- Jul 26, 2021
-
-
Timo Teräs authored
Various parsing of numeric strings were not having adequate range checking causing information leak or potential crash.
CVE-2021-36159
fixes #10749
Co-authored-by: Ariadne Conill <ariadne@dereferenced.org>
Reported-by: Samanta Navarro <ferivoz@riseup.net>
-
Timo Teräs authored
-
Timo Teräs authored
Make errors more observable. Unfortunately full rollback is non-trivial to implement. This is something to be fixed with the v3 database format.
-
Packages containing files with path names longer than 1024 characters cannot fit into the buffer which is used to write "installed" database. This leads to bbuf being APK_BLOB_NULL in apk_db_write_fdb because apk_blob_push_blob notices the condition and correctly handles it. The problem occurs when arguments to apk_ostream_write are manually calculated by pointer arithmetic. Since bbuf.ptr is NULL in such a case, bbuf.ptr - buf leads to a huge size value while buf still points into the stack.
fixes #10751
[TT: minor edit to commit and abbreviating the commit message]
-
Timo Teräs authored
-
Timo Teräs authored
If a signature is longer than max allowed adb signature length then adb_walk_block writes out of boundary of stack variable tmp. The len += snprintf is not safe per standard snprintf implementation (kernel does it differently). Introduce and use apk_blob_push_fmt which does the checking better.
Fixes #10752
Reported-by: Samanta Navarro <ferivoz@riseup.net>
-
- Jul 25, 2021
-
-
[TT: minor stylistic changes]
-
Timo Teräs authored
-
- Jul 23, 2021
-
-
Timo Teräs authored
fixes #10748
-
Timo Teräs authored
Add uvol_name to struct apk_file_info so it can be passed down the extract callbacks in future work. Modify uvol name to not include the path, but just the filename portion.
-
-
- Jul 22, 2021
-
-
Timo Teräs authored
-
Timo Teräs authored
-
Timo Teräs authored
In struct adb, do not keep the whole header, just the schema in host byte order.
-
Timo Teräs authored
Harden the error checking of expected block types and their order. Add ADB_BLOCK_DATAX as reserved for >1GB blocks.
-
Timo Teräs authored
-
Timo Teräs authored
-
Timo Teräs authored
-
Timo Teräs authored
- apk_istream_splice usage is converted to apk_stream_copy which is the newer variant. With caching enabled by default, this makes more sense mmapping or using separate buffers.
- apk_istream_tee is reworked to write to apk_ostream, which simplifies quite a bit of various things
-
Timo Teräs authored
The interface was slightly cumbersome, so replace these functions to return explicit error, and make the return blob a pointer arg.
-
Timo Teräs authored
It is no longer needed, and can be later reintroduced if needed.
-
Timo Teräs authored
Removes code duplication, and puts important checks in one place. Support seamless decompression in adbdump.
-
Timo Teräs authored
-
Timo Teräs authored
Add compression header of adb files. Support uncompressed and deflate compression at this time.
-
Timo Teräs authored
-
- Jul 16, 2021
-
-
Timo Teräs authored
removes some code duplication
-
Timo Teräs authored
-
Timo Teräs authored
Fix the script to not contain \x00 escape which was the only new feature used. Fix the meson build script to use given lua interpreter for running the genhelp.lua. Based on patch from Daniel Golle <daniel@makrotopia.org>
-
Timo Teräs authored
Based on patch from Daniel Golle <daniel@makrotopia.org>
-
- Jul 06, 2021
-
-
Ariadne Conill authored
Macros used have been taken from Loongson's work-in-progress GCC 12 port.
-
- Jun 23, 2021
-
-
Timo Teräs authored
-
- Jun 21, 2021
-
-
Timo Teräs authored
This caused some -Wall errors on certain gcc versions due to BIO_reset() being a macro with explicit cast.
-
Timo Teräs authored
-
Timo Teräs authored
-
- Jun 19, 2021
-
-
Rodrigo Lourenço authored
-
Timo Teräs authored
-
Timo Teräs authored
EVP_MD_CTX_set_pkey_ctx() is a fairly new openssl function, and does not exist in many alternatives. Use EVP_MD_CTX_reset() which is slightly more heavy but more portable. Also add signature buffer lengths to work with RSA.
-
Timo Teräs authored
-
Timo Teräs authored
- remove unneeded assert.h
- add needed limits.h
-
Fixes #10746.
-