[AUTO-CHERRYPICK] [2.0] tar: Fix CVE-2022-48303 and CVE-2023-39804 - branch main (#11163)

CBL-Mariner-Bot · KavyaSree2610 · web-flow · commit abf0a63dda4e · 2024-11-23T09:46:27.000-05:00
Co-authored-by: KavyaSree2610 &lt;92566732+KavyaSree2610@users.noreply.github.com&gt;
diff --git a/SPECS/tar/CVE-2022-48303.patch b/SPECS/tar/CVE-2022-48303.patch
@@ -0,0 +1,29 @@
+From aaba852a19b5ed717a48e62baa277966cdbdcb05 Mon Sep 17 00:00:00 2001
+From: kavyasree <kkaitepalli@microsoft.com>
+Date: Tue, 19 Nov 2024 10:23:25 +0530
+Subject: [PATCH] Fix CVE-2022-48303
+
+---
+ src/list.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/src/list.c b/src/list.c
+index d7ef441..20ae4ee 100644
+--- a/src/list.c
++++ b/src/list.c
+@@ -888,6 +888,12 @@ from_header (char const *where0, size_t digs, char const *type,
+ 			   << (CHAR_BIT * sizeof (uintmax_t)
+ 			       - LG_256 - (LG_256 - 2)));
+       value = (*where++ & ((1 << (LG_256 - 2)) - 1)) - signbit;
++      if (where == lim)
++        {
++          if (type && !silent)
++            ERROR ((0, 0, _("Archive base-256 value is invalid")));
++          return -1;
++        }
+       for (;;)
+ 	{
+ 	  value = (value << LG_256) + (unsigned char) *where++;
+-- 
+2.34.1
+
diff --git a/SPECS/tar/CVE-2023-39804.patch b/SPECS/tar/CVE-2023-39804.patch
@@ -0,0 +1,57 @@
+From eb012d7c582f2fd1921d7ddd94ae5b5b09a625d7 Mon Sep 17 00:00:00 2001
+From: kavyasree <kkaitepalli@microsoft.com>
+Date: Tue, 19 Nov 2024 13:00:38 +0530
+Subject: [PATCH] Fix CVE-2023-39804
+
+---
+ src/xheader.c | 17 +++++++++--------
+ 1 file changed, 9 insertions(+), 8 deletions(-)
+
+diff --git a/src/xheader.c b/src/xheader.c
+index 229137e..078a12d 100644
+--- a/src/xheader.c
++++ b/src/xheader.c
+@@ -638,11 +638,11 @@ static struct xhdr_tab const *
+ locate_handler (char const *keyword)
+ {
+   struct xhdr_tab const *p;
+-
+   for (p = xhdr_tab; p->keyword; p++)
+     if (p->prefix)
+       {
+-        if (strncmp (p->keyword, keyword, strlen(p->keyword)) == 0)
++	size_t kwlen = strlen (p->keyword);
++        if (keyword[kwlen] == '.' && strncmp (p->keyword, keyword, kwlen) == 0)
+           return p;
+       }
+     else
+@@ -1717,19 +1717,20 @@ xattr_decoder (struct tar_stat_info *st,
+                char const *keyword, char const *arg, size_t size)
+ {
+   char *xstr, *xkey;
+-
++  
+   /* copy keyword */
+-  size_t klen_raw = strlen (keyword);
+-  xkey = alloca (klen_raw + 1);
+-  memcpy (xkey, keyword, klen_raw + 1) /* including null-terminating */;
++  xkey = xstrdup (keyword);
+ 
+   /* copy value */
+-  xstr = alloca (size + 1);
++  xstr = xmalloc (size + 1);
+   memcpy (xstr, arg, size + 1); /* separator included, for GNU tar '\n' */;
+ 
+   xattr_decode_keyword (xkey);
+ 
+-  xheader_xattr_add (st, xkey + strlen("SCHILY.xattr."), xstr, size);
++  xheader_xattr_add (st, xkey + strlen ("SCHILY.xattr."), xstr, size);
++
++  free (xkey);
++  free (xstr);
+ }
+ 
+ static void
+-- 
+2.34.1
+
diff --git a/SPECS/tar/tar.spec b/SPECS/tar/tar.spec
@@ -1,19 +1,21 @@
 Summary:        Archiving program
 Name:           tar
 Version:        1.34
-Release:        2%{?dist}
+Release:        3%{?dist}
 License:        GPLv3+
 URL:            https://www.gnu.org/software/tar
 Group:          Applications/System
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
 Source0:        https://ftp.gnu.org/gnu/%{name}/%{name}-%{version}.tar.xz
+Patch0:		CVE-2022-48303.patch
+Patch1:		CVE-2023-39804.patch
 
