Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
app-arch/tar-1.34: Adding a patch to fix CVE-2022-48303
This patch is cherry-picked from the upstream gnu/tar repository which fixes a heap buffer overflow issue in the utility. This fix is needed to resolve CVE-2022-48303. Bug: https://bugs.gentoo.org/898176 Signed-off-by: Nobel Barakat <nobelbarakat@google.com>
- Loading branch information
1 parent
8f3fb45
commit 53ba246
Showing
2 changed files
with
34 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,30 @@ | ||
From 3da78400eafcccb97e2f2fd4b227ea40d794ede8 Mon Sep 17 00:00:00 2001 | ||
From: Sergey Poznyakoff <gray@gnu.org> | ||
Date: Sat, 11 Feb 2023 11:57:39 +0200 | ||
Subject: [PATCH] Fix boundary checking in base-256 decoder | ||
|
||
* src/list.c (from_header): Base-256 encoding is at least 2 bytes | ||
long. | ||
--- | ||
src/list.c | 5 +++-- | ||
1 file changed, 3 insertions(+), 2 deletions(-) | ||
|
||
diff --git a/src/list.c b/src/list.c | ||
index 9fafc425..86bcfdd1 100644 | ||
--- a/src/list.c | ||
+++ b/src/list.c | ||
@@ -881,8 +881,9 @@ from_header (char const *where0, size_t digs, char const *type, | ||
where++; | ||
} | ||
} | ||
- else if (*where == '\200' /* positive base-256 */ | ||
- || *where == '\377' /* negative base-256 */) | ||
+ else if (where <= lim - 2 | ||
+ && (*where == '\200' /* positive base-256 */ | ||
+ || *where == '\377' /* negative base-256 */)) | ||
{ | ||
/* Parse base-256 output. A nonnegative number N is | ||
represented as (256**DIGS)/2 + N; a negative number -N is | ||
-- | ||
2.39.2.637.g21b0678d19-goog | ||
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters