Package: libtar / 1.2.16-1+deb7u2

Metadata

Package: libtar
Version: 1.2.16-1+deb7u2
Patches format: 3.0 (quilt)

Patch series

Patch | File delta | Description

size_t overflow_cve 2013 4397.patch

lib/block.c | 38 24 + 14 - 0 !
1 file changed, 24 insertions(+), 14 deletions(-)

 [patch] fixed size_t overflow bug, as reported by timo warns


CVE 2013 4420.patch

lib/decode.c | 36 33 + 3 - 0 !
lib/extract.c | 8 4 + 4 - 0 !
lib/internal.h | 1 1 + 0 - 0 !
lib/output.c | 4 2 + 2 - 0 !
4 files changed, 40 insertions(+), 9 deletions(-)

 avoid directory traversal when extracting archives
 by skipping over leading slashes and any prefix containing ".." components.


th_get_size unsigned int.patch

lib/libtar.h | 6 5 + 1 - 0 !
1 file changed, 5 insertions(+), 1 deletion(-)

 [patch] change th_get_size() macro to return unsigned int

On systems where size_t is larger than an int (and larger than
unsigned int), then in various places in the library, where
stuff like this happens:

	size_t sz = th_get_size(t);

then the int value returned from th_get_size() is sign extended to
some unwieldy amount.

On 64bit systems, this can yield extremely large values.

By fixing this problem in the header, and only for th_get_size(),
we avoid breaking the API of the function call oct_to_int()
(which arguably should return an unsigned int, since the sscanf()
it uses expects to yield an unsigned int).  We also fix the library,
which uses th_get_size() internally to assign sizes to size_t.

The drawback is that not all client code that uses th_get_size()
will be fixed, until they recompile, but they will automatically
take advantage of the bugs fixed *inside* the library.

The remaining th_get_*() functions operate on modes and CRC values
and the like, and should be fine, remaining as ints.

Thanks very much to Magnus Holmgren for catching this behaviour.
https://lists.feep.net:8080/pipermail/libtar/2013-October/000365.html
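
The sign extension described in the commit message above, as an added C example (not libtar's code and not part of the patch). `parse_octal_field`, `size_via_int` and `size_via_uint` are hypothetical names, the size field is constructed, and the huge value assumes a platform where size_t is wider than int and a compiler such as GCC or Clang that wraps the out-of-range conversion to int.

```c
#include <stdio.h>
#include <stddef.h>

/* Hypothetical stand-in for parsing a tar header's 12-byte octal size
 * field; this is not libtar's oct_to_int(). Parsing stops at the first
 * byte that is not an octal digit (the field is NUL or space padded). */
static unsigned long parse_octal_field(const char *field, size_t len)
{
    unsigned long v = 0;
    size_t i = 0;

    while (i < len && field[i] == ' ')          /* skip leading padding */
        i++;
    for (; i < len && field[i] >= '0' && field[i] <= '7'; i++)
        v = (v << 3) | (unsigned long)(field[i] - '0');
    return v;
}

/* Before the fix: the size accessor yields a signed int. Converting a
 * value above INT_MAX to int is implementation-defined; GCC and Clang
 * wrap it to a negative number. */
static size_t size_via_int(const char *field)
{
    int as_int = (int)parse_octal_field(field, 12);
    size_t sz = as_int;         /* negative int is sign extended here */
    return sz;
}

/* After the fix: the accessor yields unsigned int, so widening to
 * size_t zero extends and the value is preserved. */
static size_t size_via_uint(const char *field)
{
    unsigned int as_uint = (unsigned int)parse_octal_field(field, 12);
    size_t sz = as_uint;
    return sz;
}

int main(void)
{
    /* Constructed size field: octal 20000000000 = 2^31 bytes (2 GiB). */
    static const char field[12] = "20000000000";

    printf("via int:          %zu\n", size_via_int(field));
    printf("via unsigned int: %zu\n", size_via_uint(field));
    return 0;
}
```

Any allocation, read loop or bounds check that consumes the first value sees a size near the top of the size_t range instead of 2 GiB, which is why the type of the accessor matters for every caller that stores the result in a size_t.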