libtar: patch CVEs

cve-check.bbclass reported unpatched vulnerabilities in libtar [1,2,3,4,5]. The NIST assigned base score for the worst vulnerability is 9.1 / critical. The patches were taken from the libtar [6] master branch after the latest tag v1.2.20 (the changes in libtar master mostly originate from Fedora and their patches), and from the Fedora 41 libtar source package [7] and the Debian libtar package 1.2.20-8 [8] where the patches were not available in the libtar repository itself. The Fedora patch series was taken in its entirety in order to minimize differences to Fedora's source tree instead of cherry-picking only CVE fixes. Minimizing the differences should avoid issues with potential inter-dependencies between the patches, and hopefully provide better confidence as even the newest patches have been in use in Fedora for nearly 2 years (since December 2022; Fedora rpms/libtar.git commit e25b692fc7ceaa387dafb865b472510754f51bd2). The series includes even the Fedora patch libtar-1.2.20-no-static-buffer.patch, which contains changes *) that match the libtar commit ec613af2e9371d7a3e1f7c7a6822164a4255b4d1 ("decode: avoid using a static buffer in th_get_pathname()") whose commit message says Note this can break programs that expect sizeof(TAR) to be fixed. The patches applied cleanly except for the Fedora srpm patch libtar-1.2.11-bz729009.patch, which is identical with the pre-existing meta-oe patch 0002-Do-not-strip-libtar.patch and is thus omitted. The meta-openembedded recipe does not include any of the patches in Kirkstone [9] nor the current master [10]. libtar does not have newer releases, and the libtar master doesn't contain all of the changes included in the patches. Fedora's libtar.1.2.11-*.patch are not included in the libtar v1.2.20 release either but only in the master branch after the tag v1.2.20. The version number in the filename is supposedly due to the patches being created originally against v1.2.11 but have been upstreamed or at least committed to the master only after v1.2.20. The commit metadata could not be practically completed in most of the cases due to missing commit messages in the original commits and patches. The informal note about the author ("Authored by") was added to the patch commit messages where the commit message was missing the original author(s)' Signed-off-by. *) The patch also contains the changes split to the libtar commits 495d0c0eabc5648186e7d58ad54b508d14af38f4 ("Check for NULL before freeing th_pathname") and 20aa09bd7775094a2beb0f136c2c7d9e9fd6c7e6 ("Added stdlib.h for malloc() in lib/decode.c")) [1] https://nvd.nist.gov/vuln/detail/CVE-2021-33643 [2] https://nvd.nist.gov/vuln/detail/CVE-2021-33644 [3] https://nvd.nist.gov/vuln/detail/CVE-2021-33645 [4] https://nvd.nist.gov/vuln/detail/CVE-2021-33646 [5] https://nvd.nist.gov/vuln/detail/CVE-2013-4420 [6] https://repo.or.cz/libtar.git [7] https://src.fedoraproject.org/rpms/libtar/tree/f41 [8] https://sources.debian.org/patches/libtar/1.2.20-8/CVE-2013-4420.patch/ [9] https://git.openembedded.org/meta-openembedded/tree/meta-oe/recipes-support/libtar/libtar_1.2.20.bb?h=kirkstone&id=9a24b7679810628b594cc5a9b52f77f53d37004f [10] https://git.openembedded.org/meta-openembedded/tree/meta-oe/recipes-support/libtar/libtar_1.2.20.bb?h=master&id=9356340655b3a4f87f98be88f2d167bb2514a54c Signed-off-by: Katariina Lounento <[email protected]> Signed-off-by: Khem Raj <[email protected]>
nxp-upstream · Oct 3, 2024 · 3c9b5b3 · 3c9b5b3
1 parent 7be0d59
commit 3c9b5b3
Show file tree

Hide file tree

Showing 13 changed files with 854 additions and 0 deletions.
