diff options
author | Timo Teräs <timo.teras@iki.fi> | 2021-04-11 15:21:42 +0300 |
---|---|---|
committer | Timo Teräs <timo.teras@iki.fi> | 2021-04-11 15:29:44 +0300 |
commit | ca598e2a51fd80ed789e5fb4aa48816ccd84e374 (patch) | |
tree | fddb8b64cc54a059e22b9ee6e5fd5b74450ac6d2 /src/apk_io.h | |
parent | 3c339a74d1b9dba23d60d6c769d99227d75cc6dc (diff) | |
download | apk-tools-ca598e2a51fd80ed789e5fb4aa48816ccd84e374.tar.gz apk-tools-ca598e2a51fd80ed789e5fb4aa48816ccd84e374.tar.bz2 apk-tools-ca598e2a51fd80ed789e5fb4aa48816ccd84e374.tar.xz apk-tools-ca598e2a51fd80ed789e5fb4aa48816ccd84e374.zip |
io_archive: add bounds limit for uname and gname tar header fields
Modify apk_resolve_[ug]id to take the user/groupname as a blob, so
proper length checking is done and honored.
==31584== Conditional jump or move depends on uninitialised value(s)
==31584== at 0x5C8CA5: strlen (strlen.c:17)
==31584== by 0x432575: APK_BLOB_STR (apk_blob.h:79)
==31584== by 0x4350EB: apk_resolve_uid (io.c:1112)
==31584== by 0x43696C: apk_tar_parse (io_archive.c:152)
==31584== by 0x4271BC: apk_pkg_read (package.c:929)
==31584== by 0x402D75: add_main (app_add.c:163)
==31584== by 0x40D5FF: main (apk-static.c:516)
Fixes a potential crash (DoS) on a crafted TAR file. CVE-2021-30139.
Reported-by: Sören Tempel <soeren+git@soeren-tempel.net>
Reviewed-by: Ariadne Conill <ariadne@dereferenced.org>
Diffstat (limited to 'src/apk_io.h')
-rw-r--r-- | src/apk_io.h | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/src/apk_io.h b/src/apk_io.h index 309a508..09e537d 100644 --- a/src/apk_io.h +++ b/src/apk_io.h @@ -180,7 +180,7 @@ const char *apk_url_local_file(const char *url); void apk_id_cache_init(struct apk_id_cache *idc, int root_fd); void apk_id_cache_free(struct apk_id_cache *idc); void apk_id_cache_reset(struct apk_id_cache *idc); -uid_t apk_resolve_uid(struct apk_id_cache *idc, const char *username, uid_t default_uid); -uid_t apk_resolve_gid(struct apk_id_cache *idc, const char *groupname, uid_t default_gid); +uid_t apk_resolve_uid(struct apk_id_cache *idc, apk_blob_t username, uid_t default_uid); +uid_t apk_resolve_gid(struct apk_id_cache *idc, apk_blob_t groupname, uid_t default_gid); #endif |