License:        LGPLv2
 URL:            http://libguestfs.org/
 Source0:        http://libguestfs.org/download/hivex/%{name}-%{version}.tar.gz
 Source1:        http://libguestfs.org/download/hivex/%{name}-%{version}.tar.gz.sig
 Source2:        libguestfs.keyring
 Patch0:         CVE-2021-3504.patch
 Patch1:         CVE-2021-3622.patch
 BuildRequires:  perl-interpreter, perl, perl-podlators, perl-devel, perl-generators, perl(bytes), perl(Carp), perl(Encode), perl(ExtUtils::MakeMaker), perl(Exporter), perl(IO::Scalar), perl(IO::Stringy), perl(strict), perl(Test::More), perl(utf8), perl(vars), perl(warnings), perl(XSLoader), perl(Test::Pod) >= 1.00, perl(Test::Pod::Coverage) >= 1.00
 BuildRequires:  perl-interpreter
 BuildRequires:  perl-devel
 BuildRequires:  perl-generators
 BuildRequires:  %{_bindir}/pod2html
 BuildRequires:  %{_bindir}/pod2man
 BuildRequires:  perl(bytes)
 BuildRequires:  perl(Carp)
 BuildRequires:  perl(Encode)
 BuildRequires:  perl(ExtUtils::MakeMaker)
 BuildRequires:  perl(Exporter)
 BuildRequires:  perl(IO::Scalar)
 BuildRequires:  perl(IO::Stringy)
 BuildRequires:  perl(strict)
 BuildRequires:  perl(Test::More)
 BuildRequires:  perl(utf8)
 BuildRequires:  perl(vars)
 BuildRequires:  perl(warnings)
 BuildRequires:  perl(XSLoader)
 BuildRequires:  perl(Test::Pod) >= 1.00
 BuildRequires:  perl(Test::Pod::Coverage) >= 1.00
 %if %{with ocaml}
 BuildRequires:  ocaml
 BuildRequires:  ocaml-findlib-devel
 %endif
 BuildRequires:  python3-devel
 BuildRequires:  ruby-devel
 BuildRequires:  rubygem-rake
 BuildRequires:  rubygem(json)
 BuildRequires:  rubygem(minitest)
 BuildRequires:  rubygem(rdoc)
 BuildRequires:  readline-devel
 BuildRequires:  libxml2-devel
 BuildRequires:  gnupg2
 BuildRequires:  make
-BuildRequires:  python3-devel, ruby-devel, rubygem-rake, rubygem(json), rubygem(minitest), rubygem(rdoc), readline-devel, libxml2-devel, gnupg2
+Provides:       bundled(gnulib)
 Provides:      bundled(gnulib)
 %description
-Hivex is a library for extracting the contents of Windows Registry "hive" files.  It is designed to be secure against buggy or
+Hive files are the undocumented binary files that Windows uses to store the Windows Registry on disk.  
-malicious registry files.
+Hivex is a library that can read and write to these files.
-Unlike other tools in this area, it doesn't use the textual .REG format, because parsing that is as much trouble as parsing the
+'hivexsh' is a shell you can use to interactively navigate a hive binary file.
 original binary format.  Instead it makes the file available through a C API, and then wraps this API in higher level scripting and GUI
 tools.
-There is a separate program to export the hive as XML (see hivexml(1)), or to navigate the file (see hivexsh(1)).  There is also a Perl
+'hivexregedit' (in perl-hivex) lets you export and merge to the textual regedit format.
 script to export and merge the file as a textual .REG (regedit) file, see hivexregedit(1).
-If you just want to export or modify the Registry of a Windows virtual machine, you should look at virt-win-reg(1).
+'hivexml' can be used to convert a hive file to a more useful XML format.
-Hivex is also comes with language bindings for OCaml, Perl, Python and Ruby.
+In order to get access to the hive files themselves, you can copy them from a Windows machine.  They are 
 usually found in %%systemroot%%\system32\config.  For virtual machines we recommend using libguestfs or 
 guestfish to copy out these files.  libguestfs also provides a useful high-level tool called 'virt-win-reg'
 (based on hivex technology) which can be used to query specific registry keys in an existing Windows VM.
 For OCaml bindings, see 'ocaml-hivex-devel'.
 For Perl bindings, see 'perl-hivex'.
 For Python 3 bindings, see 'python3-hivex'.
 For Ruby bindings, see 'ruby-hivex'.
