libtar: patch CVE-2021-33640 (#4646)

2023-01-20 13:24:22 -08:00 · 2023-01-20 13:24:22 -08:00 · e412fe5f82
--- a/SPECS/libtar/CVE-2021-33640.patch
+++ b/SPECS/libtar/CVE-2021-33640.patch
@ -0,0 +1,29 @@
+From 78e95da690556874baac96dd1d655e577c6d8e95 Mon Sep 17 00:00:00 2001
+From: Kamil Dudka <kdudka@redhat.com>
+Date: Tue, 4 Oct 2022 10:39:35 +0200
+Subject: [PATCH] free memory allocated by gnu_long* fields
+
+---
+ lib/handle.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/lib/handle.c b/lib/handle.c
+index 33a262c..f035e07 100644
+--- a/lib/handle.c
+++ b/lib/handle.c
+@@ -121,6 +121,11 @@ tar_close(TAR *t)
+ 		libtar_hash_free(t->h, ((t->oflags & O_ACCMODE) == O_RDONLY
+ 					? free
+ 					: (libtar_freefunc_t)tar_dev_free));
+
+	free(t->th_pathname);
+	free(t->th_buf.gnu_longname);
+	free(t->th_buf.gnu_longlink);
+
+ 	free(t);
+ 
+ 	return i;
+-- 
+2.17.1
+
+
--- a/SPECS/libtar/CVE-2021-33645.nopatch
+++ b/SPECS/libtar/CVE-2021-33645.nopatch
@ -0,0 +1 @@
+CVE-2021-33645 - Already addressed in SPECS/libtar/CVE-2021-33640.patch
--- a/SPECS/libtar/CVE-2021-33646.nopatch
+++ b/SPECS/libtar/CVE-2021-33646.nopatch
@ -1 +1 @@
-CVE-2021-33646 - Already addressed in SPECS/libtar/libtar-1.2.20-CVE-2021-33645-CVE-2021-33646.patch
+CVE-2021-33646 - Already addressed in SPECS/libtar/CVE-2021-33640.patch
--- a/SPECS/libtar/libtar-1.2.20-CVE-2021-33645-CVE-2021-33646.patch
+++ b/SPECS/libtar/libtar-1.2.20-CVE-2021-33645-CVE-2021-33646.patch
@ -1,119 +0,0 @@
-From 3c7b1fd9bb63d74ecd38b71ffc876dca3ac87a8b Mon Sep 17 00:00:00 2001
-From: shixuantong <shixuantong@h-partners.com>
-Date: Sat, 7 May 2022 17:04:46 +0800
-Subject: [PATCH 2/2] fix memory leak
-
---
- lib/libtar.h    |  1 +
- lib/util.c      |  9 ++++++++-
- lib/wrapper.c   | 11 +++++++++++
- libtar/libtar.c |  3 +++
- 4 files changed, 23 insertions(+), 1 deletion(-)
-
-diff --git a/lib/libtar.h b/lib/libtar.h
-index 08a8e0f..8b00e93 100644
--- a/lib/libtar.h
-+++ b/lib/libtar.h
-@@ -285,6 +285,7 @@ int oct_to_int(char *oct);
- /* integer to string-octal conversion, no NULL */
- void int_to_oct_nonull(int num, char *oct, size_t octlen);
- 
-+void free_longlink_longname(struct tar_header th_buf);
- 
- /***** wrapper.c **********************************************************/
- 
-diff --git a/lib/util.c b/lib/util.c
-index 11438ef..8a42e62 100644
--- a/lib/util.c
-+++ b/lib/util.c
-@@ -15,6 +15,7 @@
- #include <stdio.h>
- #include <sys/param.h>
- #include <errno.h>
-+#include <stdlib.h>
- 
- #ifdef STDC_HEADERS
- # include <string.h>
-@@ -160,4 +161,10 @@ int_to_oct_nonull(int num, char *oct, size_t octlen)
- 	oct[octlen - 1] = ' ';
- }
- 
-
-+void free_longlink_longname(struct tar_header th_buf)
