cpio: patch CVE-2016-2037, out of bounds write (close #13489)

2 files changed, 33 insertions, 0 deletions

diff --git a/pkgs/tools/archivers/cpio/CVE-2016-2037-out-of-bounds-write.patch b/pkgs/tools/archivers/cpio/CVE-2016-2037-out-of-bounds-write.patch
new file mode 100644
index 000000000000..90ddeff9790e
--- /dev/null
+++ b/pkgs/tools/archivers/cpio/CVE-2016-2037-out-of-bounds-write.patch
@@ -0,0 +1,29 @@
+diff --git a/src/copyin.c b/src/copyin.c
+index cde911e..032d35f 100644
+--- a/src/copyin.c
++++ b/src/copyin.c
+@@ -1385,6 +1385,8 @@ process_copy_in ()
+          break;
+        }
+
++      if (file_hdr.c_namesize <= 1)
++        file_hdr.c_name = xrealloc(file_hdr.c_name, 2);
+       cpio_safer_name_suffix (file_hdr.c_name, false, !no_abs_paths_flag,
+                              false);
+
+diff --git a/src/util.c b/src/util.c
+index 6ff6032..2763ac1 100644
+--- a/src/util.c
++++ b/src/util.c
+@@ -1411,7 +1411,10 @@ set_file_times (int fd,
+ }
+
+ /* Do we have to ignore absolute paths, and if so, does the filename
+-   have an absolute path?  */
++   have an absolute path?
++   Before calling this function make sure that the allocated NAME buffer has
++   capacity at least 2 bytes to allow us to store the "." string inside.  */
++
+ void
+ cpio_safer_name_suffix (char *name, bool link_target, bool absolute_names,
+                        bool strip_leading_dots)
diff --git a/pkgs/tools/archivers/cpio/default.nix b/pkgs/tools/archivers/cpio/default.nix
index 570f1904ee21..2313f27f2e54 100644
--- a/pkgs/tools/archivers/cpio/default.nix
+++ b/pkgs/tools/archivers/cpio/default.nix
@@ -19,6 +19,10 @@ in stdenv.mkDerivation {
         + "CVE-2015-1197-cpio-2.12.patch";
       sha256 = "0ph43m4lavwkc4gnl5h9p3da4kb1pnhwk5l2qsky70dqri8pcr8v";
     })
+
+    # Report: http://www.openwall.com/lists/oss-security/2016/01/19/4
+    # Patch from https://lists.gnu.org/archive/html/bug-cpio/2016-01/msg00005.html
+    ./CVE-2016-2037-out-of-bounds-write.patch
   ];
 
   preConfigure = if stdenv.isCygwin then ''