diff --git a/meta-oe/recipes-support/libtar/files/0003-Fix-missing-prototype-compiler-warnings.patch b/meta-oe/recipes-support/libtar/files/0003-Fix-missing-prototype-compiler-warnings.patch
@@ -0,0 +1,53 @@
+From 9426ac3d232e2f90c571979a2166c5e1328967d1 Mon Sep 17 00:00:00 2001
+From: Hans de Goede <[email protected]>
+Date: Tue, 15 Oct 2013 14:39:04 +0200
+Subject: [PATCH] Fix missing prototype compiler warnings
+
+Signed-off-by: Kamil Dudka <[email protected]>
+
+Upstream-Status: Backport [https://repo.or.cz/libtar.git/commit/30e5556d1c9323e9f1887b28d42581c2954b53c9]
+
+Signed-off-by: Katariina Lounento <[email protected]>
+---
+ lib/append.c  | 2 ++
+ lib/output.c  | 1 +
+ lib/wrapper.c | 1 +
+ 3 files changed, 4 insertions(+)
+
+diff --git a/lib/append.c b/lib/append.c
+index 13e1ace..e8bd89d 100644
+--- a/lib/append.c
++++ b/lib/append.c
+@@ -13,6 +13,8 @@
+ #include <internal.h>
+
+ #include <stdio.h>
++#include <stdlib.h>
++#include <string.h>
+ #include <errno.h>
+ #include <fcntl.h>
+ #include <sys/param.h>
+diff --git a/lib/output.c b/lib/output.c
+index a2db929..a5262ee 100644
+--- a/lib/output.c
++++ b/lib/output.c
+@@ -13,6 +13,7 @@
+ #include <internal.h>
+
+ #include <stdio.h>
++#include <stdlib.h>
+ #include <pwd.h>
+ #include <grp.h>
+ #include <time.h>
+diff --git a/lib/wrapper.c b/lib/wrapper.c
+index 4cd0652..44cc435 100644
+--- a/lib/wrapper.c
++++ b/lib/wrapper.c
+@@ -13,6 +13,7 @@
+ #include <internal.h>
+
+ #include <stdio.h>
++#include <stdlib.h>
+ #include <sys/param.h>
+ #include <dirent.h>
+ #include <errno.h>
diff --git a/meta-oe/recipes-support/libtar/files/0004-Fix-invalid-memory-de-reference-issue.patch b/meta-oe/recipes-support/libtar/files/0004-Fix-invalid-memory-de-reference-issue.patch
@@ -0,0 +1,44 @@
+From c0a89709860acae5ef67727db7b23db385703bf6 Mon Sep 17 00:00:00 2001
+From: Huzaifa Sidhpurwala <[email protected]>
+Date: Tue, 15 Oct 2013 14:39:05 +0200
+Subject: [PATCH] Fix invalid memory de-reference issue
+
+Bug: https://bugzilla.redhat.com/551415
+
+Signed-off-by: Kamil Dudka <[email protected]>
+
+Upstream-Status: Backport [https://repo.or.cz/libtar.git/commit/560911b694055b0c677431cf85d4d0d5ebd1a3fd]
+
+Signed-off-by: Katariina Lounento <[email protected]>
+---
+ lib/libtar.h | 1 +
+ lib/util.c   | 4 +---
+ 2 files changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/lib/libtar.h b/lib/libtar.h
+index 55f509a..7fc4d03 100644
+--- a/lib/libtar.h
++++ b/lib/libtar.h
+@@ -172,6 +172,7 @@ int th_write(TAR *t);
+ #define TH_ISDIR(t)	((t)->th_buf.typeflag == DIRTYPE \
+ 			 || S_ISDIR((mode_t)oct_to_int((t)->th_buf.mode)) \
+ 			 || ((t)->th_buf.typeflag == AREGTYPE \
++			     && strlen((t)->th_buf.name) \
+ 			     && ((t)->th_buf.name[strlen((t)->th_buf.name) - 1] == '/')))
+ #define TH_ISFIFO(t)	((t)->th_buf.typeflag == FIFOTYPE \
+ 			 || S_ISFIFO((mode_t)oct_to_int((t)->th_buf.mode)))
+diff --git a/lib/util.c b/lib/util.c
+index 31e8315..11438ef 100644
+--- a/lib/util.c
++++ b/lib/util.c
+@@ -148,9 +148,7 @@ oct_to_int(char *oct)
+ {
+ 	int i;
+
+-	sscanf(oct, "%o", &i);
+-
+-	return i;
++	return sscanf(oct, "%o", &i) == 1 ? i : 0;
+ }
+
+
diff --git a/...oe/recipes-support/libtar/files/0005-fix-file-descriptor-leaks-reported-by-cppcheck.patch b/...oe/recipes-support/libtar/files/0005-fix-file-descriptor-leaks-reported-by-cppcheck.patch
@@ -0,0 +1,101 @@
+From d998b9f75c79aab68255dace641dd30db239eff6 Mon Sep 17 00:00:00 2001
+From: Kamil Dudka <[email protected]>
+Date: Tue, 15 Oct 2013 19:48:41 -0400
+Subject: [PATCH] fix file descriptor leaks reported by cppcheck
+
+Bug: https://bugzilla.redhat.com/785760
+
+Authored by Kamil Dudka <[email protected]>.
