~alpine/aports

[alpine-aports] [PATCH] community/cpio: add minor security fixes, fix tests

alpine-mips-patches <info@mobile-stream.com>
Details
Message ID
<20181220144425.B8EE4604ED@mx12.valuehost.ru>
Sender timestamp
1545314818
DKIM signature
missing
Download raw message
Patch: +466 -5
 - add fixes for CVE-2016-2037, integer overflow and inconsistent
   argument passing to printf-like functions, all from upstream.
 - add autoconf to checkdepends as autom4te is required to create
   built-in tests from templates;
 - remove bash from checkdepends (as it is useless without passing
   CONFIG_SHELL=/bin/bash to ./configure anyway) and replace the
   bash-style sequence expression at tests/symlink-long.at:30 to
   resolve test failure;
 - disable NLS and make explicit other default ./configure options.

---
 community/cpio/APKBUILD                       |  30 +-
 community/cpio/CVE-2016-2037.patch            | 330 ++++++++++++++++++
 community/cpio/cast-arguments-to-printf.patch |  81 +++++
 .../cpio/fix-bash-sequence-expression.patch   |  11 +
 ...ned-integer-overflow-big-block-sizes.patch |  19 +
 5 files changed, 466 insertions(+), 5 deletions(-)
 create mode 100644 community/cpio/CVE-2016-2037.patch
 create mode 100644 community/cpio/cast-arguments-to-printf.patch
 create mode 100644 community/cpio/fix-bash-sequence-expression.patch
 create mode 100644 community/cpio/fix-signed-integer-overflow-big-block-sizes.patch

diff --git a/community/cpio/APKBUILD b/community/cpio/APKBUILD
index 64ad52497d..eb8840d660 100644
--- a/community/cpio/APKBUILD
+++ b/community/cpio/APKBUILD
@@ -2,24 +2,40 @@
# Maintainer: Stuart Cardall <developer@it-offshore.co.uk>
pkgname=cpio
pkgver=2.12
pkgrel=2
pkgrel=3
pkgdesc="A tool to copy files into or out of a cpio or tar archive"
url="https://www.gnu.org/software/cpio"
arch="all"
license="GPL"
depends=""
checkdepends="bash"
checkdepends="autoconf"
subpackages="$pkgname-doc"
source="$pkgname-$pkgver.tar.bz2::http://ftp.snt.utwente.nl/pub/software/gnu/cpio/$pkgname-$pkgver.tar.bz2"
source="$pkgname-$pkgver.tar.bz2::http://ftp.snt.utwente.nl/pub/software/gnu/cpio/$pkgname-$pkgver.tar.bz2
	fix-bash-sequence-expression.patch
	fix-signed-integer-overflow-big-block-sizes.patch
	CVE-2016-2037.patch
	cast-arguments-to-printf.patch"

# secfixes:
#   2.12-r3:
#     - CVE-2016-2037

builddir="$srcdir"/$pkgname-$pkgver

build() {
	cd "$builddir"
	./configure \
		--build=$CBUILD \
		--host=$CHOST \
		--prefix=/usr \
		--sysconfdir=/etc \
		--localstatedir=/var \
		--mandir=/usr/share/man \
		--infodir=/usr/share/info
		--infodir=/usr/share/info \
		--enable-largefile \
		--disable-mt \
		--disable-rpath \
		--disable-nls
	make
}

