author | Sergey Poznyakoff <gray@gnu.org> | 2019-11-06 09:56:30 +0200 |
---|---|---|
committer | Sergey Poznyakoff <gray@gnu.org> | 2019-11-06 09:56:30 +0200 |
commit | cd892d109a583e3a29e1da66b8374c29605bfdc8 (patch) | |
tree | bf867edb591ad90b33136e4baa9f059cc6a6e5a5 | |
parent | b7b5a9c456fdcd767c0f041d67af240de5b58fce (diff) | |
Version 2.13release_2_13
* NEWS: Describe new version.
* configure.ac: version 2.13
* src/copyin.c: Fix strict aliasing violation.
* tests/CVE-2019-14866.at: New file.
* tests/Makefile.am: Add new test.
* tests/testsuite.at: Add new test.
-rw-r--r-- | NEWS | 8 | ||||
-rw-r--r-- | configure.ac | 5 | ||||
-rw-r--r-- | src/copyin.c | 22 | ||||
-rw-r--r-- | tests/CVE-2019-14866.at | 35 | ||||
-rw-r--r-- | tests/Makefile.am | 6 | ||||
-rw-r--r-- | tests/testsuite.at | 1 |
6 files changed, 61 insertions, 16 deletions
@@ -1,2 +1,2 @@
-GNU cpio NEWS -- history of user-visible changes. 2015-09-12
+GNU cpio NEWS -- history of user-visible changes. 2019-11-06
 Copyright (C) 2003-2007, 2009-2010, 2014-2015, 2017 Free Software
@@ -7,2 +7,8 @@ Please send cpio bug reports to <bug-cpio@gnu.org>.
+Version 2.13 - Sergey Poznyakoff, 2019-11-06
+
+* Fix CVE-2015-1197
+* Fix CVE-2016-2037
+* Fix CVE-2019-14866
+
 Version 2.12 - Sergey Poznyakoff, 2015-09-12
diff --git a/configure.ac b/configure.ac
index 561ecdd..2132256 100644
--- a/configure.ac
+++ b/configure.ac
@@ -2,4 +2,3 @@ dnl Process this file with autoconf to produce a configure script.
 dnl This file is part of GNU cpio
-dnl Copyright (C) 2003-2007, 2009-2010, 2014-2015, 2017 Free Software
-dnl Foundation, Inc.
+dnl Copyright (C) 2003-2019 Free Software Foundation, Inc.
 dnl
@@ -18,3 +17,3 @@ dnl along with this program. If not, see <http://www.gnu.org/licenses/>.
-AC_INIT([GNU cpio], [2.12], [bug-cpio@gnu.org],,
+AC_INIT([GNU cpio], [2.13], [bug-cpio@gnu.org],,
 [http://www.gnu.org/software/cpio])
diff --git a/src/copyin.c b/src/copyin.c
index fd20426..b29f348 100644
--- a/src/copyin.c
+++ b/src/copyin.c
@@ -891,3 +891,7 @@ read_in_header (struct cpio_file_stat *file_hdr, int in_des)
 {
- char tmpbuf[512];
+ union
+ {
+ char s[512];
+ unsigned short us;
+ } tmpbuf;
 int check_tar;
@@ -897,3 +901,3 @@ read_in_header (struct cpio_file_stat *file_hdr, int in_des)
 {
- peeked_bytes = tape_buffered_peek (tmpbuf, in_des, 512);
+ peeked_bytes = tape_buffered_peek (tmpbuf.s, in_des, 512);
 if (peeked_bytes < 6)
@@ -901,7 +905,7 @@ read_in_header (struct cpio_file_stat *file_hdr, int in_des)
- if (!strncmp (tmpbuf, "070701", 6))
+ if (!strncmp (tmpbuf.s, "070701", 6))
 archive_format = arf_newascii;
- else if (!strncmp (tmpbuf, "070707", 6))
+ else if (!strncmp (tmpbuf.s, "070707", 6))
 archive_format = arf_oldascii;
- else if (!strncmp (tmpbuf, "070702", 6))
+ else if (!strncmp (tmpbuf.s, "070702", 6))
 {
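Review bot: The union introduced in the first src/copyin.c hunk carries no comment saying why `tmpbuf` is no longer a plain `char[512]`, so a later cleanup could reintroduce the cast this commit removes. I would put `/* Union, not char[]: the binary magic is read through .us, which avoids the strict-aliasing (and alignment) problem of casting a char buffer to unsigned short *. */` above the `union` line. As a smaller style point, the length passed in `tape_buffered_peek (tmpbuf.s, in_des, 512)` still repeats the array size as a literal, as does the `peeked_bytes >= 512` guard in the @@ -910 hunk; `sizeof tmpbuf.s` at the peek call would keep the read length tied to the buffer that receives archive bytes, provided the parameter type (not shown here) accepts it. read_in_header begins and ends outside these hunks.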
@@ -910,7 +914,7 @@ read_in_header (struct cpio_file_stat *file_hdr, int in_des)
 }
- else if ((*((unsigned short *) tmpbuf) == 070707) ||
- (*((unsigned short *) tmpbuf) == swab_short ((unsigned short) 070707)))
+ else if (tmpbuf.us == 070707
+ || tmpbuf.us == swab_short ((unsigned short) 070707))
 archive_format = arf_binary;
 else if (peeked_bytes >= 512
- && (check_tar = is_tar_header (tmpbuf)))
+ && (check_tar = is_tar_header (tmpbuf.s)))
 {
@@ -923,3 +927,3 @@ read_in_header (struct cpio_file_stat *file_hdr, int in_des)
 {
- tape_buffered_read ((char *) tmpbuf, in_des, 1L);
+ tape_buffered_read (tmpbuf.s, in_des, 1L);
 ++bytes_skipped;
diff --git a/tests/CVE-2019-14866.at b/tests/CVE-2019-14866.at
new file mode 100644
index 0000000..e877b39
--- /dev/null
+++ b/tests/CVE-2019-14866.at
@@ -0,0 +1,35 @@
+# Process this file with autom4te to create testsuite. -*- Autotest -*-
+# Copyright (C) 2009-2019 Free Software Foundation, Inc.
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3, or (at your option)
+# any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+
+AT_SETUP([CVE-2019-14866 (tar header size overflow)])
+AT_CHECK([
+# Use -s (seek) instead of -l (size) to speed up file creation.
+# This can fail if the device lacks sufficient space. Skip the test, then.
+if genfile -s 16G -f file; then
+ echo file | cpio -H tar -o > a.tar
+ s=$?
+ rm -f file
+ exit $?
+else
+ AT_SKIP_TEST
+fi
+],
+[0],
+[],
+[cpio: file: value size 17179869184 out of allowed range 0..8589934591
+2 blocks
+])
+AT_CLEANUP
diff --git a/tests/Makefile.am b/tests/Makefile.am
index 5b8e9ed..65bf470 100644
--- a/tests/Makefile.am
+++ b/tests/Makefile.am
@@ -2,4 +2,3 @@
-# Copyright (C) 2004, 2007-2010, 2014-2015, 2017 Free Software
-# Foundation, Inc.
+# Copyright (C) 2004-2019 Free Software Foundation, Inc.
@@ -59,3 +58,4 @@ TESTSUITE_AT = \
 big-block-size.at\
- CVE-2015-1197.at
+ CVE-2015-1197.at\
+ CVE-2019-14866.at
diff --git a/tests/testsuite.at b/tests/testsuite.at
index 10cb8b9..aa56bb9 100644
--- a/tests/testsuite.at
+++ b/tests/testsuite.at
@@ -47 +47,2 @@ m4_include([big-block-size.at])
 m4_include([CVE-2015-1197.at])
+m4_include([CVE-2019-14866.at]) |
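Review bot: In tests/CVE-2019-14866.at the shell body saves cpio's status with `s=$?` but then finishes with `exit $?`, which returns the status of `rm -f file`; `s` is never read, so the expected `[0]` says nothing about how cpio itself exited. If the test is meant to pin cpio's status, the last line should be `exit $s`, and the expected status would then have to be whatever cpio returns when it rejects the oversized member, which this page does not show. As written, the check relies only on the stderr text (`value size 17179869184 out of allowed range 0..8589934591`), and the contents of `a.tar` are not inspected, so it would be worth a comment stating that the exit code is deliberately ignored if that is the intent.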