packages/squashfs-tools
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Compare commits

base: packages:4140b0eac1c7bf765adf0c43e915c81260a9dd53
Branches Tags
packages:main
...
compare: packages:4d083048fcc6b86593cd165922361a9cf0e6398b
Branches Tags
packages:main

10 Commits
4140b0eac1 ... 4d083048fc

Author SHA1 Message Date
openeuler-ci-bot
4d083048fc
!37 upgrade to 4.6.1 
From: @wguanghao 
Reviewed-by: @swf504 
Signed-off-by: @swf504
 2024-01-19 08:56:16 +00:00
wguanghao
9050c75df8 upgrade to 4.6.1 2024-01-19 11:29:36 +08:00
openeuler-ci-bot
8324fdbec2
!35 【轻量级 PR】:Add safe compilation options PIE/pie/PIC 
From: @wguanghao 
Reviewed-by: @liuzhiqiang26 
Signed-off-by: @liuzhiqiang26
 2023-03-09 06:34:29 +00:00
wguanghao
c8328c302f
Add safe compilation options PIE/pie/PIC 
Signed-off-by: wguanghao <wuguanghao3@huawei.com>
 2023-03-08 01:11:39 +00:00
openeuler-ci-bot
3a511ea1a3
!25 修复changelog中CVE-41053->40153 
From: @handsome_brother 
Reviewed-by: @liuzhiqiang26 
Signed-off-by: @liuzhiqiang26
 2022-11-17 02:57:38 +00:00
lihaoxiang
320b0c0fd7 fix changelog error which wrote wrong CVE number 41053 2022-11-16 20:46:28 -05:00
openeuler-ci-bot
1adc7616f0
!18 update version to 4.5.1 
From: @volcanodragon 
Reviewed-by: @liuzhiqiang26 
Signed-off-by: @liuzhiqiang26
 2022-08-16 01:46:48 +00:00
volcanodragon
5dd4145a27 update version to 4.5.1 2022-08-16 09:26:59 +08:00
openeuler-ci-bot
33438bdf76 !14 update to 4.5 
From: @markeryang
Reviewed-by: @liuzhiqiang26
Signed-off-by: @liuzhiqiang26
 2021-11-26 02:54:11 +00:00
markeryang
0d65f0f8fe update to 4.5 2021-11-25 17:17:48 +08:00
13 changed files with 19 additions and 1305 deletions
Show Stats Expand all files Collapse all files

65
0001-Fix-typos-update-URLs-in-squashfs-tools-Makefile.patch
View File

@ -1,65 +0,0 @@
From 515b2579acd24241eefd7237debcecab11c7f2cd Mon Sep 17 00:00:00 2001
From: Blake Riley <blake.riley@gmail.com>
Date: Thu, 29 Aug 2019 14:41:50 +1000
Subject: [PATCH 1/4] Fix typos, update URLs in squashfs-tools Makefile
This updates URLs for a few compression libraries, which have moved since the Makefile instructions were written.
Also, instructions now refer to the appropriate compressor arg, not always "the XZ_SUPPORT line below".
---
squashfs-tools/Makefile | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/squashfs-tools/Makefile b/squashfs-tools/Makefile
index 46c0772..aee4b96 100644
--- a/squashfs-tools/Makefile
+++ b/squashfs-tools/Makefile
@@ -42,7 +42,7 @@ GZIP_SUPPORT = 1
# your distribution package manager.
#
# To build install the library and uncomment
-# the XZ_SUPPORT line below.
+# the LZO_SUPPORT line below.
#
#LZO_SUPPORT = 1
@@ -50,8 +50,8 @@ GZIP_SUPPORT = 1
########### Building LZ4 support #############
#
# Yann Collet's LZ4 tools are supported
-# LZ4 homepage: http://fastcompression.blogspot.com/p/lz4.html
-# LZ4 source repository: http://code.google.com/p/lz4
+# LZ4 homepage: https://lz4.github.io/lz4/
+# LZ4 source repository: https://github.com/lz4/lz4/
#
# Development packages (libraries and header files) should be
# supported by most modern distributions. Please refer to
@@ -66,7 +66,7 @@ GZIP_SUPPORT = 1
########### Building ZSTD support ############
#
# The ZSTD library is supported
-# ZSTD homepage: http://zstd.net
+# ZSTD homepage: https://facebook.github.io/zstd/
# ZSTD source repository: https://github.com/facebook/zstd
#
# Development packages (libraries and header files) should be
@@ -74,7 +74,7 @@ GZIP_SUPPORT = 1
# your distribution package manager.
#
# To build install the library and uncomment
-# the XZ_SUPPORT line below.
+# the ZSTD_SUPPORT line below.
#
#ZSTD_SUPPORT = 1
@@ -273,7 +273,7 @@ endif
# COMP_DEFAULT must be a selected compressor
#
ifeq (, $(findstring $(COMP_DEFAULT), $(COMPRESSORS)))
-$(error "COMP_DEFAULT is set to ${COMP_DEFAULT}, which isn't selected to be \
+$(error "COMP_DEFAULT is set to ${COMP_DEFAULT}, which isn't selected to be \
built!")
endif
--
1.8.3.1

67
0002-Support-creating-sockets-in-unsquashfs.patch
View File

@ -1,67 +0,0 @@
From 585656b9aeb942c48b810149f976d59c54b9199d Mon Sep 17 00:00:00 2001
From: Kevin Vigor <kvigor@gmail.com>
Date: Mon, 9 Sep 2019 08:55:40 -0700
Subject: [PATCH 2/4] Support creating sockets in unsquashfs.
---
squashfs-tools/unsquashfs.c | 16 ++++++++++++----
1 file changed, 12 insertions(+), 4 deletions(-)
diff --git a/squashfs-tools/unsquashfs.c b/squashfs-tools/unsquashfs.c
index 727f1d5..aec66c7 100644
--- a/squashfs-tools/unsquashfs.c
+++ b/squashfs-tools/unsquashfs.c
@@ -55,7 +55,7 @@ squashfs_operations *(*read_filesystem_tables)();
struct compressor *comp;
int bytes = 0, swap, file_count = 0, dir_count = 0, sym_count = 0,
- dev_count = 0, fifo_count = 0;
+ dev_count = 0, fifo_count = 0, socket_count = 0;
struct hash_table_entry *inode_table_hash[65536], *directory_table_hash[65536];
int fd;
unsigned int cached_frag = SQUASHFS_INVALID_FRAG;
@@ -1192,7 +1192,14 @@ int create_inode(char *pathname, struct inode *i)
case SQUASHFS_SOCKET_TYPE:
case SQUASHFS_LSOCKET_TYPE:
TRACE("create_inode: socket\n");
- ERROR("create_inode: socket %s ignored\n", pathname);
+
+ if (mknod(pathname, S_IFSOCK | i->mode, 0) == -1) {
+ ERROR("create_inode: failed to create socket %s, "
+ "because %s\n",
+ pathname, strerror(errno));
+ goto failed;
+ }
+ socket_count++;
break;
default:
EXIT_UNSQUASH_STRICT("Unknown inode type %d in create_inode_table!\n",
@@ -2217,7 +2224,7 @@ void *progress_thread(void *arg)
if(progress_enabled) {
pthread_mutex_lock(&screen_mutex);
progress_bar(sym_count + dev_count +
- fifo_count + cur_blocks, total_inodes -
+ fifo_count + socket_count + cur_blocks, total_inodes -
total_files + total_blocks, columns);
pthread_mutex_unlock(&screen_mutex);
}
@@ -2410,7 +2417,7 @@ void disable_progress_bar()
{
pthread_mutex_lock(&screen_mutex);
if(progress_enabled) {
- progress_bar(sym_count + dev_count + fifo_count + cur_blocks,
+ progress_bar(sym_count + dev_count + fifo_count + socket_count + cur_blocks,
total_inodes - total_files + total_blocks, columns);
printf("\n");
}
@@ -2983,6 +2990,7 @@ options:
printf("created %d symlinks\n", sym_count);
printf("created %d devices\n", dev_count);
printf("created %d fifos\n", fifo_count);
+ printf("created %d sockets\n", socket_count);
}
return exit_code;
--
1.8.3.1