+
+Upstream-Status: Backport [https://repo.or.cz/libtar.git/commit/abd0274e6b2f708e9eaa29414b07b3f542cec694]
+
+Signed-off-by: Katariina Lounento <[email protected]>
+---
+ lib/append.c    | 14 +++++++++-----
+ lib/extract.c   |  4 ++++
+ libtar/libtar.c |  3 +++
+ 3 files changed, 16 insertions(+), 5 deletions(-)
+
+diff --git a/lib/append.c b/lib/append.c
+index e8bd89d..ff58532 100644
+--- a/lib/append.c
++++ b/lib/append.c
+@@ -216,6 +216,7 @@ tar_append_regfile(TAR *t, const char *realname)
+ 	int filefd;
+ 	int i, j;
+ 	size_t size;
++	int rv = -1;
+
+ 	filefd = open(realname, O_RDONLY);
+ 	if (filefd == -1)
+@@ -234,25 +235,28 @@ tar_append_regfile(TAR *t, const char *realname)
+ 		{
+ 			if (j != -1)
+ 				errno = EINVAL;
+-			return -1;
++			goto fail;
+ 		}
+ 		if (tar_block_write(t, &block) == -1)
+-			return -1;
++			goto fail;
+ 	}
+
+ 	if (i > 0)
+ 	{
+ 		j = read(filefd, &block, i);
+ 		if (j == -1)
+-			return -1;
++			goto fail;
+ 		memset(&(block[i]), 0, T_BLOCKSIZE - i);
+ 		if (tar_block_write(t, &block) == -1)
+-			return -1;
++			goto fail;
+ 	}
+
++	/* success! */
++	rv = 0;
++fail:
+ 	close(filefd);
+
+-	return 0;
++	return rv;
+ }
+
+
+diff --git a/lib/extract.c b/lib/extract.c
+index 36357e7..9fc6ad5 100644
+--- a/lib/extract.c
++++ b/lib/extract.c
+@@ -228,13 +228,17 @@ tar_extract_regfile(TAR *t, char *realname)
+ 		{
+ 			if (k != -1)
+ 				errno = EINVAL;
++			close(fdout);
+ 			return -1;
+ 		}
+
+ 		/* write block to output file */
+ 		if (write(fdout, buf,
+ 			  ((i > T_BLOCKSIZE) ? T_BLOCKSIZE : i)) == -1)
++		{
++			close(fdout);
+ 			return -1;
++		}
+ 	}
+
+ 	/* close output file */
+diff --git a/libtar/libtar.c b/libtar/libtar.c
+index 9fa92b2..bb5644c 100644
+--- a/libtar/libtar.c
++++ b/libtar/libtar.c
+@@ -83,7 +83,10 @@ gzopen_frontend(char *pathname, int oflags, int mode)
+ 		return -1;
+
+ 	if ((oflags & O_CREAT) && fchmod(fd, mode))
++	{
++		close(fd);
+ 		return -1;
++	}
+
+ 	gzf = gzdopen(fd, gzoflags);
+ 	if (!gzf)
diff --git a/meta-oe/recipes-support/libtar/files/0006-fix-memleak-on-tar_open-failure.patch b/meta-oe/recipes-support/libtar/files/0006-fix-memleak-on-tar_open-failure.patch
@@ -0,0 +1,26 @@
+From f6c5cba59444ecda9bbc22b8e8e57fd1015a688d Mon Sep 17 00:00:00 2001
+From: Huzaifa Sidhpurwala <[email protected]>
+Date: Tue, 15 Oct 2013 20:02:58 -0400
+Subject: [PATCH] fix memleak on tar_open() failure
+
+Authored by Huzaifa Sidhpurwala <[email protected]>.
+
+Upstream-Status: Backport [https://repo.or.cz/libtar.git/commit/36629a41208375f5105427e98078127551692028]
+
+Signed-off-by: Katariina Lounento <[email protected]>
+---
+ lib/handle.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/lib/handle.c b/lib/handle.c
+index 33a262c..002d23c 100644
+--- a/lib/handle.c
++++ b/lib/handle.c
+@@ -82,6 +82,7 @@ tar_open(TAR **t, const char *pathname, tartype_t *type,
+ 	(*t)->fd = (*((*t)->type->openfunc))(pathname, oflags, mode);
+ 	if ((*t)->fd == -1)
+ 	{
++		libtar_hash_free((*t)->h, NULL);
+ 		free(*t);
+ 		return -1;
+ 	}
diff --git a/meta-oe/recipes-support/libtar/files/0007-fix-memleaks-in-libtar-sample-program.patch b/meta-oe/recipes-support/libtar/files/0007-fix-memleaks-in-libtar-sample-program.patch
@@ -0,0 +1,119 @@
+From e3888e452aee72e0d658185ac20e8e63bed1aff8 Mon Sep 17 00:00:00 2001
+From: Huzaifa Sidhpurwala <[email protected]>
+Date: Tue, 15 Oct 2013 20:05:04 -0400
+Subject: [PATCH] fix memleaks in libtar sample program
+
+Authored by Huzaifa Sidhpurwala <[email protected]>.
