gnu/packages/patches/cpio-CVE-2016-2037.patch

   1 Fix CVE-2016-2037 (out of bounds write in process_copy_in()).
   2
   3 Copied from upstream mailing list:
   4 https://lists.gnu.org/archive/html/bug-cpio/2016-01/msg00005.html
   5
   6 ---
   7
   8  Other calls to cpio_safer_name_suffix seem to be safe.
   9  .
  10  * src/copyin.c (process_copy_in):  Make sure that file_hdr.c_name
  11  has at least two bytes allocated.
  12  * src/util.c (cpio_safer_name_suffix): Document that use of this
  13  function requires to be careful.
  14 Author: Pavel Raiskup <praiskup@redhat.com>
  15
  16 ---
  17  src/copyin.c | 2 ++
  18  src/util.c   | 5 ++++-
  19  2 files changed, 6 insertions(+), 1 deletion(-)
  20
  21 Index: cpio-2.11+dfsg/src/copyin.c
  22 ===================================================================
  23 --- cpio-2.11+dfsg.orig/src/copyin.c
  24 +++ cpio-2.11+dfsg/src/copyin.c
  25 @@ -1433,6 +1433,8 @@ process_copy_in ()
  26           break;
  27         }
  28
  29 +      if (file_hdr.c_namesize <= 1)
  30 +        file_hdr.c_name = xrealloc(file_hdr.c_name, 2);
  31        cpio_safer_name_suffix (file_hdr.c_name, false, !no_abs_paths_flag,
  32                               false);
  33
  34 Index: cpio-2.11+dfsg/src/util.c
  35 ===================================================================
  36 --- cpio-2.11+dfsg.orig/src/util.c
  37 +++ cpio-2.11+dfsg/src/util.c
  38 @@ -1374,7 +1374,10 @@ set_file_times (int fd,
  39  }
  40
  41  /* Do we have to ignore absolute paths, and if so, does the filename
  42 -   have an absolute path?  */
  43 +   have an absolute path?
  44 +   Before calling this function make sure that the allocated NAME buffer has
  45 +   capacity at least 2 bytes to allow us to store the "." string inside.  */
  46 +
  47  void
  48  cpio_safer_name_suffix (char *name, bool link_target, bool absolute_names,
  49                         bool strip_leading_dots)