-rw-r--r--NEWS8
-rw-r--r--configure.ac5
-rw-r--r--src/copyin.c22
-rw-r--r--tests/CVE-2019-14866.at35
-rw-r--r--tests/Makefile.am6
-rw-r--r--tests/testsuite.at1
6 files changed, 61 insertions, 16 deletions
diff --git a/NEWS b/NEWS
index 4706366..714657c 100644
--- a/NEWS
+++ b/NEWS
@@ -1,10 +1,16 @@
-GNU cpio NEWS -- history of user-visible changes. 2015-09-12
+GNU cpio NEWS -- history of user-visible changes. 2019-11-06
Copyright (C) 2003-2007, 2009-2010, 2014-2015, 2017 Free Software
Foundation, Inc.
See the end of file for copying conditions.
Please send cpio bug reports to <bug-cpio@gnu.org>.
+Version 2.13 - Sergey Poznyakoff, 2019-11-06
+
+* Fix CVE-2015-1197
+* Fix CVE-2016-2037
+* Fix CVE-2019-14866
+
Version 2.12 - Sergey Poznyakoff, 2015-09-12
* Improved documentation.
diff --git a/configure.ac b/configure.ac
index 561ecdd..2132256 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1,7 +1,6 @@
dnl Process this file with autoconf to produce a configure script.
dnl This file is part of GNU cpio
-dnl Copyright (C) 2003-2007, 2009-2010, 2014-2015, 2017 Free Software
-dnl Foundation, Inc.
+dnl Copyright (C) 2003-2019 Free Software Foundation, Inc.
dnl
dnl This program is free software; you can redistribute it and/or modify
dnl it under the terms of the GNU General Public License as published by
@@ -16,7 +15,7 @@ dnl
dnl You should have received a copy of the GNU General Public License
dnl along with this program. If not, see <http://www.gnu.org/licenses/>.
-AC_INIT([GNU cpio], [2.12], [bug-cpio@gnu.org],,
+AC_INIT([GNU cpio], [2.13], [bug-cpio@gnu.org],,
[http://www.gnu.org/software/cpio])
AC_CONFIG_SRCDIR(src/cpio.h)
AC_CONFIG_AUX_DIR([build-aux])
diff --git a/src/copyin.c b/src/copyin.c
index fd20426..b29f348 100644
--- a/src/copyin.c
+++ b/src/copyin.c
@@ -889,30 +889,34 @@ read_in_header (struct cpio_file_stat *file_hdr, int in_des)
if (archive_format == arf_unknown)
{
- char tmpbuf[512];
+ union
+ {
+ char s[512];
+ unsigned short us;
+ } tmpbuf;
int check_tar;
int peeked_bytes;
while (archive_format == arf_unknown)
{
- peeked_bytes = tape_buffered_peek (tmpbuf, in_des, 512);
+ peeked_bytes = tape_buffered_peek (tmpbuf.s, in_des, 512);
if (peeked_bytes < 6)
error (PAXEXIT_FAILURE, 0, _("premature end of archive"));
- if (!strncmp (tmpbuf, "070701", 6))
+ if (!strncmp (tmpbuf.s, "070701", 6))
archive_format = arf_newascii;
- else if (!strncmp (tmpbuf, "070707", 6))
+ else if (!strncmp (tmpbuf.s, "070707", 6))
archive_format = arf_oldascii;
- else if (!strncmp (tmpbuf, "070702", 6))
+ else if (!strncmp (tmpbuf.s, "070702", 6))
{
archive_format = arf_crcascii;
crc_i_flag = true;
}
- else if ((*((unsigned short *) tmpbuf) == 070707) ||
- (*((unsigned short *) tmpbuf) == swab_short ((unsigned short) 070707)))
+ else if (tmpbuf.us == 070707
+ || tmpbuf.us == swab_short ((unsigned short) 070707))
archive_format = arf_binary;
else if (peeked_bytes >= 512
- && (check_tar = is_tar_header (tmpbuf)))
+ && (check_tar = is_tar_header (tmpbuf.s)))
{
if (check_tar == 2)
archive_format = arf_ustar;
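Review bot: The new `tmpbuf` union has no comment explaining why a plain `char[512]` was replaced, so a later cleanup could reintroduce the `*((unsigned short *) tmpbuf)` cast. I would add above the union `/* Union, not a char array: the binary-magic test reads the first two bytes as an unsigned short, which needs proper alignment and a valid access type. */`. The literal `512` is also still repeated in the `tape_buffered_peek` call and in `peeked_bytes >= 512`; writing `sizeof tmpbuf.s` in both places would keep them tied to the buffer size. read_in_header starts before and continues after this hunk, so how the remaining uses of `tmpbuf` look is only partly visible here.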
@@ -921,7 +925,7 @@ read_in_header (struct cpio_file_stat *file_hdr, int in_des)
}
else
{
- tape_buffered_read ((char *) tmpbuf, in_des, 1L);
+ tape_buffered_read (tmpbuf.s, in_des, 1L);
++bytes_skipped;
}
}
diff --git a/tests/CVE-2019-14866.at b/tests/CVE-2019-14866.at
new file mode 100644
index 0000000..e877b39
--- /dev/null
+++ b/tests/CVE-2019-14866.at
@@ -0,0 +1,35 @@
+# Process this file with autom4te to create testsuite. -*- Autotest -*-
+# Copyright (C) 2009-2019 Free Software Foundation, Inc.
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3, or (at your option)
+# any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+
+AT_SETUP([CVE-2019-14866 (tar header size overflow)])
+AT_CHECK([
+# Use -s (seek) instead of -l (size) to speed up file creation.
+# This can fail if the device lacks sufficient space. Skip the test, then.
+if genfile -s 16G -f file; then
+ echo file | cpio -H tar -o > a.tar
+ s=$?
+ rm -f file
+ exit $?
+else
+ AT_SKIP_TEST
+fi
+],
+[0],
+[],
+[cpio: file: value size 17179869184 out of allowed range 0..8589934591
+2 blocks
+])
+AT_CLEANUP
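Review bot: The shell snippet stores cpio's exit status in `s` but then runs `exit $?` right after `rm -f file`, so the `[0]` status check tests `rm` rather than `cpio`; the last line of the `then` branch should be `exit $s`. As written, the test reports the expected status even if cpio exits non-zero, and only the stderr comparison guards the regression. If cpio deliberately returns a non-zero status when it rejects the oversized member, the expected status in `[0]` would need adjusting with that change; this cannot be confirmed from the hunks shown. A one-line comment stating which exit status cpio should give for an out-of-range size would make the intent explicit.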
diff --git a/tests/Makefile.am b/tests/Makefile.am
index 5b8e9ed..65bf470 100644
--- a/tests/Makefile.am
+++ b/tests/Makefile.am
@@ -1,7 +1,6 @@
# Makefile for GNU cpio regression tests.
-# Copyright (C) 2004, 2007-2010, 2014-2015, 2017 Free Software
-# Foundation, Inc.
+# Copyright (C) 2004-2019 Free Software Foundation, Inc.
## This program is free software; you can redistribute it and/or modify
## it under the terms of the GNU General Public License as published by
@@ -57,7 +56,8 @@ TESTSUITE_AT = \
symlink-to-stdout.at\
version.at\
big-block-size.at\
- CVE-2015-1197.at
+ CVE-2015-1197.at\
+ CVE-2019-14866.at
TESTSUITE = $(srcdir)/testsuite
diff --git a/tests/testsuite.at b/tests/testsuite.at
index 10cb8b9..aa56bb9 100644
--- a/tests/testsuite.at
+++ b/tests/testsuite.at
@@ -45,3 +45,4 @@ m4_include([setstat05.at])
m4_include([big-block-size.at])
m4_include([CVE-2015-1197.at])
+m4_include([CVE-2019-14866.at])
