app-arch/xz-utils: patch xzgrep vulnerability (ZDI-CAN-16587)

Bug: https://bugs.gentoo.org/837155
Signed-off-by: Sam James <sam@gentoo.org>

2 files changed, 206 insertions, 0 deletions

diff --git a/app-arch/xz-utils/files/xz-utils-5.2.5-xzgrep-ZDI-CAN-16587.patch b/app-arch/xz-utils/files/xz-utils-5.2.5-xzgrep-ZDI-CAN-16587.patch
new file mode 100644
index 000000000000..7293a982c269
--- /dev/null
+++ b/app-arch/xz-utils/files/xz-utils-5.2.5-xzgrep-ZDI-CAN-16587.patch
@@ -0,0 +1,88 @@
+https://bugs.gentoo.org/837155
+https://git.tukaani.org/?p=xz.git;a=commitdiff;h=69d1b3fc29677af8ade8dc15dba83f0589cb63d6;hp=bd93b776c1bd15e90661033c918cdeb354dbcc38
+
+From: Lasse Collin <lasse.collin@tukaani.org>
+Date: Tue, 29 Mar 2022 19:19:12 +0300
+Subject: [PATCH 1/1] xzgrep: Fix escaping of malicious filenames
+ (ZDI-CAN-16587).
+
+Malicious filenames can make xzgrep to write to arbitrary files
+or (with a GNU sed extension) lead to arbitrary code execution.
+
+xzgrep from XZ Utils versions up to and including 5.2.5 are
+affected. 5.3.1alpha and 5.3.2alpha are affected as well.
+This patch works for all of them.
+
+This bug was inherited from gzip's zgrep. gzip 1.12 includes
+a fix for zgrep.
+
+The issue with the old sed script is that with multiple newlines,
+the N-command will read the second line of input, then the
+s-commands will be skipped because it's not the end of the
+file yet, then a new sed cycle starts and the pattern space
+is printed and emptied. So only the last line or two get escaped.
+
+One way to fix this would be to read all lines into the pattern
+space first. However, the included fix is even simpler: All lines
+except the last line get a backslash appended at the end. To ensure
+that shell command substitution doesn't eat a possible trailing
+newline, a colon is appended to the filename before escaping.
+The colon is later used to separate the filename from the grep
+output so it is fine to add it here instead of a few lines later.
+
+The old code also wasn't POSIX compliant as it used \n in the
+replacement section of the s-command. Using \<newline> is the
+POSIX compatible method.
+
+LC_ALL=C was added to the two critical sed commands. POSIX sed
+manual recommends it when using sed to manipulate pathnames
+because in other locales invalid multibyte sequences might
+cause issues with some sed implementations. In case of GNU sed,
+these particular sed scripts wouldn't have such problems but some
+other scripts could have, see:
+
+    info '(sed)Locale Considerations'
+
+This vulnerability was discovered by:
+cleemy desu wayo working with Trend Micro Zero Day Initiative
+
+Thanks to Jim Meyering and Paul Eggert discussing the different
+ways to fix this and for coordinating the patch release schedule
+with gzip.
+--- a/src/scripts/xzgrep.in
++++ b/src/scripts/xzgrep.in
+@@ -180,22 +180,26 @@ for i; do
+          { test $# -eq 1 || test $no_filename -eq 1; }; then
+       eval "$grep"
+     else
++      # Append a colon so that the last character will never be a newline
++      # which would otherwise get lost in shell command substitution.
++      i="$i:"
++
++      # Escape & \ | and newlines only if such characters are present
++      # (speed optimization).
+       case $i in
+       (*'
+ '* | *'&'* | *'\'* | *'|'*)
+-        i=$(printf '%s\n' "$i" |
+-            sed '
+-              $!N
+-              $s/[&\|]/\\&/g
+-              $s/\n/\\n/g
+-            ');;
++        i=$(printf '%s\n' "$i" | LC_ALL=C sed 's/[&\|]/\\&/g; $!s/$/\\/');;
+       esac
