From c0a3874799224c9ae0d6d7dc4d0a0acf364ccdab Mon Sep 17 00:00:00 2001
From: Ross Burton <ross.burton@intel.com>
Date: Thu, 29 Nov 2018 11:42:14 +0000
Subject: cpio: fix crash when appending to archives

The upstream fix for CVE-2016-2037 introduced a read from uninitialized memory
bug when appending to an existing archive, which is an operation we perform when
building an image.

(From OE-Core rev: 046e3e1fca925febf47b3fdd5d4e9ee2e1fad868)

(From OE-Core rev: 2ff6ab2e2944c6a53523b4b1611e1d22f6393500)

Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
 .../cpio-2.12/0001-Fix-segfault-with-append.patch  | 87 ++++++++++++++++++++++
 meta/recipes-extended/cpio/cpio_2.12.bb            |  1 +
 2 files changed, 88 insertions(+)
 create mode 100644 meta/recipes-extended/cpio/cpio-2.12/0001-Fix-segfault-with-append.patch

diff --git a/meta/recipes-extended/cpio/cpio-2.12/0001-Fix-segfault-with-append.patch b/meta/recipes-extended/cpio/cpio-2.12/0001-Fix-segfault-with-append.patch
new file mode 100644
index 0000000000..2043c890cd
--- /dev/null
+++ b/meta/recipes-extended/cpio/cpio-2.12/0001-Fix-segfault-with-append.patch
@@ -0,0 +1,87 @@
+Upstream-Status: Submitted [bugs-cpio]
+Signed-off-by: Ross Burton <ross.burton@intel.com>
+
+From 3f0bd5a40ad0ceaee78c74a52a7166ed7f08db81 Mon Sep 17 00:00:00 2001
+From: Pavel Raiskup <praiskup@redhat.com>
+Date: Thu, 29 Nov 2018 07:03:48 +0100
+Subject: [PATCH] Fix segfault with --append
+
+The --append mode combines both process_copy_in() and
+process_copy_out() methods, each of them working with different
+(local) file_hdr->c_name buffers.  So ensure that
+cpio_set_c_name() isn't using the same static variable for
+maintaining length of different buffers.
+
+Complements d36ec5f4e93130efb24fb9.  Thanks to Ross Burton.
+
+* src/copyin.c (process_copy_in): Always initialize file_hdr.
+* src/copyout.c (process_copy_out): Likewise.
+* src/cpiohdr.h (cpio_file_stat): Add c_name_buflen variable.
+* src/util.c (cpio_set_c_name): Use file_hdr->c_name_buflen.
+---
+ src/copyin.c  | 1 +
+ src/copyout.c | 1 +
+ src/cpiohdr.h | 1 +
+ src/util.c    | 3 ++-
+ 4 files changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/src/copyin.c b/src/copyin.c
+index ba887ae..767c2f8 100644
+--- a/src/copyin.c
++++ b/src/copyin.c
+@@ -1213,6 +1213,7 @@ process_copy_in ()
+ 
+   newdir_umask = umask (0);     /* Reset umask to preserve modes of
+ 				   created files  */
++  memset (&file_hdr, 0, sizeof (struct cpio_file_stat));
+   
+   /* Initialize the copy in.  */
+   if (pattern_file_name)
+diff --git a/src/copyout.c b/src/copyout.c
+index 7532dac..fb890cb 100644
+--- a/src/copyout.c
++++ b/src/copyout.c
+@@ -594,6 +594,7 @@ process_copy_out ()
+ 
+   /* Initialize the copy out.  */
+   ds_init (&input_name, 128);
++  memset (&file_hdr, 0, sizeof (struct cpio_file_stat));
+   file_hdr.c_magic = 070707;
+ 
+   /* Check whether the output file might be a tape.  */
+diff --git a/src/cpiohdr.h b/src/cpiohdr.h
+index 588135b..cf64f3e 100644
+--- a/src/cpiohdr.h
++++ b/src/cpiohdr.h
+@@ -127,6 +127,7 @@ struct cpio_file_stat /* Internal representation of a CPIO header */
+   uint32_t c_chksum;
+   char *c_name;
+   char *c_tar_linkname;
++  size_t c_name_buflen;
+ };
+ 
+ void cpio_set_c_name(struct cpio_file_stat *file_hdr, char *name);
+diff --git a/src/util.c b/src/util.c
+index 10486dc..1256469 100644
+--- a/src/util.c
++++ b/src/util.c
+@@ -1413,7 +1413,7 @@ set_file_times (int fd,
+ void
+ cpio_set_c_name (struct cpio_file_stat *file_hdr, char *name)
+ {
+-  static size_t buflen = 0;
++  size_t buflen = file_hdr->c_name_buflen;
+   size_t len = strlen (name) + 1;
+ 
+   if (buflen == 0)
+@@ -1430,6 +1430,7 @@ cpio_set_c_name (struct cpio_file_stat *file_hdr, char *name)
+     }
+ 
+   file_hdr->c_namesize = len;
++  file_hdr->c_name_buflen = buflen;
+   memmove (file_hdr->c_name, name, len);
+ }
+ 
+-- 
+2.11.0
+
diff --git a/meta/recipes-extended/cpio/cpio_2.12.bb b/meta/recipes-extended/cpio/cpio_2.12.bb
index 69d36983e3..6ba8337e5d 100644
--- a/meta/recipes-extended/cpio/cpio_2.12.bb
+++ b/meta/recipes-extended/cpio/cpio_2.12.bb
@@ -10,6 +10,7 @@ SRC_URI = "${GNU_MIRROR}/cpio/cpio-${PV}.tar.gz \
            file://0001-Unset-need_charset_alias-when-building-for-musl.patch \
            file://0001-Fix-CVE-2015-1197.patch \
            file://0001-CVE-2016-2037-1-byte-out-of-bounds-write.patch \
+           file://0001-Fix-segfault-with-append.patch \
            "
 
 SRC_URI[md5sum] = "fc207561a86b63862eea4b8300313e86"
-- 
cgit 1.2.3-korg