Control: tags 1058079 + patch Control: tags 1058079 + pending
Dear maintainer, I've prepared an NMU for tar (versioned as 1.34+dfsg-1.3) and uploaded it to DELAYED/2. Please feel free to tell me if I should delay it longer. MR as well in https://salsa.debian.org/debian/tar/-/merge_requests/5 Regards, Salvatore
diff -Nru tar-1.34+dfsg/debian/changelog tar-1.34+dfsg/debian/changelog --- tar-1.34+dfsg/debian/changelog 2023-04-06 16:25:47.000000000 +0200 +++ tar-1.34+dfsg/debian/changelog 2023-12-13 16:22:08.000000000 +0100 @@ -1,3 +1,11 @@ +tar (1.34+dfsg-1.3) unstable; urgency=medium + + * Non-maintainer upload. + * Fix handling of extended header prefixes (CVE-2023-39804) + (Closes: #1058079) + + -- Salvatore Bonaccorso <car...@debian.org> Wed, 13 Dec 2023 16:22:08 +0100 + tar (1.34+dfsg-1.2) unstable; urgency=medium * Non-maintainer upload. diff -Nru tar-1.34+dfsg/debian/patches/Fix-handling-of-extended-header-prefixes.patch tar-1.34+dfsg/debian/patches/Fix-handling-of-extended-header-prefixes.patch --- tar-1.34+dfsg/debian/patches/Fix-handling-of-extended-header-prefixes.patch 1970-01-01 01:00:00.000000000 +0100 +++ tar-1.34+dfsg/debian/patches/Fix-handling-of-extended-header-prefixes.patch 2023-12-13 16:22:08.000000000 +0100 @@ -0,0 +1,62 @@ +From: Sergey Poznyakoff <g...@gnu.org> +Date: Sat, 28 Aug 2021 16:02:12 +0300 +Subject: Fix handling of extended header prefixes +Origin: https://git.savannah.gnu.org/cgit/tar.git/commit/?id=a339f05cd269013fa133d2f148d73f6f7d4247e4 +Bug-Debian: https://bugs.debian.org/1058079 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2023-39804 + +* src/xheader.c (locate_handler): Recognize prefix keywords only +when followed by a dot. +(xattr_decoder): Use xmalloc/xstrdup instead of alloc +--- + src/xheader.c | 17 +++++++++-------- + 1 file changed, 9 insertions(+), 8 deletions(-) + +diff --git a/src/xheader.c b/src/xheader.c +index 4f8b2b27cc62..3cd694d1b12a 100644 +--- a/src/xheader.c ++++ b/src/xheader.c +@@ -637,11 +637,11 @@ static struct xhdr_tab const * + locate_handler (char const *keyword) + { + struct xhdr_tab const *p; +- + for (p = xhdr_tab; p->keyword; p++) + if (p->prefix) + { +- if (strncmp (p->keyword, keyword, strlen(p->keyword)) == 0) ++ size_t kwlen = strlen (p->keyword); ++ if (keyword[kwlen] == '.' && strncmp (p->keyword, keyword, kwlen) == 0) + return p; + } + else +@@ -1716,19 +1716,20 @@ xattr_decoder (struct tar_stat_info *st, + char const *keyword, char const *arg, size_t size) + { + char *xstr, *xkey; +- ++ + /* copy keyword */ +- size_t klen_raw = strlen (keyword); +- xkey = alloca (klen_raw + 1); +- memcpy (xkey, keyword, klen_raw + 1) /* including null-terminating */; ++ xkey = xstrdup (keyword); + + /* copy value */ +- xstr = alloca (size + 1); ++ xstr = xmalloc (size + 1); + memcpy (xstr, arg, size + 1); /* separator included, for GNU tar '\n' */; + + xattr_decode_keyword (xkey); + +- xheader_xattr_add (st, xkey + strlen("SCHILY.xattr."), xstr, size); ++ xheader_xattr_add (st, xkey + strlen ("SCHILY.xattr."), xstr, size); ++ ++ free (xkey); ++ free (xstr); + } + + static void +-- +2.43.0 + diff -Nru tar-1.34+dfsg/debian/patches/series tar-1.34+dfsg/debian/patches/series --- tar-1.34+dfsg/debian/patches/series 2023-04-06 16:25:47.000000000 +0200 +++ tar-1.34+dfsg/debian/patches/series 2023-12-13 16:22:08.000000000 +0100 @@ -3,3 +3,4 @@ listed03-linux-only oldgnu-unknown-mode-bits.patch proper_it_translation.patch +Fix-handling-of-extended-header-prefixes.patch
