From fb9046ff9238e201f4f6f1c63ee46db49e5ad496 Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Tue, 16 May 2023 06:13:28 +0000
Subject: [PATCH] import libtar-1.2.20-17.el8

---
 .gitignore | 1 +
 .libtar.metadata | 1 +
 SOURCES/libtar-1.2.11-bz729009.patch | 25 ++
 SOURCES/libtar-1.2.11-mem-deref.patch | 24 ++
 SOURCES/libtar-1.2.11-missing-protos.patch | 34 +++
 ...1.2.20-CVE-2021-33643-CVE-2021-33644.patch | 40 +++
 ...1.2.20-CVE-2021-33645-CVE-2021-33646.patch | 30 +++
 .../libtar-1.2.20-fix-resource-leaks.patch | 241 ++++++++++++++++++
 SOURCES/libtar-1.2.20-no-static-buffer.patch | 148 +++++++++++
 SOURCES/libtar-1.2.20-static-analysis.patch | 90 +++++++
 SPECS/libtar.spec | 220 ++++++++++++++++
 11 files changed, 854 insertions(+)
 create mode 100644 .gitignore
 create mode 100644 .libtar.metadata
 create mode 100644 SOURCES/libtar-1.2.11-bz729009.patch
 create mode 100644 SOURCES/libtar-1.2.11-mem-deref.patch
 create mode 100644 SOURCES/libtar-1.2.11-missing-protos.patch
 create mode 100644 SOURCES/libtar-1.2.20-CVE-2021-33643-CVE-2021-33644.patch
 create mode 100644 SOURCES/libtar-1.2.20-CVE-2021-33645-CVE-2021-33646.patch
 create mode 100644 SOURCES/libtar-1.2.20-fix-resource-leaks.patch
 create mode 100644 SOURCES/libtar-1.2.20-no-static-buffer.patch
 create mode 100644 SOURCES/libtar-1.2.20-static-analysis.patch
 create mode 100644 SPECS/libtar.spec

diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..e3106cb
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+SOURCES/libtar-v1.2.20.tar.gz
diff --git a/.libtar.metadata b/.libtar.metadata
new file mode 100644
index 0000000..4f012b3
--- /dev/null
+++ b/.libtar.metadata
@@ -0,0 +1 @@
+f0c0f3b436c56e34d9f60abc27a3ca28307b3525 SOURCES/libtar-v1.2.20.tar.gz
diff --git a/SOURCES/libtar-1.2.11-bz729009.patch b/SOURCES/libtar-1.2.11-bz729009.patch
new file mode 100644
index 0000000..2adfce3
--- /dev/null
+++ b/SOURCES/libtar-1.2.11-bz729009.patch
@@ -0,0 +1,25 @@
+From 1f2ec801cf4ac954f84c81e7587ce11998f78911 Mon Sep 17 00:00:00 2001
+From: Kamil Dudka
+Date: Tue, 9 Aug 2011 12:02:26 +0200
+Subject: [PATCH] libtar - rhbz #729009
+
+---
+ libtar/Makefile.in | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+diff --git a/libtar/Makefile.in b/libtar/Makefile.in
+index 4e7bca4..94bd198 100644
+--- a/libtar/Makefile.in
++++ b/libtar/Makefile.in
+@@ -20,7 +20,7 @@ SHELL = @SHELL@
+ 
+ ### Installation programs and flags
+ INSTALL = @INSTALL@
+-INSTALL_PROGRAM = @INSTALL_PROGRAM@ -s
++INSTALL_PROGRAM = @INSTALL_PROGRAM@
+ INSTALL_DATA = @INSTALL_DATA@
+ LN_S = @LN_S@
+ MKDIR = @MKDIR@
+-- 
+1.7.4.4
+
diff --git a/SOURCES/libtar-1.2.11-mem-deref.patch b/SOURCES/libtar-1.2.11-mem-deref.patch
new file mode 100644
index 0000000..8a618a0
--- /dev/null
+++ b/SOURCES/libtar-1.2.11-mem-deref.patch
@@ -0,0 +1,24 @@
+--- libtar-1.2.11/lib/libtar.h.deref 2009-12-30 16:37:03.790121122 +0100
++++ libtar-1.2.11/lib/libtar.h 2009-12-30 16:37:35.521246633 +0100
+@@ -172,6 +172,7 @@ int th_write(TAR *t);
+ #define TH_ISDIR(t) ((t)->th_buf.typeflag == DIRTYPE \
+ || S_ISDIR((mode_t)oct_to_int((t)->th_buf.mode)) \
+ || ((t)->th_buf.typeflag == AREGTYPE \
++ && strlen((t)->th_buf.name) \
+ && ((t)->th_buf.name[strlen((t)->th_buf.name) - 1] == '/')))
+ #define TH_ISFIFO(t) ((t)->th_buf.typeflag == FIFOTYPE \
+ || S_ISFIFO((mode_t)oct_to_int((t)->th_buf.mode)))
+--- libtar-1.2.11/lib/util.c.deref 2003-01-07 02:41:00.000000000 +0100
++++ libtar-1.2.11/lib/util.c 2009-12-30 17:35:51.860121660 +0100
+@@ -148,9 +148,7 @@ oct_to_int(char *oct)
+ {
+ int i;
+ 
+- sscanf(oct, "%o", &i);
+- 
+- return i;
++ return sscanf(oct, "%o", &i) == 1 ? i : 0;
+ }
+ 
+ 
+ 
diff --git a/SOURCES/libtar-1.2.11-missing-protos.patch b/SOURCES/libtar-1.2.11-missing-protos.patch
new file mode 100644
index 0000000..8a65c2a
--- /dev/null
+++ b/SOURCES/libtar-1.2.11-missing-protos.patch
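Review bot: `return sscanf(oct, "%o", &i) == 1 ? i : 0;` in oct_to_int still converts an untrusted archive header field into a signed `int`: an octal string whose value does not fit is outside what `%o` may store (the C standard leaves that undefined), and a result that parses as negative is handed to callers such as th_get_size as if it were a size. Parsing with strtoul in base 8 into an unsigned variable, checking the end pointer and bounding the value before narrowing to `int`, would make the failure explicit here instead of relying on downstream checks. The TH_ISDIR change has a related gap: `strlen((t)->th_buf.name)` assumes a NUL inside the 100-byte name field, which a full-length name does not have, so `strnlen((t)->th_buf.name, sizeof((t)->th_buf.name))` would bound both the new guard and the index expression. Whether the `oct` argument is always NUL-terminated by the callers is not visible from this hunk.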
@@ -0,0 +1,34 @@
+diff -up libtar-1.2.11/lib/append.c.foo libtar-1.2.11/lib/append.c
+--- libtar-1.2.11/lib/append.c.foo 2003-01-07 02:40:59.000000000 +0100
++++ libtar-1.2.11/lib/append.c 2008-04-03 15:08:07.000000000 +0200
+@@ -13,6 +13,8 @@
+ #include
+ 
+ #include
++#include
++#include
+ #include
+ #include
+ #include
+diff -up libtar-1.2.11/lib/output.c~ libtar-1.2.11/lib/output.c
+--- libtar-1.2.11/lib/output.c~ 2008-04-03 15:11:07.000000000 +0200
++++ libtar-1.2.11/lib/output.c 2008-04-03 15:11:07.000000000 +0200
+@@ -13,6 +13,7 @@
+ #include
+ 
+ #include
++#include
+ #include
+ #include
+ #include
+diff -up libtar-1.2.11/lib/wrapper.c~ libtar-1.2.11/lib/wrapper.c
+--- libtar-1.2.11/lib/wrapper.c~ 2008-04-03 15:11:28.000000000 +0200
++++ libtar-1.2.11/lib/wrapper.c 2008-04-03 15:11:28.000000000 +0200
+@@ -13,6 +13,7 @@
+ #include
+ 
+ #include
++#include
+ #include
+ #include
+ #include
diff --git a/SOURCES/libtar-1.2.20-CVE-2021-33643-CVE-2021-33644.patch b/SOURCES/libtar-1.2.20-CVE-2021-33643-CVE-2021-33644.patch
new file mode 100644
index 0000000..f6692c3
--- /dev/null
+++ b/SOURCES/libtar-1.2.20-CVE-2021-33643-CVE-2021-33644.patch
@@ -0,0 +1,40 @@
+From 3936c7aa74d89e7a91dfbb2c1b7bfcad58a0355d Mon Sep 17 00:00:00 2001
+From: shixuantong <1726671442@qq.com>
+Date: Wed, 6 Apr 2022 17:40:57 +0800
+Subject: [PATCH 1/2] Ensure that sz is greater than 0.
+
+---
+ lib/block.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/lib/block.c b/lib/block.c
+index 092bc28..f12c4bc 100644
+--- a/lib/block.c
++++ b/lib/block.c
+@@ -118,6 +118,11 @@ th_read(TAR *t)
+ if (TH_ISLONGLINK(t))
+ {
+ sz = th_get_size(t);
++ if ((int)sz <= 0)
++ {
++ errno = EINVAL;
++ return -1;
++ }
+ blocks = (sz / T_BLOCKSIZE) + (sz % T_BLOCKSIZE ? 1 : 0);
+ if (blocks > ((size_t)-1 / T_BLOCKSIZE))
+ {
+@@ -168,6 +173,11 @@ th_read(TAR *t)
+ if (TH_ISLONGNAME(t))
+ {
+ sz = th_get_size(t);
++ if ((int)sz <= 0)
++ {
++ errno = EINVAL;
++ return -1;
++ }
+ blocks = (sz / T_BLOCKSIZE) + (sz % T_BLOCKSIZE ? 1 : 0);
+ if (blocks > ((size_t)-1 / T_BLOCKSIZE))
+ {
+-- 
+2.37.1
+
diff --git a/SOURCES/libtar-1.2.20-CVE-2021-33645-CVE-2021-33646.patch b/SOURCES/libtar-1.2.20-CVE-2021-33645-CVE-2021-33646.patch
new file mode 100644
index 0000000..c625d61
--- /dev/null
+++ b/SOURCES/libtar-1.2.20-CVE-2021-33645-CVE-2021-33646.patch
@@ -0,0 +1,30 @@
+From 78e95da690556874baac96dd1d655e577c6d8e95 Mon Sep 17 00:00:00 2001
+From: Kamil Dudka
+Date: Tue, 4 Oct 2022 10:39:35 +0200
+Subject: [PATCH] free memory allocated by gnu_long* fields
+
+---
+ lib/handle.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/lib/handle.c b/lib/handle.c
+index 28a7dc2..18bd8dc 100644
+--- a/lib/handle.c
++++ b/lib/handle.c
+@@ -122,8 +122,11 @@ tar_close(TAR *t)
+ libtar_hash_free(t->h, ((t->oflags & O_ACCMODE) == O_RDONLY
+ ? free
+ : (libtar_freefunc_t)tar_dev_free));
+- if (t->th_pathname != NULL)
+- free(t->th_pathname);
++
++ free(t->th_pathname);
++ free(t->th_buf.gnu_longname);
++ free(t->th_buf.gnu_longlink);
++
+ free(t);
+ 
+ return i;
+-- 
+2.38.1
+
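Review bot: `if ((int)sz <= 0)` after `sz = th_get_size(t);` only works because sz is assigned from an `int` (th_get_size/oct_to_int), so a negative parse result survives the round trip through the cast; if sz is `size_t`, as the `(size_t)-1 / T_BLOCKSIZE` comparison a few lines below suggests, the same guard written as `if (sz == 0 || sz > INT_MAX)` states the intended bound directly and stays correct should th_get_size ever return an unsigned type (INT_MAX needs <limits.h>, which the hunk does not show). The identical check in the TH_ISLONGNAME hunk below has the same shape. The commit title only says sz must be greater than zero and does not record why, so a one-line comment such as `/* reject zero or negative (sign-extended) sizes from a corrupt header */` would help the next reader. sz's declaration and the rest of th_read are outside the hunk.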
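Review bot: The unconditional `free(t->th_pathname);` drops the NULL guard that the no-static-buffer patch in this same import ("Check for NULL before freeing th_pathname", citing AIX 4 and 5) deliberately added, and the two new `free(t->th_buf.gnu_long*)` calls are unguarded for the same reason, so the two patches in the series now contradict each other. Either that AIX rationale is obsolete and should be marked as such, or all three frees should keep the `!= NULL` check. Whether th_read, which presumably also frees and reallocates gnu_longname/gnu_longlink while reading, leaves them NULL or valid on every path so that tar_close cannot double-free is outside this hunk; since the -17 changelog records a use-after-free regression in exactly this area, a comment here naming the other release points, e.g. `/* gnu_long* are also released by th_read; keep the two in sync */` (if that is indeed the case), would document the ownership.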
diff --git a/SOURCES/libtar-1.2.20-fix-resource-leaks.patch b/SOURCES/libtar-1.2.20-fix-resource-leaks.patch
new file mode 100644
index 0000000..bdca92e
--- /dev/null
+++ b/SOURCES/libtar-1.2.20-fix-resource-leaks.patch
@@ -0,0 +1,241 @@ +From abd0274e6b2f708e9eaa29414b07b3f542cec694 Mon Sep 17 00:00:00 2001 +From: Kamil Dudka +Date: Tue, 15 Oct 2013 19:48:41 -0400 +Subject: [PATCH 1/3] fix file descriptor leaks reported by cppcheck + +Bug: https://bugzilla.redhat.com/785760 +--- + lib/append.c | 14 +++++++++----- + lib/extract.c | 4 ++++ + libtar/libtar.c | 3 +++ + 3 files changed, 16 insertions(+), 5 deletions(-) + +diff --git a/lib/append.c b/lib/append.c +index e8bd89d..ff58532 100644 +--- a/lib/append.c ++++ b/lib/append.c +@@ -216,6 +216,7 @@ tar_append_regfile(TAR *t, const char *realname) + int filefd; + int i, j; + size_t size; ++ int rv = -1; + + filefd = open(realname, O_RDONLY); + if (filefd == -1) +@@ -234,25 +235,28 @@ tar_append_regfile(TAR *t, const char *realname) + { + if (j != -1) + errno = EINVAL; +- return -1; ++ goto fail; + } + if (tar_block_write(t, &block) == -1) +- return -1; ++ goto fail; + } + + if (i > 0) + { + j = read(filefd, &block, i); + if (j == -1) +- return -1; ++ goto fail; + memset(&(block[i]), 0, T_BLOCKSIZE - i); + if (tar_block_write(t, &block) == -1) +- return -1; ++ goto fail; + } + ++ /* success! */ ++ rv = 0; ++fail: + close(filefd); + +- return 0; ++ return rv; + } + + +diff --git a/lib/extract.c b/lib/extract.c +index 36357e7..9fc6ad5 100644 +--- a/lib/extract.c ++++ b/lib/extract.c +@@ -228,13 +228,17 @@ tar_extract_regfile(TAR *t, char *realname) + { + if (k != -1) + errno = EINVAL; ++ close(fdout); + return -1; + } + + /* write block to output file */ + if (write(fdout, buf, + ((i > T_BLOCKSIZE) ? 
T_BLOCKSIZE : i)) == -1) ++ { ++ close(fdout); + return -1; ++ } + } + + /* close output file */ +diff --git a/libtar/libtar.c b/libtar/libtar.c +index 9fa92b2..bb5644c 100644 +--- a/libtar/libtar.c ++++ b/libtar/libtar.c +@@ -83,7 +83,10 @@ gzopen_frontend(char *pathname, int oflags, int mode) + return -1; + + if ((oflags & O_CREAT) && fchmod(fd, mode)) ++ { ++ close(fd); + return -1; ++ } + + gzf = gzdopen(fd, gzoflags); + if (!gzf) +-- +1.7.1 + + +From 36629a41208375f5105427e98078127551692028 Mon Sep 17 00:00:00 2001 +From: Huzaifa Sidhpurwala +Date: Tue, 15 Oct 2013 20:02:58 -0400 +Subject: [PATCH 2/3] fix memleak on tar_open() failure + +--- + lib/handle.c | 1 + + 1 files changed, 1 insertions(+), 0 deletions(-) + +diff --git a/lib/handle.c b/lib/handle.c +index 33a262c..002d23c 100644 +--- a/lib/handle.c ++++ b/lib/handle.c +@@ -82,6 +82,7 @@ tar_open(TAR **t, const char *pathname, tartype_t *type, + (*t)->fd = (*((*t)->type->openfunc))(pathname, oflags, mode); + if ((*t)->fd == -1) + { ++ libtar_hash_free((*t)->h, NULL); + free(*t); + return -1; + } +-- +1.7.1 + + +From f3c711cf3054ff366a1a3500cdc8c64ecc2d2da6 Mon Sep 17 00:00:00 2001 +From: Huzaifa Sidhpurwala +Date: Tue, 15 Oct 2013 20:05:04 -0400 +Subject: [PATCH 3/3] fix memleaks in libtar sample program + +--- + libtar/libtar.c | 29 ++++++++++++++++++----------- + 1 files changed, 18 insertions(+), 11 deletions(-) + +diff --git a/libtar/libtar.c b/libtar/libtar.c +index bb5644c..23f8741 100644 +--- a/libtar/libtar.c ++++ b/libtar/libtar.c +@@ -253,6 +253,7 @@ extract(char *tarfile, char *rootdir) + if (tar_extract_all(t, rootdir) != 0) + { + fprintf(stderr, "tar_extract_all(): %s\n", strerror(errno)); ++ tar_close(t); + return -1; + } + +@@ -270,12 +271,13 @@ extract(char *tarfile, char *rootdir) + + + void +-usage() ++usage(void *rootdir) + { + printf("Usage: %s [-C rootdir] [-g] [-z] -x|-t filename.tar\n", + progname); + printf(" %s [-C rootdir] [-g] [-z] -c filename.tar ...\n", + progname); ++ 
free(rootdir); + exit(-1); + } + +@@ -292,6 +294,7 @@ main(int argc, char *argv[]) + int c; + int mode = 0; + libtar_list_t *l; ++ int return_code = -2; + + progname = basename(argv[0]); + +@@ -313,17 +316,17 @@ main(int argc, char *argv[]) + break; + case 'c': + if (mode) +- usage(); ++ usage(rootdir); + mode = MODE_CREATE; + break; + case 'x': + if (mode) +- usage(); ++ usage(rootdir); + mode = MODE_EXTRACT; + break; + case 't': + if (mode) +- usage(); ++ usage(rootdir); + mode = MODE_LIST; + break; + #ifdef HAVE_LIBZ +@@ -332,7 +335,7 @@ main(int argc, char *argv[]) + break; + #endif /* HAVE_LIBZ */ + default: +- usage(); ++ usage(rootdir); + } + + if (!mode || ((argc - optind) < (mode == MODE_CREATE ? 2 : 1))) +@@ -341,7 +344,7 @@ main(int argc, char *argv[]) + printf("argc - optind == %d\tmode == %d\n", argc - optind, + mode); + #endif +- usage(); ++ usage(rootdir); + } + + #ifdef DEBUG +@@ -351,21 +354,25 @@ main(int argc, char *argv[]) + switch (mode) + { + case MODE_EXTRACT: +- return extract(argv[optind], rootdir); ++ return_code = extract(argv[optind], rootdir); ++ break; + case MODE_CREATE: + tarfile = argv[optind]; + l = libtar_list_new(LIST_QUEUE, NULL); + for (c = optind + 1; c < argc; c++) + libtar_list_add(l, argv[c]); +- return create(tarfile, rootdir, l); ++ return_code = create(tarfile, rootdir, l); ++ libtar_list_free(l, NULL); ++ break; + case MODE_LIST: +- return list(argv[optind]); ++ return_code = list(argv[optind]); ++ break; + default: + break; + } + +- /* NOTREACHED */ +- return -2; ++ free(rootdir); ++ return return_code; + } + + +-- +1.7.1 + diff --git a/SOURCES/libtar-1.2.20-no-static-buffer.patch b/SOURCES/libtar-1.2.20-no-static-buffer.patch new file mode 100644 index 0000000..a30baca --- /dev/null +++ b/SOURCES/libtar-1.2.20-no-static-buffer.patch 
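Review bot: `usage(void *rootdir)` declares the parameter as `void *` although its only purpose is to free the `-C` argument, which main holds as a string pointer (its declaration is above the hunk); `usage(char *rootdir)` keeps the type and lets the compiler catch a wrong argument at the call sites. The new parameter also makes every `usage(rootdir)` call depend on rootdir being either NULL or a heap copy, which is not stated anywhere; a comment at the definition, e.g. `/* rootdir: heap copy of the -C argument (or NULL); freed here because exit() follows */`, would record that contract, assuming the copy is made with strdup as the free() requires. The rest of main and the option parsing that sets rootdir are outside the hunk.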
@@ -0,0 +1,148 @@ +From ba16223652cfaa656d9c0c2d7bc7ab39dbd12467 Mon Sep 17 00:00:00 2001 +From: Kamil Dudka +Date: Wed, 23 Oct 2013 15:04:22 +0200 +Subject: [PATCH 1/3] decode: avoid using a static buffer in th_get_pathname() + +A solution suggested by Chris Frey: +https://lists.feep.net:8080/pipermail/libtar/2013-October/000377.html + +Note this can break programs that expect sizeof(TAR) to be fixed. + +[upstream commit ec613af2e9371d7a3e1f7c7a6822164a4255b4d1] +--- + lib/decode.c | 24 +++++++++++++++++------- + lib/handle.c | 1 + + lib/libtar.h | 3 +++ + 3 files changed, 21 insertions(+), 7 deletions(-) + +diff --git a/lib/decode.c b/lib/decode.c +index c16ea2d..edb2185 100644 +--- a/lib/decode.c ++++ b/lib/decode.c +@@ -26,20 +26,30 @@ + char * + th_get_pathname(TAR *t) + { +- static TLS_THREAD char filename[MAXPATHLEN]; +- + if (t->th_buf.gnu_longname) + return t->th_buf.gnu_longname; + +- if (t->th_buf.prefix[0] != '\0') ++ /* allocate the th_pathname buffer if not already */ ++ if (t->th_pathname == NULL) ++ { ++ t->th_pathname = malloc(MAXPATHLEN * sizeof(char)); ++ if (t->th_pathname == NULL) ++ /* out of memory */ ++ return NULL; ++ } ++ ++ if (t->th_buf.prefix[0] == '\0') ++ { ++ snprintf(t->th_pathname, MAXPATHLEN, "%.100s", t->th_buf.name); ++ } ++ else + { +- snprintf(filename, sizeof(filename), "%.155s/%.100s", ++ snprintf(t->th_pathname, MAXPATHLEN, "%.155s/%.100s", + t->th_buf.prefix, t->th_buf.name); +- return filename; + } + +- snprintf(filename, sizeof(filename), "%.100s", t->th_buf.name); +- return filename; ++ /* will be deallocated in tar_close() */ ++ return t->th_pathname; + } + + +diff --git a/lib/handle.c b/lib/handle.c +index 002d23c..a19c046 100644 +--- a/lib/handle.c ++++ b/lib/handle.c +@@ -122,6 +122,7 @@ tar_close(TAR *t) + libtar_hash_free(t->h, ((t->oflags & O_ACCMODE) == O_RDONLY + ? 
free + : (libtar_freefunc_t)tar_dev_free)); ++ free(t->th_pathname); + free(t); + + return i; +diff --git a/lib/libtar.h b/lib/libtar.h +index 7fc4d03..08a8e0f 100644 +--- a/lib/libtar.h ++++ b/lib/libtar.h +@@ -85,6 +85,9 @@ typedef struct + int options; + struct tar_header th_buf; + libtar_hash_t *h; ++ ++ /* introduced in libtar 1.2.21 */ ++ char *th_pathname; + } + TAR; + +-- +1.7.1 + + +From 8ef92e48bba35d60208cc09be2bab74f69273d15 Mon Sep 17 00:00:00 2001 +From: Chris Frey +Date: Thu, 24 Oct 2013 17:55:12 -0400 +Subject: [PATCH 2/3] Check for NULL before freeing th_pathname + +Thanks to Harald Koch for pointing out that AIX 4 and 5 still need this. + +[upstream commit 495d0c0eabc5648186e7d58ad54b508d14af38f4] + +Signed-off-by: Kamil Dudka +--- + lib/handle.c | 3 ++- + 1 files changed, 2 insertions(+), 1 deletions(-) + +diff --git a/lib/handle.c b/lib/handle.c +index a19c046..28a7dc2 100644 +--- a/lib/handle.c ++++ b/lib/handle.c +@@ -122,7 +122,8 @@ tar_close(TAR *t) + libtar_hash_free(t->h, ((t->oflags & O_ACCMODE) == O_RDONLY + ? free + : (libtar_freefunc_t)tar_dev_free)); +- free(t->th_pathname); ++ if (t->th_pathname != NULL) ++ free(t->th_pathname); + free(t); + + return i; +-- +1.7.1 + + +From 71101392dbab09718d38fabd151bb3cf22fc8b80 Mon Sep 17 00:00:00 2001 +From: Chris Frey +Date: Thu, 24 Oct 2013 17:58:47 -0400 +Subject: [PATCH 3/3] Added stdlib.h for malloc() in lib/decode.c + +[upstream commit 20aa09bd7775094a2beb0f136c2c7d9e9fd6c7e6] + +Signed-off-by: Kamil Dudka +--- + lib/decode.c | 1 + + 1 files changed, 1 insertions(+), 0 deletions(-) + +diff --git a/lib/decode.c b/lib/decode.c +index edb2185..35312be 100644 +--- a/lib/decode.c ++++ b/lib/decode.c +@@ -13,6 +13,7 @@ + #include + + #include ++#include + #include + #include + #include +-- +1.7.1 + diff --git a/SOURCES/libtar-1.2.20-static-analysis.patch b/SOURCES/libtar-1.2.20-static-analysis.patch new file mode 100644 index 0000000..564fe12 --- /dev/null 
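Review bot: th_get_pathname() gains a NULL return on allocation failure where the static-buffer version could never fail, but neither the function nor the header documents it, and callers that print or strlen the result (not in this patch) were written against the old contract; a header comment such as `/* Returns NULL (errno set by malloc) if the per-handle buffer cannot be allocated */` plus a pass over the callers is warranted. The lazy `if (t->th_pathname == NULL)` test and the `free(t->th_pathname)` added to tar_close both assume tar_open zero-initialises the new field; tar_open is not in the hunk, so if it allocates with malloc rather than calloc an explicit `(*t)->th_pathname = NULL;` is needed there. The `/* introduced in libtar 1.2.21 */` comment on the struct field would be more useful if it carried the sizeof(TAR) caveat from the commit message, since code that embeds TAR by value sees the layout change.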
+++ b/SOURCES/libtar-1.2.20-static-analysis.patch 
@@ -0,0 +1,90 @@ +From a4e32c3d29e93866c180b5837f8aee3989dac3e9 Mon Sep 17 00:00:00 2001 +From: Kamil Dudka +Date: Tue, 6 Nov 2018 17:24:05 +0100 +Subject: [PATCH] libtar: fix programming mistakes detected by static analysis + +--- + lib/append.c | 7 +++++++ + lib/wrapper.c | 11 +++++++---- + libtar/libtar.c | 1 + + 3 files changed, 15 insertions(+), 4 deletions(-) + +diff --git a/lib/append.c b/lib/append.c +index ff58532..6386a50 100644 +--- a/lib/append.c ++++ b/lib/append.c +@@ -110,9 +110,16 @@ tar_append_file(TAR *t, const char *realname, const char *savename) + td->td_dev = s.st_dev; + td->td_h = libtar_hash_new(256, (libtar_hashfunc_t)ino_hash); + if (td->td_h == NULL) ++ { ++ free(td); + return -1; ++ } + if (libtar_hash_add(t->h, td) == -1) ++ { ++ libtar_hash_free(td->td_h, free); ++ free(td); + return -1; ++ } + } + libtar_hashptr_reset(&hp); + if (libtar_hash_getkey(td->td_h, &hp, &(s.st_ino), +diff --git a/lib/wrapper.c b/lib/wrapper.c +index 44cc435..2d3f5b9 100644 +--- a/lib/wrapper.c ++++ b/lib/wrapper.c +@@ -97,6 +97,7 @@ tar_append_tree(TAR *t, char *realdir, char *savedir) + struct dirent *dent; + DIR *dp; + struct stat s; ++ int ret = -1; + + #ifdef DEBUG + printf("==> tar_append_tree(0x%lx, \"%s\", \"%s\")\n", +@@ -130,24 +131,26 @@ tar_append_tree(TAR *t, char *realdir, char *savedir) + dent->d_name); + + if (lstat(realpath, &s) != 0) +- return -1; ++ goto fail; + + if (S_ISDIR(s.st_mode)) + { + if (tar_append_tree(t, realpath, + (savedir ? savepath : NULL)) != 0) +- return -1; ++ goto fail; + continue; + } + + if (tar_append_file(t, realpath, + (savedir ? 
savepath : NULL)) != 0) +- return -1; ++ goto fail; + } + ++ ret = 0; ++fail: + closedir(dp); + +- return 0; ++ return ret; + } + + +diff --git a/libtar/libtar.c b/libtar/libtar.c +index 23f8741..ac339e7 100644 +--- a/libtar/libtar.c ++++ b/libtar/libtar.c +@@ -92,6 +92,7 @@ gzopen_frontend(char *pathname, int oflags, int mode) + if (!gzf) + { + errno = ENOMEM; ++ close(fd); + return -1; + } + +-- +2.17.2 + diff --git a/SPECS/libtar.spec b/SPECS/libtar.spec new file mode 100644 index 0000000..1c13366 --- /dev/null +++ b/SPECS/libtar.spec 
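Review bot: In gzopen_frontend the new `close(fd);` runs after `errno = ENOMEM;`, so a failing close() overwrites the error code the caller is about to report; swap the two lines, `close(fd); errno = ENOMEM;`, or save and restore errno around the close. The tar_append_file error path is correct but would read better with a one-line comment on the ordering, e.g. `/* td is not yet in t->h: release only what this function allocated */`. The enclosing functions in all three hunks begin outside the hunk.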
@@ -0,0 +1,220 @@ +Summary: Tar file manipulation API +Name: libtar +Version: 1.2.20 +Release: 17%{?dist} +License: MIT +URL: http://repo.or.cz/libtar.git +Source: http://repo.or.cz/libtar.git/snapshot/refs/tags/v1.2.20.tar.gz#/libtar-v1.2.20.tar.gz +Patch1: libtar-1.2.11-missing-protos.patch +Patch4: libtar-1.2.11-mem-deref.patch +Patch5: libtar-1.2.20-fix-resource-leaks.patch +Patch6: libtar-1.2.11-bz729009.patch +Patch7: libtar-1.2.20-no-static-buffer.patch + +# fix programming mistakes detected by static analysis (#1602596) +Patch8: libtar-1.2.20-static-analysis.patch + +# fix out-of-bounds read in gnu_long{name,link} (CVE-2021-33643 CVE-2021-33644) +Patch9: libtar-1.2.20-CVE-2021-33643-CVE-2021-33644.patch + +# fix memory leaks through gnu_long{name,link} (CVE-2021-33645 CVE-2021-33646) +Patch10: libtar-1.2.20-CVE-2021-33645-CVE-2021-33646.patch + +BuildRequires: libtool +BuildRequires: zlib-devel + +%description +libtar is a C library for manipulating tar archives. It supports both +the strict POSIX tar format and many of the commonly-used GNU +extensions. + + +%package devel +Summary: Development files for %{name} +Requires: %{name} = %{version}-%{release} + +%description devel +The %{name}-devel package contains libraries and header files for +developing applications that use %{name}. + + +%prep +%autosetup -n libtar-v%{version} -p1 + +# set correct version for .so build +%global ltversion %(echo %{version} | tr '.' 
':') +sed -i 's/-rpath $(libdir)/-rpath $(libdir) -version-number %{ltversion}/' \ + lib/Makefile.in + +autoreconf -iv + + +%build +%configure --disable-static +make %{?_smp_mflags} + + +%install +make install DESTDIR=$RPM_BUILD_ROOT +# Without this we get no debuginfo and stripping +chmod +x $RPM_BUILD_ROOT%{_libdir}/libtar.so.%{version} +rm $RPM_BUILD_ROOT%{_libdir}/*.la + + +%ldconfig_scriptlets + + +%files +%doc COPYRIGHT TODO README ChangeLog* +%{_bindir}/%{name} +%{_libdir}/lib*.so.* + +%files devel +%{_includedir}/libtar.h +%{_includedir}/libtar_listhash.h +%{_libdir}/lib*.so +%{_mandir}/man3/*.3* + + +%changelog +* Mon Dec 19 2022 Kamil Dudka - 1.2.20-17 +- fix use-after-free bugs introduced by incorrect memleak fixes (CVE-2021-33640) + +* Fri Aug 26 2022 Kamil Dudka - 1.2.20-16 +- fix memory leaks through gnu_long{name,link} (CVE-2021-33645 CVE-2021-33646) +- fix out-of-bounds read in gnu_long{name,link} (CVE-2021-33643 CVE-2021-33644) + +* Wed Nov 07 2018 Kamil Dudka - 1.2.20-15 +- fix programming mistakes detected by static analysis (#1602596) + +* Thu Jul 12 2018 Kamil Dudka - 1.2.20-14 +- fix source URL and re-download the upstream tarball + +* Wed May 30 2018 Kamil Dudka - 1.2.20-13 +- drop obsolete Group tags +- replace dead project URL + +* Thu Feb 08 2018 Igor Gnatenko - 1.2.20-12 +- Switch to %%ldconfig_scriptlets + +* Wed Feb 07 2018 Fedora Release Engineering - 1.2.20-12 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild + +* Thu Aug 03 2017 Fedora Release Engineering - 1.2.20-11 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild + +* Wed Jul 26 2017 Fedora Release Engineering - 1.2.20-10 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild + +* Fri Feb 10 2017 Fedora Release Engineering - 1.2.20-9 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild + +* Thu Feb 04 2016 Fedora Release Engineering - 1.2.20-8 +- Rebuilt for 
https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild + +* Wed Jun 17 2015 Fedora Release Engineering - 1.2.20-7 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild + +* Sat Feb 21 2015 Till Maas - 1.2.20-6 +- Rebuilt for Fedora 23 Change + https://fedoraproject.org/wiki/Changes/Harden_all_packages_with_position-independent_code + +* Sun Aug 17 2014 Fedora Release Engineering - 1.2.20-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild + +* Sat Jun 07 2014 Fedora Release Engineering - 1.2.20-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild + +* Fri Oct 25 2013 Kamil Dudka - 1.2.20-3 +- avoid using a static buffer in th_get_pathname() + +* Wed Oct 16 2013 Kamil Dudka - 1.2.20-2 +- use the upstream version of resource leak patches + +* Thu Oct 10 2013 Kamil Dudka - 1.2.20-1 +- update to 1.2.20 (latest upstream release) + +* Thu Oct 10 2013 Kamil Dudka - 1.2.11-28 +- fix CVE-2013-4397: buffer overflows by expanding a specially-crafted archive + +* Fri Oct 04 2013 Kamil Dudka - 1.2.11-27 +- fix file descriptor leaks reported by cppcheck (#785760) + +* Sat Aug 03 2013 Fedora Release Engineering - 1.2.11-26 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild + +* Thu Feb 14 2013 Fedora Release Engineering - 1.2.11-25 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild + +* Tue Aug 28 2012 Kamil Dudka - 1.2.11-24 +- fix specfile issues reported by the fedora-review script + +* Thu Jul 19 2012 Fedora Release Engineering - 1.2.11-23 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild + +* Fri Jan 13 2012 Fedora Release Engineering - 1.2.11-22 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild + +* Tue Aug 09 2011 Kamil Dudka - 1.2.11-21 +- Allow to extract debug-info from /usr/bin/libtar (#729009) + +* Tue Feb 08 2011 Fedora Release Engineering - 1.2.11-20 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild + +* Thu May 27 2010 
Kamil Dudka - 1.2.11-19 +- Completed review of memory leaks related patches (#589056) + +* Mon May 3 2010 Huzaifa Sidhpurwala - 1.2.11-18 +- Fix more memory leaks + +* Mon May 3 2010 Huzaifa Sidhpurwala - 1.2.11-17 +- Fix lot of memory leaks + +* Thu Dec 31 2009 Huzaifa Sidhpurwala - 1.2.11-16 +- Fix invalid memory de-reference issue in BZ #551415 + +* Fri Nov 20 2009 Huzaifa Sidhpurwala - 1.2.11-15 +- Fix buffer overflow in BZ #538770 + +* Tue Sep 22 2009 Stepan Kasal - 1.2.11-14 +- fix up so that it builds again (#511566) + +* Sat Jul 25 2009 Fedora Release Engineering - 1.2.11-13 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild + +* Wed Feb 25 2009 Fedora Release Engineering - 1.2.11-12 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild + +* Thu Apr 3 2008 Hans de Goede 1.2.11-11 +- Fix missing prototype compiler warnings + +* Tue Feb 19 2008 Fedora Release Engineering - 1.2.11-10 +- Autorebuild for GCC 4.3 + +* Mon Aug 13 2007 Hans de Goede 1.2.11-9 +- Update License tag for new Licensing Guidelines compliance + +* Mon Aug 28 2006 Hans de Goede 1.2.11-8 +- FE6 Rebuild + +* Sun Jul 23 2006 Hans de Goede 1.2.11-7 +- Taking over as maintainer since Anvil has other priorities +- Add a bunch of patches from Debian, which build a .so instead of a .a + and fix a bunch of memory leaks. +- Reinstate a proper devel package as we now build a .so + +* Thu Mar 16 2006 Dams - 1.2.11-6.fc5 +- Modified URL and added one in Source0 + +* Sun May 22 2005 Jeremy Katz - 1.2.11-5 +- rebuild on all arches + +* Fri Apr 8 2005 Michael Schwendt +- rebuilt + +* Sat Aug 16 2003 Dams 0:1.2.11-0.fdr.3 +- Merged devel and main packages +- Package provide now libtar-devel + +* Tue Jul 8 2003 Dams +- Initial build.
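Review bot: The comment above Patch10 says only "fix memory leaks through gnu_long{name,link}", while the 1.2.20-17 changelog entry records that the earlier memleak fix introduced use-after-free bugs (CVE-2021-33640) and this release fixes them; no line in the patch list names that CVE, so the mapping from changelog to patch file is lost. Presumably the October 2022 revision of libtar-1.2.20-CVE-2021-33645-CVE-2021-33646.patch is the corrected fix, in which case the comment should say so, e.g. `# fix memory leaks through gnu_long{name,link} (CVE-2021-33645 CVE-2021-33646), reworked to avoid the use-after-free of the first fix (CVE-2021-33640)`. The numbering also jumps from Patch1 to Patch4, which is harmless under %autosetup -p1 but worth a short note if the gap is intentional.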