--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: bullseye-pu: package cpio/2.13+dfsg-7.1~deb11u1
- From: Adrian Bunk <bunk@debian.org>
- Date: Sat, 30 Sep 2023 15:48:55 +0300
- Message-id: <169607813515.14390.8817407108638266173.reportbug@localhost>
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: team@security.debian.org, Anibal Monsalve Salazar <anibal@debian.org>
This updates the cpio package in bullseye to the package
in bookworm/trixie/sid (same upstream version).
The first 3 post-bullseye uploads are CVE-2021-38185 plus
regression fixes for this change.
The 2.13+dfsg-7.1 changes are one documentation change and two
changes that look desirable (even though they alone might not have
warranted a stable update):
* Suggest libarchive-dev (Closes: #662718).
* d/copyright: Convert to machine-readable format.
* Fix CRC with new ASCII format when file > 2GB (Closes: #962188).
There are no bugs in the BTS that any regressions have been caused
by any of these changes during the 1 year since they were uploaded
to bookworm/sid.
diffstat for cpio-2.13+dfsg cpio-2.13+dfsg
changelog | 39
control | 2
copyright | 51 -
patches/992045-CVE-2021-38185-rewrite-dynamic-string-support | 454 +++++++++++
patches/992098-regression-of-orig-fix-for-CVE-2021-38185 | 36
patches/992192-Fix-dynamic-string-reallocations.patch | 80 +
patches/Wrong-CRC-with-ASCII-CRC-for-large-files.patch | 34
patches/series | 4
8 files changed, 685 insertions(+), 15 deletions(-)
diff -Nru cpio-2.13+dfsg/debian/changelog cpio-2.13+dfsg/debian/changelog
--- cpio-2.13+dfsg/debian/changelog 2020-09-17 14:16:18.000000000 +0300
+++ cpio-2.13+dfsg/debian/changelog 2023-09-30 15:18:55.000000000 +0300
@@ -1,3 +1,42 @@
+cpio (2.13+dfsg-7.1~deb11u1) bullseye; urgency=medium
+
+ * Non-maintainer upload.
+ * Rebuild for bullseye.
+
+ -- Adrian Bunk <bunk@debian.org> Sat, 30 Sep 2023 15:18:55 +0300
+
+cpio (2.13+dfsg-7.1) unstable; urgency=medium
+
+ * Non-maintainer upload.
+ * Suggest libarchive-dev (Closes: #662718).
+ * d/copyright: Convert to machine-readable format.
+ * Fix CRC with new ASCII format when file > 2GB (Closes: #962188).
+
+ -- Bastian Germann <bage@debian.org> Wed, 14 Sep 2022 21:45:55 +0200
+
+cpio (2.13+dfsg-7) unstable; urgency=medium
+
+ [ Salvatore Bonaccorso ]
+ * Fix dynamic string reallocations (Closes: #992192)
+
+ -- Anibal Monsalve Salazar <anibal@debian.org> Sun, 22 Aug 2021 15:21:53 +1000
+
+cpio (2.13+dfsg-6) unstable; urgency=high
+
+ * Fix regression of original fix for CVE-2021-38185
+ Add patch 992098-regression-of-orig-fix-for-CVE-2021-38185
+ Closes: #992098
+
+ -- Anibal Monsalve Salazar <anibal@debian.org> Fri, 13 Aug 2021 13:06:27 +1000
+
+cpio (2.13+dfsg-5) unstable; urgency=medium
+
+ * Fix CVE-2021-38185
+ Add patch 992045-CVE-2021-38185-rewrite-dynamic-string-support
+ Closes: #992045
+
+ -- Anibal Monsalve Salazar <anibal@debian.org> Wed, 11 Aug 2021 01:18:33 +1000
+
cpio (2.13+dfsg-4) unstable; urgency=medium
* Source only upload to enable migration.
