packages/squashfs-tools
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

update version to 4.5.1

Browse Source
This commit is contained in:
volcanodragon 2022-07-23 19:05:43 +08:00
parent 33438bdf76
commit 5dd4145a27
8 changed files with 6 additions and 891 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

126
0001-CVE-2021-41072.patch
View File

@ -1,126 +0,0 @@
From 80b8441a37fcf8bf07dacf24d9d6c6459a0f6e36 Mon Sep 17 00:00:00 2001
From: Phillip Lougher <phillip@squashfs.org.uk>
Date: Sun, 12 Sep 2021 19:58:19 +0100
Subject: [PATCH] unsquashfs: use squashfs_closedir() to delete directory
Signed-off-by: Phillip Lougher <phillip@squashfs.org.uk>
---
squashfs-tools/unsquash-1.c | 3 +--
squashfs-tools/unsquash-1234.c | 11 +++++++++--
squashfs-tools/unsquash-2.c | 3 +--
squashfs-tools/unsquash-3.c | 3 +--
squashfs-tools/unsquash-4.c | 3 +--
squashfs-tools/unsquashfs.c | 7 -------
squashfs-tools/unsquashfs.h | 1 +
7 files changed, 14 insertions(+), 17 deletions(-)
diff --git a/squashfs-tools/unsquash-1.c b/squashfs-tools/unsquash-1.c
index acba821b..7598499d 100644
--- a/squashfs-tools/unsquash-1.c
+++ b/squashfs-tools/unsquash-1.c
@@ -373,8 +373,7 @@ static struct dir *squashfs_opendir(unsigned int block_start, unsigned int offse
return dir;
corrupted:
- free(dir->dirs);
- free(dir);
+ squashfs_closedir(dir);
return NULL;
}
diff --git a/squashfs-tools/unsquash-1234.c b/squashfs-tools/unsquash-1234.c
index c2d4f42b..0c8dfbb6 100644
--- a/squashfs-tools/unsquash-1234.c
+++ b/squashfs-tools/unsquash-1234.c
@@ -25,8 +25,8 @@
* unsquash-4.
*/
-#define TRUE 1
-#define FALSE 0
+#include "unsquashfs.h"
+
/*
* Check name for validity, name should not
* - be ".", "./", or
@@ -56,3 +56,10 @@ int check_name(char *name, int size)
return TRUE;
}
+
+
+void squashfs_closedir(struct dir *dir)
+{
+ free(dir->dirs);
+ free(dir);
+}
diff --git a/squashfs-tools/unsquash-2.c b/squashfs-tools/unsquash-2.c
index 0746b3d4..86f62ba8 100644
--- a/squashfs-tools/unsquash-2.c
+++ b/squashfs-tools/unsquash-2.c
@@ -465,8 +465,7 @@ static struct dir *squashfs_opendir(unsigned int block_start, unsigned int offse
return dir;
corrupted:
- free(dir->dirs);
- free(dir);
+ squashfs_closedir(dir);
return NULL;
}
diff --git a/squashfs-tools/unsquash-3.c b/squashfs-tools/unsquash-3.c
index 094caaa6..c04aa9ee 100644
--- a/squashfs-tools/unsquash-3.c
+++ b/squashfs-tools/unsquash-3.c
@@ -499,8 +499,7 @@ static struct dir *squashfs_opendir(unsigned int block_start, unsigned int offse
return dir;
corrupted:
- free(dir->dirs);
- free(dir);
+ squashfs_closedir(dir);
return NULL;
}
diff --git a/squashfs-tools/unsquash-4.c b/squashfs-tools/unsquash-4.c
index 3a1b9e16..ff62dccc 100644
--- a/squashfs-tools/unsquash-4.c
+++ b/squashfs-tools/unsquash-4.c
@@ -436,8 +436,7 @@ static struct dir *squashfs_opendir(unsigned int block_start, unsigned int offse
return dir;
corrupted:
- free(dir->dirs);
- free(dir);
+ squashfs_closedir(dir);
return NULL;
}
diff --git a/squashfs-tools/unsquashfs.c b/squashfs-tools/unsquashfs.c
index 7b590bd5..04be53cd 100644
--- a/squashfs-tools/unsquashfs.c
+++ b/squashfs-tools/unsquashfs.c
@@ -1350,13 +1350,6 @@ unsigned int *offset, unsigned int *type)
}
-void squashfs_closedir(struct dir *dir)
-{
- free(dir->dirs);
- free(dir);
-}
-
-
char *get_component(char *target, char **targname)
{
char *start;
diff --git a/squashfs-tools/unsquashfs.h b/squashfs-tools/unsquashfs.h
index 2e9201cd..5ecb2ab7 100644
--- a/squashfs-tools/unsquashfs.h
+++ b/squashfs-tools/unsquashfs.h
@@ -291,4 +291,5 @@ extern long long *alloc_index_table(int);
/* unsquash-1234.c */
extern int check_name(char *, int);
+extern void squashfs_closedir(struct dir *);
#endif