46
0003-squashfs-tools-fix-build-failure-against-gcc-10.patch
View File

@ -1,46 +0,0 @@
From ce42828b8f2001eb691bf378ff5a351484f1f4c2 Mon Sep 17 00:00:00 2001
From: Sergei Trofimovich <slyfox@gentoo.org>
Date: Sun, 26 Jan 2020 18:35:13 +0000
Subject: [PATCH 3/4] squashfs-tools: fix build failure against gcc-10
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
On gcc-10 (and gcc-9 -fno-common) build fails as:
```
cc ... -o mksquashfs
ld: read_fs.o:(.bss+0x0):
multiple definition of `fwriter_buffer'; mksquashfs.o:(.bss+0x400c90): first defined here
ld: read_fs.o:(.bss+0x8):
multiple definition of `bwriter_buffer'; mksquashfs.o:(.bss+0x400c98): first defined here
```
gcc-10 will change the default from -fcommon to fno-common:
https://gcc.gnu.org/PR85678.
The error also happens if CFLAGS=-fno-common passed explicitly.
Reported-by: Toralf Förster
Bug: https://bugs.gentoo.org/706456
Signed-off-by: Sergei Trofimovich <slyfox@gentoo.org>
---
squashfs-tools/mksquashfs.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/squashfs-tools/mksquashfs.h b/squashfs-tools/mksquashfs.h
index 1beefef..b650306 100644
--- a/squashfs-tools/mksquashfs.h
+++ b/squashfs-tools/mksquashfs.h
@@ -143,7 +143,7 @@ struct append_file {
#endif
extern struct cache *reader_buffer, *fragment_buffer, *reserve_cache;
-struct cache *bwriter_buffer, *fwriter_buffer;
+extern struct cache *bwriter_buffer, *fwriter_buffer;
extern struct queue *to_reader, *to_deflate, *to_writer, *from_writer,
*to_frag, *locked_fragment, *to_process_frag;
extern struct append_file **file_mapping;
--
1.8.3.1

30
0004-xattr-Initialize-header-to-avoid-valgrind-warning.patch
View File

@ -1,30 +0,0 @@
From 250f2f52fa3074c66b426a20200ad6934bc071de Mon Sep 17 00:00:00 2001
From: Henrik Grindal Bakken <henribak@cisco.com>
Date: Wed, 6 Dec 2017 13:18:51 +0100
Subject: [PATCH 4/4] xattr: Initialize header to avoid valgrind warning
The 'unused' field was written uninitialized to disk. This introduces
a randomness into the file system, and it also ends up as a valgrind
warning.
Signed-off-by: Phillip Lougher <phillip@squashfs.org.uk>
---
squashfs-tools/xattr.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/squashfs-tools/xattr.c b/squashfs-tools/xattr.c
index 64dfd82..b802965 100644
--- a/squashfs-tools/xattr.c
+++ b/squashfs-tools/xattr.c
@@ -425,7 +425,7 @@ long long write_xattrs()
int i, avail_bytes;
char *datap = data_cache;
long long start_bytes = bytes;
- struct squashfs_xattr_table header;
+ struct squashfs_xattr_table header = {};
if(xattr_ids == 0)
return SQUASHFS_INVALID_BLK;
--
1.8.3.1

