X-Original-To: alpine-aports@lists.alpinelinux.org Received: from mx12.valuehost.ru (mx12.valuehost.ru [217.112.42.215]) by lists.alpinelinux.org (Postfix) with ESMTP id 89693F85639 for ; Thu, 20 Dec 2018 14:44:26 +0000 (UTC) Received: from mx7.valuehost.ru (unknown [127.0.0.255]) by mx12.valuehost.ru (Postfix) with ESMTP id B8EE4604ED for ; Thu, 20 Dec 2018 17:44:25 +0300 (MSK) From: alpine-mips-patches Date: Thu, 20 Dec 2018 14:06:58 +0000 Subject: [alpine-aports] [PATCH] community/cpio: add minor security fixes, fix tests To: alpine-aports@lists.alpinelinux.org Message-Id: <20181220144425.B8EE4604ED@mx12.valuehost.ru> X-Mailinglist: alpine-aports Precedence: list List-Id: Alpine Development List-Unsubscribe: List-Post: List-Help: List-Subscribe: - add fixes for CVE-2016-2037, integer overflow and inconsistent argument passing to printf-like functions, all from upstream. - add autoconf to checkdepends as autom4te is required to create built-in tests from templates; - remove bash from checkdepends (as it is useless without passing CONFIG_SHELL=/bin/bash to ./configure anyway) and replace the bash-style sequence expression at tests/symlink-long.at:30 to resolve test failure; - disable NLS and make explicit other default ./configure options. --- community/cpio/APKBUILD | 30 +- community/cpio/CVE-2016-2037.patch | 330 ++++++++++++++++++ community/cpio/cast-arguments-to-printf.patch | 81 +++++ .../cpio/fix-bash-sequence-expression.patch | 11 + ...ned-integer-overflow-big-block-sizes.patch | 19 + 5 files changed, 466 insertions(+), 5 deletions(-) create mode 100644 community/cpio/CVE-2016-2037.patch create mode 100644 community/cpio/cast-arguments-to-printf.patch create mode 100644 community/cpio/fix-bash-sequence-expression.patch create mode 100644 community/cpio/fix-signed-integer-overflow-big-block-sizes.patch diff --git a/community/cpio/APKBUILD b/community/cpio/APKBUILD index 64ad52497d..eb8840d660 100644 --- a/community/cpio/APKBUILD +++ b/community/cpio/APKBUILD @@ -2,24 +2,40 @@ # Maintainer: Stuart Cardall pkgname=cpio pkgver=2.12 -pkgrel=2 +pkgrel=3 pkgdesc="A tool to copy files into or out of a cpio or tar archive" url="https://www.gnu.org/software/cpio" arch="all" license="GPL" depends="" -checkdepends="bash" +checkdepends="autoconf" subpackages="$pkgname-doc" -source="$pkgname-$pkgver.tar.bz2::http://ftp.snt.utwente.nl/pub/software/gnu/cpio/$pkgname-$pkgver.tar.bz2" +source="$pkgname-$pkgver.tar.bz2::http://ftp.snt.utwente.nl/pub/software/gnu/cpio/$pkgname-$pkgver.tar.bz2 + fix-bash-sequence-expression.patch + fix-signed-integer-overflow-big-block-sizes.patch + CVE-2016-2037.patch + cast-arguments-to-printf.patch" + +# secfixes: +# 2.12-r3: +# - CVE-2016-2037 builddir="$srcdir"/$pkgname-$pkgver build() { cd "$builddir" ./configure \ + --build=$CBUILD \ + --host=$CHOST \ --prefix=/usr \ + --sysconfdir=/etc \ + --localstatedir=/var \ --mandir=/usr/share/man \ - --infodir=/usr/share/info + --infodir=/usr/share/info \ + --enable-largefile \ + --disable-mt \ + --disable-rpath \ + --disable-nls make } @@ -36,4 +52,8 @@ package() { rm "$pkgdir"/usr/share/man/*/rmt.