On Tuesday 02 of December 2014 11:39:30 Sergey Poznyakoff wrote:
> Pavel Raiskup <prais...@redhat.com> ha escrit:
>
> > Thanks for fixing!  Just a nit:
>
> Yes, of course.

There is still one new NULL pointer dereference.  Also, the get_link_name
does not guarantee the two possibilities only: "successful read of symlink
name and seek the archive properly OR exit_failure" so cpio is unable to
recover, potentially.

See the bt:

   (gdb) run -idv < lesspipe-cpio-bad-write.cpio
   Starting program: /home/praiskup/cpio/src/cpio -idv < lesspipe-cpio-bad-write.cpio
   Missing separate debuginfos, use: debuginfo-install glibc-2.20-5.fc21.i686
   /home/praiskup/cpio/src/cpio: hello: stored filename length is out of range

   Program received signal SIGSEGV, Segmentation fault.

   0x0805db58 in quotearg_buffer_restyled (buffer=0x806d040 <slot0> "", buffersize=256, arg=0x0, argsize=4294967295, quoting_style=literal_quoting_style, flags=1, quote_these_too=0xbffff378, left_quote=0x0, right_quote=0x0)
       at quotearg.c:345
   345       for (i = 0;  ! (argsize == SIZE_MAX ? arg[i] == '\0' : i == argsize);  i++)
   (gdb) bt
   #0  0x0805db58 in quotearg_buffer_restyled (buffer=0x806d040 <slot0> "", buffersize=256, arg=0x0, argsize=4294967295, quoting_style=literal_quoting_style, flags=1, quote_these_too=0xbffff378, left_quote=0x0, right_quote=0x0)
       at quotearg.c:345
   #1  0x0805df66 in quotearg_n_options (n=0, arg=0x0, argsize=4294967295, options=0xbffff370) at quotearg.c:804
   #2  0x0805e1ad in quotearg_char_mem (arg=0x0, argsize=4294967295, ch=58 ':') at quotearg.c:884
   #3  0x0805e1d0 in quotearg_char (arg=0x0, ch=58 ':') at quotearg.c:890
   #4  0x0805e1e8 in quotearg_colon (arg=0x0) at quotearg.c:896
   #5  0x0804b548 in copyin_link (file_hdr=0xbffff488, in_file_des=0) at copyin.c:680
   #6  0x0804b6da in copyin_file (file_hdr=0xbffff488, in_file_des=0) at copyin.c:729
   #7  0x0804ceeb in process_copy_in () at copyin.c:1480
   #8  0x08051527 in main (argc=2, argv=0xbffff624) at main.c:788

Note also that I had to install the attached fix for the testsuite, as
the actual CVE fix causes different errors among different architectures.
The tested scenario is too non-deterministic also.

Pavel
From e022b387c573715869621480091262ef09a5a474 Mon Sep 17 00:00:00 2001
From: Pavel Raiskup <prais...@redhat.com>
Date: Thu, 11 Dec 2014 08:26:32 +0100
Subject: [PATCH] testsuite: cover architecture differences

* tests/symlink-bad-length.at: Handle timezone hard-wired in
archive. Cover all possible error outputs depending on
architecture, memory, etc.
---
 tests/symlink-bad-length.at | 17 ++++++++++++-----
 1 file changed, 12 insertions(+), 5 deletions(-)

diff --git a/tests/symlink-bad-length.at b/tests/symlink-bad-length.at
index cbf4aa7..d8d250b 100644
--- a/tests/symlink-bad-length.at
+++ b/tests/symlink-bad-length.at
@@ -37,13 +37,20 @@ AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
 
 AT_CHECK([
 base64 -d ARCHIVE.base64 > ARCHIVE || AT_SKIP_TEST
-cpio -ntv < ARCHIVE
-test $? -eq 2
+TZ=UTC cpio -ntv < ARCHIVE 2>stderr
+rc=$?
+cat stderr | grep -v \
+    -e 'stored filename length is out of range' \
+    -e 'premature end of file' \
+    -e 'archive header has reverse byte-order' \
+    -e 'memory exhausted' \
+    >&2
+echo >&2 STDERR
+test "$rc" -ne 0
 ],
 [0],
-[-rw-rw-r--   1 10029    10031          13 Nov 25 13:52 FILE
-],[cpio: LINK: stored filename length is out of range
-cpio: premature end of file
+[-rw-rw-r--   1 10029    10031          13 Nov 25 11:52 FILE
+],[STDERR
 ])
 
 AT_CLEANUP
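Review bot: with `test "$rc" -ne 0` replacing `test $? -eq 2` and all four messages removed from stderr before comparison, the test no longer shows that the new length check is what rejected the archive; a build where that check were missing but cpio still failed with 'premature end of file' or 'memory exhausted' would pass this hunk unchanged. If 'stored filename length is out of range' is printed on every architecture, consider keeping the filter for the secondary messages but also requiring that line, e.g. `grep -q 'stored filename length is out of range' stderr`; if it is not, a comment in the test naming which architecture produces which message would help the next reader. Minor: `cat stderr | grep -v ...` can be written `grep -v ... stderr`.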
-- 
1.9.3

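Added example, not cpio's code: a minimal C sketch of the contract the message above asks for, where the link-name reader either returns a usable name or returns NULL together with a diagnostic, and the caller checks for NULL before handing the name to any quoting or printing helper. The header layout, MAX_LINK_LEN and the function names are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed upper bound for illustration only, not cpio's actual limit. */
#define MAX_LINK_LEN 4096

/* Hypothetical simplified entry: the link target follows the header and its
   declared length is c_filesize; avail is how many bytes really follow. */
struct entry {
    uint32_t c_filesize;
    const unsigned char *data;
    size_t avail;
};

/* Returns a NUL-terminated copy of the link name, or NULL with *why set when
   the declared length is out of range, the archive is truncated, or memory
   runs out.  The caller must test for NULL: passing it on to a quoting helper
   is exactly the quotearg_colon(arg=0x0) crash in the backtrace above. */
static char *get_link_name(const struct entry *e, const char **why)
{
    if (e->c_filesize == 0 || e->c_filesize > MAX_LINK_LEN) {
        *why = "stored filename length is out of range";
        return NULL;
    }
    if (e->c_filesize > e->avail) {
        *why = "premature end of file";
        return NULL;
    }
    char *name = malloc((size_t)e->c_filesize + 1);
    if (name == NULL) { *why = "memory exhausted"; return NULL; }
    memcpy(name, e->data, e->c_filesize);
    name[e->c_filesize] = '\0';
    *why = NULL;
    return name;
}

/* Caller: either formats the name, or reports the diagnostic and skips the
   entry.  Returns 0 on success and 1 when the entry was skipped. */
static int copyin_link(const struct entry *e, char *out, size_t outlen)
{
    const char *why;
    char *name = get_link_name(e, &why);
    if (name == NULL) {
        snprintf(out, outlen, "cpio: %s", why);  /* never touches NULL name */
        return 1;
    }
    snprintf(out, outlen, "symlink -> %s", name);
    free(name);
    return 0;
}
```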