264
0005-CVE-2021-40153.patch
View File

@ -1,264 +0,0 @@
From 39971ca17a17520cefeb84f65e028d5004a579b2 Mon Sep 17 00:00:00 2001
From: Phillip Lougher <phillip@squashfs.org.uk>
Date: Sat, 16 Jan 2021 20:08:55 +0000
Subject: [PATCH] Unsquashfs: fix write outside destination directory exploit
An issue on Github (https://github.com/plougher/squashfs-tools/issues/72)
shows how some specially crafted Squashfs filesystems containing
invalid file names (with '/' and ..) can cause Unsquashfs to write
files outside of the destination directory.
This commit fixes this exploit by checking all names for
validity.
In doing so I have also added checks for '.' and for names that
are shorter than they should be (names in the file system should
not have '\0' terminators).
Signed-off-by: Phillip Lougher <phillip@squashfs.org.uk>
---
squashfs-tools/Makefile | 5 ++-
squashfs-tools/unsquash-1.c | 9 +++++-
squashfs-tools/unsquash-1234.c | 58 ++++++++++++++++++++++++++++++++++
squashfs-tools/unsquash-2.c | 9 +++++-
squashfs-tools/unsquash-3.c | 9 +++++-
squashfs-tools/unsquash-4.c | 9 +++++-
squashfs-tools/unsquashfs.c | 4 +--
squashfs-tools/unsquashfs.h | 5 ++-
8 files changed, 100 insertions(+), 8 deletions(-)
create mode 100644 squashfs-tools/unsquash-1234.c
diff --git a/squashfs-tools/Makefile b/squashfs-tools/Makefile
index 46c0772..de06bb2 100644
--- a/squashfs-tools/Makefile
+++ b/squashfs-tools/Makefile
@@ -156,7 +156,8 @@ MKSQUASHFS_OBJS = mksquashfs.o read_fs.o action.o swap.o pseudo.o compressor.o \
caches-queues-lists.o
UNSQUASHFS_OBJS = unsquashfs.o unsquash-1.o unsquash-2.o unsquash-3.o \
- unsquash-4.o unsquash-123.o unsquash-34.o swap.o compressor.o unsquashfs_info.o
+ unsquash-4.o unsquash-123.o unsquash-34.o unsquash-1234.o swap.o \
+ compressor.o unsquashfs_info.o
CFLAGS ?= -O2
CFLAGS += $(EXTRA_CFLAGS) $(INCLUDEDIR) -D_FILE_OFFSET_BITS=64 \
@@ -350,6 +351,8 @@ unsquash-123.o: unsquashfs.h unsquash-123.c squashfs_fs.h squashfs_compat.h
unsquash-34.o: unsquashfs.h unsquash-34.c
+unsquash-1234.o: unsquash-1234.c
+
unsquashfs_xattr.o: unsquashfs_xattr.c unsquashfs.h squashfs_fs.h xattr.h
unsquashfs_info.o: unsquashfs.h squashfs_fs.h
diff --git a/squashfs-tools/unsquash-1.c b/squashfs-tools/unsquash-1.c
index 34eced3..28326cb 100644
--- a/squashfs-tools/unsquash-1.c
+++ b/squashfs-tools/unsquash-1.c
@@ -2,7 +2,7 @@
* Unsquash a squashfs filesystem. This is a highly compressed read only
* filesystem.
*
- * Copyright (c) 2009, 2010, 2011, 2012, 2019
+ * Copyright (c) 2009, 2010, 2011, 2012, 2019, 2021
* Phillip Lougher <phillip@squashfs.org.uk>
*
* This program is free software; you can redistribute it and/or
@@ -285,6 +285,13 @@ static struct dir *squashfs_opendir(unsigned int block_start, unsigned int offse
memcpy(dire->name, directory_table + bytes,
dire->size + 1);
dire->name[dire->size + 1] = '\0';
+
+ /* check name for invalid characters (i.e /, ., ..) */
+ if(check_name(dire->name, dire->size + 1) == FALSE) {
+ ERROR("File system corrupted: invalid characters in name\n");
+ goto corrupted;
+ }
+
TRACE("squashfs_opendir: directory entry %s, inode "
"%d:%d, type %d\n", dire->name,
dirh.start_block, dire->offset, dire->type);
diff --git a/squashfs-tools/unsquash-1234.c b/squashfs-tools/unsquash-1234.c
new file mode 100644
index 0000000..c2d4f42
--- /dev/null
+++ b/squashfs-tools/unsquash-1234.c
@@ -0,0 +1,58 @@
+/*
+ * Unsquash a squashfs filesystem. This is a highly compressed read only
+ * filesystem.
+ *
+ * Copyright (c) 2021
+ * Phillip Lougher <phillip@squashfs.org.uk>
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; either version 2,
+ * or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+ *
+ * unsquash-1234.c
+ *
+ * Helper functions used by unsquash-1, unsquash-2, unsquash-3 and
+ * unsquash-4.
+ */
+
+#define TRUE 1
+#define FALSE 0
+/*
+ * Check name for validity, name should not
+ * - be ".", "./", or
+ * - be "..", "../" or
+ * - have a "/" anywhere in the name, or
+ * - be shorter than the expected size
+ */
+int check_name(char *name, int size)
+{
+ char *start = name;
+
+ if(name[0] == '.') {
+ if(name[1] == '.')
+ name++;
+ if(name[1] == '/' || name[1] == '\0')
+ return FALSE;
+ }
+
+ while(name[0] != '/' && name[0] != '\0')
+ name ++;
+
+ if(name[0] == '/')
+ return FALSE;
+
+ if((name - start) != size)
+ return FALSE;
+
+ return TRUE;
+}
diff --git a/squashfs-tools/unsquash-2.c b/squashfs-tools/unsquash-2.c
index 4b3d767..474064e 100644
--- a/squashfs-tools/unsquash-2.c
+++ b/squashfs-tools/unsquash-2.c
@@ -2,7 +2,7 @@
* Unsquash a squashfs filesystem. This is a highly compressed read only
* filesystem.
*
- * Copyright (c) 2009, 2010, 2013, 2019
+ * Copyright (c) 2009, 2010, 2013, 2019, 2021
* Phillip Lougher <phillip@squashfs.org.uk>
*
* This program is free software; you can redistribute it and/or
@@ -386,6 +386,13 @@ static struct dir *squashfs_opendir(unsigned int block_start, unsigned int offse
memcpy(dire->name, directory_table + bytes,
dire->size + 1);
dire->name[dire->size + 1] = '\0';
+
+ /* check name for invalid characters (i.e /, ., ..) */
+ if(check_name(dire->name, dire->size + 1) == FALSE) {
+ ERROR("File system corrupted: invalid characters in name\n");
+ goto corrupted;
+ }
+
TRACE("squashfs_opendir: directory entry %s, inode "
"%d:%d, type %d\n", dire->name,
dirh.start_block, dire->offset, dire->type);
diff --git a/squashfs-tools/unsquash-3.c b/squashfs-tools/unsquash-3.c
index 02c31fc..65cfe4d 100644
--- a/squashfs-tools/unsquash-3.c
+++ b/squashfs-tools/unsquash-3.c
@@ -2,7 +2,7 @@
* Unsquash a squashfs filesystem. This is a highly compressed read only
* filesystem.
*
- * Copyright (c) 2009, 2010, 2011, 2012, 2013, 2019
+ * Copyright (c) 2009, 2010, 2011, 2012, 2013, 2019, 2021
* Phillip Lougher <phillip@squashfs.org.uk>
*
* This program is free software; you can redistribute it and/or
@@ -413,6 +413,13 @@ static struct dir *squashfs_opendir(unsigned int block_start, unsigned int offse
memcpy(dire->name, directory_table + bytes,
dire->size + 1);
dire->name[dire->size + 1] = '\0';
+
+ /* check name for invalid characters (i.e /, ., ..) */
+ if(check_name(dire->name, dire->size + 1) == FALSE) {
+ ERROR("File system corrupted: invalid characters in name\n");
+ goto corrupted;
+ }
+
TRACE("squashfs_opendir: directory entry %s, inode "
"%d:%d, type %d\n", dire->name,
dirh.start_block, dire->offset, dire->type);
diff --git a/squashfs-tools/unsquash-4.c b/squashfs-tools/unsquash-4.c
index 8475835..aa23a84 100644
--- a/squashfs-tools/unsquash-4.c
+++ b/squashfs-tools/unsquash-4.c
@@ -2,7 +2,7 @@
* Unsquash a squashfs filesystem. This is a highly compressed read only
* filesystem.
*
- * Copyright (c) 2009, 2010, 2011, 2012, 2013, 2019
+ * Copyright (c) 2009, 2010, 2011, 2012, 2013, 2019, 2021
* Phillip Lougher <phillip@squashfs.org.uk>
*
* This program is free software; you can redistribute it and/or
@@ -349,6 +349,13 @@ static struct dir *squashfs_opendir(unsigned int block_start, unsigned int offse
memcpy(dire->name, directory_table + bytes,
dire->size + 1);
dire->name[dire->size + 1] = '\0';
+
+ /* check name for invalid characters (i.e /, ., ..) */
+ if(check_name(dire->name, dire->size + 1) == FALSE) {
+ ERROR("File system corrupted: invalid characters in name\n");
+ goto corrupted;
+ }
+
TRACE("squashfs_opendir: directory entry %s, inode "
"%d:%d, type %d\n", dire->name,
dirh.start_block, dire->offset, dire->type);
diff --git a/squashfs-tools/unsquashfs.c b/squashfs-tools/unsquashfs.c
index 727f1d5..f1c3552 100644
--- a/squashfs-tools/unsquashfs.c
+++ b/squashfs-tools/unsquashfs.c
@@ -2610,8 +2610,8 @@ int parse_number(char *start, int *res)
#define VERSION() \
- printf("unsquashfs version 4.4 (2019/08/29)\n");\
- printf("copyright (C) 2019 Phillip Lougher "\
+ printf("unsquashfs version 4.4-git (2021/01/17)\n");\
+ printf("copyright (C) 2021 Phillip Lougher "\
"<phillip@squashfs.org.uk>\n\n");\
printf("This program is free software; you can redistribute it and/or"\
"\n");\
diff --git a/squashfs-tools/unsquashfs.h b/squashfs-tools/unsquashfs.h
index 934618b..db1da7a 100644
--- a/squashfs-tools/unsquashfs.h
+++ b/squashfs-tools/unsquashfs.h
@@ -4,7 +4,7 @@
* Unsquash a squashfs filesystem. This is a highly compressed read only
* filesystem.
*
- * Copyright (c) 2009, 2010, 2013, 2014, 2019
+ * Copyright (c) 2009, 2010, 2013, 2014, 2019, 2021
* Phillip Lougher <phillip@squashfs.org.uk>
*
* This program is free software; you can redistribute it and/or
@@ -261,4 +261,7 @@ extern int read_ids(int, long long, long long, unsigned int **);
/* unsquash-34.c */
extern long long *alloc_index_table(int);
+
+/* unsquash-1234.c */
+extern int check_name(char *, int);
#endif
--
2.23.0