-+{
-+	if (th_buf.gnu_longname != NULL)
-+		free(th_buf.gnu_longname);
-+	if (th_buf.gnu_longlink !=NULL)
-+		free(th_buf.gnu_longlink);
-+}
-diff --git a/lib/wrapper.c b/lib/wrapper.c
-index 2d3f5b9..9d2f3bf 100644
--- a/lib/wrapper.c
-+++ b/lib/wrapper.c
-@@ -36,7 +36,10 @@ tar_extract_glob(TAR *t, char *globname, char *prefix)
- 		if (fnmatch(globname, filename, FNM_PATHNAME | FNM_PERIOD))
- 		{
- 			if (TH_ISREG(t) && tar_skip_regfile(t))
-+			{
-+				free_longlink_longname(t->th_buf);
- 				return -1;
-+			}
- 			continue;
- 		}
- 		if (t->options & TAR_VERBOSE)
-@@ -46,9 +49,13 @@ tar_extract_glob(TAR *t, char *globname, char *prefix)
- 		else
- 			strlcpy(buf, filename, sizeof(buf));
- 		if (tar_extract_file(t, buf) != 0)
-+		{
-+			free_longlink_longname(t->th_buf);
- 			return -1;
-+		}
- 	}
- 
-+	free_longlink_longname(t->th_buf);
- 	return (i == 1 ? 0 : -1);
- }
- 
-@@ -82,9 +89,13 @@ tar_extract_all(TAR *t, char *prefix)
- 		       "\"%s\")\n", buf);
- #endif
- 		if (tar_extract_file(t, buf) != 0)
-+		{
-+			free_longlink_longname(t->th_buf);
- 			return -1;
-+		}
- 	}
- 
-+	free_longlink_longname(t->th_buf);
- 	return (i == 1 ? 0 : -1);
- }
- 
-diff --git a/libtar/libtar.c b/libtar/libtar.c
-index ac339e7..b992abb 100644
--- a/libtar/libtar.c
-+++ b/libtar/libtar.c
-@@ -197,6 +197,7 @@ list(char *tarfile)
- 		{
- 			fprintf(stderr, "tar_skip_regfile(): %s\n",
- 				strerror(errno));
-+			free_longlink_longname(t->th_buf);
- 			return -1;
- 		}
- 	}
-@@ -218,10 +219,12 @@ list(char *tarfile)
- 
- 	if (tar_close(t) != 0)
- 	{
-+		free_longlink_longname(t->th_buf);
- 		fprintf(stderr, "tar_close(): %s\n", strerror(errno));
- 		return -1;
- 	}
- 
-+	free_longlink_longname(t->th_buf);
- 	return 0;
- }
- 
-- 
-2.37.1
-
--- a/SPECS/libtar/libtar-1.2.20-no-static-buffer.patch
+++ b/SPECS/libtar/libtar-1.2.20-no-static-buffer.patch
@ -0,0 +1,77 @@
+From 11eb52b8e927b1a2f5bed2f386728b0948b9738f Mon Sep 17 00:00:00 2001
+From: Adit Jha <aditjha@microsoft.com>
+Date: Fri, 20 Jan 2023 10:38:31 -0800
+Subject: [PATCH] secondary patch for CVE modified from Fedora
+
+---
+ lib/decode.c | 22 ++++++++++++++++------
+ lib/libtar.h |  2 ++
+ 2 files changed, 18 insertions(+), 6 deletions(-)
+
+diff --git a/lib/decode.c b/lib/decode.c
+index 2e290d1..6162135 100644
+--- a/lib/decode.c
+++ b/lib/decode.c
+@@ -13,6 +13,7 @@
+ #include <internal.h>
+ 
+ #include <stdio.h>
+#include <stdlib.h>
+ #include <sys/param.h>
+ #include <pwd.h>
+ #include <grp.h>
+@@ -53,23 +54,32 @@ safer_name_suffix (char const *file_name)
+ char *
+ th_get_pathname(TAR *t)
+ {
+-	static TLS_THREAD char filename[MAXPATHLEN];
+ 	char *safer_name;
+ 