99
0002-CVE-2021-41072.patch
View File

@ -1,99 +0,0 @@
From 1993a4e7aeda04962bf26e84c15fba8b58837e10 Mon Sep 17 00:00:00 2001
From: Phillip Lougher <phillip@squashfs.org.uk>
Date: Sun, 12 Sep 2021 20:09:13 +0100
Subject: [PATCH] unsquashfs: dynamically allocate name
Dynamically allocate name rather than store it
directly in structure.
Signed-off-by: Phillip Lougher <phillip@squashfs.org.uk>
---
squashfs-tools/unsquash-1.c | 2 +-
squashfs-tools/unsquash-1234.c | 5 +++++
squashfs-tools/unsquash-2.c | 2 +-
squashfs-tools/unsquash-3.c | 2 +-
squashfs-tools/unsquash-4.c | 2 +-
squashfs-tools/unsquashfs.h | 2 +-
6 files changed, 10 insertions(+), 5 deletions(-)
diff --git a/squashfs-tools/unsquash-1.c b/squashfs-tools/unsquash-1.c
index 7598499d..d0121c6b 100644
--- a/squashfs-tools/unsquash-1.c
+++ b/squashfs-tools/unsquash-1.c
@@ -360,7 +360,7 @@ static struct dir *squashfs_opendir(unsigned int block_start, unsigned int offse
dir->dirs = new_dir;
}
- strcpy(dir->dirs[dir->dir_count].name, dire->name);
+ dir->dirs[dir->dir_count].name = strdup(dire->name);
dir->dirs[dir->dir_count].start_block =
dirh.start_block;
dir->dirs[dir->dir_count].offset = dire->offset;
diff --git a/squashfs-tools/unsquash-1234.c b/squashfs-tools/unsquash-1234.c
index 0c8dfbb6..ac46d9da 100644
--- a/squashfs-tools/unsquash-1234.c
+++ b/squashfs-tools/unsquash-1234.c
@@ -60,6 +60,11 @@ int check_name(char *name, int size)
void squashfs_closedir(struct dir *dir)
{
+ int i;
+
+ for(i = 0; i < dir->dir_count; i++)
+ free(dir->dirs[i].name);
+
free(dir->dirs);
free(dir);
}
diff --git a/squashfs-tools/unsquash-2.c b/squashfs-tools/unsquash-2.c
index 86f62ba8..e8479807 100644
--- a/squashfs-tools/unsquash-2.c
+++ b/squashfs-tools/unsquash-2.c
@@ -452,7 +452,7 @@ static struct dir *squashfs_opendir(unsigned int block_start, unsigned int offse
dir->dirs = new_dir;
}
- strcpy(dir->dirs[dir->dir_count].name, dire->name);
+ dir->dirs[dir->dir_count].name = strdup(dire->name);
dir->dirs[dir->dir_count].start_block =
dirh.start_block;
dir->dirs[dir->dir_count].offset = dire->offset;
diff --git a/squashfs-tools/unsquash-3.c b/squashfs-tools/unsquash-3.c
index c04aa9ee..8223f274 100644
--- a/squashfs-tools/unsquash-3.c
+++ b/squashfs-tools/unsquash-3.c
@@ -486,7 +486,7 @@ static struct dir *squashfs_opendir(unsigned int block_start, unsigned int offse
dir->dirs = new_dir;
}
- strcpy(dir->dirs[dir->dir_count].name, dire->name);
+ dir->dirs[dir->dir_count].name = strdup(dire->name);
dir->dirs[dir->dir_count].start_block =
dirh.start_block;
dir->dirs[dir->dir_count].offset = dire->offset;
diff --git a/squashfs-tools/unsquash-4.c b/squashfs-tools/unsquash-4.c
index ff62dccc..1e199a7c 100644
--- a/squashfs-tools/unsquash-4.c
+++ b/squashfs-tools/unsquash-4.c
@@ -423,7 +423,7 @@ static struct dir *squashfs_opendir(unsigned int block_start, unsigned int offse
dir->dirs = new_dir;
}
- strcpy(dir->dirs[dir->dir_count].name, dire->name);
+ dir->dirs[dir->dir_count].name = strdup(dire->name);
dir->dirs[dir->dir_count].start_block =
dirh.start_block;
dir->dirs[dir->dir_count].offset = dire->offset;
diff --git a/squashfs-tools/unsquashfs.h b/squashfs-tools/unsquashfs.h
index 5ecb2ab7..583fbe4d 100644
--- a/squashfs-tools/unsquashfs.h
+++ b/squashfs-tools/unsquashfs.h
@@ -164,7 +164,7 @@ struct queue {
#define DIR_ENT_SIZE 16
struct dir_ent {
- char name[SQUASHFS_NAME_LEN + 1];
+ char *name;
unsigned int start_block;
unsigned int offset;
unsigned int type;