112
0006-CVE-2021-41072.patch
View File

@ -1,112 +0,0 @@
From 80b8441a37fcf8bf07dacf24d9d6c6459a0f6e36 Mon Sep 17 00:00:00 2001
From: Phillip Lougher <phillip@squashfs.org.uk>
Date: Sun, 12 Sep 2021 19:58:19 +0100
Subject: [PATCH] unsquashfs: use squashfs_closedir() to delete directory
Signed-off-by: Phillip Lougher <phillip@squashfs.org.uk>
---
squashfs-tools/unsquash-1.c | 3 +--
squashfs-tools/unsquash-1234.c | 11 +++++++++--
squashfs-tools/unsquash-2.c | 3 +--
squashfs-tools/unsquash-3.c | 3 +--
squashfs-tools/unsquash-4.c | 3 +--
squashfs-tools/unsquashfs.c | 7 -------
squashfs-tools/unsquashfs.h | 1 +
7 files changed, 14 insertions(+), 17 deletions(-)
--- a/squashfs-tools/unsquash-1.c
+++ b/squashfs-tools/unsquash-1.c
@@ -316,8 +316,7 @@ static struct dir *squashfs_opendir(unsi
return dir;
corrupted:
- free(dir->dirs);
- free(dir);
+ squashfs_closedir(dir);
return NULL;
}
--- a/squashfs-tools/unsquash-1234.c
+++ b/squashfs-tools/unsquash-1234.c
@@ -25,8 +25,8 @@
* unsquash-4.
*/
-#define TRUE 1
-#define FALSE 0
+#include "unsquashfs.h"
+
/*
* Check name for validity, name should not
* - be ".", "./", or
@@ -56,3 +56,10 @@ int check_name(char *name, int size)
return TRUE;
}
+
+
+void squashfs_closedir(struct dir *dir)
+{
+ free(dir->dirs);
+ free(dir);
+}
--- a/squashfs-tools/unsquash-2.c
+++ b/squashfs-tools/unsquash-2.c
@@ -417,8 +417,7 @@ static struct dir *squashfs_opendir(unsi
return dir;
corrupted:
- free(dir->dirs);
- free(dir);
+ squashfs_closedir(dir);
return NULL;
}
--- a/squashfs-tools/unsquash-3.c
+++ b/squashfs-tools/unsquash-3.c
@@ -444,8 +444,7 @@ static struct dir *squashfs_opendir(unsi
return dir;
corrupted:
- free(dir->dirs);
- free(dir);
+ squashfs_closedir(dir);
return NULL;
}
--- a/squashfs-tools/unsquash-4.c
+++ b/squashfs-tools/unsquash-4.c
@@ -380,8 +380,7 @@ static struct dir *squashfs_opendir(unsi
return dir;
corrupted:
- free(dir->dirs);
- free(dir);
+ squashfs_closedir(dir);
return NULL;
}
--- a/squashfs-tools/unsquashfs.c
+++ b/squashfs-tools/unsquashfs.c
@@ -1290,13 +1290,6 @@ unsigned int *offset, unsigned int *type
}
-void squashfs_closedir(struct dir *dir)
-{
- free(dir->dirs);
- free(dir);
-}
-
-
char *get_component(char *target, char **targname)
{
char *start;
--- a/squashfs-tools/unsquashfs.h
+++ b/squashfs-tools/unsquashfs.h
@@ -264,4 +264,5 @@ extern long long *alloc_index_table(int)
/* unsquash-1234.c */
extern int check_name(char *, int);
+extern void squashfs_closedir(struct dir *);
#endif

87
0007-CVE-2021-41072.patch
View File

@ -1,87 +0,0 @@
From 1993a4e7aeda04962bf26e84c15fba8b58837e10 Mon Sep 17 00:00:00 2001
From: Phillip Lougher <phillip@squashfs.org.uk>
Date: Sun, 12 Sep 2021 20:09:13 +0100
Subject: [PATCH] unsquashfs: dynamically allocate name
Dynamically allocate name rather than store it
directly in structure.
Signed-off-by: Phillip Lougher <phillip@squashfs.org.uk>
---
squashfs-tools/unsquash-1.c | 2 +-
squashfs-tools/unsquash-1234.c | 5 +++++
squashfs-tools/unsquash-2.c | 2 +-
squashfs-tools/unsquash-3.c | 2 +-
squashfs-tools/unsquash-4.c | 2 +-
squashfs-tools/unsquashfs.h | 2 +-
6 files changed, 10 insertions(+), 5 deletions(-)
--- a/squashfs-tools/unsquash-1.c
+++ b/squashfs-tools/unsquash-1.c
@@ -303,7 +303,7 @@ static struct dir *squashfs_opendir(unsi
"realloc failed!\n");
dir->dirs = new_dir;
}
- strcpy(dir->dirs[dir->dir_count].name, dire->name);
+ dir->dirs[dir->dir_count].name = strdup(dire->name);
dir->dirs[dir->dir_count].start_block =
dirh.start_block;
dir->dirs[dir->dir_count].offset = dire->offset;
--- a/squashfs-tools/unsquash-1234.c
+++ b/squashfs-tools/unsquash-1234.c
@@ -60,6 +60,11 @@ int check_name(char *name, int size)
void squashfs_closedir(struct dir *dir)
{
+ int i;
+
+ for(i = 0; i < dir->dir_count; i++)
+ free(dir->dirs[i].name);
+
free(dir->dirs);
free(dir);
}
--- a/squashfs-tools/unsquash-2.c
+++ b/squashfs-tools/unsquash-2.c
@@ -404,7 +404,7 @@ static struct dir *squashfs_opendir(unsi
"realloc failed!\n");
dir->dirs = new_dir;
}
- strcpy(dir->dirs[dir->dir_count].name, dire->name);
+ dir->dirs[dir->dir_count].name = strdup(dire->name);
dir->dirs[dir->dir_count].start_block =
dirh.start_block;
dir->dirs[dir->dir_count].offset = dire->offset;
--- a/squashfs-tools/unsquash-3.c
+++ b/squashfs-tools/unsquash-3.c
@@ -431,7 +431,7 @@ static struct dir *squashfs_opendir(unsi
"realloc failed!\n");
dir->dirs = new_dir;
}
- strcpy(dir->dirs[dir->dir_count].name, dire->name);
+ dir->dirs[dir->dir_count].name = strdup(dire->name);
dir->dirs[dir->dir_count].start_block =
dirh.start_block;
dir->dirs[dir->dir_count].offset = dire->offset;
--- a/squashfs-tools/unsquash-4.c
+++ b/squashfs-tools/unsquash-4.c
@@ -367,7 +367,7 @@ static struct dir *squashfs_opendir(unsi
"realloc failed!\n");
dir->dirs = new_dir;
}
- strcpy(dir->dirs[dir->dir_count].name, dire->name);
+ dir->dirs[dir->dir_count].name = strdup(dire->name);
dir->dirs[dir->dir_count].start_block =
dirh.start_block;
dir->dirs[dir->dir_count].offset = dire->offset;
--- a/squashfs-tools/unsquashfs.h
+++ b/squashfs-tools/unsquashfs.h
@@ -165,7 +165,7 @@ struct queue {
#define DIR_ENT_SIZE 16
struct dir_ent {
- char name[SQUASHFS_NAME_LEN + 1];
+ char *name;
unsigned int start_block;
unsigned int offset;
unsigned int type;

