main/tar: fix CVE-2022-48303

2 files changed, 44 insertions, 4 deletions

diff --git a/main/tar/APKBUILD b/main/tar/APKBUILD
index 49784a234b0..d362233560f 100644
--- a/main/tar/APKBUILD
+++ b/main/tar/APKBUILD
@@ -1,7 +1,7 @@
 # Maintainer: Carlo Landmeter <clandmeter@alpinelinux.org>
 pkgname=tar
 pkgver=1.34
-pkgrel=0
+pkgrel=1
 pkgdesc="Utility used to store, backup, and transport files"
 url="https://www.gnu.org/software/tar/"
 arch="all"
@@ -9,9 +9,13 @@ license="GPL-3.0-or-later"
 makedepends="acl-dev"
 subpackages="$pkgname-doc"
 source="https://ftp.gnu.org/gnu/tar/tar-$pkgver.tar.xz
-	ignore-apk-tools-checksums.patch"
+	ignore-apk-tools-checksums.patch
+	CVE-2022-48303.patch
+	"
 
 # secfixes:
+#   1.34-r1:
+#     - CVE-2022-48303
 #   1.34-r0:
 #     - CVE-2021-20193
 #   1.29-r1:
@@ -47,5 +51,8 @@ package() {
 	ln -s /bin/tar "$pkgdir"/usr/bin/tar
 }
 
-sha512sums="5e77c4a7b49983ad7d15238c2bce28be7a8aa437b4b1815fc00abd13096da308b6bba196cc6e3ed79d85e62823d520ae0d8fcda2d93873842cf84dc3369fc902  tar-1.34.tar.xz
-9cde0f1509328bc5fe2cb46642b53c7681c548cf28a2fb83eda7e9374c9c0ad27a0cd55b9c0cc93951def58dafa55ee71cace5493ddcb7966ee94dc5f1099739  ignore-apk-tools-checksums.patch"
+sha512sums="
+5e77c4a7b49983ad7d15238c2bce28be7a8aa437b4b1815fc00abd13096da308b6bba196cc6e3ed79d85e62823d520ae0d8fcda2d93873842cf84dc3369fc902  tar-1.34.tar.xz
+9cde0f1509328bc5fe2cb46642b53c7681c548cf28a2fb83eda7e9374c9c0ad27a0cd55b9c0cc93951def58dafa55ee71cace5493ddcb7966ee94dc5f1099739  ignore-apk-tools-checksums.patch
+b35768ace1dc2f95ab75063c32a0207013c360ad5e8e6875c17184255602288a126579b65d71cc9a655b0687fe81264c3f427004c27ba0ba3a872a8893953fc3  CVE-2022-48303.patch
+"
diff --git a/main/tar/CVE-2022-48303.patch b/main/tar/CVE-2022-48303.patch
new file mode 100644
index 00000000000..95a7d6e6dc2
--- /dev/null
+++ b/main/tar/CVE-2022-48303.patch
@@ -0,0 +1,33 @@
+Patch-Source: https://git.savannah.gnu.org/cgit/tar.git/commit/?id=3da78400eafcccb97e2f2fd4b227ea40d794ede8
+see: https://savannah.gnu.org/bugs/?62387
+--
+From 3da78400eafcccb97e2f2fd4b227ea40d794ede8 Mon Sep 17 00:00:00 2001
+From: Sergey Poznyakoff <gray@gnu.org>
+Date: Sat, 11 Feb 2023 11:57:39 +0200
+Subject: Fix boundary checking in base-256 decoder
+
+* src/list.c (from_header): Base-256 encoding is at least 2 bytes
+long.
+---
+ src/list.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/src/list.c b/src/list.c
+index 9fafc42..86bcfdd 100644
+--- a/src/list.c
++++ b/src/list.c
+@@ -881,8 +881,9 @@ from_header (char const *where0, size_t digs, char const *type,
+ 	  where++;
+ 	}
+     }
+-  else if (*where == '\200' /* positive base-256 */
+-	   || *where == '\377' /* negative base-256 */)
++  else if (where <= lim - 2
++	   && (*where == '\200' /* positive base-256 */
++	       || *where == '\377' /* negative base-256 */))
+     {
+       /* Parse base-256 output.  A nonnegative number N is
+ 	 represented as (256**DIGS)/2 + N; a negative number -N is
+-- 
+cgit v1.1
+