317
0003-CVE-2021-41072.patch
View File

@ -1,317 +0,0 @@
From 9938154174756ee48a94ea0b076397a2944b028d Mon Sep 17 00:00:00 2001
From: Phillip Lougher <phillip@squashfs.org.uk>
Date: Sun, 12 Sep 2021 22:58:11 +0100
Subject: [PATCH] unsquashfs: use linked list to store directory names
This should bring higher performance, and it allows sorting
if necessary (1.x and 2.0 filesystems).
Signed-off-by: Phillip Lougher <phillip@squashfs.org.uk>
---
squashfs-tools/unsquash-1.c | 30 +++++++++++++++---------------
squashfs-tools/unsquash-1234.c | 12 ++++++++----
squashfs-tools/unsquash-2.c | 29 +++++++++++++++--------------
squashfs-tools/unsquash-3.c | 29 +++++++++++++++--------------
squashfs-tools/unsquash-4.c | 29 +++++++++++++++--------------
squashfs-tools/unsquashfs.c | 16 ++++++++++------
squashfs-tools/unsquashfs.h | 3 ++-
7 files changed, 80 insertions(+), 68 deletions(-)
diff --git a/squashfs-tools/unsquash-1.c b/squashfs-tools/unsquash-1.c
index d0121c6b..b6044341 100644
--- a/squashfs-tools/unsquash-1.c
+++ b/squashfs-tools/unsquash-1.c
@@ -254,7 +254,7 @@ static struct dir *squashfs_opendir(unsigned int block_start, unsigned int offse
long long start;
int bytes = 0;
int dir_count, size, res;
- struct dir_ent *new_dir;
+ struct dir_ent *ent, *cur_ent = NULL;
struct dir *dir;
TRACE("squashfs_opendir: inode start block %d, offset %d\n",
@@ -267,7 +267,7 @@ static struct dir *squashfs_opendir(unsigned int block_start, unsigned int offse
MEM_ERROR();
dir->dir_count = 0;
- dir->cur_entry = 0;
+ dir->cur_entry = NULL;
dir->mode = (*i)->mode;
dir->uid = (*i)->uid;
dir->guid = (*i)->gid;
@@ -351,20 +351,20 @@ static struct dir *squashfs_opendir(unsigned int block_start, unsigned int offse
"%d:%d, type %d\n", dire->name,
dirh.start_block, dire->offset, dire->type);
- if((dir->dir_count % DIR_ENT_SIZE) == 0) {
- new_dir = realloc(dir->dirs, (dir->dir_count +
- DIR_ENT_SIZE) * sizeof(struct dir_ent));
- if(new_dir == NULL)
- MEM_ERROR();
-
- dir->dirs = new_dir;
- }
+ ent = malloc(sizeof(struct dir_ent));
+ if(ent == NULL)
+ MEM_ERROR();
- dir->dirs[dir->dir_count].name = strdup(dire->name);
- dir->dirs[dir->dir_count].start_block =
- dirh.start_block;
- dir->dirs[dir->dir_count].offset = dire->offset;
- dir->dirs[dir->dir_count].type = dire->type;
+ ent->name = strdup(dire->name);
+ ent->start_block = dirh.start_block;
+ ent->offset = dire->offset;
+ ent->type = dire->type;
+ ent->next = NULL;
+ if(cur_ent == NULL)
+ dir->dirs = ent;
+ else
+ cur_ent->next = ent;
+ cur_ent = ent;
dir->dir_count ++;
bytes += dire->size + 1;
}
diff --git a/squashfs-tools/unsquash-1234.c b/squashfs-tools/unsquash-1234.c
index ac46d9da..e389f8d6 100644
--- a/squashfs-tools/unsquash-1234.c
+++ b/squashfs-tools/unsquash-1234.c
@@ -60,11 +60,15 @@ int check_name(char *name, int size)
void squashfs_closedir(struct dir *dir)
{
- int i;
+ struct dir_ent *ent = dir->dirs;
- for(i = 0; i < dir->dir_count; i++)
- free(dir->dirs[i].name);
+ while(ent) {
+ struct dir_ent *tmp = ent;
+
+ ent = ent->next;
+ free(tmp->name);
+ free(tmp);
+ }
- free(dir->dirs);
free(dir);
}
diff --git a/squashfs-tools/unsquash-2.c b/squashfs-tools/unsquash-2.c
index e8479807..956f96f4 100644
