Version 2.13release_2_13

* NEWS: Describe new version.
* configure.ac: version 2.13
* src/copyin.c: Fix strict aliasing violation.
* tests/CVE-2019-14866.at: New file.
* tests/Makefile.am: Add new test.
* tests/testsuite.at: Add new test,

6 files changed, 61 insertions, 16 deletions

diff --git a/NEWS b/NEWS
index 4706366..714657c 100644
--- a/NEWS
+++ b/NEWS
@@ -1,2 +1,2 @@
-GNU cpio NEWS -- history of user-visible changes. 2015-09-12
+GNU cpio NEWS -- history of user-visible changes. 2019-11-06
 Copyright (C) 2003-2007, 2009-2010, 2014-2015, 2017 Free Software
@@ -7,2 +7,8 @@ Please send cpio bug reports to <bug-cpio@gnu.org>.
 
+Version 2.13 - Sergey Poznyakoff, 2019-11-06
+
+* Fix CVE-2015-1197
+* Fix CVE-2016-2037
+* Fix CVE-2019-14866
+
 Version 2.12 - Sergey Poznyakoff, 2015-09-12
diff --git a/configure.ac b/configure.ac
index 561ecdd..2132256 100644
--- a/configure.ac
+++ b/configure.ac
@@ -2,4 +2,3 @@ dnl Process this file with autoconf to produce a configure script.
 dnl This file is part of GNU cpio
-dnl Copyright (C) 2003-2007, 2009-2010, 2014-2015, 2017 Free Software
-dnl Foundation, Inc.
+dnl Copyright (C) 2003-2019 Free Software Foundation, Inc.
 dnl
@@ -18,3 +17,3 @@ dnl along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
-AC_INIT([GNU cpio], [2.12], [bug-cpio@gnu.org],,
+AC_INIT([GNU cpio], [2.13], [bug-cpio@gnu.org],,
         [http://www.gnu.org/software/cpio])
diff --git a/src/copyin.c b/src/copyin.c
index fd20426..b29f348 100644
--- a/src/copyin.c
+++ b/src/copyin.c
@@ -891,3 +891,7 @@ read_in_header (struct cpio_file_stat *file_hdr, int in_des)
     {
-      char tmpbuf[512];
+      union
+      {
+	char s[512];
+	unsigned short us;
+      }	tmpbuf;
       int check_tar;
@@ -897,3 +901,3 @@ read_in_header (struct cpio_file_stat *file_hdr, int in_des)
 	{
-	  peeked_bytes = tape_buffered_peek (tmpbuf, in_des, 512);
+	  peeked_bytes = tape_buffered_peek (tmpbuf.s, in_des, 512);
 	  if (peeked_bytes < 6)
@@ -901,7 +905,7 @@ read_in_header (struct cpio_file_stat *file_hdr, int in_des)
 
-	  if (!strncmp (tmpbuf, "070701", 6))
+	  if (!strncmp (tmpbuf.s, "070701", 6))
 	    archive_format = arf_newascii;
-	  else if (!strncmp (tmpbuf, "070707", 6))
+	  else if (!strncmp (tmpbuf.s, "070707", 6))
 	    archive_format = arf_oldascii;
-	  else if (!strncmp (tmpbuf, "070702", 6))
+	  else if (!strncmp (tmpbuf.s, "070702", 6))
 	    {
@@ -910,7 +914,7 @@ read_in_header (struct cpio_file_stat *file_hdr, int in_des)
 	    }
-	  else if ((*((unsigned short *) tmpbuf) == 070707) ||
-		   (*((unsigned short *) tmpbuf) == swab_short ((unsigned short) 070707)))
+	  else if (tmpbuf.us == 070707
+		   || tmpbuf.us == swab_short ((unsigned short) 070707))
 	    archive_format = arf_binary;
 	  else if (peeked_bytes >= 512
-		   && (check_tar = is_tar_header (tmpbuf)))
+		   && (check_tar = is_tar_header (tmpbuf.s)))
 	    {
@@ -923,3 +927,3 @@ read_in_header (struct cpio_file_stat *file_hdr, int in_des)
 	    {
-	      tape_buffered_read ((char *) tmpbuf, in_des, 1L);
+	      tape_buffered_read (tmpbuf.s, in_des, 1L);
 	      ++bytes_skipped;
diff --git a/tests/CVE-2019-14866.at b/tests/CVE-2019-14866.at
new file mode 100644
index 0000000..e877b39
--- /dev/null
+++ b/tests/CVE-2019-14866.at
@@ -0,0 +1,35 @@
+# Process this file with autom4te to create testsuite.  -*- Autotest -*-
+# Copyright (C) 2009-2019 Free Software Foundation, Inc.
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3, or (at your option)
+# any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+AT_SETUP([CVE-2019-14866 (tar header size overflow)])
+AT_CHECK([
+# Use -s (seek) instead of -l (size) to speed up file creation.
+# This can fail if the device lacks sufficient space.  Skip the test, then.
+if genfile -s 16G -f file; then
+  echo file | cpio -H tar -o > a.tar
+  s=$?
+  rm -f file
+  exit $?
+else
+  AT_SKIP_TEST
+fi  
+],
+[0],
+[],
+[cpio: file: value size 17179869184 out of allowed range 0..8589934591
+2 blocks
+])
+AT_CLEANUP
diff --git a/tests/Makefile.am b/tests/Makefile.am
index 5b8e9ed..65bf470 100644
--- a/tests/Makefile.am
+++ b/tests/Makefile.am
@@ -2,4 +2,3 @@
 
-# Copyright (C) 2004, 2007-2010, 2014-2015, 2017 Free Software
-# Foundation, Inc.
+# Copyright (C) 2004-2019 Free Software Foundation, Inc.
 
@@ -59,3 +58,4 @@ TESTSUITE_AT = \
  big-block-size.at\
- CVE-2015-1197.at
+ CVE-2015-1197.at\
+ CVE-2019-14866.at
 
diff --git a/tests/testsuite.at b/tests/testsuite.at
index 10cb8b9..aa56bb9 100644
--- a/tests/testsuite.at
+++ b/tests/testsuite.at
@@ -47 +47,2 @@ m4_include([big-block-size.at])
 m4_include([CVE-2015-1197.at])
+m4_include([CVE-2019-14866.at])