summaryrefslogtreecommitdiff
path: root/gnu/packages/patches/cpio-CVE-2014-9112-pt4.patch
blob: fa2e8530b26ac6ee3a685af3ec836ed83614c28a (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
Partially fix CVE-2014-9112, part 4/5.  Backported to 2.11.

From fd262d116c4564c1796be9be2799619cf7785d07 Mon Sep 17 00:00:00 2001
From: Sergey Poznyakoff <gray@gnu.org.ua>
Date: Thu, 11 Dec 2014 10:51:21 +0000
Subject: Fix error recovery in copy-in mode

* src/copyin.c (copyin_link): Fix null dereference.
(read_in_header): Fix error recovery (bug introduced by
27e0ae55).
* tests/symlink-bad-length.at: Test error recovery.
Catch various architecture-dependent error messages (suggested
by Pavel Raiskup).
---
diff --git a/src/copyin.c b/src/copyin.c
index 264bfcb..ca12356 100644
--- a/src/copyin.c
+++ b/src/copyin.c
@@ -655,7 +655,7 @@ copyin_device (struct cpio_file_stat* file_hdr)
 }
 
 static void
-copyin_link(struct cpio_file_stat *file_hdr, int in_file_des)
+copyin_link (struct cpio_file_stat *file_hdr, int in_file_des)
 {
   char *link_name = NULL;	/* Name of hard and symbolic links.  */
   int res;			/* Result of various function calls.  */
@@ -666,6 +666,8 @@ copyin_link(struct cpio_file_stat *file_
   if (archive_format != arf_tar && archive_format != arf_ustar)
     {
       link_name = get_link_name (file_hdr, in_file_des);
+      if (!link_name)
+	return;
     }
   else
     {
@@ -1017,7 +1019,7 @@ read_in_header (struct cpio_file_stat *file_hdr, int in_des)
 
   file_hdr->c_tar_linkname = NULL;
 
-  tape_buffered_read (magic.str, in_des, 6L);
+  tape_buffered_read (magic.str, in_des, sizeof (magic.str));
   while (1)
     {
       if (append_flag)
@@ -1062,8 +1064,8 @@ read_in_header (struct cpio_file_stat *file_hdr, int in_des)
 	  break;
 	}
       bytes_skipped++;
-      memmove (magic.str, magic.str + 1, 5);
-      tape_buffered_read (magic.str, in_des, 1L);
+      memmove (magic.str, magic.str + 1, sizeof (magic.str) - 1);
+      tape_buffered_read (magic.str + sizeof (magic.str) - 1, in_des, 1L);
     }
 }
 
diff --git a/tests/symlink-bad-length.at b/tests/symlink-bad-length.at
index cbf4aa7..4dbeaa3 100644
--- a/tests/symlink-bad-length.at
+++ b/tests/symlink-bad-length.at
@@ -24,9 +24,9 @@ AT_SETUP([symlink-bad-length])
 AT_KEYWORDS([symlink-long copyout])
 
 AT_DATA([ARCHIVE.base64],
-[x3EjAIBAtIEtJy8nAQAAAHRUYW0FAAAADQBGSUxFAABzb21lIGNvbnRlbnQKAMdxIwBgQ/+hLScv
-JwEAAAB0VEhuBQD/////TElOSwAARklMRcdxAAAAAAAAAAAAAAEAAAAAAAAACwAAAAAAVFJBSUxF
-UiEhIQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+[x3ECCJ1jtIHoA2QAAQAAAIlUwl0FAAAADQBGSUxFAABzb21lIGNvbnRlbnQKAMdxAgidHv+h6ANk
+AAEAAACJVHFtBQD/////TElOSwAARklMRcdxAgieHqSB6ANkAAEAAACJVDJuBgAAABIARklMRTIA
+c29tZSBtb3JlIGNvbnRlbnQKx3EAAAAAAAAAAAAAAQAAAAAAAAALAAAAAABUUkFJTEVSISEhAAAA
 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
@@ -37,13 +37,23 @@ AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
 
 AT_CHECK([
 base64 -d ARCHIVE.base64 > ARCHIVE || AT_SKIP_TEST
-cpio -ntv < ARCHIVE
-test $? -eq 2
+TZ=UTC cpio -ntv < ARCHIVE 2>stderr
+rc=$?
+cat stderr | grep -v \
+    -e 'stored filename length is out of range' \
+    -e 'premature end of file' \
+    -e 'archive header has reverse byte-order' \
+    -e 'memory exhausted' \
+    >&2
+echo >&2 STDERR
+test "$rc" -ne 0
 ],
-[0],
-[-rw-rw-r--   1 10029    10031          13 Nov 25 13:52 FILE
-],[cpio: LINK: stored filename length is out of range
-cpio: premature end of file
+[1],
+[-rw-rw-r--   1 1000     100            13 Dec 11 09:02 FILE
+-rw-r--r--   1 1000     100            18 Dec 11 10:13 FILE2
+],[cpio: warning: skipped 4 bytes of junk
+1 block
+STDERR
 ])
 
 AT_CLEANUP
--
cgit v0.9.0.2