--- a/squashfs-tools/unsquash-2.c
+++ b/squashfs-tools/unsquash-2.c
@@ -347,7 +347,7 @@ static struct dir *squashfs_opendir(unsigned int block_start, unsigned int offse
long long start;
int bytes = 0;
int dir_count, size, res;
- struct dir_ent *new_dir;
+ struct dir_ent *ent, *cur_ent = NULL;
struct dir *dir;
TRACE("squashfs_opendir: inode start block %d, offset %d\n",
@@ -360,7 +360,7 @@ static struct dir *squashfs_opendir(unsigned int block_start, unsigned int offse
MEM_ERROR();
dir->dir_count = 0;
- dir->cur_entry = 0;
+ dir->cur_entry = NULL;
dir->mode = (*i)->mode;
dir->uid = (*i)->uid;
dir->guid = (*i)->gid;
@@ -444,19 +444,20 @@ static struct dir *squashfs_opendir(unsigned int block_start, unsigned int offse
"%d:%d, type %d\n", dire->name,
dirh.start_block, dire->offset, dire->type);
- if((dir->dir_count % DIR_ENT_SIZE) == 0) {
- new_dir = realloc(dir->dirs, (dir->dir_count +
- DIR_ENT_SIZE) * sizeof(struct dir_ent));
- if(new_dir == NULL)
- MEM_ERROR();
- dir->dirs = new_dir;
- }
+ ent = malloc(sizeof(struct dir_ent));
+ if(ent == NULL)
+ MEM_ERROR();
- dir->dirs[dir->dir_count].name = strdup(dire->name);
- dir->dirs[dir->dir_count].start_block =
- dirh.start_block;
- dir->dirs[dir->dir_count].offset = dire->offset;
- dir->dirs[dir->dir_count].type = dire->type;
+ ent->name = strdup(dire->name);
+ ent->start_block = dirh.start_block;
+ ent->offset = dire->offset;
+ ent->type = dire->type;
+ ent->next = NULL;
+ if(cur_ent == NULL)
+ dir->dirs = ent;
+ else
+ cur_ent->next = ent;
+ cur_ent = ent;
dir->dir_count ++;
bytes += dire->size + 1;
}
diff --git a/squashfs-tools/unsquash-3.c b/squashfs-tools/unsquash-3.c
index 8223f274..835a574c 100644
--- a/squashfs-tools/unsquash-3.c
+++ b/squashfs-tools/unsquash-3.c
@@ -381,7 +381,7 @@ static struct dir *squashfs_opendir(unsigned int block_start, unsigned int offse
long long start;
int bytes = 0;
int dir_count, size, res;
- struct dir_ent *new_dir;
+ struct dir_ent *ent, *cur_ent = NULL;
struct dir *dir;
TRACE("squashfs_opendir: inode start block %d, offset %d\n",
@@ -394,7 +394,7 @@ static struct dir *squashfs_opendir(unsigned int block_start, unsigned int offse
MEM_ERROR();
dir->dir_count = 0;
- dir->cur_entry = 0;
+ dir->cur_entry = NULL;
dir->mode = (*i)->mode;
dir->uid = (*i)->uid;
dir->guid = (*i)->gid;
@@ -478,19 +478,20 @@ static struct dir *squashfs_opendir(unsigned int block_start, unsigned int offse
"%d:%d, type %d\n", dire->name,
dirh.start_block, dire->offset, dire->type);
- if((dir->dir_count % DIR_ENT_SIZE) == 0) {
- new_dir = realloc(dir->dirs, (dir->dir_count +
- DIR_ENT_SIZE) * sizeof(struct dir_ent));
- if(new_dir == NULL)
- MEM_ERROR();
- dir->dirs = new_dir;
- }
+ ent = malloc(sizeof(struct dir_ent));
+ if(ent == NULL)
+ MEM_ERROR();
- dir->dirs[dir->dir_count].name = strdup(dire->name);
- dir->dirs[dir->dir_count].start_block =
- dirh.start_block;
- dir->dirs[dir->dir_count].offset = dire->offset;
- dir->dirs[dir->dir_count].type = dire->type;
+ ent->name = strdup(dire->name);
+ ent->start_block = dirh.start_block;
+ ent->offset = dire->offset;
+ ent->type = dire->type;
+ ent->next = NULL;
+ if(cur_ent == NULL)
+ dir->dirs = ent;
+ else
+ cur_ent->next = ent;
+ cur_ent = ent;
dir->dir_count ++;