diff -Nru cpio-2.13+dfsg/debian/control cpio-2.13+dfsg/debian/control
--- cpio-2.13+dfsg/debian/control 2020-02-01 15:11:00.000000000 +0200
+++ cpio-2.13+dfsg/debian/control 2022-09-14 22:45:55.000000000 +0300
@@ -17,7 +17,7 @@
Replaces: cpio-mt
Conflicts: mt-st (<< 0.6), cpio-mt
Multi-Arch: foreign
-Suggests: libarchive1
+Suggests: libarchive-dev
Description: GNU cpio -- a program to manage archives of files
GNU cpio is a tool for creating and extracting archives, or copying
files from one place to another. It handles a number of cpio formats
diff -Nru cpio-2.13+dfsg/debian/copyright cpio-2.13+dfsg/debian/copyright
--- cpio-2.13+dfsg/debian/copyright 2020-02-01 15:11:00.000000000 +0200
+++ cpio-2.13+dfsg/debian/copyright 2022-09-14 22:45:55.000000000 +0300
@@ -1,16 +1,39 @@
-This is the Debian GNU/Linux prepackaged version of GNU cpio
-(including mt).
+Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
+Comment:
+ This is the Debian GNU/Linux prepackaged version of GNU cpio
+ (including mt).
+ .
+ This package was put together by Clint Adams <schizo@debian.org>.
+Source: ftp://ftp.gnu.org/gnu/cpio
-This package was put together by Clint Adams <schizo@debian.org>,
-from sources obtained from ftp://ftp.gnu.org:/gnu/cpio
+Files: *
+Copyright: (C) 1984-2019 Free Software Foundation, Inc.
+License: GPL-3+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3, or (at your option)
+ any later version.
+Comment:
+ The text of the GPL version 3 can be found on Debian systems in
+ /usr/share/common-licenses/GPL-3.
-GNU cpio is Copyright (C) 1990, 1991, 1992, 2001, 2003, 2004, 2005,
-2006, 2007 Free Software Foundation, Inc.
-
-This program is free software; you can redistribute it and/or modify
-it under the terms of the GNU General Public License as published by
-the Free Software Foundation; either version 3, or (at your option)
-any later version.
-
-The text of the GPL can be found on Debian systems in
-/usr/share/common-licenses/GPL-3 .
+Files: tests/argcv.*
+ src/tar.h
+Copyright: (C) 1992-2017 Free Software Foundation, Inc.
+License: LGPL-3+
+ This library is free software; you can redistribute it and/or
+ modify it under the terms of the GNU Lesser General Public
+ License as published by the Free Software Foundation; either
+ version 3 of the License, or (at your option) any later version.
+ .
+ This library is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ Lesser General Public License for more details.
+ .
+ You should have received a copy of the GNU Lesser General Public
+ License along with this library; if not, write to the Free Software
+ Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
+Comment:
+ The text of the LGPL version 3 can be found on Debian systems in
+ /usr/share/common-licenses/LGPL-3.
diff -Nru cpio-2.13+dfsg/debian/patches/992045-CVE-2021-38185-rewrite-dynamic-string-support cpio-2.13+dfsg/debian/patches/992045-CVE-2021-38185-rewrite-dynamic-string-support
--- cpio-2.13+dfsg/debian/patches/992045-CVE-2021-38185-rewrite-dynamic-string-support 1970-01-01 02:00:00.000000000 +0200
+++ cpio-2.13+dfsg/debian/patches/992045-CVE-2021-38185-rewrite-dynamic-string-support 2021-08-10 18:15:00.000000000 +0300
@@ -0,0 +1,454 @@
+From dd96882877721703e19272fe25034560b794061b Mon Sep 17 00:00:00 2001
+From: Sergey Poznyakoff <gray@gnu.org>
+Date: Sat, 7 Aug 2021 12:52:21 +0300
+Subject: Rewrite dynamic string support.
+
+* src/dstring.c (ds_init): Take a single argument.
+(ds_free): New function.
+(ds_resize): Take a single argument. Use x2nrealloc to expand
+the storage.
+(ds_reset,ds_append,ds_concat,ds_endswith): New function.
+(ds_fgetstr): Rewrite. In particular, this fixes integer overflow.
+* src/dstring.h (dynamic_string): Keep both the allocated length
+(ds_size) and index of the next free byte in the string (ds_idx).
+(ds_init,ds_resize): Change signature.
+(ds_len): New macro.
+(ds_free,ds_reset,ds_append,ds_concat,ds_endswith): New protos.
+* src/copyin.c: Use new ds_ functions.