@@ -36,4 +52,8 @@ package() {
	rm "$pkgdir"/usr/share/man/*/rmt.*
}

sha512sums="0cd4da5f2fbca179ab4e666a5f878414c086a5f98bce4c76273f21d9b2a6fe422d901b5d453826c5f81bbe363aa015047a1e99779ad1a451c8feca6205c63120  cpio-2.12.tar.bz2"
sha512sums="0cd4da5f2fbca179ab4e666a5f878414c086a5f98bce4c76273f21d9b2a6fe422d901b5d453826c5f81bbe363aa015047a1e99779ad1a451c8feca6205c63120  cpio-2.12.tar.bz2
228ae9f3832589eea742534953e3d28eafe8295893232b33f060a4ad35d7da7eae4608e1d675d9ece1a8ff107157a3c9c43eb2d282b3a95b22324c27d54fd787  fix-bash-sequence-expression.patch
979a67a0071389fd385c118062e8f3a89488c94c7b3674396f17311e891134ea328d948da4bfeb45bbc620c67e411717cd1cc1ff890d72db479bb484e8d1839c  fix-signed-integer-overflow-big-block-sizes.patch
0c3884389be446a927e387ccf8a3e658b38e3d2b94bb3262703bbd6806835e7f5d1cccfbdf090ce7be27913eef6b67c30e37e7b9fee363a9d9ee6c4d830da4c1  CVE-2016-2037.patch
209007a8c34f52a4a7539adf83b62925ea0013e11b0ec4c4faf6853384c34251e7898ed5822cb5a2f4a05d90baa574fc26f52504f2952e6e57c2b852a0d2d97a  cast-arguments-to-printf.patch"
diff --git a/community/cpio/CVE-2016-2037.patch b/community/cpio/CVE-2016-2037.patch
new file mode 100644
index 0000000000..dc7bbc0be5
--- /dev/null
+++ b/community/cpio/CVE-2016-2037.patch
@@ -0,0 +1,330 @@
commit d36ec5f4e93130efb24fb9678aafd88e8070095b
Author: Pavel Raiskup <praiskup@redhat.com>
Date:   Tue Jan 26 23:17:54 2016 +0100

    CVE-2016-2037 - 1 byte out-of-bounds write
    
    Ensure that cpio_safer_name_suffix always works with dynamically
    allocated buffer, and that it has size of at least 32 bytes.
    Then, any call to cpio_safer_name_suffix is safe (it requires at
    least 2 bytes in the buffer).
    
    Also ensure that c_namesize is always correctly initialized (by
    cpio_set_c_name) to avoid undefined behavior when reading
    file_hdr.c_namesize (previously happened for tar archives).
    
    References:
    http://www.mail-archive.com/bug-cpio@gnu.org/msg00545.html
    
    * src/copyin.c (query_rename): Drop the hack, as we now work with
    dynamically allocated buffer.  Use cpio_set_c_name.
    (create_defered_links_to_skipped): Use cpio_set_c_name rather than
    manual assignment.
    (read_name_from_file): New function to avoid C&P.
    (read_in_old_ascii, read_in_new_ascii, read_in_binary): Use
    read_name_from_file.
    (process_copy_in): Initialize file_hdr.c_namesize.
    * src/copyout.c (process_copy_out): Use cpio_set_c_name.
    * src/cpiohdr.h (cpio_set_c_name): New prototype.
    * src/tar.c (read_in_tar_header): Use cpio_set_c_name.
    * src/util.c (cpio_set_c_name): New function to set
    file_hdr->c_name and c_namesize from arbitrary string.
    (cpio_safer_name_suffix): Some docs fixes.
    * tests/inout.at: Also test copy-in, and try various formats.

diff --git a/src/copyin.c b/src/copyin.c
index 6a306ee..ba887ae 100644
--- a/src/copyin.c
+++ b/src/copyin.c
@@ -76,28 +76,7 @@ query_rename(struct cpio_file_stat* file_hdr, FILE *tty_in, FILE *tty_out,
       return -1;
     }
   else
-  /* Debian hack: file_hrd.c_name is sometimes set to
-     point to static memory by code in tar.c.  This
-     causes a segfault.  This has been fixed and an
-     additional check to ensure that the file name
-     is not too long has been added.  (Reported by
-     Horst Knobloch.)  This bug has been reported to
-     "bug-gnu-utils@prep.ai.mit.edu". (99/1/6) -BEM */
-    {
-      if (archive_format != arf_tar && archive_format != arf_ustar)
-	{
-	  free (file_hdr->c_name);
-	  file_hdr->c_name = xstrdup (new_name.ds_string);
-	}
-      else
-	{
-	  if (is_tar_filename_too_long (new_name.ds_string))
-	    error (0, 0, _("%s: file name too long"),
-		   new_name.ds_string);
-	  else
-	    strcpy (file_hdr->c_name, new_name.ds_string);
-	}
-    }
+    cpio_set_c_name (file_hdr, new_name.ds_string);
   return 0;
 }
 