bytes += dire->size + 1;
}
diff --git a/squashfs-tools/unsquash-4.c b/squashfs-tools/unsquash-4.c
index 1e199a7c..694783da 100644
--- a/squashfs-tools/unsquash-4.c
+++ b/squashfs-tools/unsquash-4.c
@@ -331,7 +331,7 @@ static struct dir *squashfs_opendir(unsigned int block_start, unsigned int offse
struct squashfs_dir_entry *dire = (struct squashfs_dir_entry *) buffer;
long long start;
int bytes = 0, dir_count, size, res;
- struct dir_ent *new_dir;
+ struct dir_ent *ent, *cur_ent = NULL;
struct dir *dir;
TRACE("squashfs_opendir: inode start block %d, offset %d\n",
@@ -344,7 +344,7 @@ static struct dir *squashfs_opendir(unsigned int block_start, unsigned int offse
MEM_ERROR();
dir->dir_count = 0;
- dir->cur_entry = 0;
+ dir->cur_entry = NULL;
dir->mode = (*i)->mode;
dir->uid = (*i)->uid;
dir->guid = (*i)->gid;
@@ -415,19 +415,20 @@ static struct dir *squashfs_opendir(unsigned int block_start, unsigned int offse
"%d:%d, type %d\n", dire->name,
dirh.start_block, dire->offset, dire->type);
- if((dir->dir_count % DIR_ENT_SIZE) == 0) {
- new_dir = realloc(dir->dirs, (dir->dir_count +
- DIR_ENT_SIZE) * sizeof(struct dir_ent));
- if(new_dir == NULL)
- MEM_ERROR();
- dir->dirs = new_dir;
- }
+ ent = malloc(sizeof(struct dir_ent));
+ if(ent == NULL)
+ MEM_ERROR();
- dir->dirs[dir->dir_count].name = strdup(dire->name);
- dir->dirs[dir->dir_count].start_block =
- dirh.start_block;
- dir->dirs[dir->dir_count].offset = dire->offset;
- dir->dirs[dir->dir_count].type = dire->type;
+ ent->name = strdup(dire->name);
+ ent->start_block = dirh.start_block;
+ ent->offset = dire->offset;
+ ent->type = dire->type;
+ ent->next = NULL;
+ if(cur_ent == NULL)
+ dir->dirs = ent;
+ else
+ cur_ent->next = ent;
+ cur_ent = ent;
dir->dir_count ++;
bytes += dire->size + 1;
}
diff --git a/squashfs-tools/unsquashfs.c b/squashfs-tools/unsquashfs.c
index 04be53cd..fee28ec1 100644
--- a/squashfs-tools/unsquashfs.c
+++ b/squashfs-tools/unsquashfs.c
@@ -1337,14 +1337,18 @@ int create_inode(char *pathname, struct inode *i)
int squashfs_readdir(struct dir *dir, char **name, unsigned int *start_block,
unsigned int *offset, unsigned int *type)
{
- if(dir->cur_entry == dir->dir_count)
+ if(dir->cur_entry == NULL)
+ dir->cur_entry = dir->dirs;
+ else
+ dir->cur_entry = dir->cur_entry->next;
+
+ if(dir->cur_entry == NULL)
return FALSE;
- *name = dir->dirs[dir->cur_entry].name;
- *start_block = dir->dirs[dir->cur_entry].start_block;
- *offset = dir->dirs[dir->cur_entry].offset;
- *type = dir->dirs[dir->cur_entry].type;
- dir->cur_entry ++;
+ *name = dir->cur_entry->name;
+ *start_block = dir->cur_entry->start_block;
+ *offset = dir->cur_entry->offset;
+ *type = dir->cur_entry->type;
return TRUE;
}
diff --git a/squashfs-tools/unsquashfs.h b/squashfs-tools/unsquashfs.h
index 583fbe4d..f8cf78cb 100644
--- a/squashfs-tools/unsquashfs.h
+++ b/squashfs-tools/unsquashfs.h
@@ -168,17 +168,18 @@ struct dir_ent {
unsigned int start_block;
unsigned int offset;
unsigned int type;
+ struct dir_ent *next;
};
struct dir {
int dir_count;
- int cur_entry;
unsigned int mode;
uid_t uid;
gid_t guid;
unsigned int mtime;
unsigned int xattr;
struct dir_ent *dirs;
+ struct dir_ent *cur_entry;
};
struct file_entry {

