diff --git a/SPECS/tar/CVE-2022-48303.patch b/SPECS/tar/CVE-2022-48303.patch new file mode 100644 index 00000000000..ace509e6a69 --- /dev/null +++ b/SPECS/tar/CVE-2022-48303.patch @@ -0,0 +1,29 @@ +From aaba852a19b5ed717a48e62baa277966cdbdcb05 Mon Sep 17 00:00:00 2001 +From: kavyasree +Date: Tue, 19 Nov 2024 10:23:25 +0530 +Subject: [PATCH] Fix CVE-2022-48303 + +--- + src/list.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/src/list.c b/src/list.c +index d7ef441..20ae4ee 100644 +--- a/src/list.c ++++ b/src/list.c +@@ -888,6 +888,12 @@ from_header (char const *where0, size_t digs, char const *type, + << (CHAR_BIT * sizeof (uintmax_t) + - LG_256 - (LG_256 - 2))); + value = (*where++ & ((1 << (LG_256 - 2)) - 1)) - signbit; ++ if (where == lim) ++ { ++ if (type && !silent) ++ ERROR ((0, 0, _("Archive base-256 value is invalid"))); ++ return -1; ++ } + for (;;) + { + value = (value << LG_256) + (unsigned char) *where++; +-- +2.34.1 + diff --git a/SPECS/tar/CVE-2023-39804.patch b/SPECS/tar/CVE-2023-39804.patch new file mode 100644 index 00000000000..f5c50cb9b1e --- /dev/null +++ b/SPECS/tar/CVE-2023-39804.patch @@ -0,0 +1,57 @@ +From eb012d7c582f2fd1921d7ddd94ae5b5b09a625d7 Mon Sep 17 00:00:00 2001 +From: kavyasree +Date: Tue, 19 Nov 2024 13:00:38 +0530 +Subject: [PATCH] Fix CVE-2023-39804 + +--- + src/xheader.c | 17 +++++++++-------- + 1 file changed, 9 insertions(+), 8 deletions(-) + +diff --git a/src/xheader.c b/src/xheader.c +index 229137e..078a12d 100644 +--- a/src/xheader.c ++++ b/src/xheader.c +@@ -638,11 +638,11 @@ static struct xhdr_tab const * + locate_handler (char const *keyword) + { + struct xhdr_tab const *p; +- + for (p = xhdr_tab; p->keyword; p++) + if (p->prefix) + { +- if (strncmp (p->keyword, keyword, strlen(p->keyword)) == 0) ++ size_t kwlen = strlen (p->keyword); ++ if (keyword[kwlen] == '.' && strncmp (p->keyword, keyword, kwlen) == 0) + return p; + } + else +@@ -1717,19 +1717,20 @@ xattr_decoder (struct tar_stat_info *st, + char const *keyword, char const *arg, size_t size) + { + char *xstr, *xkey; +- ++ + /* copy keyword */ +- size_t klen_raw = strlen (keyword); +- xkey = alloca (klen_raw + 1); +- memcpy (xkey, keyword, klen_raw + 1) /* including null-terminating */; ++ xkey = xstrdup (keyword); + + /* copy value */ +- xstr = alloca (size + 1); ++ xstr = xmalloc (size + 1); + memcpy (xstr, arg, size + 1); /* separator included, for GNU tar '\n' */; + + xattr_decode_keyword (xkey); + +- xheader_xattr_add (st, xkey + strlen("SCHILY.xattr."), xstr, size); ++ xheader_xattr_add (st, xkey + strlen ("SCHILY.xattr."), xstr, size); ++ ++ free (xkey); ++ free (xstr); + } + + static void +-- +2.34.1 + diff --git a/SPECS/tar/tar.spec b/SPECS/tar/tar.spec index 826f548fc31..322e4e56ed9 100644 --- a/SPECS/tar/tar.spec +++ b/SPECS/tar/tar.spec @@ -1,19 +1,21 @@ Summary: Archiving program Name: tar Version: 1.34 -Release: 2%{?dist} +Release: 3%{?dist} License: GPLv3+ URL: https://www.gnu.org/software/tar Group: Applications/System Vendor: Microsoft Corporation Distribution: Mariner Source0: https://ftp.gnu.org/gnu/%{name}/%{name}-%{version}.tar.xz +Patch0: CVE-2022-48303.patch +Patch1: CVE-2023-39804.patch %description Contains GNU archiving program %prep -%setup -q +%autosetup -p1 %build FORCE_UNSAFE_CONFIGURE=1 ./configure \ --prefix=%{_prefix} \ @@ -43,6 +45,10 @@ make %{?