+
+Upstream-Status: Backport [https://repo.or.cz/libtar.git/commit/f3c711cf3054ff366a1a3500cdc8c64ecc2d2da6]
+
+Signed-off-by: Katariina Lounento <[email protected]>
+---
+ libtar/libtar.c | 29 ++++++++++++++++++-----------
+ 1 file changed, 18 insertions(+), 11 deletions(-)
+
+diff --git a/libtar/libtar.c b/libtar/libtar.c
+index bb5644c..23f8741 100644
+--- a/libtar/libtar.c
++++ b/libtar/libtar.c
+@@ -253,6 +253,7 @@ extract(char *tarfile, char *rootdir)
+ 	if (tar_extract_all(t, rootdir) != 0)
+ 	{
+ 		fprintf(stderr, "tar_extract_all(): %s\n", strerror(errno));
++		tar_close(t);
+ 		return -1;
+ 	}
+
+@@ -270,12 +271,13 @@ extract(char *tarfile, char *rootdir)
+
+
+ void
+-usage()
++usage(void *rootdir)
+ {
+ 	printf("Usage: %s [-C rootdir] [-g] [-z] -x|-t filename.tar\n",
+ 	       progname);
+ 	printf("       %s [-C rootdir] [-g] [-z] -c filename.tar ...\n",
+ 	       progname);
++	free(rootdir);
+ 	exit(-1);
+ }
+
+@@ -292,6 +294,7 @@ main(int argc, char *argv[])
+ 	int c;
+ 	int mode = 0;
+ 	libtar_list_t *l;
++	int return_code = -2;
+
+ 	progname = basename(argv[0]);
+
+@@ -313,17 +316,17 @@ main(int argc, char *argv[])
+ 			break;
+ 		case 'c':
+ 			if (mode)
+-				usage();
++				usage(rootdir);
+ 			mode = MODE_CREATE;
+ 			break;
+ 		case 'x':
+ 			if (mode)
+-				usage();
++				usage(rootdir);
+ 			mode = MODE_EXTRACT;
+ 			break;
+ 		case 't':
+ 			if (mode)
+-				usage();
++				usage(rootdir);
+ 			mode = MODE_LIST;
+ 			break;
+ #ifdef HAVE_LIBZ
+@@ -332,7 +335,7 @@ main(int argc, char *argv[])
+ 			break;
+ #endif /* HAVE_LIBZ */
+ 		default:
+-			usage();
++			usage(rootdir);
+ 		}
+
+ 	if (!mode || ((argc - optind) < (mode == MODE_CREATE ? 2 : 1)))
+@@ -341,7 +344,7 @@ main(int argc, char *argv[])
+ 		printf("argc - optind == %d\tmode == %d\n", argc - optind,
+ 		       mode);
+ #endif
+-		usage();
++		usage(rootdir);
+ 	}
+
+ #ifdef DEBUG
+@@ -351,21 +354,25 @@ main(int argc, char *argv[])
+ 	switch (mode)
+ 	{
+ 	case MODE_EXTRACT:
+-		return extract(argv[optind], rootdir);
++		return_code = extract(argv[optind], rootdir);
++		break;
+ 	case MODE_CREATE:
+ 		tarfile = argv[optind];
+ 		l = libtar_list_new(LIST_QUEUE, NULL);
+ 		for (c = optind + 1; c < argc; c++)
+ 			libtar_list_add(l, argv[c]);
+-		return create(tarfile, rootdir, l);
++		return_code = create(tarfile, rootdir, l);
++		libtar_list_free(l, NULL);
++		break;
+ 	case MODE_LIST:
+-		return list(argv[optind]);
++		return_code = list(argv[optind]);
++		break;
+ 	default:
+ 		break;
+ 	}
+
+-	/* NOTREACHED */
+-	return -2;
++	free(rootdir);
++	return return_code;
+ }
+
+