+* src/copyout.c: Likewise.
+* src/copypass.c: Likewise.
+* src/util.c: Likewise.
+---
+ src/copyin.c | 40 +++++++++++++-------------
+ src/copyout.c | 16 ++++-------
+ src/copypass.c | 34 +++++++++++------------
+ src/dstring.c | 88 ++++++++++++++++++++++++++++++++++++++++++----------------
+ src/dstring.h | 31 ++++++++++-----------
+ src/util.c | 6 ++--
+ 6 files changed, 123 insertions(+), 92 deletions(-)
+
+Index: cpio-2.13+dfsg/src/copyin.c
+===================================================================
+--- cpio-2.13+dfsg.orig/src/copyin.c
++++ cpio-2.13+dfsg/src/copyin.c
+@@ -56,11 +56,12 @@ query_rename(struct cpio_file_stat* file
+ char *str_res; /* Result for string function. */
+ static dynamic_string new_name; /* New file name for rename option. */
+ static int initialized_new_name = false;
++
+ if (!initialized_new_name)
+- {
+- ds_init (&new_name, 128);
+- initialized_new_name = true;
+- }
++ {
++ ds_init (&new_name);
++ initialized_new_name = true;
++ }
+
+ if (rename_flag)
+ {
+@@ -778,37 +779,36 @@ long_format (struct cpio_file_stat *file
+ already in `save_patterns' (from the command line) are preserved. */
+
+ static void
+-read_pattern_file ()
++read_pattern_file (void)
+ {
+- int max_new_patterns;
+- char **new_save_patterns;
+- int new_num_patterns;
++ char **new_save_patterns = NULL;
++ size_t max_new_patterns;
++ size_t new_num_patterns;
+ int i;
+- dynamic_string pattern_name;
++ dynamic_string pattern_name = DYNAMIC_STRING_INITIALIZER;
+ FILE *pattern_fp;
+
+ if (num_patterns < 0)
+ num_patterns = 0;
+- max_new_patterns = 1 + num_patterns;
+- new_save_patterns = (char **) xmalloc (max_new_patterns * sizeof (char *));
+ new_num_patterns = num_patterns;
+- ds_init (&pattern_name, 128);
++ max_new_patterns = num_patterns;
++ new_save_patterns = xcalloc (max_new_patterns, sizeof (new_save_patterns[0]));
+
+ pattern_fp = fopen (pattern_file_name, "r");
+ if (pattern_fp == NULL)
+ open_fatal (pattern_file_name);
+ while (ds_fgetstr (pattern_fp, &pattern_name, '\n') != NULL)
+ {
+- if (new_num_patterns >= max_new_patterns)
+- {
+- max_new_patterns += 1;
+- new_save_patterns = (char **)
+- xrealloc ((char *) new_save_patterns,
+- max_new_patterns * sizeof (char *));
+- }
++ if (new_num_patterns == max_new_patterns)
++ new_save_patterns = x2nrealloc (new_save_patterns,
++ &max_new_patterns,
++ sizeof (new_save_patterns[0]));
+ new_save_patterns[new_num_patterns] = xstrdup (pattern_name.ds_string);
+ ++new_num_patterns;
+ }
++
++ ds_free (&pattern_name);
++
+ if (ferror (pattern_fp) || fclose (pattern_fp) == EOF)
+ close_error (pattern_file_name);
+
+@@ -1195,7 +1195,7 @@ swab_array (char *ptr, int count)
+ in the file system. */
+
+ void
+-process_copy_in ()
++process_copy_in (void)
+ {
+ char done = false; /* True if trailer reached. */
+ FILE *tty_in = NULL; /* Interactive file for rename option. */
+Index: cpio-2.13+dfsg/src/copyout.c
+===================================================================
+--- cpio-2.13+dfsg.orig/src/copyout.c
++++ cpio-2.13+dfsg/src/copyout.c
+@@ -595,9 +595,10 @@ assign_string (char **pvar, char *value)
+ The format of the header depends on the compatibility (-c) flag. */
+
+ void
+-process_copy_out ()
++process_copy_out (void)
+ {
+- dynamic_string input_name; /* Name of file read from stdin. */
++ dynamic_string input_name = DYNAMIC_STRING_INITIALIZER;
++ /* Name of file read from stdin. */
