package/tar: security bump to version 1.35

Fix CVE-2022-48303: GNU Tar through 1.34 has a one-byte out-of-bounds read that results in use of uninitialized memory for a conditional jump. Exploitation to change the flow of control has not been demonstrated. The issue occurs in from_header in list.c via a V7 archive in which mtime has approximately 11 whitespace characters. With the bump to 1.35, the build will fail on systems that are not Y2038, such as some uClibc configurations. In order to preserve the previous behavior, pass --disable-year2038. See the gnulib documentation for details [1]. Contrary to what the option name might suggest, it doesn't really disable Y2038 support, but only the check that the system is Y2038 compliant. So even with --disable-year2038, if the system is Y2038 compliant (uses a 64-bit arch, uses the musl C library, or uses the glibc C library with BR2_TIME_BITS_64=y), tar will be Y2038 compliant. Update hash of COPYING (http replaced by https) [0] https://lists.gnu.org/archive/html/info-gnu/2023-07/msg00005.html [1] https://www.gnu.org/software/gnulib/manual/html_node/Avoiding-the-year-2038-problem.html For the version bump: Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com> Signed-off-by: Peter Korsgaard <peter@korsgaard.com> (cherry picked from commit d4d483451f) Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr> For the Y2038 fix: Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com> (cherry picked from commit 7f1088f9ca) Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr> Signed-off-by: Arnout Vandecappelle <arnout@mind.be>
2024-05-04 23:40:17 +02:00 · 2024-05-04 23:40:17 +02:00 · c68d67bfad
commit c68d67bfad
parent c316a83a8e
3 changed files with 13 additions and 42 deletions
--- a/package/tar/0002-Fix-boundary-checking-in-base-256-decoder.patch
+++ b/package/tar/0002-Fix-boundary-checking-in-base-256-decoder.patch
@ -1,33 +0,0 @@
-From 3da78400eafcccb97e2f2fd4b227ea40d794ede8 Mon Sep 17 00:00:00 2001
-From: Sergey Poznyakoff <gray@gnu.org>
-Date: Sat, 11 Feb 2023 11:57:39 +0200
-Subject: [PATCH] Fix boundary checking in base-256 decoder
-
-* src/list.c (from_header): Base-256 encoding is at least 2 bytes
-long.
-
-Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
-Upstream: https://git.savannah.gnu.org/cgit/tar.git/commit/?id=3da78400eafcccb97e2f2fd4b227ea40d794ede8
---
- src/list.c | 5 +++--
- 1 file changed, 3 insertions(+), 2 deletions(-)
-
-diff --git a/src/list.c b/src/list.c
-index 9fafc425..86bcfdd1 100644
--- a/src/list.c
-+++ b/src/list.c
-@@ -881,8 +881,9 @@ from_header (char const *where0, size_t digs, char const *type,
- 	  where++;
- 	}
-     }
-  else if (*where == '\200' /* positive base-256 */
-	   || *where == '\377' /* negative base-256 */)
-+  else if (where <= lim - 2
-+	   && (*where == '\200' /* positive base-256 */
-+	       || *where == '\377' /* negative base-256 */))
-     {
-       /* Parse base-256 output.  A nonnegative number N is
- 	 represented as (256**DIGS)/2 + N; a negative number -N is
-- 
-2.39.2
-
--- a/package/tar/tar.hash
+++ b/package/tar/tar.hash
@ -1,4 +1,4 @@
 # Locally calculated after checking signature
-sha256  63bebd26879c5e1eea4352f0d03c991f966aeb3ddeb3c7445c902568d5411d28  tar-1.34.tar.xz
-sha256  51337b19c71df92cd4f51c50efe4dc6ddc267d31fd54679be9e9bc2e6ce8132b  tar-1.34.cpio.gz
-sha256  8ceb4b9ee5adedde47b31e975c1d90c73ad27b6b165a1dcd80c7c545eb65b903  COPYING
+sha256  4d62ff37342ec7aed748535323930c7cf94acf71c3591882b26a7ea50f3edc16  tar-1.35.tar.xz
+sha256  c77a38fcf25b21fd8209d20d35638744344ded239cfc7df80138bf46d3c6b16d  tar-1.35.cpio.gz
+sha256  3972dc9744f6499f0f9b2dbf76696f2ae7ad8af9b23dde66d6af86c9dfb36986  COPYING
--- a/package/tar/tar.mk
+++ b/package/tar/tar.mk
@ -4,20 +4,24 @@
 #
 ################################################################################

-TAR_VERSION = 1.34
+TAR_VERSION = 1.35
 TAR_SOURCE = tar-$(TAR_VERSION).tar.xz
 TAR_SITE = $(BR2_GNU_MIRROR)/tar
-# busybox installs in /bin, so we need tar to install as well in /bin
-# so that we don't end up with two different tar
-TAR_CONF_OPTS = --exec-prefix=/
 TAR_LICENSE = GPL-3.0+
 TAR_LICENSE_FILES = COPYING
 TAR_CPE_ID_VENDOR = gnu
 TAR_DEPENDENCIES = $(TARGET_NLS_DEPENDENCIES)
 TAR_CONF_ENV = LIBS=$(TARGET_NLS_LIBS)

-# 0002-Fix-boundary-checking-in-base-256-decoder.patch
-TAR_IGNORE_CVES += CVE-2022-48303
+# busybox installs in /bin, so we need tar to install as well in /bin
+# so that we don't end up with two different tar
+#
+# --disable-year2038: tells the configure script to not abort if the
+# system is not Y2038 compliant. tar will support year2038 if the
+# system is compliant even with this option passed
+TAR_CONF_OPTS = \
+	--exec-prefix=/ \
+	--disable-year2038

 ifeq ($(BR2_PACKAGE_ACL),y)
 TAR_DEPENDENCIES += acl