diff --git a/CVE-2021-33640-fix-memory-leak-and-use-after-free-bugs.patch b/CVE-2021-33640-fix-memory-leak-and-use-after-free-bugs.patch new file mode 100644 index 0000000..e4dd143 --- /dev/null +++ b/CVE-2021-33640-fix-memory-leak-and-use-after-free-bugs.patch @@ -0,0 +1,99 @@ +From 056f9dbfe9e9c27452629ec48ef70686328e5a3c Mon Sep 17 00:00:00 2001 +From: shixuantong +Date: Thu, 24 Nov 2022 21:28:49 +0800 +Subject: [PATCH] fix memory leak and use-after-free bugs of struct TAR + *t + +[1] fix CVE-2021-33640 +The error information is as fllows: +Error: USE_AFTER_FREE (CWE-416): +libtar-v1.2.20/libtar/libtar.c:220:freeed_arg: "tar_close" frees "t". +libtar-v1.2.20/libtar/libtar.c:222:deref_after_free: Dereferencing freed +pointer "t". +# 220| if (tar_close(t) != 0) +# 221| { +# 222|-> free_longlink_longname(t->th_buf); +# 223| fprintf(stderr, "tar_close: %s\n", strerror(errno)); +# 224| return -1; + +Error: USE_AFTER_FREE(CWE-416): +libtar-v1.2.20/libtar/libtar.c:220:freeed_arg:"tar_close" frees "t". +libtar-v1.2.20/libtar/libtar.c:227:deref_after_free: Dereferencing freed +pointer"t". +# 225| } +# 226| +# 227|-> free_longlink_longname(t->th_buf); +# 228| return 0; +# 229|} + +The pointer "t" is freed in tar_close() function, but the pointer "t" is +still used after tar_close() is called in the list() function. Now, we put + the free_longlink_longname() function in tar_close() function. + +[2]fix one memory leak bug: +Release the memory of variable "TAR *t" in lib/extract.c:list() +--- + lib/handle.c | 1 + + lib/util.c | 6 ++++++ + libtar/libtar.c | 4 +--- + 3 files changed, 8 insertions(+), 3 deletions(-) + +diff --git a/lib/handle.c b/lib/handle.c +index 28a7dc2..ae829a9 100644 +--- a/lib/handle.c ++++ b/lib/handle.c +@@ -124,6 +124,7 @@ tar_close(TAR *t) + : (libtar_freefunc_t)tar_dev_free)); + if (t->th_pathname != NULL) + free(t->th_pathname); ++ free_longlink_longname(t->th_buf); + free(t); + + return i; +diff --git a/lib/util.c b/lib/util.c +index 8a42e62..108ce23 100644 +--- a/lib/util.c ++++ b/lib/util.c +@@ -164,7 +164,13 @@ int_to_oct_nonull(int num, char *oct, size_t octlen) + void free_longlink_longname(struct tar_header th_buf) + { + if (th_buf.gnu_longname != NULL) ++ { + free(th_buf.gnu_longname); ++ th_buf.gnu_longname = NULL; ++ } + if (th_buf.gnu_longlink !=NULL) ++ { + free(th_buf.gnu_longlink); ++ th_buf.gnu_longlink = NULL; ++ } + } +diff --git a/libtar/libtar.c b/libtar/libtar.c +index 7e7354f..8c89211 100644 +--- a/libtar/libtar.c ++++ b/libtar/libtar.c +@@ -196,7 +196,7 @@ list(char *tarfile) + { + fprintf(stderr, "tar_skip_regfile(): %s\n", + strerror(errno)); +- free_longlink_longname(t->th_buf); ++ tar_close(t); + return -1; + } + } +@@ -218,12 +218,10 @@ list(char *tarfile) + + if (tar_close(t) != 0) + { +- free_longlink_longname(t->th_buf); + fprintf(stderr, "tar_close(): %s\n", strerror(errno)); + return -1; + } + +- free_longlink_longname(t->th_buf); + return 0; + } + +-- +2.27.0 + diff --git a/libtar.spec b/libtar.spec index bfba2c9..46e9507 100644 --- a/libtar.spec +++ b/libtar.spec @@ -1,6 +1,6 @@ Name: libtar Version: 1.2.20 -Release: 24 +Release: 25 Summary: Library for manipulating tar files from within C programs. License: BSD URL: http://repo.or.cz/libtar.git @@ -15,6 +15,7 @@ Patch5: CVE-2013-4420.patch Patch9000: openEuler-CVE-2021-33643-CVE-2021-33644.patch Patch9001: openEuler-CVE-2021-33645-CVE-2021-33646.patch +Patch9002: CVE-2021-33640-fix-memory-leak-and-use-after-free-bugs.patch BuildRequires: libtool @@ -73,6 +74,9 @@ rm $RPM_BUILD_ROOT%{_libdir}/*.la %{_mandir}/man3/*.3* %changelog +* Thu Nov 24 2022 shixuantong - 1.2.20-25 +- fix memory leak and use-after-free bugs of struct TAR *t + * Fri Jul 29 2022 shixuantong - 1.2.20-24 - fix CVE-2021-33643 CVE-2021-33644 CVE-2021-33645 CVE-2021-33646