+ struct stat file_stat; /* Stat record for file. */
+ struct cpio_file_stat file_hdr = CPIO_FILE_STAT_INITIALIZER;
+ /* Output header information. */
+@@ -606,7 +607,6 @@ process_copy_out ()
+ char *orig_file_name = NULL;
+
+ /* Initialize the copy out. */
+- ds_init (&input_name, 128);
+ file_hdr.c_magic = 070707;
+
+ /* Check whether the output file might be a tape. */
+@@ -658,14 +658,9 @@ process_copy_out ()
+ {
+ if ((file_hdr.c_mode & CP_IFMT) == CP_IFDIR)
+ {
+- int len = strlen (input_name.ds_string);
+ /* Make sure the name ends with a slash */
+- if (input_name.ds_string[len-1] != '/')
+- {
+- ds_resize (&input_name, len + 2);
+- input_name.ds_string[len] = '/';
+- input_name.ds_string[len+1] = 0;
+- }
++ if (!ds_endswith (&input_name, '/'))
++ ds_append (&input_name, '/');
+ }
+ }
+
+@@ -878,6 +873,7 @@ process_copy_out ()
+ (unsigned long) blocks), (unsigned long) blocks);
+ }
+ cpio_file_stat_free (&file_hdr);
++ ds_free (&input_name);
+ }
+
+
+Index: cpio-2.13+dfsg/src/copypass.c
+===================================================================
+--- cpio-2.13+dfsg.orig/src/copypass.c
++++ cpio-2.13+dfsg/src/copypass.c
+@@ -48,10 +48,12 @@ set_copypass_perms (int fd, const char *
+ If `link_flag', link instead of copying. */
+
+ void
+-process_copy_pass ()
++process_copy_pass (void)
+ {
+- dynamic_string input_name; /* Name of file from stdin. */
+- dynamic_string output_name; /* Name of new file. */
++ dynamic_string input_name = DYNAMIC_STRING_INITIALIZER;
++ /* Name of file from stdin. */
++ dynamic_string output_name = DYNAMIC_STRING_INITIALIZER;
++ /* Name of new file. */
+ size_t dirname_len; /* Length of `directory_name'. */
+ int res; /* Result of functions. */
+ char *slash; /* For moving past slashes in input name. */
+@@ -65,25 +67,18 @@ process_copy_pass ()
+ created files */
+
+ /* Initialize the copy pass. */
+- ds_init (&input_name, 128);
+
+ dirname_len = strlen (directory_name);
+ if (change_directory_option && !ISSLASH (directory_name[0]))
+ {
+ char *pwd = xgetcwd ();
+-
+- dirname_len += strlen (pwd) + 1;
+- ds_init (&output_name, dirname_len + 2);
+- strcpy (output_name.ds_string, pwd);
+- strcat (output_name.ds_string, "/");
+- strcat (output_name.ds_string, directory_name);
+- }
+- else
+- {
+- ds_init (&output_name, dirname_len + 2);
+- strcpy (output_name.ds_string, directory_name);
++
++ ds_concat (&output_name, pwd);
++ ds_append (&output_name, '/');
+ }
+- output_name.ds_string[dirname_len] = '/';
++ ds_concat (&output_name, directory_name);
++ ds_append (&output_name, '/');
++ dirname_len = ds_len (&output_name);
+ output_is_seekable = true;
+
+ change_dir ();
+@@ -116,8 +111,8 @@ process_copy_pass ()
+ /* Make the name of the new file. */
+ for (slash = input_name.ds_string; *slash == '/'; ++slash)
+ ;
+- ds_resize (&output_name, dirname_len + strlen (slash) + 2);
+- strcpy (output_name.ds_string + dirname_len + 1, slash);
++ ds_reset (&output_name, dirname_len);
++ ds_concat (&output_name, slash);
+
+ existing_dir = false;
+ if (lstat (output_name.ds_string, &out_file_stat) == 0)
+@@ -333,6 +328,9 @@ process_copy_pass ()
+ (unsigned long) blocks),
+ (unsigned long) blocks);
+ }
++
++ ds_free (&input_name);
++ ds_free (&output_name);
+ }
+ �
+ /* Try and create a hard link from FILE_NAME to another file
+Index: cpio-2.13+dfsg/src/dstring.c
+===================================================================
+--- cpio-2.13+dfsg.orig/src/dstring.c