317
0004-CVE-2021-41072.patch
View File

@ -1,317 +0,0 @@
From e0485802ec72996c20026da320650d8362f555bd Mon Sep 17 00:00:00 2001
From: Phillip Lougher <phillip@squashfs.org.uk>
Date: Sun, 12 Sep 2021 23:50:06 +0100
Subject: [PATCH] Unsquashfs: additional write outside destination directory
exploit fix
An issue on github (https://github.com/plougher/squashfs-tools/issues/72)
showed how some specially crafted Squashfs filesystems containing
invalid file names (with '/' and '..') can cause Unsquashfs to write
files outside of the destination directory.
Since then it has been shown that specially crafted Squashfs filesystems
that contain a symbolic link pointing outside of the destination directory,
coupled with an identically named file within the same directory, can
cause Unsquashfs to write files outside of the destination directory.
Specifically the symbolic link produces a pathname pointing outside
of the destination directory, which is then followed when writing the
duplicate identically named file within the directory.
This commit fixes this exploit by explictly checking for duplicate
filenames within a directory. As directories in v2.1, v3.x, and v4.0
filesystems are sorted, this is achieved by checking for consecutively
identical filenames. Additionally directories are checked to
ensure they are sorted, to avoid attempts to evade the duplicate
check.
Version 1.x and 2.0 filesystems (where the directories were unsorted)
are sorted and then the above duplicate filename check is applied.
Signed-off-by: Phillip Lougher <phillip@squashfs.org.uk>
---
squashfs-tools/Makefile | 6 +-
squashfs-tools/unsquash-1.c | 6 ++
squashfs-tools/unsquash-12.c | 110 +++++++++++++++++++++++++++++++++
squashfs-tools/unsquash-1234.c | 21 +++++++
squashfs-tools/unsquash-2.c | 16 +++++
squashfs-tools/unsquash-3.c | 6 ++
squashfs-tools/unsquash-4.c | 6 ++
squashfs-tools/unsquashfs.h | 4 ++
8 files changed, 173 insertions(+), 2 deletions(-)
create mode 100644 squashfs-tools/unsquash-12.c
diff --git a/squashfs-tools/Makefile b/squashfs-tools/Makefile
index 7262a2e0..1b544ed6 100755
--- a/squashfs-tools/Makefile
+++ b/squashfs-tools/Makefile
@@ -160,8 +160,8 @@ MKSQUASHFS_OBJS = mksquashfs.o read_fs.o action.o swap.o pseudo.o compressor.o \
caches-queues-lists.o reader.o tar.o
UNSQUASHFS_OBJS = unsquashfs.o unsquash-1.o unsquash-2.o unsquash-3.o \
- unsquash-4.o unsquash-123.o unsquash-34.o unsquash-1234.o swap.o \
- compressor.o unsquashfs_info.o
+ unsquash-4.o unsquash-123.o unsquash-34.o unsquash-1234.o unsquash-12.o \
+ swap.o compressor.o unsquashfs_info.o
CFLAGS ?= -O2
CFLAGS += $(EXTRA_CFLAGS) $(INCLUDEDIR) -D_FILE_OFFSET_BITS=64 \
@@ -393,6 +393,8 @@ unsquash-34.o: unsquashfs.h unsquash-34.c unsquashfs_error.h
unsquash-1234.o: unsquash-1234.c unsquashfs_error.h
+unsquash-1234.o: unsquash-12.c
+
unsquashfs_xattr.o: unsquashfs_xattr.c unsquashfs.h squashfs_fs.h xattr.h unsquashfs_error.h
unsquashfs_info.o: unsquashfs.h squashfs_fs.h unsquashfs_error.h
diff --git a/squashfs-tools/unsquash-1.c b/squashfs-tools/unsquash-1.c
index b6044341..88866fcd 100644
--- a/squashfs-tools/unsquash-1.c
+++ b/squashfs-tools/unsquash-1.c
@@ -370,6 +370,12 @@ static struct dir *squashfs_opendir(unsigned int block_start, unsigned int offse
}
}
+ /* check directory for duplicate names. Need to sort directory first */
+ sort_directory(dir);
+ if(check_directory(dir) == FALSE) {
+ ERROR("File system corrupted: directory has duplicate names\n");
+ goto corrupted;
+ }
return dir;
corrupted:
diff --git a/squashfs-tools/unsquash-12.c b/squashfs-tools/unsquash-12.c
new file mode 100644
index 00000000..61bf1284
--- /dev/null
+++ b/squashfs-tools/unsquash-12.c
@@ -0,0 +1,110 @@
+/*
+ * Unsquash a squashfs filesystem. This is a highly compressed read only
+ * filesystem.
+ *
+ * Copyright (c) 2021
+ * Phillip Lougher <phillip@squashfs.org.uk>
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; either version 2,
+ * or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+ *
+ * unsquash-12.c
+ *
+ * Helper functions used by unsquash-1 and unsquash-2.
+ */
+
+#include "unsquashfs.h"
+
+/*
+ * Bottom up linked list merge sort.
+ *
+ */
+void sort_directory(struct dir *dir)
+{
+ struct dir_ent *cur, *l1, *l2, *next;
+ int len1, len2, stride = 1;
+
+ if(dir->dir_count < 2)
+ return;
+
+ /*
+ * We can consider our linked-list to be made up of stride length
+ * sublists. Eacn iteration around this loop merges adjacent
+ * stride length sublists into larger 2*stride sublists. We stop
+ * when stride becomes equal to the entire list.
+ *
+ * Initially stride = 1 (by definition a sublist of 1 is sorted), and
