Diffstat (limited to 'meta-oem-extra-libs/recipes-core/libtar/files')
8 files changed, 840 insertions, 0 deletions
diff --git a/meta-oem-extra-libs/recipes-core/libtar/files/CVE-2013-4420.patch b/meta-oem-extra-libs/recipes-core/libtar/files/CVE-2013-4420.patch
new file mode 100644
index 00000000..477d130f
--- /dev/null
+++ b/meta-oem-extra-libs/recipes-core/libtar/files/CVE-2013-4420.patch
@@ -0,0 +1,113 @@
+Author: Raphael Geissert <geissert@debian.org>
+Bug-Debian: https://bugs.debian.org/731860
+Description: Avoid directory traversal when extracting archives
+ by skipping over leading slashes and any prefix containing ".." components.
+Forwarded: yes
+
+--- a/lib/decode.c
++++ b/lib/decode.c
+@@ -22,13 +22,42 @@
+ # include <string.h>
+ #endif
+
++char *
++safer_name_suffix (char const *file_name)
++{
++ char const *p, *t;
++ p = t = file_name;
++ while (*p == '/') t = ++p;
++ while (*p)
++ {
++ while (p[0] == '.' && p[0] == p[1] && p[2] == '/')
++ {
++ p += 3;
++ t = p;
++ }
++ /* advance pointer past the next slash */
++ while (*p && (p++)[0] != '/');
++ }
++
++ if (!*t)
++ {
++ t = ".";
++ }
++
++ if (t != file_name)
++ {
++ /* TODO: warn somehow that the path was modified */
++ }
++ return (char*)t;
++}
++
+
+ /* determine full path name */
+ char *
+ th_get_pathname(TAR *t)
+ {
+ if (t->th_buf.gnu_longname)
+- return t->th_buf.gnu_longname;
++ return safer_name_suffix(t->th_buf.gnu_longname);
+
+ /* allocate the th_pathname buffer if not already */
+ if (t->th_pathname == NULL)
+@@ -51,7 +80,7 @@ th_get_pathname(TAR *t)
+ }
+
+ /* will be deallocated in tar_close() */
+- return t->th_pathname;
++ return safer_name_suffix(t->th_pathname);
+ }
+
+
+--- a/lib/extract.c
++++ b/lib/extract.c
+@@ -298,14 +298,14 @@ tar_extract_hardlink(TAR * t, char *real
+ if (mkdirhier(dirname(filename)) == -1)
+ return -1;
+ libtar_hashptr_reset(&hp);
+- if (libtar_hash_getkey(t->h, &hp, th_get_linkname(t),
++ if (libtar_hash_getkey(t->h, &hp, safer_name_suffix(th_get_linkname(t)),
+ (libtar_matchfunc_t)libtar_str_match) != 0)
+ {
+ lnp = (char *)libtar_hashptr_data(&hp);
+ linktgt = &lnp[strlen(lnp) + 1];
+ }
+ else
+- linktgt = th_get_linkname(t);
++ linktgt = safer_name_suffix(th_get_linkname(t));
+
+ #ifdef DEBUG
+ printf(" ==> extracting: %s (link to %s)\n", filename, linktgt);
+@@ -343,9 +343,9 @@ tar_extract_symlink(TAR *t, char *realna
+
+ #ifdef DEBUG
+ printf(" ==> extracting: %s (symlink to %s)\n",
+- filename, th_get_linkname(t));
++ filename, safer_name_suffix(th_get_linkname(t)));
+ #endif
+- if (symlink(th_get_linkname(t), filename) == -1)
++ if (symlink(safer_name_suffix(th_get_linkname(t)), filename) == -1)
+ {
+ #ifdef DEBUG
+ perror("symlink()");
+--- a/lib/internal.h
++++ b/lib/internal.h
+@@ -21,3 +21,4 @@
+ #define TLS_THREAD
+ #endif
+
++char* safer_name_suffix(char const*);
+--- a/lib/output.c
++++ b/lib/output.c
+@@ -123,9 +123,9 @@ th_print_long_ls(TAR *t)
+ else
+ printf(" link to ");
+ if ((t->options & TAR_GNU) && t->th_buf.gnu_longlink != NULL)
+- printf("%s", t->th_buf.gnu_longlink);
++ printf("%s", safer_name_suffix(t->th_buf.gnu_longlink));
+ else
+- printf("%.100s", t->th_buf.linkname);
++ printf("%.100s", safer_name_suffix(t->th_buf.linkname));
+ }
+
+ putchar('\n');
diff --git a/meta-oem-extra-libs/recipes-core/libtar/files/no_maxpathlen.patch b/meta-oem-extra-libs/recipes-core/libtar/files/no_maxpathlen.patch
new file mode 100644
index 00000000..104dc4cd
--- /dev/null
+++ b/meta-oem-extra-libs/recipes-core/libtar/files/no_maxpathlen.patch
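Review bot: safer_name_suffix() in lib/decode.c only drops a `..` component when a slash follows it, so a name or link target that is exactly `..` or ends in `/..` is returned unchanged; the inner loop tests `p[2] == '/'` and never the end of the string. This hunk also routes the targets given to symlink() and to the hardlink lookup through the same helper, so the remaining case can still resolve above the extraction directory. I would accept the terminator as well, `while (p[0] == '.' && p[1] == '.' && (p[2] == '/' || p[2] == '\0'))`, and advance with `p += (p[2] == '/') ? 3 : 2;` so the pointer never steps past the NUL. The helper can also hand back the string literal `"."` through a `char *`, so the prototype in internal.h deserves the comment `/* result aliases the argument or a static string: do not modify or free */`.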
@@ -0,0 +1,491 @@
+Author: Svante Signell <svante.signell@telia.com>
+Author: Petter Reinholdtsen <pere@hungry.com>
+Author: Magnus Holmgren <magnus@debian.org>
+Bug-Debian: http://bugs.debian.org/657116
+Description: Fix FTBFS on Hurd by dynamically allocating path names.
+ Depends on no_static_buffers.patch, which introduced the th_pathname field.
+
+--- a/compat/basename.c
++++ b/compat/basename.c
+@@ -34,13 +34,25 @@ static char rcsid[] = "$OpenBSD: basenam
+ #include <errno.h>
+ #include <string.h>
+ #include <sys/param.h>
++#include <stdlib.h>
+
+ char *
+ openbsd_basename(path)
+ const char *path;
+ {
+- static char bname[MAXPATHLEN];
++ static char *bname = NULL;
++ static size_t allocated = 0;
+ register const char *endp, *startp;
++ int len = 0;
++
++ if (!allocated) {
++ allocated = 64;
++ bname = malloc(allocated);
++ if (!bname) {
++ allocated = 0;
++ return NULL;
++ }
++ }
+
+ /* Empty or NULL string gets treated as "." */
+ if (path == NULL || *path == '\0') {
+@@ -64,11 +76,19 @@ openbsd_basename(path)
+ while (startp > path && *(startp - 1) != '/')
+ startp--;
+
+- if (endp - startp + 1 > sizeof(bname)) {
+- errno = ENAMETOOLONG;
+- return(NULL);
++ len = endp - startp + 1;
++
++ if (len + 1 > allocated) {
++ size_t new_allocated = 2*(len+1);
++ void *new_bname = malloc(new_allocated);
++ if (!new_bname)
++ return NULL;
++ allocated = new_allocated;
++ free(bname);
++ bname = new_bname;
+ }
+- (void)strncpy(bname, startp, endp - startp + 1);
+- bname[endp - startp + 1] = '\0';
++
++ (void)strncpy(bname, startp, len);
++ bname[len] = '\0';
+ return(bname);
+ }
+--- a/compat/dirname.c
++++ b/compat/dirname.c
+@@ -34,13 +34,25 @@ static char rcsid[] = "$OpenBSD: dirname
+ #include <errno.h>
+ #include <string.h>
+ #include <sys/param.h>
++#include <stdlib.h>
+
+ char *
+ openbsd_dirname(path)
+ const char *path;
+ {
+- static char bname[MAXPATHLEN];
++ static char *bname = NULL;
++ static size_t allocated = 0;
+ register const char *endp;
++ int len;
++
++ if (!allocated) {
++ allocated = 64;
++ bname = malloc(allocated);
++ if (!bname) {
++ allocated = 0;
++ return NULL;
++ }
++ }
+
+ /* Empty or NULL string gets treated as "." */
+ if (path == NULL || *path == '\0') {
+@@ -67,11 +79,19 @@ openbsd_dirname(path)
+ } while (endp > path && *endp == '/');
+ }
+
+- if (endp - path + 1 > sizeof(bname)) {
+- errno = ENAMETOOLONG;
+- return(NULL);
++ len = endp - path + 1;
++
++ if (len + 1 > allocated) {
++ size_t new_allocated = 2*(len+1);
++ void *new_bname = malloc(new_allocated);
++ if (!new_bname)
++ return NULL;
++ allocated = new_allocated;
++ free(bname);
++ bname = new_bname;
+ }
+- (void)strncpy(bname, path, endp - path + 1);
+- bname[endp - path + 1] = '\0';
++
++ (void)strncpy(bname, path, len);
++ bname[len] = '\0';
+ return(bname);
+ }
+--- a/lib/append.c
++++ b/lib/append.c
+@@ -38,7 +38,7 @@ typedef struct tar_dev tar_dev_t;
+ struct tar_ino
+ {
+ ino_t ti_ino;
+- char ti_name[MAXPATHLEN];
++ char ti_name[];
+ };
+ typedef struct tar_ino tar_ino_t;
+
+@@ -61,7 +61,7 @@ tar_append_file(TAR *t, const char *real
+ libtar_hashptr_t hp;
+ tar_dev_t *td = NULL;
+ tar_ino_t *ti = NULL;
+- char path[MAXPATHLEN];
++ char *path = NULL;
+
+ #ifdef DEBUG
+ printf("==> tar_append_file(TAR=0x%lx (\"%s\"), realname=\"%s\", "
+@@ -126,34 +126,39 @@ tar_append_file(TAR *t, const char *real
+ }
+ else
+ {
++ const char *name;
+ #ifdef DEBUG
+ printf("+++ adding entry: device (0x%lx,0x%lx), inode %ld "
+ "(\"%s\")...\n", major(s.st_dev), minor(s.st_dev),
+ s.st_ino, realname);
+ #endif
+- ti = (tar_ino_t *)calloc(1, sizeof(tar_ino_t));
++ name = savename ? savename : realname;
++ ti = (tar_ino_t *)calloc(1, sizeof(tar_ino_t) + strlen(name) + 1);
+ if (ti == NULL)
+ return -1;
+ ti->ti_ino = s.st_ino;
+- snprintf(ti->ti_name, sizeof(ti->ti_name), "%s",
+- savename ? savename : realname);
++ snprintf(ti->ti_name, strlen(name) + 1, "%s", name);
+ libtar_hash_add(td->td_h, ti);
+ }
+
+ /* check if it's a symlink */
+ if (TH_ISSYM(t))
+ {
+- i = readlink(realname, path, sizeof(path));
++ if ((path = malloc(s.st_size + 1)) == NULL)
++ return -1;
++ i = readlink(realname, path, s.st_size);
+ if (i == -1)
++ {
++ free(path);
+ return -1;
+- if (i >= MAXPATHLEN)
+- i = MAXPATHLEN - 1;
++ }
+ path[i] = '\0';
+ #ifdef DEBUG
+ printf(" tar_append_file(): encoding symlink \"%s\" -> "
+ "\"%s\"...\n", realname, path);
+ #endif
+ th_set_link(t, path);
++ free(path);
+ }
+
+ /* print file info */
+--- a/lib/decode.c
++++ b/lib/decode.c
+@@ -33,7 +33,8 @@ th_get_pathname(TAR *t)
+ /* allocate the th_pathname buffer if not already */
+ if (t->th_pathname == NULL)
+ {
+- t->th_pathname = malloc(MAXPATHLEN * sizeof(char));
++ /* Allocate the maximum length of prefix + '/' + name + '\0' */
++ t->th_pathname = malloc(155 + 1 + 100 + 1);
+ if (t->th_pathname == NULL)
+ /* out of memory */
+ return NULL;
+@@ -41,11 +42,11 @@ th_get_pathname(TAR *t)
+
+ if (t->th_buf.prefix[0] == '\0')
+ {
+- snprintf(t->th_pathname, MAXPATHLEN, "%.100s", t->th_buf.name);
++ sprintf(t->th_pathname, "%.100s", t->th_buf.name);
+ }
+ else
+ {
+- snprintf(t->th_pathname, MAXPATHLEN, "%.155s/%.100s",
++ sprintf(t->th_pathname, "%.155s/%.100s",
+ t->th_buf.prefix, t->th_buf.name);
+ }
+
+--- a/lib/util.c
++++ b/lib/util.c
+@@ -15,6 +15,7 @@
+ #include <stdio.h>
+ #include <sys/param.h>
+ #include <errno.h>
++#include <stdlib.h>
+
+ #ifdef STDC_HEADERS
+ # include <string.h>
+@@ -25,13 +26,15 @@
+ int
+ path_hashfunc(char *key, int numbuckets)
+ {
+- char buf[MAXPATHLEN];
++ char *buf;
+ char *p;
++ int i;
+
+- strcpy(buf, key);
++ buf = strdup(key);
+ p = basename(buf);
+-
+- return (((unsigned int)p[0]) % numbuckets);
++ i = ((unsigned int)p[0]) % numbuckets;
++ free(buf);
++ return (i);
+ }
+
+
+@@ -77,15 +80,26 @@ ino_hash(ino_t *inode)
+ int
+ mkdirhier(char *path)
+ {
+- char src[MAXPATHLEN], dst[MAXPATHLEN] = "";
+- char *dirp, *nextp = src;
+- int retval = 1;
++ char *src, *dst = NULL;
++ char *dirp, *nextp = NULL;
++ int retval = 1, len;
++
++ len = strlen(path);
++ if ((src = strdup(path)) == NULL)
++ {
++ errno = ENOMEM;
++ return -1;
++ }
++ nextp = src;
+
+- if (strlcpy(src, path, sizeof(src)) > sizeof(src))
++ /* Make room for // with absolute paths */
++ if ((dst = malloc(len + 2)) == NULL)
+ {
+- errno = ENAMETOOLONG;
++ free(src);
++ errno = ENOMEM;
+ return -1;
+ }
++ dst[0] = '\0';
+
+ if (path[0] == '/')
+ strcpy(dst, "/");
+@@ -102,12 +116,18 @@ mkdirhier(char *path)
+ if (mkdir(dst, 0777) == -1)
+ {
+ if (errno != EEXIST)
++ {
++ free(src);
++ free(dst);
+ return -1;
++ }
+ }
+ else
+ retval = 0;
+ }
+
++ free(src);
++ free(dst);
+ return retval;
+ }
+
+--- a/lib/wrapper.c
++++ b/lib/wrapper.c
+@@ -16,6 +16,7 @@
+ #include <sys/param.h>
+ #include <dirent.h>
+ #include <errno.h>
++#include <stdlib.h>
+
+ #ifdef STDC_HEADERS
+ # include <string.h>
+@@ -26,8 +27,8 @@ int
+ tar_extract_glob(TAR *t, char *globname, char *prefix)
+ {
+ char *filename;
+- char buf[MAXPATHLEN];
+- int i;
++ char *buf = NULL;
++ int i, len;
+
+ while ((i = th_read(t)) == 0)
+ {
+@@ -41,11 +42,25 @@ tar_extract_glob(TAR *t, char *globname,
+ if (t->options & TAR_VERBOSE)
+ th_print_long_ls(t);
+ if (prefix != NULL)
+- snprintf(buf, sizeof(buf), "%s/%s", prefix, filename);
++ {
++ len = strlen(prefix) + 1 + strlen(filename);
++ if ((buf = malloc(len + 1)) == NULL)
++ return -1;
++ sprintf(buf, "%s/%s", prefix, filename);
++ }
+ else
+- strlcpy(buf, filename, sizeof(buf));
++ {
++ len = strlen(filename);
++ if ((buf = malloc(len + 1)) == NULL)
++ return -1;
++ strcpy(buf, filename);
++ }
+ if (tar_extract_file(t, buf) != 0)
++ {
++ free(buf);
+ return -1;
++ }
++ free(buf);
+ }
+
+ return (i == 1 ? 0 : -1);
+@@ -56,8 +71,9 @@ int
+ tar_extract_all(TAR *t, char *prefix)
+ {
+ char *filename;
+- char buf[MAXPATHLEN];
+- int i;
++ char *buf = NULL;
++ size_t bufsize = 0;
++ int i, len;
+
+ #ifdef DEBUG
+ printf("==> tar_extract_all(TAR *t, \"%s\")\n",
+@@ -73,15 +89,29 @@ tar_extract_all(TAR *t, char *prefix)
+ if (t->options & TAR_VERBOSE)
+ th_print_long_ls(t);
+ if (prefix != NULL)
+- snprintf(buf, sizeof(buf), "%s/%s", prefix, filename);
++ {
++ len = strlen(prefix) + 1 + strlen(filename);
++ if ((buf = malloc(len + 1)) == NULL)
++ return -1;
++ sprintf(buf, "%s/%s", prefix, filename);
++ }
+ else
+- strlcpy(buf, filename, sizeof(buf));
++ {
++ len = strlen(filename);
++ if ((buf = malloc(len + 1)) == NULL)
++ return -1;
++ strcpy(buf, filename);
++ }
+ #ifdef DEBUG
+ printf(" tar_extract_all(): calling tar_extract_file(t, "
+ "\"%s\")\n", buf);
+ #endif
+ if (tar_extract_file(t, buf) != 0)
++ {
++ free(buf);
+ return -1;
++ }
++ free(buf);
+ }
+
+ return (i == 1 ? 0 : -1);
+@@ -91,11 +121,14 @@ tar_extract_all(TAR *t, char *prefix)
+ int
+ tar_append_tree(TAR *t, char *realdir, char *savedir)
+ {
+- char realpath[MAXPATHLEN];
+- char savepath[MAXPATHLEN];
++ char *realpath = NULL;
++ size_t realpathsize = 0;
++ char *savepath = NULL;
++ size_t savepathsize = 0;
+ struct dirent *dent;
+ DIR *dp;
+ struct stat s;
++ int len;
+
+ #ifdef DEBUG
+ printf("==> tar_append_tree(0x%lx, \"%s\", \"%s\")\n",
+@@ -122,11 +155,21 @@ tar_append_tree(TAR *t, char *realdir, c
+ strcmp(dent->d_name, "..") == 0)
+ continue;
+
+- snprintf(realpath, MAXPATHLEN, "%s/%s", realdir,
++ len = strlen(realdir) + 1 + strlen(dent->d_name);
++ if ((realpath = malloc(len + 1)) == NULL)
++ return -1;
++ snprintf(realpath, len + 1, "%s/%s", realdir,
+ dent->d_name);
+ if (savedir)
+- snprintf(savepath, MAXPATHLEN, "%s/%s", savedir,
++ {
++ len = strlen(savedir) + 1 + strlen(dent->d_name);
++ if ((savepath = malloc(len + 1)) == NULL) {
++ free(realpath);
++ return -1;
++ }
++ snprintf(savepath, len + 1, "%s/%s", savedir,
+ dent->d_name);
++ }
+
+ if (lstat(realpath, &s) != 0)
+ return -1;
+@@ -135,13 +178,23 @@ tar_append_tree(TAR *t, char *realdir, c
+ {
+ if (tar_append_tree(t, realpath,
+ (savedir ? savepath : NULL)) != 0)
++ {
++ free(realpath);
++ free(savepath);
+ return -1;
++ }
+ continue;
+ }
+
+ if (tar_append_file(t, realpath,
+ (savedir ? savepath : NULL)) != 0)
++ {
++ free(realpath);
++ free(savepath);
+ return -1;
++ }
++ free(realpath);
++ free(savepath);
+ }
+
+ closedir(dp);
+--- a/libtar/libtar.c
++++ b/libtar/libtar.c
+@@ -111,8 +111,9 @@ create(char *tarfile, char *rootdir, lib
+ {
+ TAR *t;
+ char *pathname;
+- char buf[MAXPATHLEN];
++ char *buf = NULL;
+ libtar_listptr_t lp;
++ int len;
+
+ if (tar_open(&t, tarfile,
+ #ifdef HAVE_LIBZ
+@@ -133,17 +134,29 @@ create(char *tarfile, char *rootdir, lib
+ {
+ pathname = (char *)libtar_listptr_data(&lp);
+ if (pathname[0] != '/' && rootdir != NULL)
+- snprintf(buf, sizeof(buf), "%s/%s", rootdir, pathname);
++ {
++ len = strlen(rootdir) + 1 + strlen(pathname);
++ if ((buf = malloc(len + 1)) == NULL)
++ return -1;
++ snprintf(buf, len + 1, "%s/%s", rootdir, pathname);
++ }
+ else
+- strlcpy(buf, pathname, sizeof(buf));
++ {
++ len = strlen(pathname);
++ if ((buf = malloc(len + 1)) == NULL)
++ return -1;
++ strlcpy(buf, pathname, len + 1);
++ }
+ if (tar_append_tree(t, buf, pathname) != 0)
+ {
+ fprintf(stderr,
+ "tar_append_tree(\"%s\", \"%s\"): %s\n", buf,
+ pathname, strerror(errno));
+ tar_close(t);
++ free(buf);
+ return -1;
+ }
++ free(buf);
+ }
+
+ if (tar_append_eof(t) != 0)
diff --git a/meta-oem-extra-libs/recipes-core/libtar/files/no_static_buffers.patch b/meta-oem-extra-libs/recipes-core/libtar/files/no_static_buffers.patch
new file mode 100644
index 00000000..548d7518
--- /dev/null
+++ b/meta-oem-extra-libs/recipes-core/libtar/files/no_static_buffers.patch
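Review bot: tar_append_tree() in lib/wrapper.c now mallocs `realpath` and `savepath` for every directory entry, but two exits that the patch leaves as context never release them: the `return -1` after `lstat(realpath, &s) != 0`, and the `continue` after a successful recursive call, which skips the `free()` pair added at the bottom of the loop. Both paths need `free(realpath); free(savepath);` before leaving the iteration, otherwise a deep tree leaks one pair per subdirectory. In lib/util.c, path_hashfunc() reads `p[0]` without checking `strdup()`, and the compat basename changed earlier in this same patch can now return NULL on allocation failure, so `if (buf == NULL || (p = basename(buf)) == NULL)` needs a defined fallback before the dereference. The new locals `bufsize`, `realpathsize` and `savepathsize` are never used, and the bodies of these functions extend beyond the hunks shown.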
@@ -0,0 +1,82 @@
+From: Kamil Dudka <kdudka@redhat.com>
+Date: Wed, 23 Oct 2013 13:04:22 +0000 (+0200)
+Origin: http://repo.or.cz/w/libtar.git/commitdiff/ec613af2e9371d7a3e1f7c7a6822164a4255b4d1
+Subject: decode: avoid using a static buffer in th_get_pathname()
+
+decode: avoid using a static buffer in th_get_pathname()
+
+A solution suggested by Chris Frey:
+https://lists.feep.net:8080/pipermail/libtar/2013-October/000377.html
+
+Note this can break programs that expect sizeof(TAR) to be fixed.
+
+--- a/lib/decode.c
++++ b/lib/decode.c
+@@ -13,6 +13,7 @@
+ #include <internal.h>
+
+ #include <stdio.h>
++#include <stdlib.h>
+ #include <sys/param.h>
+ #include <pwd.h>
+ #include <grp.h>
+@@ -26,20 +27,30 @@
+ char *
+ th_get_pathname(TAR *t)
+ {
+- static TLS_THREAD char filename[MAXPATHLEN];
+-
+ if (t->th_buf.gnu_longname)
+ return t->th_buf.gnu_longname;
+
+- if (t->th_buf.prefix[0] != '\0')
++ /* allocate the th_pathname buffer if not already */
++ if (t->th_pathname == NULL)
++ {
++ t->th_pathname = malloc(MAXPATHLEN * sizeof(char));
++ if (t->th_pathname == NULL)
++ /* out of memory */
++ return NULL;
++ }
++
++ if (t->th_buf.prefix[0] == '\0')
++ {
++ snprintf(t->th_pathname, MAXPATHLEN, "%.100s", t->th_buf.name);
++ }
++ else
+ {
+- snprintf(filename, sizeof(filename), "%.155s/%.100s",
++ snprintf(t->th_pathname, MAXPATHLEN, "%.155s/%.100s",
+ t->th_buf.prefix, t->th_buf.name);
+- return filename;
+ }
+
+- snprintf(filename, sizeof(filename), "%.100s", t->th_buf.name);
+- return filename;
++ /* will be deallocated in tar_close() */
++ return t->th_pathname;
+ }
+
+
+--- a/lib/handle.c
++++ b/lib/handle.c
+@@ -121,6 +121,7 @@ tar_close(TAR *t)
+ libtar_hash_free(t->h, ((t->oflags & O_ACCMODE) == O_RDONLY
+ ? free
+ : (libtar_freefunc_t)tar_dev_free));
++ free(t->th_pathname);
+ free(t);
+
+ return i;
+--- a/lib/libtar.h
++++ b/lib/libtar.h
+@@ -85,6 +85,9 @@ typedef struct
+ int options;
+ struct tar_header th_buf;
+ libtar_hash_t *h;
++
++ /* introduced in libtar 1.2.21 */
++ char *th_pathname;
+ }
+ TAR;
+
diff --git a/meta-oem-extra-libs/recipes-core/libtar/files/no_strip.patch b/meta-oem-extra-libs/recipes-core/libtar/files/no_strip.patch
new file mode 100644
index 00000000..a3187285
--- /dev/null
+++ b/meta-oem-extra-libs/recipes-core/libtar/files/no_strip.patch
@@ -0,0 +1,24 @@
+Description: make install must not strip binaries
+
+--- a/lib/Makefile.in
++++ b/lib/Makefile.in
+@@ -20,7 +20,7 @@ SHELL = @SHELL@
+
+ ### Installation programs and flags
+ INSTALL = @INSTALL@
+-INSTALL_PROGRAM = @INSTALL_PROGRAM@ -s
++INSTALL_PROGRAM = @INSTALL_PROGRAM@
+ INSTALL_DATA = @INSTALL_DATA@
+ LN_S = @LN_S@
+ MKDIR = @MKDIR@
+--- a/libtar/Makefile.in
++++ b/libtar/Makefile.in
+@@ -20,7 +20,7 @@ SHELL = @SHELL@
+
+ ### Installation programs and flags
+ INSTALL = @INSTALL@
+-INSTALL_PROGRAM = @INSTALL_PROGRAM@ -s
++INSTALL_PROGRAM = @INSTALL_PROGRAM@
+ INSTALL_DATA = @INSTALL_DATA@
+ LN_S = @LN_S@
+ MKDIR = @MKDIR@
diff --git a/meta-oem-extra-libs/recipes-core/libtar/files/oldgnu_prefix.patch b/meta-oem-extra-libs/recipes-core/libtar/files/oldgnu_prefix.patch
new file mode 100644
index 00000000..99ab509e
--- /dev/null
+++ b/meta-oem-extra-libs/recipes-core/libtar/files/oldgnu_prefix.patch
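Review bot: th_get_pathname() in no_static_buffers.patch now relies on `t->th_pathname` being NULL for a fresh handle, and tar_close() frees it unconditionally, yet nothing in this patch initialises the new field. The allocation of the TAR handle is outside these hunks, so please confirm it is zero-filled, or add `t->th_pathname = NULL;` where the handle is created; otherwise the first call tests, and tar_close() later frees, an indeterminate pointer. The return contract also moved from a static buffer to storage owned by the handle, which deserves a comment on the function such as `/* result is owned by t, overwritten by the next call and released in tar_close() */`.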
@@ -0,0 +1,21 @@
+Description: Detect old-style GNU headers correctly
+Author: Steinar H. Gunderson <sesse@debian.org>
+
+--- libtar-1.2.20.orig/lib/decode.c
++++ libtar-1.2.20/lib/decode.c
+@@ -69,7 +69,14 @@ th_get_pathname(TAR *t)
+ return NULL;
+ }
+
+- if (t->th_buf.prefix[0] == '\0')
++ /*
++ * Old GNU headers (also used by newer GNU tar when doing incremental
++ * dumps) use the POSIX prefix field for many other things, such as
++ * mtime and ctime. New-style GNU headers don't, but also don't use the
++ * POSIX prefix field. Thus, only honor the prefix field if the archive
++ * is actually a POSIX archive. This is the same logic as GNU tar uses.
++ */
++ if (strncmp(t->th_buf.magic, TMAGIC, TMAGLEN - 1) != 0 || t->th_buf.prefix[0] == '\0')
+ {
+ sprintf(t->th_pathname, "%.100s", t->th_buf.name);
+ }
diff --git a/meta-oem-extra-libs/recipes-core/libtar/files/series b/meta-oem-extra-libs/recipes-core/libtar/files/series
new file mode 100644
index 00000000..617ca258
--- /dev/null
+++ b/meta-oem-extra-libs/recipes-core/libtar/files/series
@@ -0,0 +1,7 @@
+no_static_buffers.patch
+no_maxpathlen.patch
+CVE-2013-4420.patch
+th_get_size-unsigned-int.patch
+oldgnu_prefix.patch
+testsuite.patch
+no_strip.patch
diff --git a/meta-oem-extra-libs/recipes-core/libtar/files/testsuite.patch b/meta-oem-extra-libs/recipes-core/libtar/files/testsuite.patch
new file mode 100644
index 00000000..e8be9321
--- /dev/null
+++ b/meta-oem-extra-libs/recipes-core/libtar/files/testsuite.patch
@@ -0,0 +1,50 @@
+--- a/Makefile.am
++++ b/Makefile.am
+@@ -10,5 +10,5 @@ ACLOCAL_AMFLAGS = -I autoconf
+
+ #@SET_MAKE@
+
+-SUBDIRS = lib libtar doc
++SUBDIRS = lib libtar doc testsuite
+
+--- a/doc/Makefile.in
++++ b/doc/Makefile.in
+@@ -151,3 +151,4 @@ install: all
+ echo ".so man3/@LISTHASH_PREFIX@_list_new.3" > ${DESTDIR}${mandir}/man3/$${i}.3; \
+ done
+
++check:
+--- a/lib/Makefile.in
++++ b/lib/Makefile.in
+@@ -104,3 +104,4 @@ install: ${ALL}
+ ${INSTALL_DATA} ${srcdir}/libtar.h ${DESTDIR}${includedir}
+ ${INSTALL_DATA} ../listhash/libtar_listhash.h ${DESTDIR}${includedir}
+
++check:
+--- a/libtar/Makefile.in
++++ b/libtar/Makefile.in
+@@ -76,3 +76,4 @@ install: ${ALL}
+ ${MKDIR} ${DESTDIR}${bindir}
+ $(LIBTOOL) --mode=install ${INSTALL_PROGRAM} libtar ${DESTDIR}${bindir}
+
++check:
+--- /dev/null
++++ b/testsuite/Makefile.in
+@@ -0,0 +1,7 @@
++all:
++
++check: ../libtar/libtar
++ ../libtar/libtar -C ../doc -c test.tar .
++ ../libtar/libtar -t test.tar
++ $(RM) test.tar
++install:
+--- a/configure.ac
++++ b/configure.ac
+@@ -120,6 +120,6 @@ fi
+
+
+ dnl ### Create output files. #######################################
+-AC_CONFIG_FILES([Makefile lib/Makefile libtar/Makefile doc/Makefile])
++AC_CONFIG_FILES([Makefile lib/Makefile libtar/Makefile doc/Makefile testsuite/Makefile])
+ AC_OUTPUT
+
diff --git a/meta-oem-extra-libs/recipes-core/libtar/files/th_get_size-unsigned-int.patch b/meta-oem-extra-libs/recipes-core/libtar/files/th_get_size-unsigned-int.patch
new file mode 100644
index 00000000..e12ca914
--- /dev/null
+++ b/meta-oem-extra-libs/recipes-core/libtar/files/th_get_size-unsigned-int.patch
@@ -0,0 +1,52 @@
+Origin: http://repo.or.cz/w/libtar.git/commitdiff/e4c1f2974258d6a325622cfd712873d49b5e7a73
+From: Chris Frey <cdfrey@foursquare.net>
+Date: Thu, 24 Oct 2013 18:52:44 -0400
+Subject: [PATCH] Change th_get_size() macro to return unsigned int
+
+On systems where size_t is larger than an int (and larger than
+unsigned int), then in various places in the library, where
+stuff like this happens:
+
+ size_t sz = th_get_size(t);
+
+then the int value returned from th_get_size() is sign extended to
+some unwieldy amount.
+
+On 64bit systems, this can yield extremely large values.
+
+By fixing this problem in the header, and only for th_get_size(),
+we avoid breaking the API of the function call oct_to_int()
+(which arguably should return an unsigned int, since the sscanf()
+it uses expects to yield an unsigned int). We also fix the library,
+which uses th_get_size() internally to assign sizes to size_t.
+
+The drawback is that not all client code that uses th_get_size()
+will be fixed, until they recompile, but they will automatically
+take advantage of the bugs fixed *inside* the library.
+
+The remaining th_get_*() functions operate on modes and CRC values
+and the like, and should be fine, remaining as ints.
+
+Thanks very much to Magnus Holmgren for catching this behaviour.
+https://lists.feep.net:8080/pipermail/libtar/2013-October/000365.html
+---
+ lib/libtar.h | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/lib/libtar.h b/lib/libtar.h
+index 2fefee0..13bb82d 100644
+--- a/lib/libtar.h
++++ b/lib/libtar.h
+@@ -185,7 +185,11 @@ int th_write(TAR *t);
+
+ /* decode tar header info */
+ #define th_get_crc(t) oct_to_int((t)->th_buf.chksum)
+-#define th_get_size(t) oct_to_int((t)->th_buf.size)
++/* We cast from int (what oct_to_int() returns) to
++ unsigned int, to avoid unwieldy sign extensions
++ from occurring on systems where size_t is bigger than int,
++ since th_get_size() is often stored into a size_t. */
++#define th_get_size(t) ((unsigned int)oct_to_int((t)->th_buf.size))
+ #define th_get_mtime(t) oct_to_int((t)->th_buf.mtime)
+ #define th_get_devmajor(t) oct_to_int((t)->th_buf.devmajor)
+ #define th_get_devminor(t) oct_to_int((t)->th_buf.devminor) |
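Review bot: The cast in `th_get_size()` removes the sign extension but does not bound the value, so a negative or otherwise unrepresentable result from `oct_to_int()` now reaches callers as a large positive size instead of something they can reject. oct_to_int() is not part of this hunk, so how it reports a malformed size field is an assumption to check. I would extend the new comment with `/* the result is not range-checked; callers must validate it before sizing reads or allocations */`, since the size comes straight from the archive header.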