++++ cpio-2.13+dfsg/src/dstring.c
+@@ -20,8 +20,8 @@
+ #if defined(HAVE_CONFIG_H)
+ # include <config.h>
+ #endif
+-
+ #include <stdio.h>
++#include <stdlib.h>
+ #if defined(HAVE_STRING_H) || defined(STDC_HEADERS)
+ #include <string.h>
+ #else
+@@ -33,24 +33,41 @@
+ /* Initialiaze dynamic string STRING with space for SIZE characters. */
+
+ void
+-ds_init (dynamic_string *string, int size)
++ds_init (dynamic_string *string)
++{
++ memset (string, 0, sizeof *string);
++}
++
++/* Free the dynamic string storage. */
++
++void
++ds_free (dynamic_string *string)
+ {
+- string->ds_length = size;
+- string->ds_string = (char *) xmalloc (size);
++ free (string->ds_string);
+ }
+
+-/* Expand dynamic string STRING, if necessary, to hold SIZE characters. */
++/* Expand dynamic string STRING, if necessary. */
+
+ void
+-ds_resize (dynamic_string *string, int size)
++ds_resize (dynamic_string *string)
+ {
+- if (size > string->ds_length)
++ if (string->ds_idx == string->ds_size)
+ {
+- string->ds_length = size;
+- string->ds_string = (char *) xrealloc ((char *) string->ds_string, size);
++ string->ds_string = x2nrealloc (string->ds_string, &string->ds_size,
++ 1);
+ }
+ }
+
++/* Reset the index of the dynamic string S to LEN. */
++
++void
++ds_reset (dynamic_string *s, size_t len)
++{
++ while (len > s->ds_size)
++ ds_resize (s);
++ s->ds_idx = len;
++}
++
+ /* Dynamic string S gets a string terminated by the EOS character
+ (which is removed) from file F. S will increase
+ in size during the function if the string from F is longer than
+@@ -61,34 +78,50 @@ ds_resize (dynamic_string *string, int s
+ char *
+ ds_fgetstr (FILE *f, dynamic_string *s, char eos)
+ {
+- int insize; /* Amount needed for line. */
+- int strsize; /* Amount allocated for S. */
+ int next_ch;
+
+ /* Initialize. */
+- insize = 0;
+- strsize = s->ds_length;
++ s->ds_idx = 0;
+
+ /* Read the input string. */
+- next_ch = getc (f);
+- while (next_ch != eos && next_ch != EOF)
++ while ((next_ch = getc (f)) != eos && next_ch != EOF)
+ {
+- if (insize >= strsize - 1)
+- {
+- ds_resize (s, strsize * 2 + 2);
+- strsize = s->ds_length;
+- }
+- s->ds_string[insize++] = next_ch;
+- next_ch = getc (f);
++ ds_resize (s);
++ s->ds_string[s->ds_idx++] = next_ch;
+ }
+- s->ds_string[insize++] = '\0';
++ ds_resize (s);
++ s->ds_string[s->ds_idx] = '\0';
+
+- if (insize == 1 && next_ch == EOF)
++ if (s->ds_idx == 0 && next_ch == EOF)
+ return NULL;
+ else
+ return s->ds_string;
+ }
+
++void
++ds_append (dynamic_string *s, int c)
++{
++ ds_resize (s);
++ s->ds_string[s->ds_idx] = c;
++ if (c)
++ {
++ s->ds_idx++;
++ ds_resize (s);
++ s->ds_string[s->ds_idx] = 0;
++ }
++}
++
++void
++ds_concat (dynamic_string *s, char const *str)
++{
++ size_t len = strlen (str);
++ while (len + 1 > s->ds_size)
++ ds_resize (s);
++ memcpy (s->ds_string + s->ds_idx, str, len);
++ s->ds_idx += len;
++ s->ds_string[s->ds_idx] = 0;
++}
++
+ char *
+ ds_fgets (FILE *f, dynamic_string *s)
+ {
+@@ -100,3 +133,10 @@ ds_fgetname (FILE *f, dynamic_string *s)
+ {
+ return ds_fgetstr (f, s, '\0');
+ }
++
++/* Return true if the dynamic string S ends with character C. */
++int
++ds_endswith (dynamic_string *s, int c)
++{
++ return (s->ds_idx > 0 && s->ds_string[s->ds_idx - 1] == c);
++}
+Index: cpio-2.13+dfsg/src/dstring.h
+===================================================================
+--- cpio-2.13+dfsg.orig/src/dstring.h
++++ cpio-2.13+dfsg/src/dstring.h
