Hello community, here is the log from the commit of package cpio for openSUSE:Factory checked in at 2016-02-24 18:28:55 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/cpio (Old) and /work/SRC/openSUSE:Factory/.cpio.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "cpio" Changes: -------- --- /work/SRC/openSUSE:Factory/cpio/cpio.changes 2015-10-14 16:34:58.000000000 +0200 +++ /work/SRC/openSUSE:Factory/.cpio.new/cpio.changes 2016-02-24 18:28:56.000000000 +0100 @@ -1,0 +2,7 @@ +Fri Feb 19 15:47:00 UTC 2016 - [email protected] + +- add cpio-2.12-out_of_bounds_write.patch to fix an out of bounds + write in a way cpio parses certain cpio files [bsc#963448], + [CVE-2016-2037] + +------------------------------------------------------------------- New: ---- cpio-2.12-out_of_bounds_write.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ cpio.spec ++++++ --- /var/tmp/diff_new_pack.PfcCw2/_old 2016-02-24 18:28:57.000000000 +0100 +++ /var/tmp/diff_new_pack.PfcCw2/_new 2016-02-24 18:28:57.000000000 +0100 @@ -1,7 +1,7 @@ # # spec file for package cpio # -# Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -43,6 +43,7 @@ Patch24: cpio-check_for_symlinks.patch Patch25: cpio-fix_truncation_check.patch Patch26: cpio-2.12-util.c_no_return_in_nonvoid_fnc.patch +Patch27: cpio-2.12-out_of_bounds_write.patch BuildRequires: autoconf BuildRequires: automake Requires(post): %{install_info_prereq} 
@@ -79,6 +80,7 @@ %patch24 -p1 %patch25 -p1 %patch26 -p1 +%patch27 -p1 #chmod 755 . #chmod u+w * #chmod a+r * ++++++ cpio-2.12-out_of_bounds_write.patch ++++++ * src/copyin.c (process_copy_in): Make sure that file_hdr.c_name has at least two bytes allocated. * src/util.c (cpio_safer_name_suffix): Document that use of this function requires to be careful. --- src/copyin.c | 2 ++ src/util.c | 5 ++++- 2 files changed, 6 insertions(+), 1 deletion(-) Index: cpio-2.12/src/copyin.c =================================================================== --- cpio-2.12.orig/src/copyin.c +++ cpio-2.12/src/copyin.c @@ -1434,6 +1434,8 @@ process_copy_in () break; } + if (file_hdr.c_namesize <= 1) + file_hdr.c_name = xrealloc(file_hdr.c_name, 2); cpio_safer_name_suffix (file_hdr.c_name, false, !no_abs_paths_flag, false); Index: cpio-2.12/src/util.c =================================================================== --- cpio-2.12.orig/src/util.c +++ cpio-2.12/src/util.c @@ -1460,7 +1460,10 @@ set_file_times (int fd, } /* Do we have to ignore absolute paths, and if so, does the filename - have an absolute path? */ + have an absolute path? + Before calling this function make sure that the allocated NAME buffer has + capacity at least 2 bytes to allow us to store the "." string inside. */ + void cpio_safer_name_suffix (char *name, bool link_target, bool absolute_names, bool strip_leading_dots)
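Review bot: In the src/copyin.c hunk (process_copy_in), the new guard reallocates file_hdr.c_name to 2 bytes when c_namesize <= 1 but leaves c_namesize unchanged and does not initialise the added byte, so the recorded size no longer matches the allocation and the reason for the constant 2 is not stated at the call site. Add a one-line comment there saying the 2 bytes are for "." plus its terminating NUL, as the util.c comment explains. Also consider guaranteeing this minimum where c_name is allocated, so that every call to cpio_safer_name_suffix on a header name gets it and not only this one.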
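Review bot: In the src/util.c hunk, the 2-byte requirement on NAME is only documented in the comment above cpio_safer_name_suffix and nothing in the function enforces it, so any caller other than the one patched in process_copy_in still has to get it right by hand. Consider passing the buffer size into the function so it can check before storing ".", or state in the patch description which callers were audited. On style, the hunk adds an empty line between the comment and "void", which detaches the comment from the function it documents, and "has capacity at least 2 bytes" reads better as "has a capacity of at least 2 bytes".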
