diff options
-rw-r--r-- | patches/02_bzip2recover-race-open-output.patch | 46 | ||||
-rw-r--r-- | patches/03_bzip2recover-CVE-2016-3189.patch | 15 |
2 files changed, 61 insertions, 0 deletions
diff --git a/patches/02_bzip2recover-race-open-output.patch b/patches/02_bzip2recover-race-open-output.patch new file mode 100644 index 0000000..3a91e97 --- /dev/null +++ b/patches/02_bzip2recover-race-open-output.patch @@ -0,0 +1,46 @@ +Description: fix unsafe race condition in opening output files. +Author: Colin Phipps <crp22@cam.ac.uk> +Origin: Debian: + https://salsa.debian.org/debian/bzip2/blob/6baf99d2eb446f50f7986868b7d57e6f4fd9b459/debian/patches/bzip2recover-race-open-output.diff + https://sources.debian.org/src/bzip2/1.0.6-9/debian/patches/bzip2recover-race-open-output.diff/ + +--- a/bzip2recover.c ++++ b/bzip2recover.c +@@ -24,6 +24,8 @@ + #include <errno.h> + #include <stdlib.h> + #include <string.h> ++#include <fcntl.h> ++#include <unistd.h> + + + /* This program records bit locations in the file to be recovered. +@@ -269,6 +271,19 @@ + name[n-1] == '2'); + } + ++/*---------------------------------------------*/ ++/* Open an output file safely with O_EXCL and good permissions */ ++FILE* fopen_output( Char* name, const char* mode ) ++{ ++ FILE *fp; ++ int fh; ++ ++ fh = open(name, O_WRONLY|O_CREAT|O_EXCL, 0600); ++ if (fh == -1) return NULL; ++ fp = fdopen(fh, mode); ++ if (fp == NULL) close(fh); ++ return fp; ++} + + /*---------------------------------------------------*/ + /*--- ---*/ +@@ -486,7 +501,7 @@ + fprintf ( stderr, " writing block %d to `%s' ...\n", + wrBlock+1, outFileName ); + +- outFile = fopen ( outFileName, "wb" ); ++ outFile = fopen_output ( outFileName, "wb" ); + if (outFile == NULL) { + fprintf ( stderr, "%s: can't write `%s'\n", + progName, outFileName ); diff --git a/patches/03_bzip2recover-CVE-2016-3189.patch b/patches/03_bzip2recover-CVE-2016-3189.patch new file mode 100644 index 0000000..d4d413c --- /dev/null +++ b/patches/03_bzip2recover-CVE-2016-3189.patch @@ -0,0 +1,15 @@ +Author: Jakub Martisko <jamartis@redhat.com> +Origin: https://bugzilla.redhat.com/show_bug.cgi?id=1319648 +Description: CVE-2016-3189 bzip2: heap use after free in bzip2recover + +diff -up ./bzip2recover.c.old ./bzip2recover.c +--- ./bzip2recover.c.old 2016-03-22 08:49:38.855620000 +0100 ++++ ./bzip2recover.c 2016-03-30 10:22:27.341430099 +0200 +@@ -458,6 +458,7 @@ Int32 main ( Int32 argc, Char** argv ) + bsPutUChar ( bsWr, 0x50 ); bsPutUChar ( bsWr, 0x90 ); + bsPutUInt32 ( bsWr, blockCRC ); + bsClose ( bsWr ); ++ outFile = NULL; + } + if (wrBlock >= rbCtr) break; + wrBlock++; |