+@@ -17,10 +17,6 @@
+ Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
+ Boston, MA 02110-1301 USA. */
+
+-#ifndef NULL
+-#define NULL 0
+-#endif
+-
+ /* A dynamic string consists of record that records the size of an
+ allocated string and the pointer to that string. The actual string
+ is a normal zero byte terminated string that can be used with the
+@@ -30,22 +26,25 @@
+
+ typedef struct
+ {
+- int ds_length; /* Actual amount of storage allocated. */
+- char *ds_string; /* String. */
++ size_t ds_size; /* Actual amount of storage allocated. */
++ size_t ds_idx; /* Index of the next free byte in the string. */
++ char *ds_string; /* String storage. */
+ } dynamic_string;
+
++#define DYNAMIC_STRING_INITIALIZER { 0, 0, NULL }
+
+-/* Macros that look similar to the original string functions.
+- WARNING: These macros work only on pointers to dynamic string records.
+- If used with a real record, an "&" must be used to get the pointer. */
+-#define ds_strlen(s) strlen ((s)->ds_string)
+-#define ds_strcmp(s1, s2) strcmp ((s1)->ds_string, (s2)->ds_string)
+-#define ds_strncmp(s1, s2, n) strncmp ((s1)->ds_string, (s2)->ds_string, n)
+-#define ds_index(s, c) index ((s)->ds_string, c)
+-#define ds_rindex(s, c) rindex ((s)->ds_string, c)
++void ds_init (dynamic_string *string);
++void ds_free (dynamic_string *string);
++void ds_reset (dynamic_string *s, size_t len);
+
+-void ds_init (dynamic_string *string, int size);
+-void ds_resize (dynamic_string *string, int size);
++/* All functions below guarantee that s->ds_string[s->ds_idx] == '\0' */
+ char *ds_fgetname (FILE *f, dynamic_string *s);
+ char *ds_fgets (FILE *f, dynamic_string *s);
+ char *ds_fgetstr (FILE *f, dynamic_string *s, char eos);
++void ds_append (dynamic_string *s, int c);
++void ds_concat (dynamic_string *s, char const *str);
++
++#define ds_len(s) ((s)->ds_idx)
++
++int ds_endswith (dynamic_string *s, int c);
++
+Index: cpio-2.13+dfsg/src/util.c
+===================================================================
+--- cpio-2.13+dfsg.orig/src/util.c
++++ cpio-2.13+dfsg/src/util.c
+@@ -846,11 +846,9 @@ get_next_reel (int tape_des)
+ FILE *tty_out; /* File for interacting with user. */
+ int old_tape_des;
+ char *next_archive_name;
+- dynamic_string new_name;
++ dynamic_string new_name = DYNAMIC_STRING_INITIALIZER;
+ char *str_res;
+
+- ds_init (&new_name, 128);
+-
+ /* Open files for interactive communication. */
+ tty_in = fopen (TTY_NAME, "r");
+ if (tty_in == NULL)
+@@ -925,7 +923,7 @@ get_next_reel (int tape_des)
+ error (PAXEXIT_FAILURE, 0, _("internal error: tape descriptor changed from %d to %d"),
+ old_tape_des, tape_des);
+
+- free (new_name.ds_string);
++ ds_free (&new_name);
+ fclose (tty_in);
+ fclose (tty_out);
+ }
diff -Nru cpio-2.13+dfsg/debian/patches/992098-regression-of-orig-fix-for-CVE-2021-38185 cpio-2.13+dfsg/debian/patches/992098-regression-of-orig-fix-for-CVE-2021-38185
--- cpio-2.13+dfsg/debian/patches/992098-regression-of-orig-fix-for-CVE-2021-38185 1970-01-01 02:00:00.000000000 +0200
+++ cpio-2.13+dfsg/debian/patches/992098-regression-of-orig-fix-for-CVE-2021-38185 2021-08-13 05:53:54.000000000 +0300
@@ -0,0 +1,36 @@
+From dfc801c44a93bed7b3951905b188823d6a0432c8 Mon Sep 17 00:00:00 2001
+From: Sergey Poznyakoff <gray@gnu.org>
+Date: Wed, 11 Aug 2021 18:10:38 +0300
+Subject: Fix previous commit
+
+* src/dstring.c (ds_reset,ds_concat): Don't call ds_resize in a
+loop.
