!26 修复CVE-2021-33640和list()函数中存在内存泄露问题

From: @tong_1001 
Reviewed-by: @znzjugod, @lvying6 
Signed-off-by: @lvying6

CVE-2021-33640-fix-memory-leak-and-use-after-free-bugs.patch

@@ -0,0 +1,99 @@
+From 056f9dbfe9e9c27452629ec48ef70686328e5a3c Mon Sep 17 00:00:00 2001
+From: shixuantong <shixuantong1@huawei.com>
+Date: Thu, 24 Nov 2022 21:28:49 +0800
+Subject: [PATCH] fix memory leak and use-after-free bugs of struct TAR
+ *t
+
+[1] fix CVE-2021-33640
+The error information is as fllows:
+Error: USE_AFTER_FREE (CWE-416):
+libtar-v1.2.20/libtar/libtar.c:220:freeed_arg: "tar_close" frees "t".
+libtar-v1.2.20/libtar/libtar.c:222:deref_after_free: Dereferencing freed
+pointer "t".
+#  220|   if (tar_close(t) != 0)
+#  221|   {
+#  222|->     free_longlink_longname(t->th_buf);
+#  223|       fprintf(stderr, "tar_close: %s\n", strerror(errno));
+#  224|       return -1;
+
+Error: USE_AFTER_FREE(CWE-416):
+libtar-v1.2.20/libtar/libtar.c:220:freeed_arg:"tar_close" frees "t".
+libtar-v1.2.20/libtar/libtar.c:227:deref_after_free: Dereferencing freed
+pointer"t".
+#  225|    }
+#  226|
+#  227|->  free_longlink_longname(t->th_buf);
+#  228|    return 0;
+#  229|}
+
+The pointer "t" is freed in tar_close() function, but the pointer "t" is
+still used after tar_close() is called in the list() function. Now, we put
+ the free_longlink_longname() function in tar_close() function.
+
+[2]fix one memory leak bug:
+Release the memory of variable "TAR *t" in lib/extract.c:list()
+---
+ lib/handle.c    | 1 +
+ lib/util.c      | 6 ++++++
+ libtar/libtar.c | 4 +---
+ 3 files changed, 8 insertions(+), 3 deletions(-)
+
+diff --git a/lib/handle.c b/lib/handle.c
+index 28a7dc2..ae829a9 100644
+--- a/lib/handle.c
++++ b/lib/handle.c
+@@ -124,6 +124,7 @@ tar_close(TAR *t)
+ 					: (libtar_freefunc_t)tar_dev_free));
+ 	if (t->th_pathname != NULL)
+ 		free(t->th_pathname);
++	free_longlink_longname(t->th_buf);
+ 	free(t);
+ 
+ 	return i;
+diff --git a/lib/util.c b/lib/util.c
+index 8a42e62..108ce23 100644
+--- a/lib/util.c
++++ b/lib/util.c
+@@ -164,7 +164,13 @@ int_to_oct_nonull(int num, char *oct, size_t octlen)
+ void free_longlink_longname(struct tar_header th_buf)
+ {
+ 	if (th_buf.gnu_longname != NULL)
++	{
+ 		free(th_buf.gnu_longname);
++		th_buf.gnu_longname = NULL;
++	}
+ 	if (th_buf.gnu_longlink !=NULL)
++	{
+ 		free(th_buf.gnu_longlink);
++		th_buf.gnu_longlink = NULL;
++	}
+ }
+diff --git a/libtar/libtar.c b/libtar/libtar.c
+index 7e7354f..8c89211 100644
+--- a/libtar/libtar.c
++++ b/libtar/libtar.c
+@@ -196,7 +196,7 @@ list(char *tarfile)
+ 		{
+ 			fprintf(stderr, "tar_skip_regfile(): %s\n",
+ 				strerror(errno));
+-			free_longlink_longname(t->th_buf);
++			tar_close(t);
+ 			return -1;
+ 		}
+ 	}
+@@ -218,12 +218,10 @@ list(char *tarfile)
+ 
+ 	if (tar_close(t) != 0)
+ 	{
+-		free_longlink_longname(t->th_buf);
+ 		fprintf(stderr, "tar_close(): %s\n", strerror(errno));
+ 		return -1;
+ 	}
+ 
+-	free_longlink_longname(t->th_buf);
+ 	return 0;
+ }
+ 
+-- 
+2.27.0
+

