1 files changed, 51 insertions, 0 deletions

diff --git a/gnu/packages/patches/cpio-CVE-2014-9112-pt2.patch b/gnu/packages/patches/cpio-CVE-2014-9112-pt2.patch
new file mode 100644
index 0000000000..77c531cb54
--- /dev/null
+++ b/gnu/packages/patches/cpio-CVE-2014-9112-pt2.patch
@@ -0,0 +1,51 @@
+Partially fix CVE-2014-9112, part 2/5.
+
+From 54d1c42ac2cb91389fca04a5018ad573e4ae265a Mon Sep 17 00:00:00 2001
+From: Sergey Poznyakoff <gray@gnu.org.ua>
+Date: Mon, 01 Dec 2014 19:10:39 +0000
+Subject: Bugfix
+
+* src/copyin.c (get_link_name): Fix range checking.
+* tests/symlink-bad-length.at: Change expected error message.
+---
+diff --git a/src/copyin.c b/src/copyin.c
+index c502c7d..042cc41 100644
+--- a/src/copyin.c
++++ b/src/copyin.c
+@@ -128,17 +128,17 @@ tape_skip_padding (int in_file_des, off_t offset)
+ static char *
+ get_link_name (struct cpio_file_stat *file_hdr, int in_file_des)
+ {
+-  off_t n = file_hdr->c_filesize + 1;
+   char *link_name;
+   
+-  if (n == 0 || n > SIZE_MAX)
++  if (file_hdr->c_filesize < 0 || file_hdr->c_filesize > SIZE_MAX-1)
+     {
+-      error (0, 0, _("%s: stored filename length too big"), file_hdr->c_name);
++      error (0, 0, _("%s: stored filename length is out of range"),
++	     file_hdr->c_name);
+       link_name = NULL;
+     }
+   else
+     {
+-      link_name = xmalloc (n);
++      link_name = xmalloc (file_hdr->c_filesize);
+       tape_buffered_read (link_name, in_file_des, file_hdr->c_filesize);
+       link_name[file_hdr->c_filesize] = '\0';
+       tape_skip_padding (in_file_des, file_hdr->c_filesize);
+diff --git a/tests/symlink-bad-length.at b/tests/symlink-bad-length.at
+index 6f804b1..cbf4aa7 100644
+--- a/tests/symlink-bad-length.at
++++ b/tests/symlink-bad-length.at
+@@ -42,7 +42,7 @@ test $? -eq 2
+ ],
+ [0],
+ [-rw-rw-r--   1 10029    10031          13 Nov 25 13:52 FILE
+-],[cpio: LINK: stored filename length too big
++],[cpio: LINK: stored filename length is out of range
+ cpio: premature end of file
+ ])
+ 
+--
+cgit v0.9.0.2