+---
+ src/dstring.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/dstring.c b/src/dstring.c
+index 692d3e7..b7e0bb5 100644
+--- a/src/dstring.c
++++ b/src/dstring.c
+@@ -64,7 +64,7 @@ void
+ ds_reset (dynamic_string *s, size_t len)
+ {
+ while (len > s->ds_size)
+- ds_resize (s);
++ s->ds_string = x2nrealloc (s->ds_string, &s->ds_size, 1);
+ s->ds_idx = len;
+ }
+
+@@ -116,7 +116,7 @@ ds_concat (dynamic_string *s, char const *str)
+ {
+ size_t len = strlen (str);
+ while (len + 1 > s->ds_size)
+- ds_resize (s);
++ s->ds_string = x2nrealloc (s->ds_string, &s->ds_size, 1);
+ memcpy (s->ds_string + s->ds_idx, str, len);
+ s->ds_idx += len;
+ s->ds_string[s->ds_idx] = 0;
+--
+cgit v1.2.1
+
diff -Nru cpio-2.13+dfsg/debian/patches/992192-Fix-dynamic-string-reallocations.patch cpio-2.13+dfsg/debian/patches/992192-Fix-dynamic-string-reallocations.patch
--- cpio-2.13+dfsg/debian/patches/992192-Fix-dynamic-string-reallocations.patch 1970-01-01 02:00:00.000000000 +0200
+++ cpio-2.13+dfsg/debian/patches/992192-Fix-dynamic-string-reallocations.patch 2021-08-22 08:21:27.000000000 +0300
@@ -0,0 +1,80 @@
+From: Sergey Poznyakoff <gray@gnu.org>
+Date: Wed, 18 Aug 2021 09:41:39 +0300
+Subject: Fix dynamic string reallocations
+Origin: https://git.savannah.gnu.org/cgit/cpio.git/commit/?id=236684f6deb3178043fe72a8e2faca538fa2aae1
+Bug: https://lists.gnu.org/archive/html/bug-cpio/2021-08/msg00005.html
+Bug-Debian: https://bugs.debian.org/992192
+
+* src/dstring.c (ds_resize): Take additional argument: number of
+bytes to leave available after ds_idx. All uses changed.
+---
+ src/dstring.c | 18 ++++++++----------
+ 1 file changed, 8 insertions(+), 10 deletions(-)
+
+diff --git a/src/dstring.c b/src/dstring.c
+index b7e0bb5b5ec1..fd4e03067c25 100644
+--- a/src/dstring.c
++++ b/src/dstring.c
+@@ -49,9 +49,9 @@ ds_free (dynamic_string *string)
+ /* Expand dynamic string STRING, if necessary. */
+
+ void
+-ds_resize (dynamic_string *string)
++ds_resize (dynamic_string *string, size_t len)
+ {
+- if (string->ds_idx == string->ds_size)
++ while (len + string->ds_idx >= string->ds_size)
+ {
+ string->ds_string = x2nrealloc (string->ds_string, &string->ds_size,
+ 1);
+@@ -63,8 +63,7 @@ ds_resize (dynamic_string *string)
+ void
+ ds_reset (dynamic_string *s, size_t len)
+ {
+- while (len > s->ds_size)
+- s->ds_string = x2nrealloc (s->ds_string, &s->ds_size, 1);
++ ds_resize (s, len);
+ s->ds_idx = len;
+ }
+
+@@ -86,10 +85,10 @@ ds_fgetstr (FILE *f, dynamic_string *s, char eos)
+ /* Read the input string. */
+ while ((next_ch = getc (f)) != eos && next_ch != EOF)
+ {
+- ds_resize (s);
++ ds_resize (s, 0);
+ s->ds_string[s->ds_idx++] = next_ch;
+ }
+- ds_resize (s);
++ ds_resize (s, 0);
+ s->ds_string[s->ds_idx] = '\0';
