author: Pavel Raiskup <praiskup@redhat.com> 2016-01-26 23:17:54 +0100
committer: Sergey Poznyakoff <gray@gnu.org.ua> 2017-04-14 11:32:08 +0300
commit: d36ec5f4e93130efb24fb9678aafd88e8070095b (patch)
tree: e94d286972c84e2612e94a4a98c8357aadf08583 /doc/cpio.1
parent: 15aaf62b93dcb8071e8f8deecfd6171b6afa1d48 (diff)
CVE-2016-2037 - 1 byte out-of-bounds write

Ensure that cpio_safer_name_suffix always works with dynamically allocated buffer, and that it has size of at least 32 bytes. Then, any call to cpio_safer_name_suffix is safe (it requires at least 2 bytes in the buffer).

Also ensure that c_namesize is always correctly initialized (by cpio_set_c_name) to avoid undefined behavior when reading file_hdr.c_namesize (previously happened for tar archives).

References: http://www.mail-archive.com/bug-cpio@gnu.org/msg00545.html

* src/copyin.c (query_rename): Drop the hack, as we now work with dynamically allocated buffer. Use cpio_set_c_name.
(create_defered_links_to_skipped): Use cpio_set_c_name rather than manual assignment.
(read_name_from_file): New function to avoid C&P.
(read_in_old_ascii, read_in_new_ascii, read_in_binary): Use read_name_from_file.
(process_copy_in): Initialize file_hdr.c_namesize.
* src/copyout.c (process_copy_out): Use cpio_set_c_name.
* src/cpiohdr.h (cpio_set_c_name): New prototype.
* src/tar.c (read_in_tar_header): Use cpio_set_c_name.
* src/util.c (cpio_set_c_name): New function to set file_hdr->c_name and c_namesize from arbitrary string.
(cpio_safer_name_suffix): Some docs fixes.
* tests/inout.at: Also test copy-in, and try various formats.

Diffstat (limited to 'doc/cpio.1')
0 files changed, 0 insertions, 0 deletions
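
The invariant described in the commit message, as an added C sketch that is not code from the cpio source tree: one setter owns both the name pointer and its recorded size, and the heap buffer never drops below 32 bytes, so an in-place rewrite that needs 2 bytes always fits. The names `struct hdr`, `set_name`, `make_relative` and `MIN_NAME_BUF` are hypothetical, and the rewrite step is a simplified stand-in for a routine with that 2-byte requirement.

```c
#include <stdlib.h>
#include <string.h>

#define MIN_NAME_BUF 32 /* minimum capacity stated in the commit message */
/* Hypothetical header record; not cpio's struct definition. */
struct hdr {
    char  *name;     /* always heap-allocated, never a fixed array */
    size_t namesize; /* strlen(name) + 1, updated only by the helpers below */
    size_t cap;      /* bytes allocated for name, >= MIN_NAME_BUF once set */
};

/* Set name and namesize together from an arbitrary string.
 * Returns 0 on success, -1 on allocation failure (header left unchanged). */
int set_name(struct hdr *h, const char *s)
{
    size_t need = strlen(s) + 1;
    size_t cap = need < MIN_NAME_BUF ? MIN_NAME_BUF : need;
    if (cap > h->cap) {
        char *p = malloc(cap);
        if (p == NULL)
            return -1;
        memcpy(p, s, need); /* copy before free: s may point into h->name */
        free(h->name);
        h->name = p;
        h->cap = cap;
    } else {
        memmove(h->name, s, need); /* regions may overlap */
    }
    h->namesize = need;
    return 0;
}

/* Simplified in-place rewrite: strip leading '/', and turn an empty
 * result into ".". That last case writes 2 bytes ('.' and NUL) even when
 * the old name was "" (1 byte), so an exactly sized buffer would be
 * overrun by one byte. Requires a prior successful set_name(). */
void make_relative(struct hdr *h)
{
    const char *p = h->name;
    size_t n;
    while (*p == '/')
        p++;
    if (*p == '\0')
        p = ".";
    n = strlen(p) + 1; /* n <= max(namesize, 2) <= cap */
    memmove(h->name, p, n);
    h->namesize = n;
}
```

Routing every assignment through the setter is what keeps the recorded size from being read uninitialized on any code path.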