libtar.spec

@@ -1,6 +1,6 @@
 Name:           libtar
 Version:        1.2.20
-Release:        21
+Release:        25
 Summary:        Library for manipulating tar files from within C programs.
 License:        BSD
 URL:            http://repo.or.cz/libtar.git
@@ -12,7 +12,10 @@ Patch2:         libtar-1.2.20-fix-resource-leaks.patch
 Patch3:         libtar-1.2.11-bz729009.patch
 Patch4:         libtar-1.2.20-no-static-buffer.patch
 Patch5:         CVE-2013-4420.patch
-Patch9000:      openEuler-Ensure-that-sz-is-greater-than-0.patch 
+
+Patch9000:      openEuler-CVE-2021-33643-CVE-2021-33644.patch 
+Patch9001:      openEuler-CVE-2021-33645-CVE-2021-33646.patch
+Patch9002:      CVE-2021-33640-fix-memory-leak-and-use-after-free-bugs.patch
 
 BuildRequires:  libtool 
 
@@ -71,13 +74,25 @@ rm $RPM_BUILD_ROOT%{_libdir}/*.la
 %{_mandir}/man3/*.3*
 
 %changelog
+* Thu Nov 24 2022 shixuantong <shixuantong1@huawei.com> - 1.2.20-25
+- fix memory leak and use-after-free bugs of struct TAR *t
+
+* Fri Jul 29 2022 shixuantong <shixuantong@h-partners.com> - 1.2.20-24
+- fix CVE-2021-33643 CVE-2021-33644 CVE-2021-33645 CVE-2021-33646
+
+* Sat May 07 2022 shixuantong <shixuantong@h-partners.com> - 1.2.20-23
+- fix memory leak
+
+* Sat May 07 2022 shixuantong <shixuantong@h-partners.com> - 1.2.20-22
+- fix sz < 0
+
 * Wed Apr 06 2022 shixuantong <shixuantong@h-partners.com> - 1.2.20-21
 - Ensure that sz is greater than 0.
 
 * Fri Jul 30 2021 chenyanpanHW <chenyanpan@huawei.com> - 1.2.20-20
 - DESC: delete -Sgit from %autosetup, and delete BuildRequires git
 
-* Fri Jul 27 2021 yuanxin <yuanxin24@huawei.com> - 1.2.20-19
+* Tue Jul 27 2021 yuanxin <yuanxin24@huawei.com> - 1.2.20-19
 - remove BuildRequires gdb
 
 * Mon Sep 14 2020 shixuantong <shixuantong@huawei.com> - 1.2.20-18

openEuler-CVE-2021-33643-CVE-2021-33644.patch

@@ -15,11 +15,11 @@ index 092bc28..80b41ac 100644
  	if (TH_ISLONGLINK(t))
  	{
  		sz = th_get_size(t);
-+                if (sz <= 0)
-+                {
-+                    errno = EINVAL;
-+                    return -1;
-+                }
++		if ((int)sz <= 0)
++		{
++			errno = EINVAL;
++			return -1;
++		}
  		blocks = (sz / T_BLOCKSIZE) + (sz % T_BLOCKSIZE ? 1 : 0);
  		if (blocks > ((size_t)-1 / T_BLOCKSIZE))
  		{
@@ -27,11 +27,11 @@ index 092bc28..80b41ac 100644
  	if (TH_ISLONGNAME(t))
  	{
  		sz = th_get_size(t);
-+                if (sz <= 0)
-+                {
-+                    errno = EINVAL;
-+                    return -1;
-+                }
++		if ((int)sz <= 0)
++		{
++			errno = EINVAL;
++			return -1;
++		}
  		blocks = (sz / T_BLOCKSIZE) + (sz % T_BLOCKSIZE ? 1 : 0);
  		if (blocks > ((size_t)-1 / T_BLOCKSIZE))
  		{

