From f7143c1766ae59489ac922e890ffe6d4a61c3b2d Mon Sep 17 00:00:00 2001 From: Timo Teräs Date: Sun, 11 Apr 2021 15:21:42 +0300 Subject: io_archive: add bounds limit for uname and gname tar header fields MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Modify apk_resolve_[ug]id to take the user/groupname as a blob, so proper length checking is done and honored. ==31584== Conditional jump or move depends on uninitialised value(s) ==31584== at 0x5C8CA5: strlen (strlen.c:17) ==31584== by 0x432575: APK_BLOB_STR (apk_blob.h:79) ==31584== by 0x4350EB: apk_resolve_uid (io.c:1112) ==31584== by 0x43696C: apk_tar_parse (io_archive.c:152) ==31584== by 0x4271BC: apk_pkg_read (package.c:929) ==31584== by 0x402D75: add_main (app_add.c:163) ==31584== by 0x40D5FF: main (apk-static.c:516) Fixes a potential crash (DoS) on a crafted TAR file. CVE-2021-30139. Reported-by: Sören Tempel Reviewed-by: Ariadne Conill --- src/apk_io.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'src/apk_io.h') diff --git a/src/apk_io.h b/src/apk_io.h index fcdbebc..eafb12f 100644 --- a/src/apk_io.h +++ b/src/apk_io.h @@ -180,7 +180,7 @@ const char *apk_url_local_file(const char *url); void apk_id_cache_init(struct apk_id_cache *idc, int root_fd); void apk_id_cache_free(struct apk_id_cache *idc); void apk_id_cache_reset(struct apk_id_cache *idc); -uid_t apk_resolve_uid(struct apk_id_cache *idc, const char *username, uid_t default_uid); -uid_t apk_resolve_gid(struct apk_id_cache *idc, const char *groupname, uid_t default_gid); +uid_t apk_resolve_uid(struct apk_id_cache *idc, apk_blob_t username, uid_t default_uid); +uid_t apk_resolve_gid(struct apk_id_cache *idc, apk_blob_t groupname, uid_t default_gid); #endif -- cgit v1.2.3-70-g09d2