Google Git
Sign in
cos / third_party / overlays / portage-stable / 784c812f44df93c5c7ddd63f2dcb447c4151ae96^! / .
commit784c812f44df93c5c7ddd63f2dcb447c4151ae96[log] [tgz]
authorNobel Barakat <nobelbarakat@google.com>Mon Feb 27 10:58:13 2023 -0800
committerNobel Barakat <nobelbarakat@google.com>Tue Feb 28 00:42:50 2023 +0000
treec422cfddf91c4e3d4733b7f0a443bc1c560dede7
parent323b8bbad8eaaa0c2aa8e7716c4a18fe991076e8 [diff]
app-arch/tar: fixing cve-2022-48303

This patch fixes an out of band read in tar which resolves
CVE-2022-48303.

BUG=b/269587296
TEST=presubmit
RELEASE_NOTE="Fixed CVE-2022-48303 in app-arch/tar"

cos-patch: security-high
Change-Id: I9e951e2472bfc9c55fcb6cc0c8b596b7a983c87f
Reviewed-on: https://cos-review.googlesource.com/c/third_party/overlays/portage-stable/+/43908
Reviewed-by: Meena Shanmugam <meenashanmugam@google.com>
Tested-by: Cusky Presubmit Bot <presubmit@cos-infra-prod.iam.gserviceaccount.com>
Main-Branch-Verified: Cusky Presubmit Bot <presubmit@cos-infra-prod.iam.gserviceaccount.com>

diff --git a/app-arch/tar/files/tar-1.34-fix-cve-2022-48303.patch b/app-arch/tar/files/tar-1.34-fix-cve-2022-48303.patch
new file mode 100644
index 0000000..5a4122a
--- /dev/null
+++ b/app-arch/tar/files/tar-1.34-fix-cve-2022-48303.patch

@@ -0,0 +1,30 @@
+From 3da78400eafcccb97e2f2fd4b227ea40d794ede8 Mon Sep 17 00:00:00 2001
+From: Sergey Poznyakoff <gray@gnu.org>
+Date: Sat, 11 Feb 2023 11:57:39 +0200
+Subject: [PATCH] Fix boundary checking in base-256 decoder
+
+* src/list.c (from_header): Base-256 encoding is at least 2 bytes
+long.
+---
+ src/list.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/src/list.c b/src/list.c
+index 9fafc425..86bcfdd1 100644
+--- a/src/list.c
++++ b/src/list.c
+@@ -881,8 +881,9 @@ from_header (char const *where0, size_t digs, char const *type,
+ 	  where++;
+ 	}
+     }
+-  else if (*where == '\200' /* positive base-256 */
+-	   || *where == '\377' /* negative base-256 */)
++  else if (where <= lim - 2
++	   && (*where == '\200' /* positive base-256 */
++	       || *where == '\377' /* negative base-256 */))
+     {
+       /* Parse base-256 output.  A nonnegative number N is
+ 	 represented as (256**DIGS)/2 + N; a negative number -N is
+-- 
+2.39.2.637.g21b0678d19-goog
+

diff --git a/app-arch/tar/tar-1.34.ebuild b/app-arch/tar/tar-1.34-r1.ebuild
similarity index 96%
rename from app-arch/tar/tar-1.34.ebuild
rename to app-arch/tar/tar-1.34-r1.ebuild
index 5198981..bd6ac09 100644
--- a/app-arch/tar/tar-1.34.ebuild
+++ b/app-arch/tar/tar-1.34-r1.ebuild

@@ -27,6 +27,10 @@
 	nls? ( sys-devel/gettext )
 "
 
+PATCHES=(
+	"${FILESDIR}"/${P}-fix-cve-2022-48303.patch
+)
+
 src_prepare() {
 	default