From 765bc63b98c0fa873f6eb0cf0612287e5e1b13c1 Mon Sep 17 00:00:00 2001 From: zhangruifang2020 Date: Tue, 24 Aug 2021 20:51:29 +0800 Subject: [PATCH] Fix CVE-2021-38185 --- ...ion-to-add-metadata-in-copy-out-mode.patch | 74 +-- ...38185-Rewrite-dynamic-string-support.patch | 462 ++++++++++++++++++ ...2-CVE-2021-38185-Fix-previous-commit.patch | 36 ++ ...185-Fix-dynamic-string-reallocations.patch | 78 +++ cpio.spec | 18 +- 5 files changed, 628 insertions(+), 40 deletions(-) create mode 100644 backport-0001-CVE-2021-38185-Rewrite-dynamic-string-support.patch create mode 100644 backport-0002-CVE-2021-38185-Fix-previous-commit.patch create mode 100644 backport-0003-CVE-2021-38185-Fix-dynamic-string-reallocations.patch diff --git a/add-option-to-add-metadata-in-copy-out-mode.patch b/add-option-to-add-metadata-in-copy-out-mode.patch index fa5b548..b275c01 100644 --- a/add-option-to-add-metadata-in-copy-out-mode.patch +++ b/add-option-to-add-metadata-in-copy-out-mode.patch @@ -45,7 +45,7 @@ index 31a15fa..03d9585 100644 Treat the archive file as local, even if its name contains colons. @item -F [[@var{user}@@]@var{host}:]@var{archive-file} diff --git a/src/copyout.c b/src/copyout.c -index 4b7336b..fdafb37 100644 +index 421d36d..4cd60a3 100644 --- a/src/copyout.c +++ b/src/copyout.c @@ -22,6 +22,7 @@ @@ -151,7 +151,7 @@ index 4b7336b..fdafb37 100644 /* Read a list of file names from the standard input and write a cpio collection on the standard output. The format of the header depends on the compatibility (-c) flag. */ -@@ -603,6 +692,8 @@ process_copy_out () +@@ -604,6 +693,8 @@ process_copy_out (void) int in_file_des; /* Source file descriptor. */ int out_file_des; /* Output file descriptor. */ char *orig_file_name = NULL; 
@@ -159,8 +159,8 @@ index 4b7336b..fdafb37 100644 + int ret, metadata_fd, metadata = 0, old_metadata, hard_link; /* Initialize the copy out. */ - ds_init (&input_name, 128); -@@ -635,9 +726,37 @@ process_copy_out () + file_hdr.c_magic = 070707; +@@ -635,9 +726,37 @@ process_copy_out (void) prepare_append (out_file_des); } @@ -199,8 +199,8 @@ index 4b7336b..fdafb37 100644 /* Check for blank line. */ if (input_name.ds_string[0] == 0) { -@@ -667,8 +786,15 @@ process_copy_out () - } +@@ -662,8 +781,15 @@ process_copy_out (void) + ds_append (&input_name, '/'); } } - @@ -217,7 +217,7 @@ index 4b7336b..fdafb37 100644 cpio_safer_name_suffix (input_name.ds_string, false, !no_abs_paths_flag, true); cpio_set_c_name (&file_hdr, input_name.ds_string); -@@ -700,6 +826,7 @@ process_copy_out () +@@ -695,6 +821,7 @@ process_copy_out (void) else { add_link_defer (&file_hdr); @@ -225,7 +225,7 @@ index 4b7336b..fdafb37 100644 break; } } -@@ -836,6 +963,8 @@ process_copy_out () +@@ -831,6 +958,8 @@ process_copy_out (void) fprintf (stderr, "%s\n", orig_file_name); if (dot_flag) fputc ('.', stderr); @@ -234,10 +234,10 @@ index 4b7336b..fdafb37 100644 } } -@@ -875,6 +1004,11 @@ process_copy_out () - (unsigned long) blocks), (unsigned long) blocks); +@@ -871,6 +1000,11 @@ process_copy_out (void) } cpio_file_stat_free (&file_hdr); + ds_free (&input_name); + + if (metadata_type != TYPE_NONE) { + close(metadata_fd); @@ -247,10 +247,10 @@ index 4b7336b..fdafb37 100644 diff --git a/src/dstring.c b/src/dstring.c -index e9c063f..1021d21 100644 +index 0f597cc..07e827f 100644 --- a/src/dstring.c +++ b/src/dstring.c -@@ -58,8 +58,8 @@ ds_resize (dynamic_string *string, int size) +@@ -74,8 +74,8 @@ ds_reset (dynamic_string *s, size_t len) Return NULL if end of file is detected. Otherwise, Return a pointer to the null-terminated string in S. */ 
@@ -259,33 +259,29 @@ index e9c063f..1021d21 100644 +static char * +ds_fgetstr_common (FILE *f, char *input_string, dynamic_string *s, char eos) { - int insize; /* Amount needed for line. */ - int strsize; /* Amount allocated for S. */ -@@ -70,7 +70,10 @@ ds_fgetstr (FILE *f, dynamic_string *s, char eos) - strsize = s->ds_length; + int next_ch; + +@@ -83,10 +83,18 @@ ds_fgetstr (FILE *f, dynamic_string *s, char eos) + s->ds_idx = 0; /* Read the input string. */ -- next_ch = getc (f); +- while ((next_ch = getc (f)) != eos && next_ch != EOF) + if (input_string) + next_ch = *input_string++; + else + next_ch = getc (f); - while (next_ch != eos && next_ch != EOF) ++ while (next_ch != eos && next_ch != EOF) { - if (insize >= strsize - 1) -@@ -79,7 +82,10 @@ ds_fgetstr (FILE *f, dynamic_string *s, char eos) - strsize = s->ds_length; - } - s->ds_string[insize++] = next_ch; -- next_ch = getc (f); + ds_resize (s, 0); + s->ds_string[s->ds_idx++] = next_ch; + if (input_string) -+ next_ch = *input_string++; ++ next_ch = *input_string++; + else -+ next_ch = getc (f); ++ next_ch = getc (f); } - s->ds_string[insize++] = '\0'; - -@@ -90,6 +96,12 @@ ds_fgetstr (FILE *f, dynamic_string *s, char eos) + ds_resize (s, 0); + s->ds_string[s->ds_idx] = '\0'; +@@ -121,6 +129,12 @@ ds_concat (dynamic_string *s, char const *str) } char * @@ -298,25 +294,31 @@ index e9c063f..1021d21 100644 ds_fgets (FILE *f, dynamic_string *s) { return ds_fgetstr (f, s, '\n'); -@@ -100,3 +112,9 @@ ds_fgetname (FILE *f, dynamic_string *s) - { +@@ -132,6 +146,12 @@ ds_fgetname (FILE *f, dynamic_string *s) return ds_fgetstr (f, s, '\0'); } -+ + +char * +ds_sgetstr (char *input_string, dynamic_string *s, char eos) +{ + return ds_fgetstr_common (NULL, input_string, s, eos); +} ++ + /* Return true if the dynamic string S ends with character C. */ + int + ds_endswith (dynamic_string *s, int c) diff --git a/src/dstring.h b/src/dstring.h -index b5135fe..f5f95ec 100644 +index f5b04ef..50c877d 100644 --- a/src/dstring.h 
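Review bot: The string branch of `ds_fgetstr_common` stops only on `eos` or `EOF`, so when `input_string` is non-NULL and `eos` is not `'\0'` the loop reads past the terminating NUL of the caller's buffer. The read `next_ch = *input_string++` also goes through plain `char`, so where `char` is signed a 0xFF byte typically compares equal to `EOF` and truncates the name. I would read through `unsigned char`, as in `next_ch = (unsigned char) *input_string++;`, at both read sites, and extend the loop test to `while (next_ch != eos && next_ch != EOF && !(input_string && next_ch == '\0'))`. The callers of `ds_sgetstr` are outside this hunk, so whether a non-NUL `eos` is ever passed cannot be confirmed from here.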
+++ b/src/dstring.h -@@ -49,3 +49,4 @@ void ds_resize (dynamic_string *string, int size); +@@ -41,6 +41,7 @@ void ds_reset (dynamic_string *s, size_t len); char *ds_fgetname (FILE *f, dynamic_string *s); char *ds_fgets (FILE *f, dynamic_string *s); char *ds_fgetstr (FILE *f, dynamic_string *s, char eos); +char *ds_sgetstr (char *input_string, dynamic_string *s, char eos); + void ds_append (dynamic_string *s, int c); + void ds_concat (dynamic_string *s, char const *str); + diff --git a/src/extern.h b/src/extern.h index 11ac6bf..f295fcf 100644 --- a/src/extern.h @@ -340,10 +342,10 @@ index 11ac6bf..f295fcf 100644 /* copyin.c */ void warn_junk_bytes (long bytes_skipped); diff --git a/src/global.c b/src/global.c -index fb3abe9..0c40be0 100644 +index acf92bc..d45e19b 100644 --- a/src/global.c +++ b/src/global.c -@@ -199,3 +199,5 @@ char *change_directory_option; +@@ -196,3 +196,5 @@ char *change_directory_option; int renumber_inodes_option; int ignore_devno_option; diff --git a/backport-0001-CVE-2021-38185-Rewrite-dynamic-string-support.patch b/backport-0001-CVE-2021-38185-Rewrite-dynamic-string-support.patch new file mode 100644 index 0000000..ae06f18 --- /dev/null +++ b/backport-0001-CVE-2021-38185-Rewrite-dynamic-string-support.patch 
@@ -0,0 +1,462 @@ +From dd96882877721703e19272fe25034560b794061b Mon Sep 17 00:00:00 2001 +From: Sergey Poznyakoff +Date: Sat, 7 Aug 2021 12:52:21 +0300 +Subject: [PATCH 11/13] Rewrite dynamic string support. + +* src/dstring.c (ds_init): Take a single argument. +(ds_free): New function. +(ds_resize): Take a single argument. Use x2nrealloc to expand +the storage. +(ds_reset,ds_append,ds_concat,ds_endswith): New function. +(ds_fgetstr): Rewrite. In particular, this fixes integer overflow. +* src/dstring.h (dynamic_string): Keep both the allocated length +(ds_size) and index of the next free byte in the string (ds_idx). +(ds_init,ds_resize): Change signature. +(ds_len): New macro. +(ds_free,ds_reset,ds_append,ds_concat,ds_endswith): New protos. +* src/copyin.c: Use new ds_ functions. +* src/copyout.c: Likewise. +* src/copypass.c: Likewise. +* src/util.c: Likewise. +--- + src/copyin.c | 40 +++++++++++++------------- + src/copyout.c | 16 ++++------- + src/copypass.c | 34 +++++++++++------------ + src/dstring.c | 88 ++++++++++++++++++++++++++++++++++++++++++---------------- + src/dstring.h | 31 ++++++++++----------- + src/util.c | 6 ++-- + 6 files changed, 123 insertions(+), 92 deletions(-) + +diff --git a/src/copyin.c b/src/copyin.c +index bf3b0a8..c7f4b49 100644 +--- a/src/copyin.c ++++ b/src/copyin.c +@@ -55,11 +55,12 @@ query_rename(struct cpio_file_stat* file_hdr, FILE *tty_in, FILE *tty_out, + char *str_res; /* Result for string function. */ + static dynamic_string new_name; /* New file name for rename option. */ + static int initialized_new_name = false; ++ + if (!initialized_new_name) +- { +- ds_init (&new_name, 128); +- initialized_new_name = true; +- } ++ { ++ ds_init (&new_name); ++ initialized_new_name = true; ++ } + + if (rename_flag) + { +@@ -778,39 +779,41 @@ long_format (struct cpio_file_stat *file_hdr, char const *link_name) + already in `save_patterns' (from the command line) are preserved. 
*/ + + static void +-read_pattern_file () ++read_pattern_file (void) + { +- int max_new_patterns; +- char **new_save_patterns; +- int new_num_patterns; ++ char **new_save_patterns = NULL; ++ size_t max_new_patterns; ++ size_t new_num_patterns; + int i; +- dynamic_string pattern_name; ++ dynamic_string pattern_name = DYNAMIC_STRING_INITIALIZER; + FILE *pattern_fp; + + if (num_patterns < 0) + num_patterns = 0; +- max_new_patterns = 1 + num_patterns; +- new_save_patterns = (char **) xmalloc (max_new_patterns * sizeof (char *)); + new_num_patterns = num_patterns; +- ds_init (&pattern_name, 128); ++ max_new_patterns = num_patterns; ++ new_save_patterns = xcalloc (max_new_patterns, sizeof (new_save_patterns[0])); + + pattern_fp = fopen (pattern_file_name, "r"); + if (pattern_fp == NULL) ++ { + open_error (pattern_file_name); ++ ds_free (&pattern_name); ++ } + else + { + while (ds_fgetstr (pattern_fp, &pattern_name, '\n') != NULL) + { +- if (new_num_patterns >= max_new_patterns) +- { +- max_new_patterns += 1; +- new_save_patterns = (char **) +- xrealloc ((char *) new_save_patterns, +- max_new_patterns * sizeof (char *)); +- } ++ if (new_num_patterns == max_new_patterns) ++ new_save_patterns = x2nrealloc (new_save_patterns, ++ &max_new_patterns, ++ sizeof (new_save_patterns[0])); + new_save_patterns[new_num_patterns] = xstrdup (pattern_name.ds_string); + ++new_num_patterns; + } ++ ++ ds_free (&pattern_name); ++ + if (ferror (pattern_fp) || fclose (pattern_fp) == EOF) + close_error (pattern_file_name); + } +@@ -1198,7 +1201,7 @@ swab_array (char *ptr, int count) + in the file system. */ + + void +-process_copy_in () ++process_copy_in (void) + { + char done = false; /* True if trailer reached. */ + FILE *tty_in = NULL; /* Interactive file for rename option. 
*/ +diff --git a/src/copyout.c b/src/copyout.c +index 4b7336b..421d36d 100644 +--- a/src/copyout.c ++++ b/src/copyout.c +@@ -594,9 +594,10 @@ assign_string (char **pvar, char *value) + The format of the header depends on the compatibility (-c) flag. */ + + void +-process_copy_out () ++process_copy_out (void) + { +- dynamic_string input_name; /* Name of file read from stdin. */ ++ dynamic_string input_name = DYNAMIC_STRING_INITIALIZER; ++ /* Name of file read from stdin. */ + struct stat file_stat; /* Stat record for file. */ + struct cpio_file_stat file_hdr = CPIO_FILE_STAT_INITIALIZER; + /* Output header information. */ +@@ -605,7 +606,6 @@ process_copy_out () + char *orig_file_name = NULL; + + /* Initialize the copy out. */ +- ds_init (&input_name, 128); + file_hdr.c_magic = 070707; + + /* Check whether the output file might be a tape. */ +@@ -657,14 +657,9 @@ process_copy_out () + { + if (file_hdr.c_mode & CP_IFDIR) + { +- int len = strlen (input_name.ds_string); + /* Make sure the name ends with a slash */ +- if (input_name.ds_string[len-1] != '/') +- { +- ds_resize (&input_name, len + 2); +- input_name.ds_string[len] = '/'; +- input_name.ds_string[len+1] = 0; +- } ++ if (!ds_endswith (&input_name, '/')) ++ ds_append (&input_name, '/'); + } + } + +@@ -875,6 +870,7 @@ process_copy_out () + (unsigned long) blocks), (unsigned long) blocks); + } + cpio_file_stat_free (&file_hdr); ++ ds_free (&input_name); + } + + +diff --git a/src/copypass.c b/src/copypass.c +index dc13b5b..62f31c6 100644 +--- a/src/copypass.c ++++ b/src/copypass.c +@@ -48,10 +48,12 @@ set_copypass_perms (int fd, const char *name, struct stat *st) + If `link_flag', link instead of copying. */ + + void +-process_copy_pass () ++process_copy_pass (void) + { +- dynamic_string input_name; /* Name of file from stdin. */ +- dynamic_string output_name; /* Name of new file. */ ++ dynamic_string input_name = DYNAMIC_STRING_INITIALIZER; ++ /* Name of file from stdin. 
*/ ++ dynamic_string output_name = DYNAMIC_STRING_INITIALIZER; ++ /* Name of new file. */ + size_t dirname_len; /* Length of `directory_name'. */ + int res; /* Result of functions. */ + char *slash; /* For moving past slashes in input name. */ +@@ -65,25 +67,18 @@ process_copy_pass () + created files */ + + /* Initialize the copy pass. */ +- ds_init (&input_name, 128); + + dirname_len = strlen (directory_name); + if (change_directory_option && !ISSLASH (directory_name[0])) + { + char *pwd = xgetcwd (); +- +- dirname_len += strlen (pwd) + 1; +- ds_init (&output_name, dirname_len + 2); +- strcpy (output_name.ds_string, pwd); +- strcat (output_name.ds_string, "/"); +- strcat (output_name.ds_string, directory_name); ++ ++ ds_concat (&output_name, pwd); ++ ds_append (&output_name, '/'); + } +- else +- { +- ds_init (&output_name, dirname_len + 2); +- strcpy (output_name.ds_string, directory_name); +- } +- output_name.ds_string[dirname_len] = '/'; ++ ds_concat (&output_name, directory_name); ++ ds_append (&output_name, '/'); ++ dirname_len = ds_len (&output_name); + output_is_seekable = true; + + change_dir (); +@@ -116,8 +111,8 @@ process_copy_pass () + /* Make the name of the new file. 
*/ + for (slash = input_name.ds_string; *slash == '/'; ++slash) + ; +- ds_resize (&output_name, dirname_len + strlen (slash) + 2); +- strcpy (output_name.ds_string + dirname_len + 1, slash); ++ ds_reset (&output_name, dirname_len); ++ ds_concat (&output_name, slash); + + existing_dir = false; + if (lstat (output_name.ds_string, &out_file_stat) == 0) +@@ -333,6 +328,9 @@ process_copy_pass () + (unsigned long) blocks), + (unsigned long) blocks); + } ++ ++ ds_free (&input_name); ++ ds_free (&output_name); + } + + /* Try and create a hard link from FILE_NAME to another file +diff --git a/src/dstring.c b/src/dstring.c +index e9c063f..358f356 100644 +--- a/src/dstring.c ++++ b/src/dstring.c +@@ -20,8 +20,8 @@ + #if defined(HAVE_CONFIG_H) + # include + #endif +- + #include ++#include + #if defined(HAVE_STRING_H) || defined(STDC_HEADERS) + #include + #else +@@ -33,24 +33,41 @@ + /* Initialiaze dynamic string STRING with space for SIZE characters. */ + + void +-ds_init (dynamic_string *string, int size) ++ds_init (dynamic_string *string) ++{ ++ memset (string, 0, sizeof *string); ++} ++ ++/* Free the dynamic string storage. */ ++ ++void ++ds_free (dynamic_string *string) + { +- string->ds_length = size; +- string->ds_string = (char *) xmalloc (size); ++ free (string->ds_string); + } + +-/* Expand dynamic string STRING, if necessary, to hold SIZE characters. */ ++/* Expand dynamic string STRING, if necessary. */ + + void +-ds_resize (dynamic_string *string, int size) ++ds_resize (dynamic_string *string) + { +- if (size > string->ds_length) ++ if (string->ds_idx == string->ds_size) + { +- string->ds_length = size; +- string->ds_string = (char *) xrealloc ((char *) string->ds_string, size); ++ string->ds_string = x2nrealloc (string->ds_string, &string->ds_size, ++ 1); + } + } + ++/* Reset the index of the dynamic string S to LEN. 
*/ ++ ++void ++ds_reset (dynamic_string *s, size_t len) ++{ ++ while (len > s->ds_size) ++ ds_resize (s); ++ s->ds_idx = len; ++} ++ + /* Dynamic string S gets a string terminated by the EOS character + (which is removed) from file F. S will increase + in size during the function if the string from F is longer than +@@ -61,34 +78,50 @@ ds_resize (dynamic_string *string, int size) + char * + ds_fgetstr (FILE *f, dynamic_string *s, char eos) + { +- int insize; /* Amount needed for line. */ +- int strsize; /* Amount allocated for S. */ + int next_ch; + + /* Initialize. */ +- insize = 0; +- strsize = s->ds_length; ++ s->ds_idx = 0; + + /* Read the input string. */ +- next_ch = getc (f); +- while (next_ch != eos && next_ch != EOF) ++ while ((next_ch = getc (f)) != eos && next_ch != EOF) + { +- if (insize >= strsize - 1) +- { +- ds_resize (s, strsize * 2 + 2); +- strsize = s->ds_length; +- } +- s->ds_string[insize++] = next_ch; +- next_ch = getc (f); ++ ds_resize (s); ++ s->ds_string[s->ds_idx++] = next_ch; + } +- s->ds_string[insize++] = '\0'; ++ ds_resize (s); ++ s->ds_string[s->ds_idx] = '\0'; + +- if (insize == 1 && next_ch == EOF) ++ if (s->ds_idx == 0 && next_ch == EOF) + return NULL; + else + return s->ds_string; + } + ++void ++ds_append (dynamic_string *s, int c) ++{ ++ ds_resize (s); ++ s->ds_string[s->ds_idx] = c; ++ if (c) ++ { ++ s->ds_idx++; ++ ds_resize (s); ++ s->ds_string[s->ds_idx] = 0; ++ } ++} ++ ++void ++ds_concat (dynamic_string *s, char const *str) ++{ ++ size_t len = strlen (str); ++ while (len + 1 > s->ds_size) ++ ds_resize (s); ++ memcpy (s->ds_string + s->ds_idx, str, len); ++ s->ds_idx += len; ++ s->ds_string[s->ds_idx] = 0; ++} ++ + char * + ds_fgets (FILE *f, dynamic_string *s) + { +@@ -100,3 +133,10 @@ ds_fgetname (FILE *f, dynamic_string *s) + { + return ds_fgetstr (f, s, '\0'); + } ++ ++/* Return true if the dynamic string S ends with character C. 
*/ ++int ++ds_endswith (dynamic_string *s, int c) ++{ ++ return (s->ds_idx > 0 && s->ds_string[s->ds_idx - 1] == c); ++} +diff --git a/src/dstring.h b/src/dstring.h +index b5135fe..f5b04ef 100644 +--- a/src/dstring.h ++++ b/src/dstring.h +@@ -17,10 +17,6 @@ + Software Foundation, Inc., 51 Franklin Street, Fifth Floor, + Boston, MA 02110-1301 USA. */ + +-#ifndef NULL +-#define NULL 0 +-#endif +- + /* A dynamic string consists of record that records the size of an + allocated string and the pointer to that string. The actual string + is a normal zero byte terminated string that can be used with the +@@ -30,22 +26,25 @@ + + typedef struct + { +- int ds_length; /* Actual amount of storage allocated. */ +- char *ds_string; /* String. */ ++ size_t ds_size; /* Actual amount of storage allocated. */ ++ size_t ds_idx; /* Index of the next free byte in the string. */ ++ char *ds_string; /* String storage. */ + } dynamic_string; + ++#define DYNAMIC_STRING_INITIALIZER { 0, 0, NULL } + +-/* Macros that look similar to the original string functions. +- WARNING: These macros work only on pointers to dynamic string records. +- If used with a real record, an "&" must be used to get the pointer. 
*/ +-#define ds_strlen(s) strlen ((s)->ds_string) +-#define ds_strcmp(s1, s2) strcmp ((s1)->ds_string, (s2)->ds_string) +-#define ds_strncmp(s1, s2, n) strncmp ((s1)->ds_string, (s2)->ds_string, n) +-#define ds_index(s, c) index ((s)->ds_string, c) +-#define ds_rindex(s, c) rindex ((s)->ds_string, c) ++void ds_init (dynamic_string *string); ++void ds_free (dynamic_string *string); ++void ds_reset (dynamic_string *s, size_t len); + +-void ds_init (dynamic_string *string, int size); +-void ds_resize (dynamic_string *string, int size); ++/* All functions below guarantee that s->ds_string[s->ds_idx] == '\0' */ + char *ds_fgetname (FILE *f, dynamic_string *s); + char *ds_fgets (FILE *f, dynamic_string *s); + char *ds_fgetstr (FILE *f, dynamic_string *s, char eos); ++void ds_append (dynamic_string *s, int c); ++void ds_concat (dynamic_string *s, char const *str); ++ ++#define ds_len(s) ((s)->ds_idx) ++ ++int ds_endswith (dynamic_string *s, int c); ++ +diff --git a/src/util.c b/src/util.c +index 4421b20..6d6bbaa 100644 +--- a/src/util.c ++++ b/src/util.c +@@ -846,11 +846,9 @@ get_next_reel (int tape_des) + FILE *tty_out; /* File for interacting with user. */ + int old_tape_des; + char *next_archive_name; +- dynamic_string new_name; ++ dynamic_string new_name = DYNAMIC_STRING_INITIALIZER; + char *str_res; + +- ds_init (&new_name, 128); +- + /* Open files for interactive communication. */ + tty_in = fopen (TTY_NAME, "r"); + if (tty_in == NULL) +@@ -925,7 +923,7 @@ get_next_reel (int tape_des) + error (PAXEXIT_FAILURE, 0, _("internal error: tape descriptor changed from %d to %d"), + old_tape_des, tape_des); + +- free (new_name.ds_string); ++ ds_free (&new_name); + fclose (tty_in); + fclose (tty_out); + } +-- +1.8.3.1 + diff --git a/backport-0002-CVE-2021-38185-Fix-previous-commit.patch b/backport-0002-CVE-2021-38185-Fix-previous-commit.patch new file mode 100644 index 0000000..f310a11 --- /dev/null +++ b/backport-0002-CVE-2021-38185-Fix-previous-commit.patch 
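Review bot: In the `process_copy_pass` hunk of src/copypass.c the result of `xgetcwd ()` goes straight into `ds_concat (&output_name, pwd)`, which starts with `strlen (str)`. As far as I know, gnulib's `xgetcwd` aborts only on out-of-memory and returns NULL for any other failure, so a removed or unreadable working directory becomes a NULL dereference. `pwd` is also block-scoped and the block closes without freeing it, so the buffer leaks now that its contents are copied into `output_name`. I would add `if (pwd == NULL) error (PAXEXIT_FAILURE, errno, _("cannot get working directory"));` (message text constructed here) before the `ds_concat` call and `free (pwd);` after `ds_append (&output_name, '/');`. The rest of `process_copy_pass` lies outside the hunk.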
@@ -0,0 +1,36 @@ +From dfc801c44a93bed7b3951905b188823d6a0432c8 Mon Sep 17 00:00:00 2001 +From: Sergey Poznyakoff +Date: Wed, 11 Aug 2021 18:10:38 +0300 +Subject: [PATCH 12/13] Fix previous commit + +* src/dstring.c (ds_reset,ds_concat): Don't call ds_resize in a +loop. +--- + src/dstring.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/src/dstring.c b/src/dstring.c +index 692d3e7..b7e0bb5 100644 +--- a/src/dstring.c ++++ b/src/dstring.c +@@ -64,7 +64,7 @@ void + ds_reset (dynamic_string *s, size_t len) + { + while (len > s->ds_size) +- ds_resize (s); ++ s->ds_string = x2nrealloc (s->ds_string, &s->ds_size, 1); + s->ds_idx = len; + } + +@@ -116,7 +116,7 @@ ds_concat (dynamic_string *s, char const *str) + { + size_t len = strlen (str); + while (len + 1 > s->ds_size) +- ds_resize (s); ++ s->ds_string = x2nrealloc (s->ds_string, &s->ds_size, 1); + memcpy (s->ds_string + s->ds_idx, str, len); + s->ds_idx += len; + s->ds_string[s->ds_idx] = 0; +-- +1.8.3.1 + diff --git a/backport-0003-CVE-2021-38185-Fix-dynamic-string-reallocations.patch b/backport-0003-CVE-2021-38185-Fix-dynamic-string-reallocations.patch new file mode 100644 index 0000000..b7ee7cd --- /dev/null +++ b/backport-0003-CVE-2021-38185-Fix-dynamic-string-reallocations.patch 
@@ -0,0 +1,78 @@ +From 236684f6deb3178043fe72a8e2faca538fa2aae1 Mon Sep 17 00:00:00 2001 +From: Sergey Poznyakoff +Date: Wed, 18 Aug 2021 09:41:39 +0300 +Subject: [PATCH 13/13] Fix dynamic string reallocations + +* src/dstring.c (ds_resize): Take additional argument: number of +bytes to leave available after ds_idx. All uses changed. +--- + src/dstring.c | 18 ++++++++---------- + 1 file changed, 8 insertions(+), 10 deletions(-) + +diff --git a/src/dstring.c b/src/dstring.c +index b7e0bb5..fd4e030 100644 +--- a/src/dstring.c ++++ b/src/dstring.c +@@ -49,9 +49,9 @@ ds_free (dynamic_string *string) + /* Expand dynamic string STRING, if necessary. */ + + void +-ds_resize (dynamic_string *string) ++ds_resize (dynamic_string *string, size_t len) + { +- if (string->ds_idx == string->ds_size) ++ while (len + string->ds_idx >= string->ds_size) + { + string->ds_string = x2nrealloc (string->ds_string, &string->ds_size, + 1); +@@ -63,8 +63,7 @@ ds_resize (dynamic_string *string) + void + ds_reset (dynamic_string *s, size_t len) + { +- while (len > s->ds_size) +- s->ds_string = x2nrealloc (s->ds_string, &s->ds_size, 1); ++ ds_resize (s, len); + s->ds_idx = len; + } + +@@ -86,10 +85,10 @@ ds_fgetstr (FILE *f, dynamic_string *s, char eos) + /* Read the input string. 
*/ + while ((next_ch = getc (f)) != eos && next_ch != EOF) + { +- ds_resize (s); ++ ds_resize (s, 0); + s->ds_string[s->ds_idx++] = next_ch; + } +- ds_resize (s); ++ ds_resize (s, 0); + s->ds_string[s->ds_idx] = '\0'; + + if (s->ds_idx == 0 && next_ch == EOF) +@@ -101,12 +100,12 @@ ds_fgetstr (FILE *f, dynamic_string *s, char eos) + void + ds_append (dynamic_string *s, int c) + { +- ds_resize (s); ++ ds_resize (s, 0); + s->ds_string[s->ds_idx] = c; + if (c) + { + s->ds_idx++; +- ds_resize (s); ++ ds_resize (s, 0); + s->ds_string[s->ds_idx] = 0; + } + } +@@ -115,8 +114,7 @@ void + ds_concat (dynamic_string *s, char const *str) + { + size_t len = strlen (str); +- while (len + 1 > s->ds_size) +- s->ds_string = x2nrealloc (s->ds_string, &s->ds_size, 1); ++ ds_resize (s, len); + memcpy (s->ds_string + s->ds_idx, str, len); + s->ds_idx += len; + s->ds_string[s->ds_idx] = 0; +-- +1.8.3.1 + diff --git a/cpio.spec b/cpio.spec index 797b5b9..a9a1d82 100644 --- a/cpio.spec +++ b/cpio.spec @@ -1,6 +1,6 @@ Name: cpio Version: 2.13 -Release: 3 +Release: 4 Summary: A GNU archiving program License: GPLv3+ @@ -14,9 +14,13 @@ Patch3: cpio-2.9.90-defaultremoteshell.patch Patch4: cpio-2.10-patternnamesigsegv.patch Patch5: cpio-2.10-longnames-split.patch Patch6: cpio-2.11-crc-fips-nit.patch -Patch7: add-option-to-add-metadata-in-copy-out-mode.patch -Patch8: Fix-use-after-free-and-return-appropriate-error.patch -Patch9: revert-CVE-2015-1197.patch +Patch7: revert-CVE-2015-1197.patch +Patch8: backport-0001-CVE-2021-38185-Rewrite-dynamic-string-support.patch +Patch9: backport-0002-CVE-2021-38185-Fix-previous-commit.patch +Patch10: backport-0003-CVE-2021-38185-Fix-dynamic-string-reallocations.patch + +Patch9000: add-option-to-add-metadata-in-copy-out-mode.patch +Patch9001: Fix-use-after-free-and-return-appropriate-error.patch Provides: bundled(gnulib) Provides: /bin/cpio 
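Review bot: The comment above `ds_resize` still reads `/* Expand dynamic string STRING, if necessary. */` and does not say what the new `len` argument means, although every bounds guarantee in src/dstring.c now depends on it. The loop exits once `len + string->ds_idx < string->ds_size`, so I would document it as `/* Grow STRING until LEN bytes plus a terminating NUL fit at STRING->ds_idx. */`. The same comment could note that `ds_reset` passes its target index as LEN on top of the current `ds_idx`, which over-allocates but keeps the new index inside the buffer.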
@@ -59,6 +63,12 @@ make check %{_datadir}/man/man1/%{name}.1.gz %changelog +* Tue Aug 24 2021 yangzhuangzhuang - 2.13-4 +- Type:CVE +- ID:CVE-2021-38185 +- SUG:NA +- DESC:Fix CVE-2021-38185 + * Fri Jun 4 2021 fuanan - 2.13-3 - Type:bugfix - ID:NA -- Gitee