From 632b774a4f44d17914e6ef15c80da94dda95939c Mon Sep 17 00:00:00 2001 From: sxt1001 Date: Mon, 14 Sep 2020 16:35:07 +0800 Subject: [PATCH] fix CVE-2013-4420 --- CVE-2013-4420.patch | 113 ++++++++++++++++++++++++++++++++++++++++++++ libtar.spec | 6 ++- 2 files changed, 118 insertions(+), 1 deletion(-) create mode 100644 CVE-2013-4420.patch diff --git a/CVE-2013-4420.patch b/CVE-2013-4420.patch new file mode 100644 index 0000000..477d130 --- /dev/null +++ b/CVE-2013-4420.patch @@ -0,0 +1,113 @@ +Author: Raphael Geissert +Bug-Debian: https://bugs.debian.org/731860 +Description: Avoid directory traversal when extracting archives + by skipping over leading slashes and any prefix containing ".." components. +Forwarded: yes + +--- a/lib/decode.c ++++ b/lib/decode.c +@@ -22,13 +22,42 @@ + # include + #endif + ++char * ++safer_name_suffix (char const *file_name) ++{ ++ char const *p, *t; ++ p = t = file_name; ++ while (*p == '/') t = ++p; ++ while (*p) ++ { ++ while (p[0] == '.' && p[0] == p[1] && p[2] == '/') ++ { ++ p += 3; ++ t = p; ++ } ++ /* advance pointer past the next slash */ ++ while (*p && (p++)[0] != '/'); ++ } ++ ++ if (!*t) ++ { ++ t = "."; ++ } ++ ++ if (t != file_name) ++ { ++ /* TODO: warn somehow that the path was modified */ ++ } ++ return (char*)t; ++} ++ + + /* determine full path name */ + char * + th_get_pathname(TAR *t) + { + if (t->th_buf.gnu_longname) +- return t->th_buf.gnu_longname; ++ return safer_name_suffix(t->th_buf.gnu_longname); + + /* allocate the th_pathname buffer if not already */ + if (t->th_pathname == NULL) +@@ -51,7 +80,7 @@ th_get_pathname(TAR *t) + } + + /* will be deallocated in tar_close() */ +- return t->th_pathname; ++ return safer_name_suffix(t->th_pathname); + } + + +--- a/lib/extract.c ++++ b/lib/extract.c +@@ -298,14 +298,14 @@ tar_extract_hardlink(TAR * t, char *real + if (mkdirhier(dirname(filename)) == -1) + return -1; + libtar_hashptr_reset(&hp); +- if (libtar_hash_getkey(t->h, &hp, th_get_linkname(t), ++ if (libtar_hash_getkey(t->h, &hp, safer_name_suffix(th_get_linkname(t)), + (libtar_matchfunc_t)libtar_str_match) != 0) + { + lnp = (char *)libtar_hashptr_data(&hp); + linktgt = &lnp[strlen(lnp) + 1]; + } + else +- linktgt = th_get_linkname(t); ++ linktgt = safer_name_suffix(th_get_linkname(t)); + + #ifdef DEBUG + printf(" ==> extracting: %s (link to %s)\n", filename, linktgt); +@@ -343,9 +343,9 @@ tar_extract_symlink(TAR *t, char *realna + + #ifdef DEBUG + printf(" ==> extracting: %s (symlink to %s)\n", +- filename, th_get_linkname(t)); ++ filename, safer_name_suffix(th_get_linkname(t))); + #endif +- if (symlink(th_get_linkname(t), filename) == -1) ++ if (symlink(safer_name_suffix(th_get_linkname(t)), filename) == -1) + { + #ifdef DEBUG + perror("symlink()"); +--- a/lib/internal.h ++++ b/lib/internal.h +@@ -21,3 +21,4 @@ + #define TLS_THREAD + #endif + ++char* safer_name_suffix(char const*); +--- a/lib/output.c ++++ b/lib/output.c +@@ -123,9 +123,9 @@ th_print_long_ls(TAR *t) + else + printf(" link to "); + if ((t->options & TAR_GNU) && t->th_buf.gnu_longlink != NULL) +- printf("%s", t->th_buf.gnu_longlink); ++ printf("%s", safer_name_suffix(t->th_buf.gnu_longlink)); + else +- printf("%.100s", t->th_buf.linkname); ++ printf("%.100s", safer_name_suffix(t->th_buf.linkname)); + } + + putchar('\n'); diff --git a/libtar.spec b/libtar.spec index 96e439a..e69e6bb 100644 --- a/libtar.spec +++ b/libtar.spec @@ -1,6 +1,6 @@ Name: libtar Version: 1.2.20 -Release: 17 +Release: 18 Summary: Library for manipulating tar files from within C programs. License: BSD URL: http://repo.or.cz/libtar.git @@ -11,6 +11,7 @@ Patch1: libtar-1.2.11-mem-deref.patch Patch2: libtar-1.2.20-fix-resource-leaks.patch Patch3: libtar-1.2.11-bz729009.patch Patch4: libtar-1.2.20-no-static-buffer.patch +Patch5: CVE-2013-4420.patch BuildRequires: libtool git gdb %description @@ -68,6 +69,9 @@ rm $RPM_BUILD_ROOT%{_libdir}/*.la %{_mandir}/man3/*.3* %changelog +* Mon Sep 14 2020 shixuantong - 1.2.20-18 +- fix CVE-2013-4420 + * Wed Dec 18 2019 openEuler Buildteam - 1.2.20-17 - update license info