306
0008-CVE-2021-41072.patch
View File

@ -1,306 +0,0 @@
From 9938154174756ee48a94ea0b076397a2944b028d Mon Sep 17 00:00:00 2001
From: Phillip Lougher <phillip@squashfs.org.uk>
Date: Sun, 12 Sep 2021 22:58:11 +0100
Subject: [PATCH] unsquashfs: use linked list to store directory names
This should bring higher performance, and it allows sorting
if necessary (1.x and 2.0 filesystems).
Signed-off-by: Phillip Lougher <phillip@squashfs.org.uk>
---
squashfs-tools/unsquash-1.c | 30 +++++++++++++++---------------
squashfs-tools/unsquash-1234.c | 12 ++++++++----
squashfs-tools/unsquash-2.c | 29 +++++++++++++++--------------
squashfs-tools/unsquash-3.c | 29 +++++++++++++++--------------
squashfs-tools/unsquash-4.c | 29 +++++++++++++++--------------
squashfs-tools/unsquashfs.c | 16 ++++++++++------
squashfs-tools/unsquashfs.h | 3 ++-
7 files changed, 80 insertions(+), 68 deletions(-)
--- a/squashfs-tools/unsquash-1.c
+++ b/squashfs-tools/unsquash-1.c
@@ -207,7 +207,7 @@ static struct dir *squashfs_opendir(unsi
long long start;
int bytes;
int dir_count, size;
- struct dir_ent *new_dir;
+ struct dir_ent *ent, *cur_ent = NULL;
struct dir *dir;
TRACE("squashfs_opendir: inode start block %d, offset %d\n",
@@ -220,7 +220,7 @@ static struct dir *squashfs_opendir(unsi
EXIT_UNSQUASH("squashfs_opendir: malloc failed!\n");
dir->dir_count = 0;
- dir->cur_entry = 0;
+ dir->cur_entry = NULL;
dir->mode = (*i)->mode;
dir->uid = (*i)->uid;
dir->guid = (*i)->gid;
@@ -295,19 +295,20 @@ static struct dir *squashfs_opendir(unsi
TRACE("squashfs_opendir: directory entry %s, inode "
"%d:%d, type %d\n", dire->name,
dirh.start_block, dire->offset, dire->type);
- if((dir->dir_count % DIR_ENT_SIZE) == 0) {
- new_dir = realloc(dir->dirs, (dir->dir_count +
- DIR_ENT_SIZE) * sizeof(struct dir_ent));
- if(new_dir == NULL)
- EXIT_UNSQUASH("squashfs_opendir: "
- "realloc failed!\n");
- dir->dirs = new_dir;
- }
- dir->dirs[dir->dir_count].name = strdup(dire->name);
- dir->dirs[dir->dir_count].start_block =
- dirh.start_block;
- dir->dirs[dir->dir_count].offset = dire->offset;
- dir->dirs[dir->dir_count].type = dire->type;
+ ent = malloc(sizeof(struct dir_ent));
+ if(ent == NULL)
+ MEM_ERROR();
+
+ ent->name = strdup(dire->name);
+ ent->start_block = dirh.start_block;
+ ent->offset = dire->offset;
+ ent->type = dire->type;
+ ent->next = NULL;
+ if(cur_ent == NULL)
+ dir->dirs = ent;
+ else
+ cur_ent->next = ent;
+ cur_ent = ent;
dir->dir_count ++;
bytes += dire->size + 1;
}
--- a/squashfs-tools/unsquash-1234.c
+++ b/squashfs-tools/unsquash-1234.c
@@ -60,11 +60,15 @@ int check_name(char *name, int size)
void squashfs_closedir(struct dir *dir)
{
- int i;
+ struct dir_ent *ent = dir->dirs;
- for(i = 0; i < dir->dir_count; i++)
- free(dir->dirs[i].name);
+ while(ent) {
+ struct dir_ent *tmp = ent;
+
+ ent = ent->next;
+ free(tmp->name);
+ free(tmp);
+ }
- free(dir->dirs);
free(dir);
}
--- a/squashfs-tools/unsquash-2.c
+++ b/squashfs-tools/unsquash-2.c
@@ -308,7 +308,7 @@ static struct dir *squashfs_opendir(unsi
long long start;
int bytes;
int dir_count, size;
- struct dir_ent *new_dir;
+ struct dir_ent *ent, *cur_ent = NULL;
struct dir *dir;
TRACE("squashfs_opendir: inode start block %d, offset %d\n",
@@ -321,7 +321,7 @@ static struct dir *squashfs_opendir(unsi
EXIT_UNSQUASH("squashfs_opendir: malloc failed!\n");
dir->dir_count = 0;
- dir->cur_entry = 0;
+ dir->cur_entry = NULL;
dir->mode = (*i)->mode;
dir->uid = (*i)->uid;
dir->guid = (*i)->gid;
@@ -396,19 +396,20 @@ static struct dir *squashfs_opendir(unsi
TRACE("squashfs_opendir: directory entry %s, inode "
"%d:%d, type %d\n", dire->name,
dirh.start_block, dire->offset, dire->type);
- if((dir->dir_count % DIR_ENT_SIZE) == 0) {
- new_dir = realloc(dir->dirs, (dir->dir_count +
- DIR_ENT_SIZE) * sizeof(struct dir_ent));
- if(new_dir == NULL)
- EXIT_UNSQUASH("squashfs_opendir: "
- "realloc failed!\n");
- dir->dirs = new_dir;
- }
- dir->dirs[dir->dir_count].name = strdup(dire->name);
- dir->dirs[dir->dir_count].start_block =
- dirh.start_block;
- dir->dirs[dir->dir_count].offset = dire->offset;
- dir->dirs[dir->dir_count].type = dire->type;
+ ent = malloc(sizeof(struct dir_ent));
+ if(ent == NULL)
+ MEM_ERROR();
+
+ ent->name = strdup(dire->name);
+ ent->start_block = dirh.start_block;
+ ent->offset = dire->offset;
+ ent->type = dire->type;
+ ent->next = NULL;
+ if(cur_ent == NULL)
+ dir->dirs = ent;
+ else
+ cur_ent->next = ent;