@@ -342,8 +321,7 @@ create_defered_links_to_skipped (struct cpio_file_stat *file_hdr,
 	    d_prev->next = d->next;
 	  else
 	    deferments = d->next;
-	  free (file_hdr->c_name);
-	  file_hdr->c_name = xstrdup(d->header.c_name);
+	  cpio_set_c_name (file_hdr, d->header.c_name);
 	  free_deferment (d);
 	  copyin_regular_file(file_hdr, in_file_des);
 	  return 0;
@@ -1012,6 +990,22 @@ read_in_header (struct cpio_file_stat *file_hdr, int in_des)
     }
 }
 
+static void
+read_name_from_file (struct cpio_file_stat *file_hdr, int fd, uintmax_t len)
+{
+  static char *tmp_filename;
+  static size_t buflen;
+
+  if (buflen < len)
+    {
+      buflen = len;
+      tmp_filename = xrealloc (tmp_filename, buflen);
+    }
+
+  tape_buffered_read (tmp_filename, fd, len);
+  cpio_set_c_name (file_hdr, tmp_filename);
+}
+
 /* Fill in FILE_HDR by reading an old-format ASCII format cpio header from
    file descriptor IN_DES, except for the magic number, which is
    already filled in.  */
@@ -1038,14 +1032,8 @@ read_in_old_ascii (struct cpio_file_stat *file_hdr, int in_des)
   file_hdr->c_rdev_min = minor (dev);
 
   file_hdr->c_mtime = FROM_OCTAL (ascii_header.c_mtime);
-  file_hdr->c_namesize = FROM_OCTAL (ascii_header.c_namesize);
   file_hdr->c_filesize = FROM_OCTAL (ascii_header.c_filesize);
-  
-  /* Read file name from input.  */
-  if (file_hdr->c_name != NULL)
-    free (file_hdr->c_name);
-  file_hdr->c_name = (char *) xmalloc (file_hdr->c_namesize + 1);
-  tape_buffered_read (file_hdr->c_name, in_des, (long) file_hdr->c_namesize);
+  read_name_from_file (file_hdr, in_des, FROM_OCTAL (ascii_header.c_namesize));
 
   /* HP/UX cpio creates archives that look just like ordinary archives,
      but for devices it sets major = 0, minor = 1, and puts the
@@ -1100,14 +1088,8 @@ read_in_new_ascii (struct cpio_file_stat *file_hdr, int in_des)
   file_hdr->c_dev_min = FROM_HEX (ascii_header.c_dev_min);
   file_hdr->c_rdev_maj = FROM_HEX (ascii_header.c_rdev_maj);
   file_hdr->c_rdev_min = FROM_HEX (ascii_header.c_rdev_min);
-  file_hdr->c_namesize = FROM_HEX (ascii_header.c_namesize);
   file_hdr->c_chksum = FROM_HEX (ascii_header.c_chksum);
-  
-  /* Read file name from input.  */
-  if (file_hdr->c_name != NULL)
-    free (file_hdr->c_name);
-  file_hdr->c_name = (char *) xmalloc (file_hdr->c_namesize);
-  tape_buffered_read (file_hdr->c_name, in_des, (long) file_hdr->c_namesize);
+  read_name_from_file (file_hdr, in_des, FROM_HEX (ascii_header.c_namesize));
 
   /* In SVR4 ASCII format, the amount of space allocated for the header
      is rounded up to the next long-word, so we might need to drop
@@ -1155,16 +1137,9 @@ read_in_binary (struct cpio_file_stat *file_hdr,
   file_hdr->c_rdev_min = minor (short_hdr->c_rdev);
   file_hdr->c_mtime = (unsigned long) short_hdr->c_mtimes[0] << 16
                       | short_hdr->c_mtimes[1];
-
-  file_hdr->c_namesize = short_hdr->c_namesize;
   file_hdr->c_filesize = (unsigned long) short_hdr->c_filesizes[0] << 16
                       | short_hdr->c_filesizes[1];
-
-  /* Read file name from input.  */
-  if (file_hdr->c_name != NULL)
-    free (file_hdr->c_name);
-  file_hdr->c_name = (char *) xmalloc (file_hdr->c_namesize);
-  tape_buffered_read (file_hdr->c_name, in_des, (long) file_hdr->c_namesize);
+  read_name_from_file (file_hdr, in_des, short_hdr->c_namesize);
 
