Package: libtar / 1.2.16-1+deb7u2
Metadata
Package | Version | Patches format |
---|---|---|
libtar | 1.2.16-1+deb7u2 | 3.0 (quilt) |
Patch series
Patch | File delta | Description |
---|---|---|
size_t overflow_cve 2013 4397.patch | lib/block.c: 38 24 + 14 - 0 ! | [patch] fixed size_t overflow bug, as reported by timo warns |
CVE 2013 4420.patch | lib/decode.c: 36 33 + 3 - 0 ! | avoid directory traversal when extracting archives by skipping over leading slashes and any prefix containing ".." components. |
th_get_size unsigned int.patch | lib/libtar.h: 6 5 + 1 - 0 ! | [patch] change th_get_size() macro to return unsigned int On systems where size_t is larger than an int (and larger than unsigned int), then in various places in the library, where stuff like this happens: size_t sz = th_get_size(t); then the int value returned from th_get_size() is sign extended to some unwieldy amount. On 64bit systems, this can yield extremely large values. By fixing this problem in the header, and only for th_get_size(), we avoid breaking the API of the function call oct_to_int() (which arguably should return an unsigned int, since the sscanf() it uses expects to yield an unsigned int). We also fix the library, which uses th_get_size() internally to assign sizes to size_t. The drawback is that not all client code that uses th_get_size() will be fixed, until they recompile, but they will automatically take advantage of the bugs fixed *inside* the library. The remaining th_get_*() functions operate on modes and CRC values and the like, and should be fine, remaining as ints. Thanks very much to Magnus Holmgren for catching this behaviour. https://lists.feep.net:8080/pipermail/libtar/2013-October/000365.html |