+ cur_ent = ent;
dir->dir_count ++;
bytes += dire->size + 1;
}
--- a/squashfs-tools/unsquash-3.c
+++ b/squashfs-tools/unsquash-3.c
@@ -334,7 +334,7 @@ static struct dir *squashfs_opendir(unsi
long long start;
int bytes;
int dir_count, size;
- struct dir_ent *new_dir;
+ struct dir_ent *ent, *cur_ent = NULL;
struct dir *dir;
TRACE("squashfs_opendir: inode start block %d, offset %d\n",
@@ -347,7 +347,7 @@ static struct dir *squashfs_opendir(unsi
EXIT_UNSQUASH("squashfs_opendir: malloc failed!\n");
dir->dir_count = 0;
- dir->cur_entry = 0;
+ dir->cur_entry = NULL;
dir->mode = (*i)->mode;
dir->uid = (*i)->uid;
dir->guid = (*i)->gid;
@@ -423,19 +423,20 @@ static struct dir *squashfs_opendir(unsi
TRACE("squashfs_opendir: directory entry %s, inode "
"%d:%d, type %d\n", dire->name,
dirh.start_block, dire->offset, dire->type);
- if((dir->dir_count % DIR_ENT_SIZE) == 0) {
- new_dir = realloc(dir->dirs, (dir->dir_count +
- DIR_ENT_SIZE) * sizeof(struct dir_ent));
- if(new_dir == NULL)
- EXIT_UNSQUASH("squashfs_opendir: "
- "realloc failed!\n");
- dir->dirs = new_dir;
- }
- dir->dirs[dir->dir_count].name = strdup(dire->name);
- dir->dirs[dir->dir_count].start_block =
- dirh.start_block;
- dir->dirs[dir->dir_count].offset = dire->offset;
- dir->dirs[dir->dir_count].type = dire->type;
+ ent = malloc(sizeof(struct dir_ent));
+ if(ent == NULL)
+ MEM_ERROR();
+
+ ent->name = strdup(dire->name);
+ ent->start_block = dirh.start_block;
+ ent->offset = dire->offset;
+ ent->type = dire->type;
+ ent->next = NULL;
+ if(cur_ent == NULL)
+ dir->dirs = ent;
+ else
+ cur_ent->next = ent;
+ cur_ent = ent;
dir->dir_count ++;
bytes += dire->size + 1;
}
--- a/squashfs-tools/unsquash-4.c
+++ b/squashfs-tools/unsquash-4.c
@@ -281,7 +281,7 @@ static struct dir *squashfs_opendir(unsi
long long start;
long long bytes;
int dir_count, size;
- struct dir_ent *new_dir;
+ struct dir_ent *ent, *cur_ent = NULL;
struct dir *dir;
TRACE("squashfs_opendir: inode start block %d, offset %d\n",
@@ -294,7 +294,7 @@ static struct dir *squashfs_opendir(unsi
EXIT_UNSQUASH("squashfs_opendir: malloc failed!\n");
dir->dir_count = 0;
- dir->cur_entry = 0;
+ dir->cur_entry = NULL;
dir->mode = (*i)->mode;
dir->uid = (*i)->uid;
dir->guid = (*i)->gid;
@@ -359,19 +359,20 @@ static struct dir *squashfs_opendir(unsi
TRACE("squashfs_opendir: directory entry %s, inode "
"%d:%d, type %d\n", dire->name,
dirh.start_block, dire->offset, dire->type);
- if((dir->dir_count % DIR_ENT_SIZE) == 0) {
- new_dir = realloc(dir->dirs, (dir->dir_count +
- DIR_ENT_SIZE) * sizeof(struct dir_ent));
- if(new_dir == NULL)
- EXIT_UNSQUASH("squashfs_opendir: "
- "realloc failed!\n");
- dir->dirs = new_dir;
- }
- dir->dirs[dir->dir_count].name = strdup(dire->name);
- dir->dirs[dir->dir_count].start_block =
- dirh.start_block;
- dir->dirs[dir->dir_count].offset = dire->offset;
- dir->dirs[dir->dir_count].type = dire->type;
+ ent = malloc(sizeof(struct dir_ent));
+ if(ent == NULL)
+ MEM_ERROR();
+
+ ent->name = strdup(dire->name);
+ ent->start_block = dirh.start_block;
+ ent->offset = dire->offset;
+ ent->type = dire->type;
+ ent->next = NULL;
+ if(cur_ent == NULL)
+ dir->dirs = ent;
+ else
+ cur_ent->next = ent;
+ cur_ent = ent;
dir->dir_count ++;
bytes += dire->size + 1;
}
--- a/squashfs-tools/unsquashfs.c
+++ b/squashfs-tools/unsquashfs.c
@@ -1277,14 +1277,18 @@ failed:
int squashfs_readdir(struct dir *dir, char **name, unsigned int *start_block,
unsigned int *offset, unsigned int *type)
{
- if(dir->cur_entry == dir->dir_count)
+ if(dir->cur_entry == NULL)
+ dir->cur_entry = dir->dirs;
+ else
+ dir->cur_entry = dir->cur_entry->next;
+
+ if(dir->cur_entry == NULL)
return FALSE;
- *name = dir->dirs[dir->cur_entry].name;
- *start_block = dir->dirs[dir->cur_entry].start_block;
- *offset = dir->dirs[dir->cur_entry].offset;
- *type = dir->dirs[dir->cur_entry].type;
- dir->cur_entry ++;
+ *name = dir->cur_entry->name;
+ *start_block = dir->cur_entry->start_block;
+ *offset = dir->cur_entry->offset;
+ *type = dir->cur_entry->type;
return TRUE;
}
--- a/squashfs-tools/unsquashfs.h
+++ b/squashfs-tools/unsquashfs.h
@@ -169,17 +169,18 @@ struct dir_ent {
unsigned int start_block;
unsigned int offset;
unsigned int type;
+ struct dir_ent *next;
};
struct dir {
int dir_count;
- int cur_entry;
unsigned int mode;
uid_t uid;
gid_t guid;
unsigned int mtime;
unsigned int xattr;
struct dir_ent *dirs;
+ struct dir_ent *cur_entry;
};
struct file_entry {