* } -sha512sums="0cd4da5f2fbca179ab4e666a5f878414c086a5f98bce4c76273f21d9b2a6fe422d901b5d453826c5f81bbe363aa015047a1e99779ad1a451c8feca6205c63120 cpio-2.12.tar.bz2" +sha512sums="0cd4da5f2fbca179ab4e666a5f878414c086a5f98bce4c76273f21d9b2a6fe422d901b5d453826c5f81bbe363aa015047a1e99779ad1a451c8feca6205c63120 cpio-2.12.tar.bz2 +228ae9f3832589eea742534953e3d28eafe8295893232b33f060a4ad35d7da7eae4608e1d675d9ece1a8ff107157a3c9c43eb2d282b3a95b22324c27d54fd787 fix-bash-sequence-expression.patch +979a67a0071389fd385c118062e8f3a89488c94c7b3674396f17311e891134ea328d948da4bfeb45bbc620c67e411717cd1cc1ff890d72db479bb484e8d1839c fix-signed-integer-overflow-big-block-sizes.patch +0c3884389be446a927e387ccf8a3e658b38e3d2b94bb3262703bbd6806835e7f5d1cccfbdf090ce7be27913eef6b67c30e37e7b9fee363a9d9ee6c4d830da4c1 CVE-2016-2037.patch +209007a8c34f52a4a7539adf83b62925ea0013e11b0ec4c4faf6853384c34251e7898ed5822cb5a2f4a05d90baa574fc26f52504f2952e6e57c2b852a0d2d97a cast-arguments-to-printf.patch" diff --git a/community/cpio/CVE-2016-2037.patch b/community/cpio/CVE-2016-2037.patch new file mode 100644 index 0000000000..dc7bbc0be5 --- /dev/null +++ b/community/cpio/CVE-2016-2037.patch @@ -0,0 +1,330 @@ +commit d36ec5f4e93130efb24fb9678aafd88e8070095b +Author: Pavel Raiskup +Date: Tue Jan 26 23:17:54 2016 +0100 + + CVE-2016-2037 - 1 byte out-of-bounds write + + Ensure that cpio_safer_name_suffix always works with dynamically + allocated buffer, and that it has size of at least 32 bytes. + Then, any call to cpio_safer_name_suffix is safe (it requires at + least 2 bytes in the buffer). + + Also ensure that c_namesize is always correctly initialized (by + cpio_set_c_name) to avoid undefined behavior when reading + file_hdr.c_namesize (previously happened for tar archives). + + References: + http://www.mail-archive.com/bug-cpio@gnu.org/msg00545.html + + * src/copyin.c (query_rename): Drop the hack, as we now work with + dynamically allocated buffer. Use cpio_set_c_name. + (create_defered_links_to_skipped): Use cpio_set_c_name rather than + manual assignment. + (read_name_from_file): New function to avoid C&P. + (read_in_old_ascii, read_in_new_ascii, read_in_binary): Use + read_name_from_file. + (process_copy_in): Initialize file_hdr.c_namesize. + * src/copyout.c (process_copy_out): Use cpio_set_c_name. + * src/cpiohdr.h (cpio_set_c_name): New prototype. + * src/tar.c (read_in_tar_header): Use cpio_set_c_name. + * src/util.c (cpio_set_c_name): New function to set + file_hdr->c_name and c_namesize from arbitrary string. + (cpio_safer_name_suffix): Some docs fixes. + * tests/inout.at: Also test copy-in, and try various formats. + +diff --git a/src/copyin.c b/src/copyin.c +index 6a306ee..ba887ae 100644 +--- a/src/copyin.c ++++ b/src/copyin.c +@@ -76,28 +76,7 @@ query_rename(struct cpio_file_stat* file_hdr, FILE *tty_in, FILE *tty_out, + return -1; + } + else +- /* Debian hack: file_hrd.c_name is sometimes set to +- point to static memory by code in tar.c. This +- causes a segfault. This has been fixed and an +- additional check to ensure that the file name +- is not too long has been added. (Reported by +- Horst Knobloch.) This bug has been reported to +- "bug-gnu-utils@prep.ai.mit.edu". (99/1/6) -BEM */ +- { +- if (archive_format != arf_tar && archive_format != arf_ustar) +- { +- free (file_hdr->c_name); +- file_hdr->c_name = xstrdup (new_name.ds_string); +- } +- else +- { +- if (is_tar_filename_too_long (new_name.ds_string)) +- error (0, 0, _("%s: file name too long"), +- new_name.ds_string); +- else +- strcpy (file_hdr->c_name, new_name.ds_string); +- } +- } ++ cpio_set_c_name (file_hdr, new_name.ds_string); + return 0; + } + +@@ -342,8 +321,7 @@ create_defered_links_to_skipped (struct cpio_file_stat *file_hdr, + d_prev->next = d->next; + else + deferments = d->next; +- free (file_hdr->c_name); +- file_hdr->c_name = xstrdup(d->header.c_name); ++ cpio_set_c_name (file_hdr, d->header.c_name); + free_deferment (d); + copyin_regular_file(file_hdr, in_file_des); + return 0; +@@ -1012,6 +990,22 @@ read_in_header (struct cpio_file_stat *file_hdr, int in_des) + } + } + ++static void ++read_name_from_file (struct cpio_file_stat *file_hdr, int fd, uintmax_t len) ++{ ++ static char *tmp_filename; ++ static size_t buflen; ++ ++ if (buflen < len) ++ { ++ buflen = len; ++ tmp_filename = xrealloc (tmp_filename, buflen); ++ } ++ ++ tape_buffered_read (tmp_filename, fd, len); ++ cpio_set_c_name (file_hdr, tmp_filename); ++} ++ + /* Fill in FILE_HDR by reading an old-format ASCII format cpio header from + file descriptor IN_DES, except for the magic number, which is + already filled in. */ +@@ -1038,14 +1032,8 @@ read_in_old_ascii (struct cpio_file_stat *file_hdr, int in_des) + file_hdr->c_rdev_min = minor (dev); + + file_hdr->c_mtime = FROM_OCTAL (ascii_header.c_mtime); +- file_hdr->c_namesize = FROM_OCTAL (ascii_header.c_namesize); + file_hdr->c_filesize = FROM_OCTAL (ascii_header.c_filesize); +- +- /* Read file name from input. */ +- if (file_hdr->c_name != NULL) +- free (file_hdr->c_name); +- file_hdr->c_name = (char *) xmalloc (file_hdr->c_namesize + 1); +- tape_buffered_read (file_hdr->c_name, in_des, (long) file_hdr->c_namesize); ++ read_name_from_file (file_hdr, in_des, FROM_OCTAL (ascii_header.c_namesize)); + + /* HP/UX cpio creates archives that look just like ordinary archives, + but for devices it sets major = 0, minor = 1, and puts the +@@ -1100,14 +1088,8 @@ read_in_new_ascii (struct cpio_file_stat *file_hdr, int in_des) + file_hdr->c_dev_min = FROM_HEX (ascii_header.c_dev_min); + file_hdr->c_rdev_maj = FROM_HEX (ascii_header.c_rdev_maj); + file_hdr->c_rdev_min = FROM_HEX (ascii_header.c_rdev_min); +- file_hdr->c_namesize = FROM_HEX (ascii_header.c_namesize); + file_hdr->c_chksum = FROM_HEX (ascii_header.c_chksum); +- +- /* Read file name from input. */ +- if (file_hdr->c_name != NULL) +- free (file_hdr->c_name); +- file_hdr->c_name = (char *) xmalloc (file_hdr->c_namesize); +- tape_buffered_read (file_hdr->c_name, in_des, (long) file_hdr->c_namesize); ++ read_name_from_file (file_hdr, in_des, FROM_HEX (ascii_header.c_namesize)); + + /* In SVR4 ASCII format, the amount of space allocated for the header + is rounded up to the next long-word, so we might need to drop +@@ -1155,16 +1137,9 @@ read_in_binary (struct cpio_file_stat *file_hdr, + file_hdr->c_rdev_min = minor (short_hdr->c_rdev); + file_hdr->c_mtime = (unsigned long) short_hdr->c_mtimes[0] << 16 + | short_hdr->c_mtimes[1]; +- +- file_hdr->c_namesize = short_hdr->c_namesize; + file_hdr->c_filesize = (unsigned long) short_hdr->c_filesizes[0] << 16 + | short_hdr->c_filesizes[1]; +- +- /* Read file name from input. */ +- if (file_hdr->c_name != NULL) +- free (file_hdr->c_name); +- file_hdr->c_name = (char *) xmalloc (file_hdr->c_namesize); +- tape_buffered_read (file_hdr->c_name, in_des, (long) file_hdr->c_namesize); ++ read_name_from_file (file_hdr, in_des, short_hdr->c_namesize); + + /* In binary mode, the amount of space allocated in the header for + the filename is `c_namesize' rounded up to the next short-word, +@@ -1245,6 +1220,7 @@ process_copy_in () + read_pattern_file (); + } + file_hdr.c_name = NULL; ++ file_hdr.c_namesize = 0; + + if (rename_batch_file) + { +diff --git a/src/copyout.c b/src/copyout.c +index 87c1932..7532dac 100644 +--- a/src/copyout.c ++++ b/src/copyout.c +@@ -660,8 +660,7 @@ process_copy_out () + cpio_safer_name_suffix (input_name.ds_string, false, + !no_abs_paths_flag, true); + #ifndef HPUX_CDF +- file_hdr.c_name = input_name.ds_string; +- file_hdr.c_namesize = strlen (input_name.ds_string) + 1; ++ cpio_set_c_name (&file_hdr, input_name.ds_string); + #else + if ( (archive_format != arf_tar) && (archive_format != arf_ustar) ) + { +@@ -670,16 +669,15 @@ process_copy_out () + properly recreate the directory as hidden (in case the + files of a directory go into the archive before the + directory itself (e.g from "find ... -depth ... | cpio")). */ +- file_hdr.c_name = add_cdf_double_slashes (input_name.ds_string); +- file_hdr.c_namesize = strlen (file_hdr.c_name) + 1; ++ cpio_set_c_name (&file_hdr, ++ add_cdf_double_slashes (input_name.ds_string)); + } + else + { + /* We don't mark CDF's in tar files. We assume the "hidden" + directory will always go into the archive before any of + its files. */ +- file_hdr.c_name = input_name.ds_string; +- file_hdr.c_namesize = strlen (input_name.ds_string) + 1; ++ cpio_set_c_name (&file_hdr, input_name.ds_string); + } + #endif + +@@ -866,8 +864,7 @@ process_copy_out () + file_hdr.c_chksum = 0; + + file_hdr.c_filesize = 0; +- file_hdr.c_namesize = 11; +- file_hdr.c_name = CPIO_TRAILER_NAME; ++ cpio_set_c_name (&file_hdr, CPIO_TRAILER_NAME); + if (archive_format != arf_tar && archive_format != arf_ustar) + write_out_header (&file_hdr, out_file_des); + else +diff --git a/src/cpiohdr.h b/src/cpiohdr.h +index c297415..588135b 100644 +--- a/src/cpiohdr.h ++++ b/src/cpiohdr.h +@@ -129,5 +129,6 @@ struct cpio_file_stat /* Internal representation of a CPIO header */ + char *c_tar_linkname; + }; + ++void cpio_set_c_name(struct cpio_file_stat *file_hdr, char *name); + + #endif /* cpiohdr.h */ +diff --git a/src/tar.c b/src/tar.c +index 1b1156e..0a34845 100644 +--- a/src/tar.c ++++ b/src/tar.c +@@ -282,7 +282,7 @@ read_in_tar_header (struct cpio_file_stat *file_hdr, int in_des) + if (null_block ((long *) &tar_rec, TARRECORDSIZE)) + #endif + { +- file_hdr->c_name = CPIO_TRAILER_NAME; ++ cpio_set_c_name (file_hdr, CPIO_TRAILER_NAME); + return; + } + #if 0 +@@ -316,9 +316,11 @@ read_in_tar_header (struct cpio_file_stat *file_hdr, int in_des) + } + + if (archive_format != arf_ustar) +- file_hdr->c_name = stash_tar_filename (NULL, tar_hdr->name); ++ cpio_set_c_name (file_hdr, stash_tar_filename (NULL, tar_hdr->name)); + else +- file_hdr->c_name = stash_tar_filename (tar_hdr->prefix, tar_hdr->name); ++ cpio_set_c_name (file_hdr, stash_tar_filename (tar_hdr->prefix, ++ tar_hdr->name)); ++ + file_hdr->c_nlink = 1; + file_hdr->c_mode = FROM_OCTAL (tar_hdr->mode); + file_hdr->c_mode = file_hdr->c_mode & 07777; +@@ -398,7 +400,7 @@ read_in_tar_header (struct cpio_file_stat *file_hdr, int in_des) + case AREGTYPE: + /* Old tar format; if the last char in filename is '/' then it is + a directory, otherwise it's a regular file. */ +- if (file_hdr->c_name[strlen (file_hdr->c_name) - 1] == '/') ++ if (file_hdr->c_name[file_hdr->c_namesize - 1] == '/') + file_hdr->c_mode |= CP_IFDIR; + else + file_hdr->c_mode |= CP_IFREG; +diff --git a/src/util.c b/src/util.c +index d78d576..10486dc 100644 +--- a/src/util.c ++++ b/src/util.c +@@ -1409,8 +1409,34 @@ set_file_times (int fd, + utime_error (name); + } + ++ ++void ++cpio_set_c_name (struct cpio_file_stat *file_hdr, char *name) ++{ ++ static size_t buflen = 0; ++ size_t len = strlen (name) + 1; ++ ++ if (buflen == 0) ++ { ++ buflen = len; ++ if (buflen < 32) ++ buflen = 32; ++ file_hdr->c_name = xmalloc (buflen); ++ } ++ else if (buflen < len) ++ { ++ buflen = len; ++ file_hdr->c_name = xrealloc (file_hdr->c_name, buflen); ++ } ++ ++ file_hdr->c_namesize = len; ++ memmove (file_hdr->c_name, name, len); ++} ++ + /* Do we have to ignore absolute paths, and if so, does the filename +- have an absolute path? */ ++ have an absolute path? Before calling this function make sure that the ++ allocated NAME buffer has capacity at least 2 bytes. */ ++ + void + cpio_safer_name_suffix (char *name, bool link_target, bool absolute_names, + bool strip_leading_dots) +@@ -1425,6 +1451,10 @@ cpio_safer_name_suffix (char *name, bool link_target, bool absolute_names, + ++p; + } + if (p != name) ++ /* The 'p' string is shortened version of 'name' with one exception; when ++ the 'name' points to an empty string (buffer where name[0] == '\0') the ++ 'p' then points to static string ".". So caller needs to ensure there ++ are at least two bytes available in 'name' buffer so memmove succeeds. */ + memmove (name, p, (size_t)(strlen (p) + 1)); + } + +diff --git a/tests/inout.at b/tests/inout.at +index 86c7d02..fd7baea 100644 +--- a/tests/inout.at ++++ b/tests/inout.at +@@ -35,7 +35,22 @@ while read NAME LENGTH + do + genfile --length $LENGTH > $NAME + echo $NAME +-done < filelist | +- cpio --quiet -o > archive]) ++done < filelist > filelist_raw ++ ++for format in bin odc newc crc tar ustar hpbin hpodc ++do ++ cpio --format=$format --quiet -o < filelist_raw > archive.$format ++ rm -rf output ++ mkdir output && cd output ++ cpio -i --quiet < ../archive.$format ++ ++ while read file ++ do ++ test -f $file || echo "$file not found" ++ done < ../filelist_raw ++ ++ cd .. ++done ++]) + + AT_CLEANUP diff --git a/community/cpio/cast-arguments-to-printf.patch b/community/cpio/cast-arguments-to-printf.patch new file mode 100644 index 0000000000..f1eeabd757 --- /dev/null +++ b/community/cpio/cast-arguments-to-printf.patch @@ -0,0 +1,81 @@ +commit 3be097c12ec14a69b3f3df3e2138fa235a3154d7 +Author: Sergey Poznyakoff +Date: Sat Dec 1 12:01:21 2018 +0200 + + Minor fixes + + * src/copyin.c: Remove unused variable. + * src/util.c: Cast arguments to printf. + +diff --git a/src/copyin.c b/src/copyin.c +index ba887ae..a01873d 100644 +--- a/src/copyin.c ++++ b/src/copyin.c +@@ -844,14 +844,14 @@ from_ascii (char const *where, size_t digs, unsigned logbase) + char *p = strchr (codetab, toupper (*buf)); + if (!p) + { +- error (0, 0, _("Malformed number %.