package/cpio/0001-fix-CVE-2016-2037.patch

   1 From: Pavel Raiskup
   2 Subject: [Bug-cpio] [PATCH] fix 1-byte out-of-bounds write
   3 Date: Tue, 26 Jan 2016 23:17:54 +0100
   4
   5 Other calls to cpio_safer_name_suffix seem to be safe.
   6
   7 * src/copyin.c (process_copy_in):  Make sure that file_hdr.c_name
   8 has at least two bytes allocated.
   9 * src/util.c (cpio_safer_name_suffix): Document that use of this
  10 function requires to be careful.
  11
  12 Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
  13 ---
  14 Patch status: fetched/submitted
  15 URL: https://lists.gnu.org/archive/html/bug-cpio/2016-01/msg00005.html
  16
  17  src/copyin.c | 2 ++
  18  src/util.c   | 5 ++++-
  19  2 files changed, 6 insertions(+), 1 deletion(-)
  20
  21 diff --git a/src/copyin.c b/src/copyin.c
  22 index cde911e..032d35f 100644
  23 --- a/src/copyin.c
  24 +++ b/src/copyin.c
  25 @@ -1385,6 +1385,8 @@ process_copy_in ()
  26           break;
  27         }
  28
  29 +      if (file_hdr.c_namesize <= 1)
  30 +        file_hdr.c_name = xrealloc(file_hdr.c_name, 2);
  31        cpio_safer_name_suffix (file_hdr.c_name, false, !no_abs_paths_flag,
  32                               false);
  33
  34 diff --git a/src/util.c b/src/util.c
  35 index 6ff6032..2763ac1 100644
  36 --- a/src/util.c
  37 +++ b/src/util.c
  38 @@ -1411,7 +1411,10 @@ set_file_times (int fd,
  39  }
  40
  41  /* Do we have to ignore absolute paths, and if so, does the filename
  42 -   have an absolute path?  */
  43 +   have an absolute path?
  44 +   Before calling this function make sure that the allocated NAME buffer has
  45 +   capacity at least 2 bytes to allow us to store the "." string inside.  */
  46 +
  47  void
  48  cpio_safer_name_suffix (char *name, bool link_target, bool absolute_names,
  49                         bool strip_leading_dots)
  50 --
  51 2.5.0