289
0009-CVE-2021-41072.patch
View File

@ -1,289 +0,0 @@
From e0485802ec72996c20026da320650d8362f555bd Mon Sep 17 00:00:00 2001
From: Phillip Lougher <phillip@squashfs.org.uk>
Date: Sun, 12 Sep 2021 23:50:06 +0100
Subject: [PATCH] Unsquashfs: additional write outside destination directory
exploit fix
An issue on github (https://github.com/plougher/squashfs-tools/issues/72)
showed how some specially crafted Squashfs filesystems containing
invalid file names (with '/' and '..') can cause Unsquashfs to write
files outside of the destination directory.
Since then it has been shown that specially crafted Squashfs filesystems
that contain a symbolic link pointing outside of the destination directory,
coupled with an identically named file within the same directory, can
cause Unsquashfs to write files outside of the destination directory.
Specifically the symbolic link produces a pathname pointing outside
of the destination directory, which is then followed when writing the
duplicate identically named file within the directory.
This commit fixes this exploit by explictly checking for duplicate
filenames within a directory. As directories in v2.1, v3.x, and v4.0
filesystems are sorted, this is achieved by checking for consecutively
identical filenames. Additionally directories are checked to
ensure they are sorted, to avoid attempts to evade the duplicate
check.
Version 1.x and 2.0 filesystems (where the directories were unsorted)
are sorted and then the above duplicate filename check is applied.
Signed-off-by: Phillip Lougher <phillip@squashfs.org.uk>
---
squashfs-tools/Makefile | 6 +-
squashfs-tools/unsquash-1.c | 6 ++
squashfs-tools/unsquash-12.c | 110 +++++++++++++++++++++++++++++++++
squashfs-tools/unsquash-1234.c | 21 +++++++
squashfs-tools/unsquash-2.c | 16 +++++
squashfs-tools/unsquash-3.c | 6 ++
squashfs-tools/unsquash-4.c | 6 ++
squashfs-tools/unsquashfs.h | 4 ++
8 files changed, 173 insertions(+), 2 deletions(-)
create mode 100644 squashfs-tools/unsquash-12.c
--- a/squashfs-tools/Makefile
+++ b/squashfs-tools/Makefile
@@ -156,8 +156,8 @@ MKSQUASHFS_OBJS = mksquashfs.o read_fs.o
caches-queues-lists.o
UNSQUASHFS_OBJS = unsquashfs.o unsquash-1.o unsquash-2.o unsquash-3.o \
- unsquash-4.o unsquash-123.o unsquash-34.o unsquash-1234.o swap.o \
- compressor.o unsquashfs_info.o
+ unsquash-4.o unsquash-123.o unsquash-34.o unsquash-1234.o unsquash-12.o \
+ swap.o compressor.o unsquashfs_info.o
CFLAGS ?= -O2
CFLAGS += $(EXTRA_CFLAGS) $(INCLUDEDIR) -D_FILE_OFFSET_BITS=64 \
@@ -353,6 +353,8 @@ unsquash-34.o: unsquashfs.h unsquash-34.
unsquash-1234.o: unsquash-1234.c
+unsquash-1234.o: unsquash-12.c
+
unsquashfs_xattr.o: unsquashfs_xattr.c unsquashfs.h squashfs_fs.h xattr.h
unsquashfs_info.o: unsquashfs.h squashfs_fs.h
--- a/squashfs-tools/unsquash-1.c
+++ b/squashfs-tools/unsquash-1.c
@@ -314,6 +314,12 @@ static struct dir *squashfs_opendir(unsi
}
}
+ /* check directory for duplicate names. Need to sort directory first */
+ sort_directory(dir);
+ if(check_directory(dir) == FALSE) {
+ ERROR("File system corrupted: directory has duplicate names\n");
+ goto corrupted;
+ }
return dir;
corrupted:
--- /dev/null
+++ b/squashfs-tools/unsquash-12.c
@@ -0,0 +1,110 @@
+/*
+ * Unsquash a squashfs filesystem. This is a highly compressed read only
+ * filesystem.
+ *
+ * Copyright (c) 2021
+ * Phillip Lougher <phillip@squashfs.org.uk>
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; either version 2,
+ * or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+ *
+ * unsquash-12.c
+ *
+ * Helper functions used by unsquash-1 and unsquash-2.
+ */
+
+#include "unsquashfs.h"
+
+/*
+ * Bottom up linked list merge sort.
+ *
+ */
+void sort_directory(struct dir *dir)
+{
+ struct dir_ent *cur, *l1, *l2, *next;
+ int len1, len2, stride = 1;
+
+ if(dir->dir_count < 2)
+ return;
+
+ /*
+ * We can consider our linked-list to be made up of stride length
+ * sublists. Eacn iteration around this loop merges adjacent
+ * stride length sublists into larger 2*stride sublists. We stop
+ * when stride becomes equal to the entire list.
+ *
+ * Initially stride = 1 (by definition a sublist of 1 is sorted), and
+ * these 1 element sublists are merged into 2 element sublists, which
+ * are then merged into 4 element sublists and so on.
+ */
+ do {
+ l2 = dir->dirs; /* head of current linked list */
+ cur = NULL; /* empty output list */
+
+ /*
+ * Iterate through the linked list, merging adjacent sublists.
+ * On each interation l2 points to the next sublist pair to be
+ * merged (if there's only one sublist left this is simply added
+ * to the output list)
+ */
+ while(l2) {
+ l1 = l2;
+ for(len1 = 0; l2 && len1 < stride; len1 ++, l2 = l2->next);
+ len2 = stride;
+
+ /*
+ * l1 points to first sublist.
+ * l2 points to second sublist.
+ * Merge them onto the output list
+ */
+ while(len1 && l2 && len2) {
+ if(strcmp(l1->name, l2->name) <= 0) {
+ next = l1;
+ l1 = l1->next;
+ len1 --;
+ } else {
+ next = l2;
+ l2 = l2->next;
+ len2 --;
+ }
+
+ if(cur) {
+ cur->next = next;
+ cur = next;
+ } else
+ dir->dirs = cur = next;
+ }
+ /*
+ * One sublist is now empty, copy the other one onto the
+ * output list
+ */
+ for(; len1; len1 --, l1 = l1->next) {
+ if(cur) {
+ cur->next = l1;
+ cur = l1;
+ } else
+ dir->dirs = cur = l1;
+ }
+ for(; l2 && len2; len2 --, l2 = l2->next) {
+ if(cur) {
+ cur->next = l2;
+ cur = l2;
+ } else
+ dir->dirs = cur = l2;
+ }
+ }
+ cur->next = NULL;
+ stride = stride << 1;
+ } while(stride < dir->dir_count);
+}
--- a/squashfs-tools/unsquash-1234.c
+++ b/squashfs-tools/unsquash-1234.c
@@ -72,3 +72,24 @@ void squashfs_closedir(struct dir *dir)
free(dir);
}
+
+
+/*
+ * Check directory for duplicate names. As the directory should be sorted,
+ * duplicates will be consecutive. Obviously we also need to check if the
+ * directory has been deliberately unsorted, to evade this check.
+ */
+int check_directory(struct dir *dir)
+{
+ int i;
+ struct dir_ent *ent;
+
+ if(dir->dir_count < 2)
+ return TRUE;
+
+ for(ent = dir->dirs, i = 0; i < dir->dir_count - 1; ent = ent->next, i++)
+ if(strcmp(ent->name, ent->next->name) >= 0)
+ return FALSE;
+
+ return TRUE;
+}
--- a/squashfs-tools/unsquash-2.c
+++ b/squashfs-tools/unsquash-2.c
@@ -29,6 +29,7 @@ static squashfs_fragment_entry_2 *fragme
static unsigned int *uid_table, *guid_table;
static char *inode_table, *directory_table;
static squashfs_operations ops;
+static int needs_sorting = FALSE;
static void read_block_list(unsigned int *block_list, char *block_ptr, int blocks)
{
@@ -415,6 +416,17 @@ static struct dir *squashfs_opendir(unsi
}
}
+ if(needs_sorting)
+ sort_directory(dir);
+
+ /* check directory for duplicate names and sorting */
+ if(check_directory(dir) == FALSE) {
+ if(needs_sorting)
+ ERROR("File system corrupted: directory has duplicate names\n");
+ else
+ ERROR("File system corrupted: directory has duplicate names or is unsorted\n");
+ goto corrupted;
+ }
return dir;
corrupted:
--- a/squashfs-tools/unsquash-3.c
+++ b/squashfs-tools/unsquash-3.c
@@ -442,6 +442,12 @@ static struct dir *squashfs_opendir(unsi
}
}
+ /* check directory for duplicate names and sorting */
+ if(check_directory(dir) == FALSE) {
+ ERROR("File system corrupted: directory has duplicate names or is unsorted\n");
+ goto corrupted;
+ }
+
return dir;
corrupted:
--- a/squashfs-tools/unsquash-4.c
+++ b/squashfs-tools/unsquash-4.c
@@ -378,6 +378,12 @@ static struct dir *squashfs_opendir(unsi
}
}
+ /* check directory for duplicate names and sorting */
+ if(check_directory(dir) == FALSE) {
+ ERROR("File system corrupted: directory has duplicate names or is unsorted\n");
+ goto corrupted;
+ }
+
return dir;
corrupted:
--- a/squashfs-tools/unsquashfs.h
+++ b/squashfs-tools/unsquashfs.h
@@ -266,4 +266,8 @@ extern long long *alloc_index_table(int)
/* unsquash-1234.c */
extern int check_name(char *, int);
extern void squashfs_closedir(struct dir *);
+extern int check_directory(struct dir *);
+
+/* unsquash-12.c */
+extern void sort_directory(struct dir *);
#endif