+ 	if (t->th_buf.gnu_longname)
+ 		return safer_name_suffix(t->th_buf.gnu_longname);
+ 
+ 	safer_name = safer_name_suffix(t->th_buf.name);
+	/* allocate the th_pathname buffer if not already */
+	if (t->th_pathname == NULL)
+	{
+		t->th_pathname = malloc(MAXPATHLEN * sizeof(char));
+		if (t->th_pathname == NULL)
+			/* out of memory */
+			return NULL;
+	}
+ 
+ 	if (t->th_buf.prefix[0] != '\0')
+ 	{
+-		snprintf(filename, sizeof(filename), "%.155s/%.100s",
+-			 t->th_buf.prefix, safer_name);
+-		return filename;
+		snprintf(t->th_pathname, MAXPATHLEN, "%.100s", safer_name);
+	}
+	else
+	{
+		snprintf(t->th_pathname, MAXPATHLEN, "%.155s/%.100s", t->th_buf.prefix, safer_name);
+ 	}
+ 
+-	snprintf(filename, sizeof(filename), "%.100s", safer_name);
+-	return filename;
+	/* will be deallocated in tar_close() */
+	return t->th_pathname;
+ }
+ 
+ 
+diff --git a/lib/libtar.h b/lib/libtar.h
+index 7fc4d03..1f67749 100644
+--- a/lib/libtar.h
+++ b/lib/libtar.h
+@@ -85,6 +85,8 @@ typedef struct
+ 	int options;
+ 	struct tar_header th_buf;
+ 	libtar_hash_t *h;
+	/* introduced in libtar 1.2.21 */
+	char *th_pathname;
+ }
+ TAR;
+ 
+-- 
+2.17.1
+
--- a/SPECS/libtar/libtar.spec
+++ b/SPECS/libtar/libtar.spec
@ -1,7 +1,7 @@
 Summary:        C library for manipulating tar files
 Name:           libtar
 Version:        1.2.20
-Release:        10%{?dist}
+Release:        11%{?dist}
 License:        BSD
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@ -18,11 +18,11 @@ Patch2:         libtar-1.2.11-mem-deref.patch
 # CVE-2021-33643
 # CVE-2021-33644
 Patch3:         libtar-1.2.20-CVE-2021-33643-CVE-2021-33644.patch
-# CVE-2021-33645
-# CVE-2021-33646
-Patch4:         libtar-1.2.20-CVE-2021-33645-CVE-2021-33646.patch
-Patch5:         libtar-1.2.20-fix-resource-leaks.patch
-Patch6:         libtar-1.2.20-static-analysis.patch
+# CVE-2021-33640, CVE-2021-33645, CVE-2021-33646
+Patch4:         CVE-2021-33640.patch
+Patch5:         libtar-1.2.20-no-static-buffer.patch
+Patch6:         libtar-1.2.20-fix-resource-leaks.patch
+Patch7:         libtar-1.2.20-static-analysis.patch

 %description
 libtar is a library for manipulating tar files from within C programs.
@ -69,6 +69,9 @@ find %{buildroot} -type f -name "*.la" -delete -print
 %{_libdir}/libtar.so

 %changelog
+* Fri Jan 20 2023 Adit Jha <aditjha@microsoft.com> - 1.2.20-11
+- Fix CVE-2021-33640, which takes care of CVE-2021-33645, CVE-2021-33646
+
 * Tue Sep 06 2022 Daniel McIlvaney <damcilva@microsoft.com> - 1.2.20-10
 - Remove undesirable .la files
 - Rely on generators to provide libtar.so.0()(64bit)
				`@ -0,0 +1 @@`
				`CVE-2021-33645 - Already addressed in SPECS/libtar/CVE-2021-33640.patch`