_smp_mflags} check %{_mandir}/*/* %changelog +* Tue Nov 19 2024 Kavya Sree Kaitepalli - 1.34-3 +- Fix CVE-2022-48303 by patching +- Fix CVE-2023-39804 + * Wed Sep 20 2023 Jon Slobodzian - 1.34-2 - Recompile with stack-protection fixed gcc version (CVE-2023-4039) diff --git a/toolkit/resources/manifests/package/pkggen_core_aarch64.txt b/toolkit/resources/manifests/package/pkggen_core_aarch64.txt index bda18e44316..16a8f465a24 100644 --- a/toolkit/resources/manifests/package/pkggen_core_aarch64.txt +++ b/toolkit/resources/manifests/package/pkggen_core_aarch64.txt @@ -69,7 +69,7 @@ libcap-ng-devel-0.8.2-2.cm2.aarch64.rpm util-linux-2.37.4-9.cm2.aarch64.rpm util-linux-devel-2.37.4-9.cm2.aarch64.rpm util-linux-libs-2.37.4-9.cm2.aarch64.rpm -tar-1.34-2.cm2.aarch64.rpm +tar-1.34-3.cm2.aarch64.rpm xz-5.2.5-1.cm2.aarch64.rpm xz-devel-5.2.5-1.cm2.aarch64.rpm xz-lang-5.2.5-1.cm2.aarch64.rpm diff --git a/toolkit/resources/manifests/package/pkggen_core_x86_64.txt b/toolkit/resources/manifests/package/pkggen_core_x86_64.txt index fe7241918ab..c6bbc288e85 100644 --- a/toolkit/resources/manifests/package/pkggen_core_x86_64.txt +++ b/toolkit/resources/manifests/package/pkggen_core_x86_64.txt @@ -69,7 +69,7 @@ libcap-ng-devel-0.8.2-2.cm2.x86_64.rpm util-linux-2.37.4-9.cm2.x86_64.rpm util-linux-devel-2.37.4-9.cm2.x86_64.rpm util-linux-libs-2.37.4-9.cm2.x86_64.rpm -tar-1.34-2.cm2.x86_64.rpm +tar-1.34-3.cm2.x86_64.rpm xz-5.2.5-1.cm2.x86_64.rpm xz-devel-5.2.5-1.cm2.x86_64.rpm xz-lang-5.2.5-1.cm2.x86_64.rpm diff --git a/toolkit/resources/manifests/package/toolchain_aarch64.txt b/toolkit/resources/manifests/package/toolchain_aarch64.txt index f2d5830175d..80f7dec789c 100644 --- a/toolkit/resources/manifests/package/toolchain_aarch64.txt +++ b/toolkit/resources/manifests/package/toolchain_aarch64.txt @@ -558,8 +558,8 @@ systemd-bootstrap-250.3-12.cm2.aarch64.rpm systemd-bootstrap-debuginfo-250.3-12.cm2.aarch64.rpm systemd-bootstrap-devel-250.3-12.cm2.aarch64.rpm systemd-bootstrap-rpm-macros-250.3-12.cm2.noarch.rpm -tar-1.34-2.cm2.aarch64.rpm -tar-debuginfo-1.34-2.cm2.aarch64.rpm +tar-1.34-3.cm2.aarch64.rpm +tar-debuginfo-1.34-3.cm2.aarch64.rpm tdnf-3.5.2-4.cm2.aarch64.rpm tdnf-autoupdate-3.5.2-4.cm2.aarch64.rpm tdnf-cli-libs-3.5.2-4.cm2.aarch64.rpm diff --git a/toolkit/resources/manifests/package/toolchain_x86_64.txt b/toolkit/resources/manifests/package/toolchain_x86_64.txt index b3dba21b41b..e3bc779091b 100644 --- a/toolkit/resources/manifests/package/toolchain_x86_64.txt +++ b/toolkit/resources/manifests/package/toolchain_x86_64.txt @@ -564,8 +564,8 @@ systemd-bootstrap-250.3-12.cm2.x86_64.rpm systemd-bootstrap-debuginfo-250.3-12.cm2.x86_64.rpm systemd-bootstrap-devel-250.3-12.cm2.x86_64.rpm systemd-bootstrap-rpm-macros-250.3-12.cm2.noarch.rpm -tar-1.34-2.cm2.x86_64.rpm -tar-debuginfo-1.34-2.cm2.x86_64.rpm +tar-1.34-3.cm2.x86_64.rpm +tar-debuginfo-1.34-3.cm2.x86_64.rpm tdnf-3.5.2-4.cm2.x86_64.rpm tdnf-autoupdate-3.5.2-4.cm2.x86_64.rpm tdnf-cli-libs-3.5.2-4.cm2.x86_64.rpm