   /* In binary mode, the amount of space allocated in the header for
      the filename is `c_namesize' rounded up to the next short-word,
@@ -1245,6 +1220,7 @@ process_copy_in ()
       read_pattern_file ();
     }
   file_hdr.c_name = NULL;
+  file_hdr.c_namesize = 0;
 
   if (rename_batch_file)
     {
diff --git a/src/copyout.c b/src/copyout.c
index 87c1932..7532dac 100644
--- a/src/copyout.c
+++ b/src/copyout.c
@@ -660,8 +660,7 @@ process_copy_out ()
 	  cpio_safer_name_suffix (input_name.ds_string, false,
 				  !no_abs_paths_flag, true);
 #ifndef HPUX_CDF
-	  file_hdr.c_name = input_name.ds_string;
-	  file_hdr.c_namesize = strlen (input_name.ds_string) + 1;
+	  cpio_set_c_name (&file_hdr, input_name.ds_string);
 #else
 	  if ( (archive_format != arf_tar) && (archive_format != arf_ustar) )
 	    {
@@ -670,16 +669,15 @@ process_copy_out ()
 		 properly recreate the directory as hidden (in case the
 		 files of a directory go into the archive before the
 		 directory itself (e.g from "find ... -depth ... | cpio")).  */
-	      file_hdr.c_name = add_cdf_double_slashes (input_name.ds_string);
-	      file_hdr.c_namesize = strlen (file_hdr.c_name) + 1;
+              cpio_set_c_name (&file_hdr,
+                               add_cdf_double_slashes (input_name.ds_string));
 	    }
 	  else
 	    {
 	      /* We don't mark CDF's in tar files.  We assume the "hidden"
 		 directory will always go into the archive before any of
 		 its files.  */
-	      file_hdr.c_name = input_name.ds_string;
-	      file_hdr.c_namesize = strlen (input_name.ds_string) + 1;
+              cpio_set_c_name (&file_hdr, input_name.ds_string);
 	    }
 #endif
 
@@ -866,8 +864,7 @@ process_copy_out ()
   file_hdr.c_chksum = 0;
 
   file_hdr.c_filesize = 0;
-  file_hdr.c_namesize = 11;
-  file_hdr.c_name = CPIO_TRAILER_NAME;
+  cpio_set_c_name (&file_hdr, CPIO_TRAILER_NAME);
   if (archive_format != arf_tar && archive_format != arf_ustar)
     write_out_header (&file_hdr, out_file_des);
   else
diff --git a/src/cpiohdr.h b/src/cpiohdr.h
index c297415..588135b 100644
--- a/src/cpiohdr.h
+++ b/src/cpiohdr.h
@@ -129,5 +129,6 @@ struct cpio_file_stat /* Internal representation of a CPIO header */
   char *c_tar_linkname;
 };
 
+void cpio_set_c_name(struct cpio_file_stat *file_hdr, char *name);
 
 #endif /* cpiohdr.h */
diff --git a/src/tar.c b/src/tar.c
index 1b1156e..0a34845 100644
--- a/src/tar.c
+++ b/src/tar.c
@@ -282,7 +282,7 @@ read_in_tar_header (struct cpio_file_stat *file_hdr, int in_des)
       if (null_block ((long *) &tar_rec, TARRECORDSIZE))
 #endif
 	{
-	  file_hdr->c_name = CPIO_TRAILER_NAME;
+	  cpio_set_c_name (file_hdr, CPIO_TRAILER_NAME);
 	  return;
 	}
 #if 0
@@ -316,9 +316,11 @@ read_in_tar_header (struct cpio_file_stat *file_hdr, int in_des)
 	}
 
       if (archive_format != arf_ustar)
-	file_hdr->c_name = stash_tar_filename (NULL, tar_hdr->name);
+        cpio_set_c_name (file_hdr, stash_tar_filename (NULL, tar_hdr->name));
       else
-	file_hdr->c_name = stash_tar_filename (tar_hdr->prefix, tar_hdr->name);
+        cpio_set_c_name (file_hdr, stash_tar_filename (tar_hdr->prefix,
+                                                      tar_hdr->name));
+
       file_hdr->c_nlink = 1;
       file_hdr->c_mode = FROM_OCTAL (tar_hdr->mode);
       file_hdr->c_mode = file_hdr->c_mode & 07777;
@@ -398,7 +400,7 @@ read_in_tar_header (struct cpio_file_stat *file_hdr, int in_des)
 	case AREGTYPE:
 	  /* Old tar format; if the last char in filename is '/' then it is
 	     a directory, otherwise it's a regular file.  */
-	  if (file_hdr->c_name[strlen (file_hdr->c_name) - 1] == '/')
+	  if (file_hdr->c_name[file_hdr->c_namesize - 1] == '/')
 	    file_hdr->c_mode |= CP_IFDIR;
 	  else
 	    file_hdr->c_mode |= CP_IFREG;
diff --git a/src/util.c b/src/util.c
index d78d576..10486dc 100644
--- a/src/util.c
+++ b/src/util.c
@@ -1409,8 +1409,34 @@ set_file_times (int fd,
     utime_error (name);
 }
 