+ * these 1 element sublists are merged into 2 element sublists, which
+ * are then merged into 4 element sublists and so on.
+ */
+ do {
+ l2 = dir->dirs; /* head of current linked list */
+ cur = NULL; /* empty output list */
+
+ /*
+ * Iterate through the linked list, merging adjacent sublists.
+ * On each interation l2 points to the next sublist pair to be
+ * merged (if there's only one sublist left this is simply added
+ * to the output list)
+ */
+ while(l2) {
+ l1 = l2;
+ for(len1 = 0; l2 && len1 < stride; len1 ++, l2 = l2->next);
+ len2 = stride;
+
+ /*
+ * l1 points to first sublist.
+ * l2 points to second sublist.
+ * Merge them onto the output list
+ */
+ while(len1 && l2 && len2) {
+ if(strcmp(l1->name, l2->name) <= 0) {
+ next = l1;
+ l1 = l1->next;
+ len1 --;
+ } else {
+ next = l2;
+ l2 = l2->next;
+ len2 --;
+ }
+
+ if(cur) {
+ cur->next = next;
+ cur = next;
+ } else
+ dir->dirs = cur = next;
+ }
+ /*
+ * One sublist is now empty, copy the other one onto the
+ * output list
+ */
+ for(; len1; len1 --, l1 = l1->next) {
+ if(cur) {
+ cur->next = l1;
+ cur = l1;
+ } else
+ dir->dirs = cur = l1;
+ }
+ for(; l2 && len2; len2 --, l2 = l2->next) {
+ if(cur) {
+ cur->next = l2;
+ cur = l2;
+ } else
+ dir->dirs = cur = l2;
+ }
+ }
+ cur->next = NULL;
+ stride = stride << 1;
+ } while(stride < dir->dir_count);
+}
diff --git a/squashfs-tools/unsquash-1234.c b/squashfs-tools/unsquash-1234.c
index e389f8d6..98a81ed0 100644
--- a/squashfs-tools/unsquash-1234.c
+++ b/squashfs-tools/unsquash-1234.c
@@ -72,3 +72,24 @@ void squashfs_closedir(struct dir *dir)
free(dir);
}
+
+
+/*
+ * Check directory for duplicate names. As the directory should be sorted,
+ * duplicates will be consecutive. Obviously we also need to check if the
+ * directory has been deliberately unsorted, to evade this check.
+ */
+int check_directory(struct dir *dir)
+{
+ int i;
+ struct dir_ent *ent;
+
+ if(dir->dir_count < 2)
+ return TRUE;
+
+ for(ent = dir->dirs, i = 0; i < dir->dir_count - 1; ent = ent->next, i++)
+ if(strcmp(ent->name, ent->next->name) >= 0)
+ return FALSE;
+
+ return TRUE;
+}
diff --git a/squashfs-tools/unsquash-2.c b/squashfs-tools/unsquash-2.c
index 956f96f4..0e36f7d5 100644
--- a/squashfs-tools/unsquash-2.c
+++ b/squashfs-tools/unsquash-2.c
@@ -29,6 +29,7 @@
static squashfs_fragment_entry_2 *fragment_table;
static unsigned int *uid_table, *guid_table;
static squashfs_operations ops;
+static int needs_sorting = FALSE;
static void read_block_list(unsigned int *block_list, long long start,
@@ -463,6 +464,17 @@ static struct dir *squashfs_opendir(unsigned int block_start, unsigned int offse
}
}
+ if(needs_sorting)
+ sort_directory(dir);
+
+ /* check directory for duplicate names and sorting */
+ if(check_directory(dir) == FALSE) {
+ if(needs_sorting)
+ ERROR("File system corrupted: directory has duplicate names\n");
+ else
+ ERROR("File system corrupted: directory has duplicate names or is unsorted\n");
+ goto corrupted;
+ }
return dir;
corrupted:
@@ -596,6 +608,10 @@ int read_super_2(squashfs_operations **s_ops, void *s)
* 2.x filesystems use gzip compression.
*/
comp = lookup_compressor("gzip");
+
+ if(sBlk_3->s_minor == 0)
+ needs_sorting = TRUE;
+
return TRUE;
}
diff --git a/squashfs-tools/unsquash-3.c b/squashfs-tools/unsquash-3.c
index 835a574c..01235626 100644
--- a/squashfs-tools/unsquash-3.c
+++ b/squashfs-tools/unsquash-3.c
@@ -497,6 +497,12 @@ static struct dir *squashfs_opendir(unsigned int block_start, unsigned int offse
}
}
+ /* check directory for duplicate names and sorting */
+ if(check_directory(dir) == FALSE) {
+ ERROR("File system corrupted: directory has duplicate names or is unsorted\n");
+ goto corrupted;
+ }
+
return dir;
corrupted:
diff --git a/squashfs-tools/unsquash-4.c b/squashfs-tools/unsquash-4.c
index 694783da..c615bb83 100644
--- a/squashfs-tools/unsquash-4.c
+++ b/squashfs-tools/unsquash-4.c
@@ -434,6 +434,12 @@ static struct dir *squashfs_opendir(unsigned int block_start, unsigned int offse
}
}
+ /* check directory for duplicate names and sorting */
+ if(check_directory(dir) == FALSE) {
+ ERROR("File system corrupted: directory has duplicate names or is unsorted\n");
+ goto corrupted;
+ }
+
return dir;
corrupted:
diff --git a/squashfs-tools/unsquashfs.h b/squashfs-tools/unsquashfs.h
index f8cf78cb..bf2a80d0 100644
--- a/squashfs-tools/unsquashfs.h
+++ b/squashfs-tools/unsquashfs.h
@@ -293,4 +293,8 @@ extern long long *alloc_index_table(int);
/* unsquash-1234.c */
extern int check_name(char *, int);
extern void squashfs_closedir(struct dir *);
+extern int check_directory(struct dir *);
+
+/* unsquash-12.c */
+extern void sort_directory(struct dir *);
#endif