+
+ if (s->ds_idx == 0 && next_ch == EOF)
+@@ -101,12 +100,12 @@ ds_fgetstr (FILE *f, dynamic_string *s, char eos)
+ void
+ ds_append (dynamic_string *s, int c)
+ {
+- ds_resize (s);
++ ds_resize (s, 0);
+ s->ds_string[s->ds_idx] = c;
+ if (c)
+ {
+ s->ds_idx++;
+- ds_resize (s);
++ ds_resize (s, 0);
+ s->ds_string[s->ds_idx] = 0;
+ }
+ }
+@@ -115,8 +114,7 @@ void
+ ds_concat (dynamic_string *s, char const *str)
+ {
+ size_t len = strlen (str);
+- while (len + 1 > s->ds_size)
+- s->ds_string = x2nrealloc (s->ds_string, &s->ds_size, 1);
++ ds_resize (s, len);
+ memcpy (s->ds_string + s->ds_idx, str, len);
+ s->ds_idx += len;
+ s->ds_string[s->ds_idx] = 0;
+--
+2.33.0
+
diff -Nru cpio-2.13+dfsg/debian/patches/series cpio-2.13+dfsg/debian/patches/series
--- cpio-2.13+dfsg/debian/patches/series 2020-07-08 06:40:09.000000000 +0300
+++ cpio-2.13+dfsg/debian/patches/series 2022-09-14 22:45:55.000000000 +0300
@@ -1,6 +1,7 @@
695717-no-cpio.info-2.patch
fix.win32-compat.patch
autoreconf.patch
+Wrong-CRC-with-ASCII-CRC-for-large-files.patch
fix.better.handle.device.nodes.cramfs.565474.patch
fix.fatal.exits.mt.576637.patch
fix.other.bugs.patch
@@ -12,3 +13,6 @@
fix.mt-erase.manpage.patch
revert-CVE-2015-1197-handling.patch
963304-remove-superfluous-declaration-of-program_name
+992045-CVE-2021-38185-rewrite-dynamic-string-support
+992098-regression-of-orig-fix-for-CVE-2021-38185
+992192-Fix-dynamic-string-reallocations.patch
diff -Nru cpio-2.13+dfsg/debian/patches/Wrong-CRC-with-ASCII-CRC-for-large-files.patch cpio-2.13+dfsg/debian/patches/Wrong-CRC-with-ASCII-CRC-for-large-files.patch
--- cpio-2.13+dfsg/debian/patches/Wrong-CRC-with-ASCII-CRC-for-large-files.patch 1970-01-01 02:00:00.000000000 +0200
+++ cpio-2.13+dfsg/debian/patches/Wrong-CRC-with-ASCII-CRC-for-large-files.patch 2022-09-14 22:45:55.000000000 +0300
@@ -0,0 +1,34 @@
+From: Stefano Babic <sbabic@denx.de>
+Date: Fri, 28 Jul 2017 13:20:52 +0200
+Subject: Wrong CRC with ASCII CRC for large files
+
+Due to signedness, the checksum is not computed when filesize is bigger
+a 2GB.
+
+Signed-off-by: Stefano Babic <sbabic@denx.de>
+---
+ src/copyout.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/src/copyout.c b/src/copyout.c
+index 1f0987a..727aeca 100644
+--- a/src/copyout.c
++++ b/src/copyout.c
+@@ -34,13 +34,13 @@
+ compute and return a checksum for them. */
+
+ static uint32_t
+-read_for_checksum (int in_file_des, int file_size, char *file_name)
++read_for_checksum (int in_file_des, unsigned int file_size, char *file_name)
+ {
+ uint32_t crc;
+ char buf[BUFSIZ];
+- int bytes_left;
+- int bytes_read;
+- int i;
++ unsigned int bytes_left;
++ unsigned int bytes_read;
++ unsigned int i;
+
+ crc = 0;
+
--- End Message ---