+
+void
+cpio_set_c_name (struct cpio_file_stat *file_hdr, char *name)
+{
+  static size_t buflen = 0;
+  size_t len = strlen (name) + 1;
+
+  if (buflen == 0)
+    {
+      buflen = len;
+      if (buflen < 32)
+        buflen = 32;
+      file_hdr->c_name = xmalloc (buflen);
+    }
+  else if (buflen < len)
+    {
+      buflen = len;
+      file_hdr->c_name = xrealloc (file_hdr->c_name, buflen);
+    }
+
+  file_hdr->c_namesize = len;
+  memmove (file_hdr->c_name, name, len);
+}
+
 /* Do we have to ignore absolute paths, and if so, does the filename
-   have an absolute path?  */
+   have an absolute path?  Before calling this function make sure that the
+   allocated NAME buffer has capacity at least 2 bytes. */
+
 void
 cpio_safer_name_suffix (char *name, bool link_target, bool absolute_names,
 			bool strip_leading_dots)
@@ -1425,6 +1451,10 @@ cpio_safer_name_suffix (char *name, bool link_target, bool absolute_names,
 	  ++p;
       }
   if (p != name)
+    /* The 'p' string is shortened version of 'name' with one exception;  when
+       the 'name' points to an empty string (buffer where name[0] == '\0') the
+       'p' then points to static string ".".  So caller needs to ensure there
+       are at least two bytes available in 'name' buffer so memmove succeeds. */
     memmove (name, p, (size_t)(strlen (p) + 1));
 }
 
diff --git a/tests/inout.at b/tests/inout.at
index 86c7d02..fd7baea 100644
--- a/tests/inout.at
+++ b/tests/inout.at
@@ -35,7 +35,22 @@ while read NAME LENGTH
 do
 	genfile --length $LENGTH > $NAME
 	echo $NAME
-done < filelist |
- cpio --quiet -o > archive])
+done < filelist > filelist_raw
+
+for format in bin odc newc crc tar ustar hpbin hpodc
+do
+    cpio --format=$format --quiet -o < filelist_raw > archive.$format
+    rm -rf output
+    mkdir output && cd output
+    cpio -i --quiet < ../archive.$format
+
+    while read file
+    do
+        test -f $file || echo "$file not found"
+    done < ../filelist_raw
+
+    cd ..
+done
+])
 
 AT_CLEANUP
diff --git a/community/cpio/cast-arguments-to-printf.patch b/community/cpio/cast-arguments-to-printf.patch
new file mode 100644
index 0000000000..f1eeabd757
--- /dev/null
+++ b/community/cpio/cast-arguments-to-printf.patch
@@ -0,0 +1,81 @@
commit 3be097c12ec14a69b3f3df3e2138fa235a3154d7
Author: Sergey Poznyakoff <gray@gnu.org>
Date:   Sat Dec 1 12:01:21 2018 +0200

    Minor fixes
    
    * src/copyin.c: Remove unused variable.
    * src/util.c: Cast arguments to printf.