21
0010-CVE-2021-41072.patch
View File

@ -1,21 +0,0 @@
From 19fcc9365dcdb2c22d232d42d11012940df64b7c Mon Sep 17 00:00:00 2001
From: Phillip Lougher <phillip@squashfs.org.uk>
Date: Tue, 14 Sep 2021 05:41:27 +0100
Subject: [PATCH] Unsquashfs: Add makefile entry for unsquash-12.o
Signed-off-by: Phillip Lougher <phillip@squashfs.org.uk>
---
squashfs-tools/Makefile | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/squashfs-tools/Makefile
+++ b/squashfs-tools/Makefile
@@ -353,7 +353,7 @@ unsquash-34.o: unsquashfs.h unsquash-34.
unsquash-1234.o: unsquash-1234.c
-unsquash-1234.o: unsquash-12.c
+unsquash-12.o: unsquash-12.c unsquashfs.h
unsquashfs_xattr.o: unsquashfs_xattr.c unsquashfs.h squashfs_fs.h xattr.h

37
squashfs-tools.spec
View File

@ -1,22 +1,11 @@
Name: squashfs-tools
Version: 4.4
Release: 5
Version: 4.6.1
Release: 1
Summary: Utility for the squashfs filesystems
License: GPLv2+
URL: http://squashfs.sourceforge.net/
Source0: http://downloads.sourceforge.net/squashfs/squashfs%{version}.tar.gz
Patch1: 0001-Fix-typos-update-URLs-in-squashfs-tools-Makefile.patch
Patch2: 0002-Support-creating-sockets-in-unsquashfs.patch
Patch3: 0003-squashfs-tools-fix-build-failure-against-gcc-10.patch
Patch4: 0004-xattr-Initialize-header-to-avoid-valgrind-warning.patch
Patch5: 0005-CVE-2021-40153.patch
Patch6: 0006-CVE-2021-41072.patch
Patch7: 0007-CVE-2021-41072.patch
Patch8: 0008-CVE-2021-41072.patch
Patch9: 0009-CVE-2021-41072.patch
Patch10: 0010-CVE-2021-41072.patch
Source0: https://sourceforge.net/projects/squashfs/files/squashfs/squashfs%{version}/squashfs%{version}.tar.gz
BuildRequires: zlib-devel xz-devel libzstd-devel
BuildRequires: lzo-devel libattr-devel lz4-devel gcc
@ -27,10 +16,10 @@ It uses either gzip/xz/lzo/lz4/zstd compression to compress both files, inodes
and directories.
%prep
%autosetup -n squashfs%{version} -p1
%autosetup -n squashfs-tools-%{version} -p1
%build
CFLAGS="%{optflags}" XZ_SUPPORT=1 LZO_SUPPORT=1 LZMA_XZ_SUPPORT=1 LZ4_SUPPORT=1 ZSTD_SUPPORT=1 \
CFLAGS="%{optflags} -fPIE -pie -fPIC" XZ_SUPPORT=1 LZO_SUPPORT=1 LZMA_XZ_SUPPORT=1 LZ4_SUPPORT=1 ZSTD_SUPPORT=1 \
%make_build -C squashfs-tools
%install
@ -39,7 +28,7 @@ install -D -m 755 squashfs-tools/unsquashfs %{buildroot}%{_sbindir}/unsquashfs
%files
%defattr(-,root,root)
%doc ACKNOWLEDGEMENTS README-4.4
%doc ACKNOWLEDGEMENTS README-%{version}
%license COPYING
%{_sbindir}/mksquashfs
%{_sbindir}/unsquashfs
@ -47,8 +36,20 @@ install -D -m 755 squashfs-tools/unsquashfs %{buildroot}%{_sbindir}/unsquashfs
%changelog
* Fri Jul 21 2023 wuguanghao <wuguanghao3@huawei.com> - 4.6.1-1
- upgrade to 4.6.1
* Wed Mar 8 2023 wuguanghao <wuguanghao3@huawei.com> - 4.5.1-2
- add safe compilation options PIE/pie/PIC
* Sat Aug 13 2022 volcanodragon <linfeilong@huawei.com> - 4.5.1-1
- update version to 4.5.1
* Thu Nov 25 2021 yanglongkang <yanglongkang@huawei.com> - 4.5-1
- update to 4.5
* Tue Nov 9 2021 yanglongkang <yanglongkang@huawei.com> - 4.4-5
- Fix CVE-2021-41053 CVE-2021-41072
- Fix CVE-2021-40153 CVE-2021-41072
* Fri Jul 30 2021 chenyanpanHW <chenyanpan@huawei.com> - 4.4-4
- DESC: delete -S git from %autosetup, and delete BuildRequires git

BIN
squashfs4.4.tar.gz
View File

Binary file not shown.

BIN
squashfs4.6.1.tar.gz Normal file
View File

Binary file not shown.