*s"), digs, where); ++ error (0, 0, _("Malformed number %.*s"), (int) digs, where); + break; + } + + d = p - codetab; + if ((d >> logbase) > 1) + { +- error (0, 0, _("Malformed number %.*s"), digs, where); ++ error (0, 0, _("Malformed number %.*s"), (int) digs, where); + break; + } + value += d; +@@ -862,7 +862,7 @@ from_ascii (char const *where, size_t digs, unsigned logbase) + } + if (overflow) + error (0, 0, _("Archive value %.*s is out of range"), +- digs, where); ++ (int) digs, where); + return value; + } + +diff --git a/src/util.c b/src/util.c +index 4e49124..7303240 100644 +--- a/src/util.c ++++ b/src/util.c +@@ -498,8 +498,9 @@ copy_files_disk_to_tape (int in_des, int out_des, off_t num_bytes, + filename, STRINGIFY_BIGINT (num_bytes, buf)); + } + else +- error (0, 0, _("Read error at byte %lld in file %s, padding with zeros"), +- original_num_bytes - num_bytes, filename); ++ error (0, 0, ++ _("Read error at byte %lld in file %s, padding with zeros"), ++ (long long) (original_num_bytes - num_bytes), filename); + write_nuls_to_file (num_bytes, out_des, tape_buffered_write); + break; + } +@@ -548,8 +549,9 @@ copy_files_disk_to_disk (int in_des, int out_des, off_t num_bytes, + filename, STRINGIFY_BIGINT (num_bytes, buf)); + } + else +- error (0, 0, _("Read error at byte %lld in file %s, padding with zeros"), +- original_num_bytes - num_bytes, filename); ++ error (0, 0, ++ _("Read error at byte %lld in file %s, padding with zeros"), ++ (long long) (original_num_bytes - num_bytes), filename); + write_nuls_to_file (num_bytes, out_des, disk_buffered_write); + break; + } +@@ -599,13 +601,11 @@ void + create_all_directories (char *name) + { + char *dir; +- int mode; + #ifdef HPUX_CDF + int cdf; + #endif + + dir = dir_name (name); +- mode = 0700; + #ifdef HPUX_CDF + cdf = islastparentcdf (name); + if (cdf) diff --git a/community/cpio/fix-bash-sequence-expression.patch b/community/cpio/fix-bash-sequence-expression.patch new file mode 100644 index 0000000000..a2eab0f261 --- /dev/null +++ b/community/cpio/fix-bash-sequence-expression.patch @@ -0,0 +1,11 @@ +--- a/tests/symlink-long.at ++++ b/tests/symlink-long.at +@@ -27,7 +27,7 @@ + + # len(dirname) > READBUFSIZE + dirname= +-for i in {1..52}; do ++for i in $(seq -s \ 52); do + dirname="xxxxxxxxx/$dirname" + mkdir "$dirname" + done diff --git a/community/cpio/fix-signed-integer-overflow-big-block-sizes.patch b/community/cpio/fix-signed-integer-overflow-big-block-sizes.patch new file mode 100644 index 0000000000..da2691ed87 --- /dev/null +++ b/community/cpio/fix-signed-integer-overflow-big-block-sizes.patch @@ -0,0 +1,19 @@ +commit 404600ebb4d417238bfabf7ec1561a62dc83c168 +Author: grajagandev +Date: Mon Feb 8 07:58:45 2016 -0800 + + Fix signed integer overflow - big block sizes + +diff --git a/src/main.c b/src/main.c +index a13861f..5a30a7b 100644 +--- a/src/main.c ++++ b/src/main.c +@@ -321,7 +321,7 @@ parse_opt (int key, char *arg, struct argp_state *state) + + case BLOCK_SIZE_OPTION: /* --block-size */ + io_block_size = atoi (arg); +- if (io_block_size < 1) ++ if (io_block_size < 1 || io_block_size > INT_MAX/512) + USAGE_ERROR ((0, 0, _("invalid block size"))); + io_block_size *= 512; + break; -- 2.20.1 --- Unsubscribe: alpine-aports+unsubscribe@lists.alpinelinux.org Help: alpine-aports+help@lists.alpinelinux.org ---