* [Buildroot] [PATCH 2/4] Revert "package/tar: security bump to version 1.35"
From: Peter Korsgaard @ 2023-11-12 19:43 UTC (permalink / raw)
To: buildroot; +Cc: Yann E . MORIN, Vincent Fazio
This reverts commit d4d483451f0a305781b94b96c15a6cf4b489cd84.
Tar 1.35 unfortunately changes the behaviour for the devmajor/devminor
fields, breaking the download hash validation. From the release notes:
* Leave the devmajor and devminor fields empty (rather than zero) for
non-special files, as this is more compatible with traditional tar.
https://lists.gnu.org/archive/html/info-gnu/2023-07/msg00005.html
So revert the bump for now.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
---
package/tar/tar.hash | 6 +++---
package/tar/tar.mk | 2 +-
2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/package/tar/tar.hash b/package/tar/tar.hash
index 108a95ee62..1914a9f3b4 100644
--- a/package/tar/tar.hash
+++ b/package/tar/tar.hash
@@ -1,4 +1,4 @@
# Locally calculated after checking signature
-sha256 4d62ff37342ec7aed748535323930c7cf94acf71c3591882b26a7ea50f3edc16 tar-1.35.tar.xz
-sha256 c77a38fcf25b21fd8209d20d35638744344ded239cfc7df80138bf46d3c6b16d tar-1.35.cpio.gz
-sha256 3972dc9744f6499f0f9b2dbf76696f2ae7ad8af9b23dde66d6af86c9dfb36986 COPYING
+sha256 63bebd26879c5e1eea4352f0d03c991f966aeb3ddeb3c7445c902568d5411d28 tar-1.34.tar.xz
+sha256 51337b19c71df92cd4f51c50efe4dc6ddc267d31fd54679be9e9bc2e6ce8132b tar-1.34.cpio.gz
+sha256 8ceb4b9ee5adedde47b31e975c1d90c73ad27b6b165a1dcd80c7c545eb65b903 COPYING
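Review bot: the COPYING hash changes in this hunk along with the two tarball hashes, so the revert also swaps the license-file check back to the 1.34 value; since a reviewer otherwise has to diff against d4d483451f0a305781b94b96c15a6cf4b489cd84 to confirm this is a plain revert, a line in the commit message stating that all three hashes are exactly the previously committed 1.34 values (and that the COPYING text differs between 1.34 and 1.35) would make that self-evident.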
diff --git a/package/tar/tar.mk b/package/tar/tar.mk
index eea112ebc7..690a5952ba 100644
--- a/package/tar/tar.mk
+++ b/package/tar/tar.mk
@@ -4,7 +4,7 @@
#
################################################################################
-TAR_VERSION = 1.35
+TAR_VERSION = 1.34
TAR_SOURCE = tar-$(TAR_VERSION).tar.xz
TAR_SITE = $(BR2_GNU_MIRROR)/tar
# busybox installs in /bin, so we need tar to install as well in /bin
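Review bot: going back to TAR_VERSION = 1.34 reintroduces CVE-2022-48303, which patch 3/4 of this series describes as affecting "GNU Tar through 1.34", so this revert must not be merged without 3/4; the commit message only says "revert the bump for now" and should state that the CVE fix that motivated the bump is backported as a patch in the following commit, so that anyone bisecting or cherry-picking onto a stable branch does not take the revert alone.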
--
2.39.2
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
* Re: [Buildroot] [PATCH 2/4] Revert "package/tar: security bump to version 1.35"
From: Peter Korsgaard @ 2023-11-13 21:51 UTC (permalink / raw)
To: buildroot; +Cc: Yann E . MORIN, Vincent Fazio
>>>>> "Peter" == Peter Korsgaard <peter@korsgaard.com> writes:
> This reverts commit d4d483451f0a305781b94b96c15a6cf4b489cd84.
> Tar 1.35 unfortunately changes the behaviour for the devmajor/devminor
> fields, breaking the download hash validation. From the release notes:
> * Leave the devmajor and devminor fields empty (rather than zero) for
> non-special files, as this is more compatible with traditional tar.
> https://lists.gnu.org/archive/html/info-gnu/2023-07/msg00005.html
> So revert the bump for now.
> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Committed, thanks.
--
Bye, Peter Korsgaard
* Re: [Buildroot] [PATCH 2/4] Revert "package/tar: security bump to version 1.35"
From: Peter Korsgaard @ 2023-11-14 7:57 UTC (permalink / raw)
To: buildroot; +Cc: Yann E . MORIN, Vincent Fazio
>>>>> "Peter" == Peter Korsgaard <peter@korsgaard.com> writes:
> This reverts commit d4d483451f0a305781b94b96c15a6cf4b489cd84.
> Tar 1.35 unfortunately changes the behaviour for the devmajor/devminor
> fields, breaking the download hash validation. From the release notes:
> * Leave the devmajor and devminor fields empty (rather than zero) for
> non-special files, as this is more compatible with traditional tar.
> https://lists.gnu.org/archive/html/info-gnu/2023-07/msg00005.html
> So revert the bump for now.
> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Committed to 2023.02.x and 2023.08.x, thanks.
--
Bye, Peter Korsgaard
* [Buildroot] [PATCH 3/4] package/tar: add upstream patch for CVE-2022-48303
From: Peter Korsgaard @ 2023-11-12 19:43 UTC (permalink / raw)
To: buildroot; +Cc: Yann E . MORIN, Vincent Fazio
Fixes CVE-2022-48303: GNU Tar through 1.34 has a one-byte out-of-bounds read
that results in use of uninitialized memory for a conditional jump.
Exploitation to change the flow of control has not been demonstrated. The
issue occurs in from_header in list.c via a V7 archive in which mtime has
approximately 11 whitespace characters.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
---
...oundary-checking-in-base-256-decoder.patch | 33 +++++++++++++++++++
1 file changed, 33 insertions(+)
create mode 100644 package/tar/0002-Fix-boundary-checking-in-base-256-decoder.patch
diff --git a/package/tar/0002-Fix-boundary-checking-in-base-256-decoder.patch b/package/tar/0002-Fix-boundary-checking-in-base-256-decoder.patch
new file mode 100644
index 0000000000..7bad339fe0
--- /dev/null
+++ b/package/tar/0002-Fix-boundary-checking-in-base-256-decoder.patch
@@ -0,0 +1,33 @@
+From 3da78400eafcccb97e2f2fd4b227ea40d794ede8 Mon Sep 17 00:00:00 2001
+From: Sergey Poznyakoff <gray@gnu.org>
+Date: Sat, 11 Feb 2023 11:57:39 +0200
+Subject: [PATCH] Fix boundary checking in base-256 decoder
+
+* src/list.c (from_header): Base-256 encoding is at least 2 bytes
+long.
+
+Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
+Upstream: https://git.savannah.gnu.org/cgit/tar.git/commit/?id=3da78400eafcccb97e2f2fd4b227ea40d794ede8
+---
+ src/list.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/src/list.c b/src/list.c
+index 9fafc425..86bcfdd1 100644
+--- a/src/list.c
++++ b/src/list.c
+@@ -881,8 +881,9 @@ from_header (char const *where0, size_t digs, char const *type,
+ where++;
+ }
+ }
+- else if (*where == '\200' /* positive base-256 */
+- || *where == '\377' /* negative base-256 */)
++ else if (where <= lim - 2
++ && (*where == '\200' /* positive base-256 */
++ || *where == '\377' /* negative base-256 */))
+ {
+ /* Parse base-256 output. A nonnegative number N is
+ represented as (256**DIGS)/2 + N; a negative number -N is
+--
+2.39.2
+
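Review bot: backporting a CVE fix as a patch should be accompanied by `TAR_IGNORE_CVES += CVE-2022-48303` in package/tar/tar.mk, otherwise Buildroot's CVE tracking keeps reporting tar 1.34 as affected even though the fix is applied; this commit only adds the patch file. On the fix itself, the new guard `where <= lim - 2` requires both the base-256 marker byte (\200 or \377) and at least one following byte to lie inside the field before `*where` is dereferenced, which matches the "at least 2 bytes long" note in the upstream message; that relies on `lim` being the end of the digs-byte field, which is set outside the visible context.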
--
2.39.2
* [Buildroot] [PATCH 4/4] support/dependencies/check-host-tar.sh: blacklist tar 1.35+
From: Peter Korsgaard @ 2023-11-12 19:43 UTC (permalink / raw)
To: buildroot; +Cc: Yann E . MORIN, Vincent Fazio
GNU tar 1.35 changed the behaviour for the devmajor/devminor fields,
breaking the download hash validation. For details, see:
https://lists.gnu.org/archive/html/info-gnu/2023-07/msg00005.html
https://patchwork.ozlabs.org/project/buildroot/patch/20231018141155.533944-1-vfazio@gmail.com/
To work around this issue, blacklist tar 1.35+ similar to how we do it for
pre-1.27 versions so Buildroot falls back to building host-tar (which is
currently 1.34).
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
---
support/dependencies/check-host-tar.sh | 12 +++++++++++-
1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/support/dependencies/check-host-tar.sh b/support/dependencies/check-host-tar.sh
index b7d607a47a..7d6b3bf688 100755
--- a/support/dependencies/check-host-tar.sh
+++ b/support/dependencies/check-host-tar.sh
@@ -33,7 +33,12 @@ fi
major_min=1
minor_min=27
-if [ $major -lt $major_min ]; then
+# Maximal version = 1.34 (1.35 changed devmajor/devminor for files)
+# https://lists.gnu.org/archive/html/info-gnu/2023-07/msg00005.html
+major_max=1
+minor_max=34
+
+if [ $major -lt $major_min -o $major -gt $major_max ]; then
# echo nothing: no suitable tar found
exit 1
fi
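Review bot: `[ $major -lt $major_min -o $major -gt $major_max ]` uses the `-o` primary, which POSIX marks obsolescent and which `[` can parse ambiguously; the file already uses `-a` in the next hunk's context, so it is consistent with existing style, but `[ "$major" -lt $major_min ] || [ "$major" -gt $major_max ]` is the portable form. Worth confirming that the version parsing above guarantees `$major` is numeric: if it were empty, `[` would return an error status rather than false, the `if` would not take the `exit 1` branch, and the script would fall through to the `echo $tar` at the end.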
@@ -43,5 +48,10 @@ if [ $major -eq $major_min -a $minor -lt $minor_min ]; then
exit 1
fi
+if [ $major -eq $major_max -a $minor -gt $minor_max ]; then
+ # echo nothing: no suitable tar found
+ exit 1
+fi
+
# valid
echo $tar
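Review bot: the upper-bound check mirrors the existing lower-bound one, so the logic is right, but `major_max`/`minor_max` now hard-code the version that the host-tar fallback builds (1.34 in package/tar/tar.mk, per the commit message), and nothing ties the two together; a comment next to `minor_max=34` pointing at package/tar/tar.mk, or a sentence in the commit message that a future package/tar bump must revisit this blacklist, would keep them from drifting.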
--
2.39.2
* Re: [Buildroot] [PATCH 4/4] support/dependencies/check-host-tar.sh: blacklist tar 1.35+
From: Peter Korsgaard @ 2023-11-13 21:52 UTC (permalink / raw)
To: buildroot; +Cc: Yann E . MORIN, Vincent Fazio
>>>>> "Peter" == Peter Korsgaard <peter@korsgaard.com> writes:
> GNU tar 1.35 changed the behaviour for the devmajor/devminor fields,
> breaking the download hash validation. For details, see:
> https://lists.gnu.org/archive/html/info-gnu/2023-07/msg00005.html
> https://patchwork.ozlabs.org/project/buildroot/patch/20231018141155.533944-1-vfazio@gmail.com/
> To work around this issue, blacklist tar 1.35+ similar to how we do it for
> pre-1.27 versions so Buildroot falls back to building host-tar (which is
> currently 1.34).
> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Committed, thanks.
--
Bye, Peter Korsgaard
* Re: [Buildroot] [PATCH 4/4] support/dependencies/check-host-tar.sh: blacklist tar 1.35+
From: Peter Korsgaard @ 2023-11-14 7:57 UTC (permalink / raw)
To: buildroot; +Cc: Yann E . MORIN, Vincent Fazio
>>>>> "Peter" == Peter Korsgaard <peter@korsgaard.com> writes:
> GNU tar 1.35 changed the behaviour for the devmajor/devminor fields,
> breaking the download hash validation. For details, see:
> https://lists.gnu.org/archive/html/info-gnu/2023-07/msg00005.html
> https://patchwork.ozlabs.org/project/buildroot/patch/20231018141155.533944-1-vfazio@gmail.com/
> To work around this issue, blacklist tar 1.35+ similar to how we do it for
> pre-1.27 versions so Buildroot falls back to building host-tar (which is
> currently 1.34).
> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Committed to 2023.02.x and 2023.08.x, thanks.
--
Bye, Peter Korsgaard
* Re: [Buildroot] [PATCH 1/4] Revert "package/tar: allowing building even on non-Y2038 compliant systems"
From: Peter Korsgaard @ 2023-11-13 21:51 UTC (permalink / raw)
To: buildroot; +Cc: Yann E . MORIN, Vincent Fazio
>>>>> "Peter" == Peter Korsgaard <peter@korsgaard.com> writes:
> This reverts commit 7f1088f9cae9f191740423a0084bb31f94af2e75.
> We're going back to tar 1.34, so this needs to be reverted as well.
> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Committed, thanks.
--
Bye, Peter Korsgaard