Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian....@packages.debian.org
Usertags: pu
X-Debbugs-Cc: t...@packages.debian.org, Janos Lenart <o...@debian.org>, car...@debian.org
Control: affects -1 + src:tar
Dear Stable release managers,

[ Reason ]
tar in bullseye is affected by two issues with assigned CVEs, CVE-2022-48303 and CVE-2023-39804, both of which do not warrant a DSA and have minor impact.

[ Impact ]
Remain vulnerable to the two CVEs, with DoS potential.

[ Tests ]
Verified the fixes against the PoCs available for both CVEs.

[ Risks ]
Should be minor; the fixes are targeted to address the respective issues and are taken from the upstream git repository. Both fixes are available in unstable and testing with no regressions reported, to the best of my knowledge.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
The upstream changes fix the boundary checking in the base-256 decoder for CVE-2022-48303 and the handling of extended header prefixes for CVE-2023-39804.

[ Other info ]
Nothing else.

Regards,
Salvatore
diff -Nru tar-1.34+dfsg/debian/changelog tar-1.34+dfsg/debian/changelog --- tar-1.34+dfsg/debian/changelog 2021-02-17 10:55:26.000000000 +0100 +++ tar-1.34+dfsg/debian/changelog 2024-01-20 10:59:10.000000000 +0100 @@ -1,3 +1,12 @@ +tar (1.34+dfsg-1+deb11u1) bullseye; urgency=medium + + * Non-maintainer upload. + * Fix boundary checking in base-256 decoder (CVE-2022-48303) + * Fix handling of extended header prefixes (CVE-2023-39804) + (Closes: #1058079) + + -- Salvatore Bonaccorso <car...@debian.org> Sat, 20 Jan 2024 10:59:10 +0100 + tar (1.34+dfsg-1) unstable; urgency=medium * New upstream version diff -Nru tar-1.34+dfsg/debian/patches/Fix-boundary-checking-in-base-256-decoder.patch tar-1.34+dfsg/debian/patches/Fix-boundary-checking-in-base-256-decoder.patch --- tar-1.34+dfsg/debian/patches/Fix-boundary-checking-in-base-256-decoder.patch 1970-01-01 01:00:00.000000000 +0100 +++ tar-1.34+dfsg/debian/patches/Fix-boundary-checking-in-base-256-decoder.patch 2024-01-20 10:59:10.000000000 +0100 
@@ -0,0 +1,31 @@ +From: Sergey Poznyakoff <g...@gnu.org> +Date: Sat, 11 Feb 2023 11:57:39 +0200 +Subject: Fix boundary checking in base-256 decoder +Origin: https://git.savannah.gnu.org/cgit/tar.git/commit/?id=3da78400eafcccb97e2f2fd4b227ea40d794ede8 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2022-48303 + +* src/list.c (from_header): Base-256 encoding is at least 2 bytes +long. +--- + src/list.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/src/list.c b/src/list.c +index 9fafc425a824..86bcfdd1cc30 100644 +--- a/src/list.c ++++ b/src/list.c +@@ -881,8 +881,9 @@ from_header (char const *where0, size_t digs, char const *type, + where++; + } + } +- else if (*where == '\200' /* positive base-256 */ +- || *where == '\377' /* negative base-256 */) ++ else if (where <= lim - 2 ++ && (*where == '\200' /* positive base-256 */ ++ || *where == '\377' /* negative base-256 */)) + { + /* Parse base-256 output. A nonnegative number N is + represented as (256**DIGS)/2 + N; a negative number -N is +-- +2.43.0 + diff -Nru tar-1.34+dfsg/debian/patches/Fix-handling-of-extended-header-prefixes.patch tar-1.34+dfsg/debian/patches/Fix-handling-of-extended-header-prefixes.patch --- tar-1.34+dfsg/debian/patches/Fix-handling-of-extended-header-prefixes.patch 1970-01-01 01:00:00.000000000 +0100 +++ tar-1.34+dfsg/debian/patches/Fix-handling-of-extended-header-prefixes.patch 2024-01-20 10:59:10.000000000 +0100 
@@ -0,0 +1,62 @@ +From: Sergey Poznyakoff <g...@gnu.org> +Date: Sat, 28 Aug 2021 16:02:12 +0300 +Subject: Fix handling of extended header prefixes +Origin: https://git.savannah.gnu.org/cgit/tar.git/commit/?id=a339f05cd269013fa133d2f148d73f6f7d4247e4 +Bug-Debian: https://bugs.debian.org/1058079 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2023-39804 + +* src/xheader.c (locate_handler): Recognize prefix keywords only +when followed by a dot. +(xattr_decoder): Use xmalloc/xstrdup instead of alloc +--- + src/xheader.c | 17 +++++++++-------- + 1 file changed, 9 insertions(+), 8 deletions(-) + +diff --git a/src/xheader.c b/src/xheader.c +index 4f8b2b27cc62..3cd694d1b12a 100644 +--- a/src/xheader.c ++++ b/src/xheader.c +@@ -637,11 +637,11 @@ static struct xhdr_tab const * + locate_handler (char const *keyword) + { + struct xhdr_tab const *p; +- + for (p = xhdr_tab; p->keyword; p++) + if (p->prefix) + { +- if (strncmp (p->keyword, keyword, strlen(p->keyword)) == 0) ++ size_t kwlen = strlen (p->keyword); ++ if (keyword[kwlen] == '.' 
&& strncmp (p->keyword, keyword, kwlen) == 0) + return p; + } + else +@@ -1716,19 +1716,20 @@ xattr_decoder (struct tar_stat_info *st, + char const *keyword, char const *arg, size_t size) + { + char *xstr, *xkey; +- ++ + /* copy keyword */ +- size_t klen_raw = strlen (keyword); +- xkey = alloca (klen_raw + 1); +- memcpy (xkey, keyword, klen_raw + 1) /* including null-terminating */; ++ xkey = xstrdup (keyword); + + /* copy value */ +- xstr = alloca (size + 1); ++ xstr = xmalloc (size + 1); + memcpy (xstr, arg, size + 1); /* separator included, for GNU tar '\n' */; + + xattr_decode_keyword (xkey); + +- xheader_xattr_add (st, xkey + strlen("SCHILY.xattr."), xstr, size); ++ xheader_xattr_add (st, xkey + strlen ("SCHILY.xattr."), xstr, size); ++ ++ free (xkey); ++ free (xstr); + } + + static void +-- +2.43.0 + diff -Nru tar-1.34+dfsg/debian/patches/series tar-1.34+dfsg/debian/patches/series --- tar-1.34+dfsg/debian/patches/series 2021-02-17 10:53:49.000000000 +0100 +++ tar-1.34+dfsg/debian/patches/series 2024-01-20 10:59:10.000000000 +0100 @@ -3,3 +3,5 @@ listed03-linux-only oldgnu-unknown-mode-bits.patch proper_it_translation.patch +Fix-boundary-checking-in-base-256-decoder.patch +Fix-handling-of-extended-header-prefixes.patch
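Review bot: in the from_header hunk of Fix-boundary-checking-in-base-256-decoder.patch, the new guard `where <= lim - 2` forms a pointer two bytes before `lim`; if a caller can ever hand from_header a field shorter than two bytes, that pointer lies before the start of the field, which is undefined pointer arithmetic even though it is never dereferenced. `lim - where >= 2` expresses the same "at least a sign byte plus one payload byte" condition using only pointers that stay inside the field, and matches the wording of the commit message. Note also that a 0x80 or 0xFF byte in the last position now falls through to the following `else` branch instead of the base-256 parser, so the diagnostic a truncated archive produces changes; a sentence about that in the ChangeLog entry would help anyone bisecting a changed error message.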
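Review bot: in the locate_handler hunk of Fix-handling-of-extended-header-prefixes.patch, `keyword[kwlen] == '.'` is evaluated before `strncmp`, so for any record keyword shorter than `p->keyword` the index `kwlen` lies beyond the keyword's terminating NUL and the comparison reads out of bounds (for a twelve-character prefix entry such as the `SCHILY.xattr` one the xattr decoder below strips, a short record keyword like `mtime` is read at offset 12 of a six-byte string). Swapping the operands fixes this: `strncmp (p->keyword, keyword, kwlen) == 0 && keyword[kwlen] == '.'`, because strncmp stops at the first mismatch or NUL, so a zero result guarantees the keyword has at least `kwlen` non-NUL bytes and `keyword[kwlen]` is at worst the terminator. The hunk also deletes the blank line after `struct xhdr_tab const *p;`, an unrelated whitespace change that would be cleaner in its own commit.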
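Review bot: in the xattr_decoder hunk, `xstr = xmalloc (size + 1)` followed by the unchanged `memcpy (xstr, arg, size + 1)` still copies one byte beyond `size`, so the caller's guarantee that a readable separator byte follows `arg` (the comment says it is '\n' for GNU tar) is now the only thing keeping the copy in bounds of an allocation sized exactly `size + 1`; that contract deserves an explicit comment or assertion rather than living in a trailing remark. Two smaller points: the `free (xkey); free (xstr);` placed after `xheader_xattr_add` is only correct if xheader_xattr_add copies the key and value it receives rather than storing the pointers, which the alloca version silently assumed as well and is worth confirming in this change; and the context line `memcpy (xstr, arg, size + 1); /* ... */;` carries a stray second semicolon that could be dropped while the line is being touched.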
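The [ Changes ] section says only that the first patch fixes "boundary checking in the base-256 decoder". The following is an added example, not code from GNU tar or from this upload: a small decoder for the base-256 numeric fields found in tar headers, with a switch between the pre-fix control flow and the patched guard, so the one-byte over-read the guard closes can be observed on a constructed header field. The field layout it assumes is the one the patched from_header() comment describes (first byte 0x80 for positive or 0xFF for negative, bit 6 of that byte the sign, its low six bits plus the remaining bytes a big-endian two's-complement value); the accumulator and overflow test are mine and not tar's arithmetic, the function and type names are invented, and the sample fields are constructed here with one canary byte appended after the 12-byte field so the pre-fix read lands on known memory instead of undefined memory.

```c
/* Added example, not code from GNU tar: decodes a base-256 ("binary")
   numeric header field and shows the one-byte over-read that the
   "where <= lim - 2" guard in the CVE-2022-48303 patch removes.
   Layout assumed from the patched from_header() comment; accumulator,
   overflow check, names and sample data are constructed for this example. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum b256_status { B256_OK, B256_BLANK, B256_NOT_B256, B256_RANGE };

struct b256_result {
    enum b256_status status;
    bool overrun;      /* decoder read field[digs], one byte past the field */
    int64_t value;     /* valid only when status == B256_OK */
};

/* Shift nbits more payload bits into acc. Fails when the bits pushed out the
   top are not copies of the sign, or when the top bit no longer matches the
   sign: in both cases the number does not fit in 64 bits. */
static bool shift_in(uint64_t *acc, unsigned nbits, uint64_t bits, bool negative)
{
    uint64_t lost = *acc >> (64 - nbits);
    uint64_t want = negative ? (UINT64_C(1) << nbits) - 1 : 0;
    if (lost != want)
        return false;
    *acc = (*acc << nbits) | bits;
    return (*acc >> 63) == (uint64_t)(negative ? 1 : 0);
}

/* Decode a digs-byte field. `patched` enables the guard from the fix; without
   it the body loop keeps the pre-fix shape: read a byte, then test for the
   end of the field. The caller must supply digs + 1 readable bytes. */
struct b256_result decode_field(const unsigned char *field, size_t digs, bool patched)
{
    struct b256_result r = { B256_BLANK, false, 0 };
    const unsigned char *where = field;
    const unsigned char *lim = field + digs;

    /* Skip leading blanks, as tar does for fields written by older tars. */
    while (where < lim && (*where == ' ' || *where == '\t'))
        where++;
    if (where == lim)
        return r;                                   /* field is all blanks */

    bool is_b256 = (*where == 0x80 || *where == 0xFF);
    if (patched)
        is_b256 = is_b256 && lim - where >= 2;      /* the patch: where <= lim - 2 */
    if (!is_b256) {
        r.status = B256_NOT_B256;                   /* octal path not modelled here */
        return r;
    }

    bool negative = (*where & 0x40) != 0;
    uint64_t acc = negative ? UINT64_MAX : 0;       /* sign-extended start */
    acc = (acc << 6) | (*where++ & 0x3F);           /* six payload bits of the sign byte */

    for (;;) {
        /* Pre-fix flow: the byte is read before the end test, so a sign byte
           sitting at lim - 1 makes this read field[digs]. */
        if (where == lim)
            r.overrun = true;
        unsigned char byte = *where++;
        if (!shift_in(&acc, 8, byte, negative)) {
            r.status = B256_RANGE;
            return r;
        }
        if (where >= lim)   /* tar tests where == lim; >= keeps the example inside its buffer */
            break;
    }

    r.status = B256_OK;
    r.value = negative ? -(int64_t)(~acc) - 1 : (int64_t)acc;
    return r;
}

/* Constructed 12-byte mtime-style fields, each followed by one canary byte. */
static const unsigned char field_positive[13] = {
    0x80, 0, 0, 0, 0, 0, 0, 0, 0x49, 0x96, 0x02, 0xD2, 'C' };          /* 1234567890 */
static const unsigned char field_negative[13] = {
    0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 'C' }; /* -1 */
static const unsigned char field_too_big[13] = {
    0x80, 0, 0, 0, 0x80, 0, 0, 0, 0, 0, 0, 0, 'C' };                    /* 2^63, does not fit */
static const unsigned char field_cve[13] = {
    ' ', ' ', ' ', ' ', ' ', ' ', ' ', ' ', ' ', ' ', ' ', 0x80, 'C' };  /* blanks, sign byte last */

int main(void)
{
    struct b256_result r = decode_field(field_cve, 12, false);
    printf("pre-fix: status=%d overrun=%d value=%lld\n", (int)r.status, r.overrun, (long long)r.value);
    r = decode_field(field_cve, 12, true);
    printf("patched: status=%d overrun=%d\n", (int)r.status, r.overrun);
    return 0;
}
```

With the guard off, the constructed field of eleven blanks plus a trailing 0x80 byte yields a "valid" value built from the canary byte that sits outside the field; with the guard on, the same field is rejected before the body loop runs, which is the whole effect of the one-line upstream change.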
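The second patch is summarised as fixing "the handling of extended header prefixes". As an added example, not code from GNU tar or from this upload, the following models the PAX keyword lookup in the style of locate_handler() before and after the change, together with the offset arithmetic the xattr decoder applies to a matched record, so the reason a prefix must be followed by a dot is visible on concrete keywords. The handler table, the record keywords and all helper names are constructed for this example; only "SCHILY.xattr" and the strlen ("SCHILY.xattr.") skip are taken from the patch. The fixed lookup here orders the strncmp before the dot test, which differs from the order in the hunk.

```c
/* Added example, not code from GNU tar: PAX extended-header keyword lookup
   modelled on locate_handler() in src/xheader.c, pre-fix (plain prefix
   match) and fixed (prefix followed by '.'), plus what the xattr decoder
   does with the match. Table, keywords and names are constructed here. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

struct handler {
    const char *keyword;
    bool prefix;        /* true: matches records of the form "<keyword>.<name>" */
};

/* Constructed table: one prefix entry and one exact entry. */
static const struct handler table[] = {
    { "SCHILY.xattr", true },
    { "mtime", false },
    { NULL, false },
};

/* Pre-fix rule: a prefix entry matches any record that merely starts with it. */
const struct handler *locate_old(const char *keyword)
{
    for (const struct handler *p = table; p->keyword; p++) {
        if (p->prefix) {
            if (strncmp(p->keyword, keyword, strlen(p->keyword)) == 0)
                return p;
        } else if (strcmp(p->keyword, keyword) == 0) {
            return p;
        }
    }
    return NULL;
}

/* Fixed rule: the prefix must be followed by '.'. strncmp runs first so that
   keyword[kwlen] is only read once the first kwlen bytes are known to match,
   which guarantees that index is at most the terminating NUL. */
const struct handler *locate_new(const char *keyword)
{
    for (const struct handler *p = table; p->keyword; p++) {
        if (p->prefix) {
            size_t kwlen = strlen(p->keyword);
            if (strncmp(p->keyword, keyword, kwlen) == 0 && keyword[kwlen] == '.')
                return p;
        } else if (strcmp(p->keyword, keyword) == 0) {
            return p;
        }
    }
    return NULL;
}

/* What the xattr decoder does with a matched record: skip "SCHILY.xattr." to
   reach the attribute name. Returns NULL when that skip would land beyond the
   keyword's terminator, which is exactly what the old rule lets through. */
const char *xattr_name(const char *keyword)
{
    size_t skip = strlen("SCHILY.xattr.");
    if (strlen(keyword) < skip)
        return NULL;
    return keyword + skip;
}

/* True when the chosen lookup rule routes a record to the xattr decoder that
   the decoder cannot consume within bounds. */
bool dispatch_is_unsafe(const char *keyword, bool fixed)
{
    const struct handler *h = fixed ? locate_new(keyword) : locate_old(keyword);
    if (h == NULL || !h->prefix)
        return false;
    return xattr_name(keyword) == NULL;
}

int main(void)
{
    const char *records[] = { "SCHILY.xattr", "SCHILY.xattrfoo", "SCHILY.xattr.user.comment", "mtime" };
    for (size_t i = 0; i < sizeof records / sizeof records[0]; i++)
        printf("%-28s old-rule unsafe=%d  fixed-rule unsafe=%d\n", records[i],
               dispatch_is_unsafe(records[i], false), dispatch_is_unsafe(records[i], true));
    return 0;
}
```

A record whose keyword is exactly "SCHILY.xattr" (or "SCHILY.xattrfoo") satisfies the old strncmp test, and the decoder then skips thirteen bytes of a twelve-byte keyword; the dot requirement rejects both while still accepting "SCHILY.xattr.user.comment".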