From cd892d109a583e3a29e1da66b8374c29605bfdc8 Mon Sep 17 00:00:00 2001 From: Sergey Poznyakoff Date: Wed, 6 Nov 2019 09:56:30 +0200 Subject: Version 2.13 * NEWS: Describe new version. * configure.ac: version 2.13 * src/copyin.c: Fix strict aliasing violation. * tests/CVE-2019-14866.at: New file. * tests/Makefile.am: Add new test. * tests/testsuite.at: Add new test, --- NEWS | 8 +++++++- configure.ac | 5 ++--- src/copyin.c | 22 +++++++++++++--------- tests/CVE-2019-14866.at | 35 +++++++++++++++++++++++++++++++++++ tests/Makefile.am | 6 +++--- tests/testsuite.at | 1 + 6 files changed, 61 insertions(+), 16 deletions(-) create mode 100644 tests/CVE-2019-14866.at diff --git a/NEWS b/NEWS index 4706366..714657c 100644 --- a/NEWS +++ b/NEWS @@ -1,10 +1,16 @@ -GNU cpio NEWS -- history of user-visible changes. 2015-09-12 +GNU cpio NEWS -- history of user-visible changes. 2019-11-06 Copyright (C) 2003-2007, 2009-2010, 2014-2015, 2017 Free Software Foundation, Inc. See the end of file for copying conditions. Please send cpio bug reports to . +Version 2.13 - Sergey Poznyakoff, 2019-11-06 + +* Fix CVE-2015-1197 +* Fix CVE-2016-2037 +* Fix CVE-2019-14866 + Version 2.12 - Sergey Poznyakoff, 2015-09-12 * Improved documentation. diff --git a/configure.ac b/configure.ac index 561ecdd..2132256 100644 --- a/configure.ac +++ b/configure.ac @@ -1,7 +1,6 @@ dnl Process this file with autoconf to produce a configure script. dnl This file is part of GNU cpio -dnl Copyright (C) 2003-2007, 2009-2010, 2014-2015, 2017 Free Software -dnl Foundation, Inc. +dnl Copyright (C) 2003-2019 Free Software Foundation, Inc. dnl dnl This program is free software; you can redistribute it and/or modify dnl it under the terms of the GNU General Public License as published by 
@@ -16,7 +15,7 @@ dnl dnl You should have received a copy of the GNU General Public License dnl along with this program. If not, see . -AC_INIT([GNU cpio], [2.12], [bug-cpio@gnu.org],, +AC_INIT([GNU cpio], [2.13], [bug-cpio@gnu.org],, [http://www.gnu.org/software/cpio]) AC_CONFIG_SRCDIR(src/cpio.h) AC_CONFIG_AUX_DIR([build-aux]) diff --git a/src/copyin.c b/src/copyin.c index fd20426..b29f348 100644 --- a/src/copyin.c +++ b/src/copyin.c @@ -889,30 +889,34 @@ read_in_header (struct cpio_file_stat *file_hdr, int in_des) if (archive_format == arf_unknown) { - char tmpbuf[512]; + union + { + char s[512]; + unsigned short us; + } tmpbuf; int check_tar; int peeked_bytes; while (archive_format == arf_unknown) { - peeked_bytes = tape_buffered_peek (tmpbuf, in_des, 512); + peeked_bytes = tape_buffered_peek (tmpbuf.s, in_des, 512); if (peeked_bytes < 6) error (PAXEXIT_FAILURE, 0, _("premature end of archive")); - if (!strncmp (tmpbuf, "070701", 6)) + if (!strncmp (tmpbuf.s, "070701", 6)) archive_format = arf_newascii; - else if (!strncmp (tmpbuf, "070707", 6)) + else if (!strncmp (tmpbuf.s, "070707", 6)) archive_format = arf_oldascii; - else if (!strncmp (tmpbuf, "070702", 6)) + else if (!strncmp (tmpbuf.s, "070702", 6)) { archive_format = arf_crcascii; crc_i_flag = true; } - else if ((*((unsigned short *) tmpbuf) == 070707) || - (*((unsigned short *) tmpbuf) == swab_short ((unsigned short) 070707))) + else if (tmpbuf.us == 070707 + || tmpbuf.us == swab_short ((unsigned short) 070707)) archive_format = arf_binary; else if (peeked_bytes >= 512 - && (check_tar = is_tar_header (tmpbuf))) + && (check_tar = is_tar_header (tmpbuf.s))) { if (check_tar == 2) archive_format = arf_ustar; @@ -921,7 +925,7 @@ read_in_header (struct cpio_file_stat *file_hdr, int in_des) } else { - tape_buffered_read ((char *) tmpbuf, in_des, 1L); + tape_buffered_read (tmpbuf.s, in_des, 1L); ++bytes_skipped; } } 
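Review bot: In src/copyin.c the new `union { char s[512]; unsigned short us; } tmpbuf;` has no comment explaining why it is a union, and the peek still passes the literal `512` instead of the buffer's own size. This loop sniffs the format of an archive that may be untrusted, so if `s` is later resized without updating the call, the peek could write past the buffer; `peeked_bytes = tape_buffered_peek (tmpbuf.s, in_des, sizeof tmpbuf.s);` keeps the two in step. Above the declaration I would add `/* Union rather than a cast: the binary magic is read as an unsigned short, which must not be done through a pointer into a char array. */`. read_in_header starts and ends outside these hunks, and the second hunk (`tape_buffered_read (tmpbuf.s, in_des, 1L);`) only drops the now-redundant cast.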
diff --git a/tests/CVE-2019-14866.at b/tests/CVE-2019-14866.at new file mode 100644 index 0000000..e877b39 --- /dev/null +++ b/tests/CVE-2019-14866.at @@ -0,0 +1,35 @@ +# Process this file with autom4te to create testsuite. -*- Autotest -*- +# Copyright (C) 2009-2019 Free Software Foundation, Inc. +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 3, or (at your option) +# any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + +AT_SETUP([CVE-2019-14866 (tar header size overflow)]) +AT_CHECK([ +# Use -s (seek) instead of -l (size) to speed up file creation. +# This can fail if the device lacks sufficient space. Skip the test, then. +if genfile -s 16G -f file; then + echo file | cpio -H tar -o > a.tar + s=$? + rm -f file + exit $? +else + AT_SKIP_TEST +fi +], +[0], +[], +[cpio: file: value size 17179869184 out of allowed range 0..8589934591 +2 blocks +]) +AT_CLEANUP diff --git a/tests/Makefile.am b/tests/Makefile.am index 5b8e9ed..65bf470 100644 --- a/tests/Makefile.am +++ b/tests/Makefile.am @@ -1,7 +1,6 @@ # Makefile for GNU cpio regression tests. -# Copyright (C) 2004, 2007-2010, 2014-2015, 2017 Free Software -# Foundation, Inc. +# Copyright (C) 2004-2019 Free Software Foundation, Inc. ## This program is free software; you can redistribute it and/or modify ## it under the terms of the GNU General Public License as published by 
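Review bot: In tests/CVE-2019-14866.at the shell fragment saves cpio's status with `s=$?` but then ends with `exit $?`, which returns the status of `rm -f file`; `s` is never read. The expected status `[0]` therefore only shows that the cleanup succeeded, not how cpio exited after printing the out-of-range error. Change the last command to `exit $s` and set the expected status to whatever cpio is meant to return when it rejects the size field, which this patch does not show. The test also never inspects `a.tar`, so it does not pin down what is written for the oversized member.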
@@ -57,7 +56,8 @@ TESTSUITE_AT = \ symlink-to-stdout.at\ version.at\ big-block-size.at\ - CVE-2015-1197.at + CVE-2015-1197.at\ + CVE-2019-14866.at TESTSUITE = $(srcdir)/testsuite diff --git a/tests/testsuite.at b/tests/testsuite.at index 10cb8b9..aa56bb9 100644 --- a/tests/testsuite.at +++ b/tests/testsuite.at @@ -45,3 +45,4 @@ m4_include([setstat05.at]) m4_include([big-block-size.at]) m4_include([CVE-2015-1197.at]) +m4_include([CVE-2019-14866.at]) -- cgit v1.2.1