app-arch/tar-1.34: Adding a patch to fix CVE-2022-48303

This patch is cherry-picked from the upstream gnu/tar repository which fixes a heap buffer overflow issue in the utility. This fix is needed to resolve CVE-2022-48303. Bug: https://bugs.gentoo.org/898176 Signed-off-by: Nobel Barakat <nobelbarakat@google.com>
gentoo · Feb 27, 2023 · 53ba246 · 53ba246
1 parent 8f3fb45
commit 53ba246
Show file tree

Hide file tree

Showing 2 changed files with 34 additions and 0 deletions.
diff --git a/app-arch/tar/files/tar-1.34-fix-cve-2022-48303.patch b/app-arch/tar/files/tar-1.34-fix-cve-2022-48303.patch
@@ -0,0 +1,30 @@
+From 3da78400eafcccb97e2f2fd4b227ea40d794ede8 Mon Sep 17 00:00:00 2001
+From: Sergey Poznyakoff <gray@gnu.org>
+Date: Sat, 11 Feb 2023 11:57:39 +0200
+Subject: [PATCH] Fix boundary checking in base-256 decoder
+
+* src/list.c (from_header): Base-256 encoding is at least 2 bytes
+long.
+---
+ src/list.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/src/list.c b/src/list.c
+index 9fafc425..86bcfdd1 100644
+--- a/src/list.c
++++ b/src/list.c
+@@ -881,8 +881,9 @@ from_header (char const *where0, size_t digs, char const *type,
+ 	  where++;
+ 	}
+     }
+-  else if (*where == '\200' /* positive base-256 */
+-	   || *where == '\377' /* negative base-256 */)
++  else if (where <= lim - 2
++	   && (*where == '\200' /* positive base-256 */
++	       || *where == '\377' /* negative base-256 */))
+     {
+       /* Parse base-256 output.  A nonnegative number N is
+ 	 represented as (256**DIGS)/2 + N; a negative number -N is
+-- 
+2.39.2.637.g21b0678d19-goog
+
diff --git a/app-arch/tar/tar-1.34-r2.ebuild → app-arch/tar/tar-1.34-r3.ebuild b/app-arch/tar/tar-1.34-r2.ebuild → app-arch/tar/tar-1.34-r3.ebuild
@@ -37,6 +37,10 @@ PDEPEND="
 	app-alternatives/tar
 "
 
+PATCHES=(
+	"${FILESDIR}"/${P}-fix-cve-2022-48303.patch
+)
+
 src_configure() {
 	local myeconfargs=(
 		--bindir="${EPREFIX}"/bin