diff options
| author | Timo Teräs <timo.teras@iki.fi> | 2021-04-11 15:21:42 +0300 |
|---|---|---|
| committer | Timo Teräs <timo.teras@iki.fi> | 2021-04-12 15:30:14 +0300 |
| commit | f7143c1766ae59489ac922e890ffe6d4a61c3b2d (patch) | |
| tree | bbeed012d9bc90374b10a79f26acfbb56c33a750 /src/io.c | |
| parent | 4bcd792194c23fd73912a567101af5fda6e860da (diff) | |
| download | apk-tools-f7143c1766ae59489ac922e890ffe6d4a61c3b2d.tar.gz apk-tools-f7143c1766ae59489ac922e890ffe6d4a61c3b2d.tar.bz2 apk-tools-f7143c1766ae59489ac922e890ffe6d4a61c3b2d.tar.xz apk-tools-f7143c1766ae59489ac922e890ffe6d4a61c3b2d.zip | |
io_archive: add bounds limit for uname and gname tar header fields
Modify apk_resolve_[ug]id to take the user/groupname as a blob, so
proper length checking is done and honored.
==31584== Conditional jump or move depends on uninitialised value(s)
==31584== at 0x5C8CA5: strlen (strlen.c:17)
==31584== by 0x432575: APK_BLOB_STR (apk_blob.h:79)
==31584== by 0x4350EB: apk_resolve_uid (io.c:1112)
==31584== by 0x43696C: apk_tar_parse (io_archive.c:152)
==31584== by 0x4271BC: apk_pkg_read (package.c:929)
==31584== by 0x402D75: add_main (app_add.c:163)
==31584== by 0x40D5FF: main (apk-static.c:516)
Fixes a potential crash (DoS) on a crafted TAR file. CVE-2021-30139.
Reported-by: Sören Tempel <soeren+git@soeren-tempel.net>
Reviewed-by: Ariadne Conill <ariadne@dereferenced.org>
Diffstat (limited to 'src/io.c')
| -rw-r--r-- | src/io.c | 12 |
1 files changed, 6 insertions, 6 deletions
@@ -1114,7 +1114,7 @@ static FILE *fopenat(int dirfd, const char *pathname) return f; } -uid_t apk_resolve_uid(struct apk_id_cache *idc, const char *username, uid_t default_uid) +uid_t apk_resolve_uid(struct apk_id_cache *idc, apk_blob_t username, uid_t default_uid) { #ifdef HAVE_FGETPWENT_R char buf[1024]; @@ -1124,7 +1124,7 @@ uid_t apk_resolve_uid(struct apk_id_cache *idc, const char *username, uid_t defa struct passwd *pwd; FILE *in; - ci = resolve_cache_item(&idc->uid_cache, APK_BLOB_STR(username)); + ci = resolve_cache_item(&idc->uid_cache, username); if (ci == NULL) return default_uid; if (ci->genid != idc->genid) { @@ -1141,7 +1141,7 @@ uid_t apk_resolve_uid(struct apk_id_cache *idc, const char *username, uid_t defa #endif if (pwd == NULL) break; - if (strcmp(pwd->pw_name, username) == 0) { + if (apk_blob_compare(APK_BLOB_STR(pwd->pw_name), username) == 0) { ci->uid = pwd->pw_uid; break; } @@ -1156,7 +1156,7 @@ uid_t apk_resolve_uid(struct apk_id_cache *idc, const char *username, uid_t defa return default_uid; } -uid_t apk_resolve_gid(struct apk_id_cache *idc, const char *groupname, uid_t default_gid) +uid_t apk_resolve_gid(struct apk_id_cache *idc, apk_blob_t groupname, uid_t default_gid) { #ifdef HAVE_FGETGRENT_R char buf[1024]; @@ -1166,7 +1166,7 @@ uid_t apk_resolve_gid(struct apk_id_cache *idc, const char *groupname, uid_t def struct group *grp; FILE *in; - ci = resolve_cache_item(&idc->gid_cache, APK_BLOB_STR(groupname)); + ci = resolve_cache_item(&idc->gid_cache, groupname); if (ci == NULL) return default_gid; if (ci->genid != idc->genid) { @@ -1183,7 +1183,7 @@ uid_t apk_resolve_gid(struct apk_id_cache *idc, const char *groupname, uid_t def #endif if (grp == NULL) break; - if (strcmp(grp->gr_name, groupname) == 0) { + if (apk_blob_compare(APK_BLOB_STR(grp->gr_name), groupname) == 0) { ci->gid = grp->gr_gid; break; } |