openEuler-CVE-2021-33645-CVE-2021-33646.patch

@@ -0,0 +1,119 @@
+From 8ba8e71a2b86d08ddd3478a4797170f95766c2af Mon Sep 17 00:00:00 2001
+From: shixuantong <shixuantong@h-partners.com>
+Date: Sat, 7 May 2022 17:04:46 +0800
+Subject: [PATCH] fix memory leak
+
+---
+ lib/libtar.h    |  1 +
+ lib/util.c      |  9 ++++++++-
+ lib/wrapper.c   | 11 +++++++++++
+ libtar/libtar.c |  3 +++
+ 4 files changed, 23 insertions(+), 1 deletion(-)
+
+diff --git a/lib/libtar.h b/lib/libtar.h
+index 08a8e0f..8b00e93 100644
+--- a/lib/libtar.h
++++ b/lib/libtar.h
+@@ -285,6 +285,7 @@ int oct_to_int(char *oct);
+ /* integer to string-octal conversion, no NULL */
+ void int_to_oct_nonull(int num, char *oct, size_t octlen);
+ 
++void free_longlink_longname(struct tar_header th_buf);
+ 
+ /***** wrapper.c **********************************************************/
+ 
+diff --git a/lib/util.c b/lib/util.c
+index 11438ef..8a42e62 100644
+--- a/lib/util.c
++++ b/lib/util.c
+@@ -15,6 +15,7 @@
+ #include <stdio.h>
+ #include <sys/param.h>
+ #include <errno.h>
++#include <stdlib.h>
+ 
+ #ifdef STDC_HEADERS
+ # include <string.h>
+@@ -160,4 +161,10 @@ int_to_oct_nonull(int num, char *oct, size_t octlen)
+ 	oct[octlen - 1] = ' ';
+ }
+ 
+-
++void free_longlink_longname(struct tar_header th_buf)
++{
++	if (th_buf.gnu_longname != NULL)
++		free(th_buf.gnu_longname);
++	if (th_buf.gnu_longlink !=NULL)
++		free(th_buf.gnu_longlink);
++}
+diff --git a/lib/wrapper.c b/lib/wrapper.c
+index 44cc435..df6d617 100644
+--- a/lib/wrapper.c
++++ b/lib/wrapper.c
+@@ -36,7 +36,10 @@ tar_extract_glob(TAR *t, char *globname, char *prefix)
+ 		if (fnmatch(globname, filename, FNM_PATHNAME | FNM_PERIOD))
+ 		{
+ 			if (TH_ISREG(t) && tar_skip_regfile(t))
++			{
++				free_longlink_longname(t->th_buf);
+ 				return -1;
++			}
+ 			continue;
+ 		}
+ 		if (t->options & TAR_VERBOSE)
+@@ -46,9 +49,13 @@ tar_extract_glob(TAR *t, char *globname, char *prefix)
+ 		else
+ 			strlcpy(buf, filename, sizeof(buf));
+ 		if (tar_extract_file(t, buf) != 0)
++		{
++			free_longlink_longname(t->th_buf);
+ 			return -1;
++		}
+ 	}
+ 
++	free_longlink_longname(t->th_buf);
+ 	return (i == 1 ? 0 : -1);
+ }
+ 
+@@ -82,9 +89,13 @@ tar_extract_all(TAR *t, char *prefix)
+ 		       "\"%s\")\n", buf);
+ #endif
+ 		if (tar_extract_file(t, buf) != 0)
++		{
++			free_longlink_longname(t->th_buf);
+ 			return -1;
++		}
+ 	}
+ 
++	free_longlink_longname(t->th_buf);
+ 	return (i == 1 ? 0 : -1);
+ }
+ 
+diff --git a/libtar/libtar.c b/libtar/libtar.c
+index 23f8741..7e7354f 100644
+--- a/libtar/libtar.c
++++ b/libtar/libtar.c
+@@ -196,6 +196,7 @@ list(char *tarfile)
+ 		{
+ 			fprintf(stderr, "tar_skip_regfile(): %s\n",
+ 				strerror(errno));
++			free_longlink_longname(t->th_buf);
+ 			return -1;
+ 		}
+ 	}
+@@ -217,10 +218,12 @@ list(char *tarfile)
+ 
+ 	if (tar_close(t) != 0)
+ 	{
++		free_longlink_longname(t->th_buf);
+ 		fprintf(stderr, "tar_close(): %s\n", strerror(errno));
+ 		return -1;
+ 	}
+ 
++	free_longlink_longname(t->th_buf);
+ 	return 0;
+ }
+ 
+-- 
+1.8.3.1
+