23
0005-CVE-2021-41072.patch
View File

@ -1,23 +0,0 @@
From 19fcc9365dcdb2c22d232d42d11012940df64b7c Mon Sep 17 00:00:00 2001
From: Phillip Lougher <phillip@squashfs.org.uk>
Date: Tue, 14 Sep 2021 05:41:27 +0100
Subject: [PATCH] Unsquashfs: Add makefile entry for unsquash-12.o
Signed-off-by: Phillip Lougher <phillip@squashfs.org.uk>
---
squashfs-tools/Makefile | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/squashfs-tools/Makefile b/squashfs-tools/Makefile
index 1b544ed6..5d6a8de2 100755
--- a/squashfs-tools/Makefile
+++ b/squashfs-tools/Makefile
@@ -393,7 +393,7 @@ unsquash-34.o: unsquashfs.h unsquash-34.c unsquashfs_error.h
unsquash-1234.o: unsquash-1234.c unsquashfs_error.h
-unsquash-1234.o: unsquash-12.c
+unsquash-12.o: unsquash-12.c unsquashfs.h
unsquashfs_xattr.o: unsquashfs_xattr.c unsquashfs.h squashfs_fs.h xattr.h unsquashfs_error.h

BIN
squashfs-tools-4.5.1.tar.gz Normal file
View File

Binary file not shown.

15
squashfs-tools.spec
View File

@ -1,17 +1,11 @@
Name: squashfs-tools
Version: 4.5
Version: 4.5.1
Release: 1
Summary: Utility for the squashfs filesystems
License: GPLv2+
URL: http://squashfs.sourceforge.net/
Source0: http://downloads.sourceforge.net/squashfs/squashfs%{version}.tar.gz
Patch1: 0001-CVE-2021-41072.patch
Patch2: 0002-CVE-2021-41072.patch
Patch3: 0003-CVE-2021-41072.patch
Patch4: 0004-CVE-2021-41072.patch
Patch5: 0005-CVE-2021-41072.patch
Source0: http://downloads.sourceforge.net/squashfs/squashfs-tools-%{version}.tar.gz
BuildRequires: zlib-devel xz-devel libzstd-devel
BuildRequires: lzo-devel libattr-devel lz4-devel gcc
@ -34,7 +28,7 @@ install -D -m 755 squashfs-tools/unsquashfs %{buildroot}%{_sbindir}/unsquashfs
%files
%defattr(-,root,root)
%doc ACKNOWLEDGEMENTS README-4.5
%doc ACKNOWLEDGEMENTS README-4.5.1
%license COPYING
%{_sbindir}/mksquashfs
%{_sbindir}/unsquashfs
@ -42,6 +36,9 @@ install -D -m 755 squashfs-tools/unsquashfs %{buildroot}%{_sbindir}/unsquashfs
%changelog
* Sat Aug 13 2022 volcanodragon <linfeilong@huawei.com> - 4.5.1-1
- update version to 4.5.1
* Thu Nov 25 2021 yanglongkang <yanglongkang@huawei.com> - 4.5-1
- update to 4.5

BIN
squashfs4.5.tar.gz
View File

Binary file not shown.