+-      sed_script="s|^|$i:|"
++
++      # $i already ends with a colon so don't add it here.
++      sed_script="s|^|$i|"
+ 
+       # Fail if grep or sed fails.
+       r=$(
+         exec 4>&1
+-        (eval "$grep" 4>&-; echo $? >&4) 3>&- | sed "$sed_script" >&3 4>&-
++        (eval "$grep" 4>&-; echo $? >&4) 3>&- |
++            LC_ALL=C sed "$sed_script" >&3 4>&-
+       ) || r=2
+       exit $r
+     fi >&3 5>&-
diff --git a/app-arch/xz-utils/xz-utils-5.2.5-r2.ebuild b/app-arch/xz-utils/xz-utils-5.2.5-r2.ebuild
new file mode 100644
index 000000000000..7edf1c42498f
--- /dev/null
+++ b/app-arch/xz-utils/xz-utils-5.2.5-r2.ebuild
@@ -0,0 +1,118 @@
+# Copyright 1999-2022 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+# Remember: we cannot leverage autotools in this ebuild in order
+#           to avoid circular deps with autotools
+
+EAPI=7
+
+inherit libtool multilib multilib-minimal preserve-libs usr-ldscript
+
+if [[ ${PV} == 9999 ]] ; then
+	EGIT_REPO_URI="https://git.tukaani.org/xz.git"
+	inherit git-r3 autotools
+
+	# bug #272880 and bug #286068
+	BDEPEND="sys-devel/gettext >=sys-devel/libtool-2"
+else
+	VERIFY_SIG_OPENPGP_KEY_PATH="${BROOT}"/usr/share/openpgp-keys/lassecollin.asc
+	inherit verify-sig
+
+	MY_P="${PN/-utils}-${PV/_}"
+	SRC_URI="https://tukaani.org/xz/${MY_P}.tar.gz"
+	SRC_URI+=" verify-sig? ( https://tukaani.org/xz/${MY_P}.tar.gz.sig )"
+
+	if [[ ${PV} != *_alpha* ]] && [[ ${PV} != *_beta* ]] ; then
+		KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
+	fi
+	S="${WORKDIR}/${MY_P}"
+fi
+
+DESCRIPTION="Utils for managing LZMA compressed files"
+HOMEPAGE="https://tukaani.org/xz/"
+
+# See top-level COPYING file as it outlines the various pieces and their licenses.
+LICENSE="public-domain LGPL-2.1+ GPL-2+"
+SLOT="0"
+IUSE="+extra-filters nls static-libs"
+
+RDEPEND="!<app-arch/lzma-4.63
+	!<app-arch/p7zip-4.57
+	!<app-i18n/man-pages-de-2.16"
+DEPEND="${RDEPEND}"
+BDEPEND="verify-sig? ( sec-keys/openpgp-keys-lassecollin )"
+
+# Tests currently do not account for smaller feature set
+RESTRICT="!extra-filters? ( test )"
+
+PATCHES=(
+	"${FILESDIR}"/${P}-xzgrep-ZDI-CAN-16587.patch
+)
+
+src_prepare() {
+	default
+
+	if [[ ${PV} == 9999 ]] ; then
+		eautopoint
+		eautoreconf
+	else
+		# Allow building shared libs on Solaris/x64
+		elibtoolize
+	fi
+}
+
+multilib_src_configure() {
+	local myconf=(
+		--enable-threads
+		$(use_enable nls)
+		$(use_enable static-libs static)
+	)
+
+	if ! multilib_is_native_abi ; then
+		myconf+=(
+			--disable-{xz,xzdec,lzmadec,lzmainfo,lzma-links,scripts}
+		)
+	fi
+
+	if ! use extra-filters ; then
+		myconf+=(
+			# LZMA1 + LZMA2 for standard .lzma & .xz files
+			--enable-encoders=lzma1,lzma2
+			--enable-decoders=lzma1,lzma2
+
+			# those are used by default, depending on preset
+			--enable-match-finders=hc3,hc4,bt4
+
+			# CRC64 is used by default, though some (old?) files use CRC32
+			--enable-checks=crc32,crc64
+		)
+	fi
+
+	if [[ ${CHOST} == *-solaris* ]] ; then
+		export gl_cv_posix_shell="${EPREFIX}"/bin/sh
+
+		# Undo Solaris-based defaults pointing to /usr/xpg5/bin
+		myconf+=( --disable-path-for-script )
+	fi
+
+	ECONF_SOURCE="${S}" econf "${myconf[@]}"
+}
+
+multilib_src_install() {
+	default
+
+	gen_usr_ldscript -a lzma
+}
+
+multilib_src_install_all() {
+	find "${ED}" -type f -name '*.la' -delete || die
+	rm "${ED}"/usr/share/doc/${PF}/COPYING* || die
+}
+
+pkg_preinst() {
+	preserve_old_lib /usr/$(get_libdir)/liblzma$(get_libname 0)
+}
+
+pkg_postinst() {
+	preserve_old_lib_notify /usr/$(get_libdir)/liblzma$(get_libname 0)
+}