 %description
 Contains GNU archiving program
 
 %prep
-%setup -q
+%autosetup -p1
 %build
 FORCE_UNSAFE_CONFIGURE=1  ./configure \
     --prefix=%{_prefix} \
@@ -43,6 +45,10 @@ make  %{?_smp_mflags} check
 %{_mandir}/*/*
 
 %changelog
+* Tue Nov 19 2024 Kavya Sree Kaitepalli <kkaitepalli@microsoft.com> - 1.34-3
+- Fix CVE-2022-48303 by patching
+- Fix CVE-2023-39804
+
 * Wed Sep 20 2023 Jon Slobodzian <joslobo@microsoft.com> - 1.34-2
 - Recompile with stack-protection fixed gcc version (CVE-2023-4039)
 
diff --git a/toolkit/resources/manifests/package/pkggen_core_aarch64.txt b/toolkit/resources/manifests/package/pkggen_core_aarch64.txt
@@ -69,7 +69,7 @@ libcap-ng-devel-0.8.2-2.cm2.aarch64.rpm
 util-linux-2.37.4-9.cm2.aarch64.rpm
 util-linux-devel-2.37.4-9.cm2.aarch64.rpm
 util-linux-libs-2.37.4-9.cm2.aarch64.rpm
-tar-1.34-2.cm2.aarch64.rpm
+tar-1.34-3.cm2.aarch64.rpm
 xz-5.2.5-1.cm2.aarch64.rpm
 xz-devel-5.2.5-1.cm2.aarch64.rpm
 xz-lang-5.2.5-1.cm2.aarch64.rpm
diff --git a/toolkit/resources/manifests/package/pkggen_core_x86_64.txt b/toolkit/resources/manifests/package/pkggen_core_x86_64.txt
@@ -69,7 +69,7 @@ libcap-ng-devel-0.8.2-2.cm2.x86_64.rpm
 util-linux-2.37.4-9.cm2.x86_64.rpm
 util-linux-devel-2.37.4-9.cm2.x86_64.rpm
 util-linux-libs-2.37.4-9.cm2.x86_64.rpm
-tar-1.34-2.cm2.x86_64.rpm
+tar-1.34-3.cm2.x86_64.rpm
 xz-5.2.5-1.cm2.x86_64.rpm
 xz-devel-5.2.5-1.cm2.x86_64.rpm
 xz-lang-5.2.5-1.cm2.x86_64.rpm
diff --git a/toolkit/resources/manifests/package/toolchain_aarch64.txt b/toolkit/resources/manifests/package/toolchain_aarch64.txt
@@ -558,8 +558,8 @@ systemd-bootstrap-250.3-12.cm2.aarch64.rpm
 systemd-bootstrap-debuginfo-250.3-12.cm2.aarch64.rpm
 systemd-bootstrap-devel-250.3-12.cm2.aarch64.rpm
 systemd-bootstrap-rpm-macros-250.3-12.cm2.noarch.rpm
-tar-1.34-2.cm2.aarch64.rpm
-tar-debuginfo-1.34-2.cm2.aarch64.rpm
+tar-1.34-3.cm2.aarch64.rpm
+tar-debuginfo-1.34-3.cm2.aarch64.rpm
 tdnf-3.5.2-4.cm2.aarch64.rpm
 tdnf-autoupdate-3.5.2-4.cm2.aarch64.rpm
 tdnf-cli-libs-3.5.2-4.cm2.aarch64.rpm
diff --git a/toolkit/resources/manifests/package/toolchain_x86_64.txt b/toolkit/resources/manifests/package/toolchain_x86_64.txt
@@ -564,8 +564,8 @@ systemd-bootstrap-250.3-12.cm2.x86_64.rpm
 systemd-bootstrap-debuginfo-250.3-12.cm2.x86_64.rpm
 systemd-bootstrap-devel-250.3-12.cm2.x86_64.rpm
 systemd-bootstrap-rpm-macros-250.3-12.cm2.noarch.rpm
-tar-1.34-2.cm2.x86_64.rpm
-tar-debuginfo-1.34-2.cm2.x86_64.rpm
+tar-1.34-3.cm2.x86_64.rpm
+tar-debuginfo-1.34-3.cm2.x86_64.rpm
 tdnf-3.5.2-4.cm2.x86_64.rpm
 tdnf-autoupdate-3.5.2-4.cm2.x86_64.rpm
 tdnf-cli-libs-3.5.2-4.cm2.x86_64.rpm
