| field | value | date |
|---|---|---|
| author | Pavel Raiskup <praiskup@redhat.com> | 2016-01-26 23:17:54 +0100 |
| committer | Sergey Poznyakoff <gray@gnu.org.ua> | 2017-04-14 11:32:08 +0300 |
| commit | d36ec5f4e93130efb24fb9678aafd88e8070095b (patch) | |
| tree | e94d286972c84e2612e94a4a98c8357aadf08583 /doc/cpio.1 | |
| parent | 15aaf62b93dcb8071e8f8deecfd6171b6afa1d48 (diff) | |
| download | cpio-d36ec5f4e93130efb24fb9678aafd88e8070095b.tar.gz, cpio-d36ec5f4e93130efb24fb9678aafd88e8070095b.tar.bz2 | |
CVE-2016-2037 - 1 byte out-of-bounds write
Ensure that cpio_safer_name_suffix always works with a dynamically
allocated buffer, and that it has a size of at least 32 bytes.
Then, any call to cpio_safer_name_suffix is safe (it requires at
least 2 bytes in the buffer).
Also ensure that c_namesize is always correctly initialized (by
cpio_set_c_name) to avoid undefined behavior when reading
file_hdr.c_namesize (this previously happened for tar archives).
References:
http://www.mail-archive.com/bug-cpio@gnu.org/msg00545.html
* src/copyin.c (query_rename): Drop the hack, as we now work with a
dynamically allocated buffer. Use cpio_set_c_name.
(create_defered_links_to_skipped): Use cpio_set_c_name rather than
manual assignment.
(read_name_from_file): New function to avoid C&P.
(read_in_old_ascii, read_in_new_ascii, read_in_binary): Use
read_name_from_file.
(process_copy_in): Initialize file_hdr.c_namesize.
* src/copyout.c (process_copy_out): Use cpio_set_c_name.
* src/cpiohdr.h (cpio_set_c_name): New prototype.
* src/tar.c (read_in_tar_header): Use cpio_set_c_name.
* src/util.c (cpio_set_c_name): New function to set
file_hdr->c_name and c_namesize from arbitrary string.
(cpio_safer_name_suffix): Some docs fixes.
* tests/inout.at: Also test copy-in, and try various formats.
Diffstat (limited to 'doc/cpio.1')
0 files changed, 0 insertions, 0 deletions
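As an added illustration (not cpio's own code and not part of this commit): a cut-down C model of the two pieces the commit message describes, a set_c_name that always hands out a heap buffer of at least 32 bytes and records its size in c_namesize, and a safer_name_suffix that needs two bytes whenever a member name strips down to nothing. The struct, the function bodies, the prefix-stripping rules, the names and the constructed one-byte "old layout" case are simplifications and assumptions for the example; the real cpio_set_c_name and cpio_safer_name_suffix differ in detail.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not cpio's code: a cut-down model of the fix described in
 * the commit message. The member name lives in a heap buffer (c_name) whose
 * size is tracked in c_namesize and never drops below MIN_NAME_BUF bytes. */
#define MIN_NAME_BUF 32

struct name_hdr {            /* assumed simplification of cpio's file header */
    char *c_name;
    size_t c_namesize;       /* allocated bytes, NUL included */
};

/* Model of cpio_set_c_name: copy an arbitrary string into c_name, growing
 * the buffer when needed and keeping it at least MIN_NAME_BUF bytes. */
static void set_c_name(struct name_hdr *hdr, const char *name)
{
    size_t need = strlen(name) + 1;
    if (need < MIN_NAME_BUF)
        need = MIN_NAME_BUF;
    if (hdr->c_name == NULL || hdr->c_namesize < need) {
        char *p = realloc(hdr->c_name, need);
        if (p == NULL)
            exit(1);
        hdr->c_name = p;
        hdr->c_namesize = need;
    }
    memcpy(hdr->c_name, name, strlen(name) + 1);
}

/* Skip leading "/" and "../" components (and a bare trailing "..");
 * assumed stripping rules, chosen for the example. */
static const char *strip_unsafe_prefix(const char *p)
{
    for (;;) {
        if (p[0] == '/')
            p++;
        else if (p[0] == '.' && p[1] == '.' && (p[2] == '/' || p[2] == '\0'))
            p += (p[2] == '/') ? 3 : 2;
        else
            return p;
    }
}

/* Model of cpio_safer_name_suffix, rewriting NAME in place. Stripping never
 * grows the string, except that a name left empty becomes "." and needs two
 * bytes ('.' plus NUL). A shorter buffer is refused instead of overrun; that
 * overrun is the one-byte out-of-bounds write the commit fixes.
 * Returns 0 on success, -1 if BUFSIZE is too small. */
static int safer_name_suffix(char *name, size_t bufsize)
{
    const char *p = strip_unsafe_prefix(name);
    if (*p == '\0') {
        if (bufsize < 2)
            return -1;
        name[0] = '.';
        name[1] = '\0';
        return 0;
    }
    memmove(name, p, strlen(p) + 1);    /* same length or shorter: fits */
    return 0;
}

/* Pre-fix layout: c_namesize is taken straight from the archive header, so a
 * (constructed) member whose name is the empty string gets a one-byte buffer.
 * Returns -1 where the old code would have written one byte past the end. */
static int old_layout_empty_name(void)
{
    size_t c_namesize = 1;               /* constructed: header says 1 byte */
    char *c_name = malloc(c_namesize);
    int rc;
    if (c_name == NULL)
        return -2;
    c_name[0] = '\0';
    rc = safer_name_suffix(c_name, c_namesize);
    free(c_name);
    return rc;
}

/* Fixed path: run NAME through set_c_name and safer_name_suffix. Returns the
 * buffer size that was allocated if the result equals EXPECTED, else 0. */
static size_t normalizes_to(const char *name, const char *expected)
{
    struct name_hdr hdr = { NULL, 0 };
    size_t size = 0;
    set_c_name(&hdr, name);
    if (safer_name_suffix(hdr.c_name, hdr.c_namesize) == 0
        && strcmp(hdr.c_name, expected) == 0)
        size = hdr.c_namesize;
    free(hdr.c_name);
    return size;
}

int main(void)
{
    printf("old layout, empty name: rc=%d\n", old_layout_empty_name());
    printf("fixed layout: \"\" -> \".\" in %zu bytes\n", normalizes_to("", "."));
    return 0;
}
```

The point to take from the model is the size contract: the only way safer_name_suffix can write more than it reads is the empty-name case, so a caller that sizes c_name from an attacker-controlled c_namesize of 1 is exactly one byte short, and a floor of 32 bytes on every allocation (together with always initializing c_namesize through one setter) removes that case for every archive format at once.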