diff --git a/src/copyin.c b/src/copyin.c
index ba887ae..a01873d 100644
--- a/src/copyin.c
+++ b/src/copyin.c
@@ -844,14 +844,14 @@ from_ascii (char const *where, size_t digs, unsigned logbase)
       char *p = strchr (codetab, toupper (*buf));
       if (!p)
 	{
-	  error (0, 0, _("Malformed number %.*s"), digs, where);
+	  error (0, 0, _("Malformed number %.*s"), (int) digs, where);
 	  break;
 	}
       
       d = p - codetab;
       if ((d >> logbase) > 1)
 	{
-	  error (0, 0, _("Malformed number %.*s"), digs, where);
+	  error (0, 0, _("Malformed number %.*s"), (int) digs, where);
 	  break;
 	}
       value += d;
@@ -862,7 +862,7 @@ from_ascii (char const *where, size_t digs, unsigned logbase)
     }
   if (overflow)
     error (0, 0, _("Archive value %.*s is out of range"),
-	   digs, where);
+	   (int) digs, where);
   return value;
 }
 
diff --git a/src/util.c b/src/util.c
index 4e49124..7303240 100644
--- a/src/util.c
+++ b/src/util.c
@@ -498,8 +498,9 @@ copy_files_disk_to_tape (int in_des, int out_des, off_t num_bytes,
 			 filename,  STRINGIFY_BIGINT (num_bytes, buf));
 	      }
 	    else
-	      error (0, 0, _("Read error at byte %lld in file %s, padding with zeros"),
-			original_num_bytes - num_bytes, filename);
+	      error (0, 0,
+		     _("Read error at byte %lld in file %s, padding with zeros"),
+		     (long long) (original_num_bytes - num_bytes), filename);
 	    write_nuls_to_file (num_bytes, out_des, tape_buffered_write);
 	    break;
 	  }
@@ -548,8 +549,9 @@ copy_files_disk_to_disk (int in_des, int out_des, off_t num_bytes,
 		       filename,  STRINGIFY_BIGINT (num_bytes, buf));
 	      }
 	    else
-	      error (0, 0, _("Read error at byte %lld in file %s, padding with zeros"),
-			original_num_bytes - num_bytes, filename);
+	      error (0, 0,
+		     _("Read error at byte %lld in file %s, padding with zeros"),
+		     (long long) (original_num_bytes - num_bytes), filename);
 	    write_nuls_to_file (num_bytes, out_des, disk_buffered_write);
 	    break;
 	  }
@@ -599,13 +601,11 @@ void
 create_all_directories (char *name)
 {
   char *dir;
-  int   mode;
 #ifdef HPUX_CDF
   int   cdf;
 #endif
 
   dir = dir_name (name);
-  mode = 0700;
 #ifdef HPUX_CDF
   cdf = islastparentcdf (name);
   if (cdf)
diff --git a/community/cpio/fix-bash-sequence-expression.patch b/community/cpio/fix-bash-sequence-expression.patch
new file mode 100644
index 0000000000..a2eab0f261
--- /dev/null
+++ b/community/cpio/fix-bash-sequence-expression.patch
@@ -0,0 +1,11 @@
--- a/tests/symlink-long.at
+++ b/tests/symlink-long.at
@@ -27,7 +27,7 @@
 
 # len(dirname) > READBUFSIZE
 dirname=
-for i in {1..52}; do
+for i in $(seq -s \  52); do
     dirname="xxxxxxxxx/$dirname"
     mkdir "$dirname"
 done
diff --git a/community/cpio/fix-signed-integer-overflow-big-block-sizes.patch b/community/cpio/fix-signed-integer-overflow-big-block-sizes.patch
new file mode 100644
index 0000000000..da2691ed87
--- /dev/null
+++ b/community/cpio/fix-signed-integer-overflow-big-block-sizes.patch
@@ -0,0 +1,19 @@
commit 404600ebb4d417238bfabf7ec1561a62dc83c168
Author: grajagandev <dmoorefo@gmail.com>
Date:   Mon Feb 8 07:58:45 2016 -0800

    Fix signed integer overflow - big block sizes

diff --git a/src/main.c b/src/main.c
index a13861f..5a30a7b 100644
--- a/src/main.c
+++ b/src/main.c
@@ -321,7 +321,7 @@ parse_opt (int key, char *arg, struct argp_state *state)
 
     case BLOCK_SIZE_OPTION:		/* --block-size */
       io_block_size = atoi (arg);
-      if (io_block_size < 1)
+      if (io_block_size < 1 || io_block_size > INT_MAX/512)
 	USAGE_ERROR ((0, 0, _("invalid block size")));
       io_block_size *= 512;
       break;
-- 
2.20.1




---
Unsubscribe:  alpine-aports+unsubscribe@lists.alpinelinux.org
Help:         alpine-aports+help@lists.alpinelinux.org
---
Reply to thread Export thread (mbox)