 %package devel
-Summary:        Development package for %{name}
+Summary:        Development tools and libraries for %{name}
 Requires:       %{name} = %{version}-%{release}
 Requires:       pkgconfig
@ -53,7 +84,7 @@ Provides:       %{name}-static = %{version}-%{release}
 Obsoletes:      %{name}-static < %{version}-%{release}
 %description devel
-Development tools and libraries for %{name} are included in %{name}-devel.
+%{name}-devel contains development tools and libraries for %{name}.
 %package_help
@ -61,80 +92,74 @@ Development tools and libraries for %{name} are included in %{name}-devel.
 %if %{with ocaml}
 %package -n ocaml-%{name}
-Summary:       Provide OCaml bindings for %{name}
+Summary:       OCaml bindings for %{name}
 Requires:      %{name} = %{version}-%{release}
 %description -n ocaml-%{name}
 OCaml bindings for %{name} are included in ocaml-%{name}.
-Only for toplevel and scripting access. To compile OCaml
+%description -n ocaml-%{name}
-programs which use %{name} you will also need ocaml-%{name}-devel package.
+ocaml-%{name} contains OCaml bindings for %{name}.
 This is for toplevel and scripting access only.  To compile OCaml
 programs which use %{name} you will also need ocaml-%{name}-devel.
 %package -n ocaml-%{name}-devel
-Summary:       Development package for %{name} OCaml bindings
+Summary:       OCaml bindings for %{name}
 Requires:      ocaml-%{name} = %{version}-%{release}
 Requires:      %{name}-devel = %{version}-%{release}
 %description -n ocaml-%{name}-devel
-Development libraries required to use the OCaml bindings for %{name} are in ocaml-%{name}-devel.
+ocaml-%{name}-devel contains development libraries
 required to use the OCaml bindings for %{name}.
 %endif
 %package -n perl-%{name}
-Summary:       Provide perl bindings for %{name}
+Summary:       Perl bindings for %{name}
 Requires:      %{name} = %{version}-%{release}
 Requires:      perl(:MODULE_COMPAT_%(eval "`%{__perl} -V:version`"; echo $version))
 %description -n perl-%{name}
-Perl bindings for %{name} are included in perl-%{name}.
+perl-%{name} contains Perl bindings for %{name}.
 %package -n python3-%{name}
-Summary:       Provide python 3 bindings for %{name}
+Summary:       Python 3 bindings for %{name}
 Requires:      %{name} = %{version}-%{release}
 %description -n python3-%{name}
-Python 3 bindings for %{name} are included in python3-%{name}.
+python3-%{name} contains Python 3 bindings for %{name}.
 %package -n ruby-%{name}
-Summary:       Provide ruby bindings for %{name}
+Summary:       Ruby bindings for %{name}
 Requires:      %{name} = %{version}-%{release}
 Requires:      ruby(release)
 Requires:      ruby
 Provides:      ruby(hivex) = %{version}
 %description -n ruby-%{name}
-Ruby bindings for %{name} are included ruby-%{name}.
+ruby-%{name} contains Ruby bindings for %{name}.
 %prep
 tmphome="$(mktemp -d)" && gpgv2 --homedir "$tmphome" --keyring %{SOURCE2} %{SOURCE1} %{SOURCE0}
-%autosetup -p1 -n %{name}-%{version}
+%autosetup -n %{name}-%{version}
 copy="$(mktemp -d)" && cp -a . "$copy" && mv "$copy" python3
 %build
 %configure \
    PYTHON=%{__python3} \
 %if !%{with ocaml}
    --disable-ocaml \
 %endif
    %{nil}
 %make_build V=1 INSTALLDIRS=vendor
 cd python3
 %configure \
    PYTHON=/usr/bin/python3 \
    --disable-ocaml --disable-perl --disable-ruby
 %make_build V=1 INSTALLDIRS=vendor
 cd ..
 %install
 cd python3
 %make_install INSTALLDIRS=vendor
 cd ..
 %make_install INSTALLDIRS=vendor
 %find_lang %{name}
@ -143,8 +168,6 @@ cd ..
 %check
 make check
 cd python3 && make check && cd ..
 %files -f %{name}.lang
 %doc README LICENSE
@ -211,6 +234,9 @@ cd python3 && make check && cd ..
 %changelog
 * Wed Oct 12 2022 hantingxiang <hantingxiang@gmail.com> - 1.3.21-1
 - update version to 1.3.21
 * Fri Sep 24 2021 yaoxin <yaoxin30@huawei.com> - 1.3.17-5
 - Fix CVE-2021-3622