!29 backport lib/node.c: Fix minor typo in error message

From: @liyy9 
Reviewed-by: @Charlie_li 
Signed-off-by: @Charlie_li

0001-lib-node.c-Fix-minor-typo-in-error-message.patch

@@ -0,0 +1,25 @@
+From bb92eed6b57ed29d8230ca688ff73771b8b7e845 Mon Sep 17 00:00:00 2001
+From: "Richard W.M. Jones" <rjones@redhat.com>
+Date: Fri, 16 Jul 2021 09:49:04 +0100
+Subject: [PATCH] lib/node.c: Fix minor typo in error message
+
+---
+ lib/node.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/node.c b/lib/node.c
+index 21cd127..7b002a4 100644
+--- a/lib/node.c
++++ b/lib/node.c
+@@ -346,7 +346,7 @@ _hivex_get_children (hive_h *h, hive_node_h node,
+     if (!h->unsafe) {
+       SET_ERRNO (ENOTSUP,
+                  "nr_subkeys_in_nk = %zu "
+-                 "is not equal to number of childred read %zu",
++                 "is not equal to number of children read %zu",
+                  nr_subkeys_in_nk, nr_children);
+       goto error;
+     } else {
+-- 
+2.33.0
+

CVE-2021-3504.patch

@@ -0,0 +1,72 @@
+From 8f1935733b10d974a1a4176d38dd151ed98cf381 Mon Sep 17 00:00:00 2001
+From: "Richard W.M. Jones" <rjones@redhat.com>
+Date: Thu, 15 Apr 2021 15:50:13 +0100
+Subject: [PATCH] lib/handle.c: Bounds check for block exceeding page length
+ (CVE-2021-3504)
+
+Hives are encoded as fixed-sized pages containing smaller variable-
+length blocks:
+
+  +-------------------+-------------------+-------------------+--
+  | header            |[ blk ][blk][ blk ]|[blk][blk][blk]    |
+  +-------------------+-------------------+-------------------+--
+
+Blocks should not straddle a page boundary.  However because blocks
+contain a 32 bit length field it is possible to construct an invalid
+hive where the last block in a page overlaps either the next page or
+the end of the file:
+
+  +-------------------+-------------------+
+  | header            |[ blk ][blk][ blk ..... ]
+  +-------------------+-------------------+
+
+Hivex lacked a bounds check and would process the registry.  Because
+the rest of the code assumes this situation can never happen it was
+possible to have a block containing some field (eg. a registry key
+name) which would extend beyond the end of the file.  Hivex mmaps or
+mallocs the file, causing hivex to read memory beyond the end of the
+mapped region, resulting in reading other memory structures or a
+crash.  (Writing beyond the end of the mapped region seems to be
+impossible because we always allocate a new page before writing.)
+
+This commit adds a check which rejects the malformed registry on
+hivex_open.
+
+Credit: Jeremy Galindo, Sr Security Engineer, Datto.com
+Signed-off-by: Richard W.M. Jones <rjones@redhat.com>
+Fixes: CVE-2021-3504
+Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1949687
+---
+ lib/handle.c | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+diff --git a/lib/handle.c b/lib/handle.c
+index 88b1563..2e4231a 100644
+--- a/lib/handle.c
++++ b/lib/handle.c
+@@ -353,8 +353,8 @@ hivex_open (const char *filename, int flags)
+ #pragma GCC diagnostic pop
+         if (is_root || !h->unsafe) {
+           SET_ERRNO (ENOTSUP,
+-                     "%s, the block at 0x%zx has invalid size %" PRIu32
+-                     ", bad registry",
++                     "%s, the block at 0x%zx size %" PRIu32
++                     " <= 4 or not a multiple of 4, bad registry",
+                      filename, blkoff, le32toh (block->seg_len));
+           goto error;
+         } else {
+@@ -365,6 +365,14 @@ hivex_open (const char *filename, int flags)
+         }
+       }
+ 
++      if (blkoff + seg_len > off + page_size) {
++        SET_ERRNO (ENOTSUP,
++                   "%s, the block at 0x%zx size %" PRIu32
++                   " extends beyond the current page, bad registry",
++                   filename, blkoff, le32toh (block->seg_len));
++        goto error;
++      }
++
+       if (h->msglvl >= 2) {
+         unsigned char *id = (unsigned char *) block->id;
+         int id0 = id[0], id1 = id[1];

CVE-2021-3622.patch

@@ -0,0 +1,92 @@
+From 771728218dac2fbf6997a7e53225e75a4c6b7255 Mon Sep 17 00:00:00 2001
+From: "Richard W.M. Jones" <rjones@redhat.com>
+Date: Thu, 8 Jul 2021 19:00:45 +0100
+Subject: [PATCH] lib/node.c: Limit recursion in ri-records (CVE-2021-3622)
+
+Windows Registry hive "ri"-records are arbitrarily nested B-tree-like
+structures:
+
+  +-------------+
+  | ri          |
+  |-------------|
+  | nr_offsets  |
+  |   offset[0] ------>  points to another lf/lh/li/ri block
+  |   offset[1] ------>
+  |   offset[2] ------>
+  +-------------+
+
+It is possible to construct a hive with a very deeply nested tree of
+ri-records, causing the internal _get_children function to recurse to
+any depth which can cause programs linked to hivex to crash with a
+stack overflow.
+
+Since it is not thought that deeply nested ri-records occur in real
+hives, limit recursion depth.  If you hit this limit you will see the
+following error and the operation will return an error instead of
+crashing:
+
+  \> ls
+  hivex: _get_children: returning EINVAL because: ri-record nested to depth >= 32
+  ls: Invalid argument
+
+Thanks to Jeremy Galindo for finding and reporting this bug.
+
+Reported-by: Jeremy Galindo, Sr Security Engineer, Datto.com
+Signed-off-by: Richard W.M. Jones <rjones@redhat.com>
+Fixes: CVE-2021-3622
+Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1975489
+(cherry picked from commit 781a12c4a49dd81365c9c567c5aa5e19e894ba0e)
+---
+ lib/node.c | 18 ++++++++++++++----
+ 1 file changed, 14 insertions(+), 4 deletions(-)
+
+diff --git a/lib/node.c b/lib/node.c
+index 7b002a4..eb7fe93 100644
+--- a/lib/node.c
++++ b/lib/node.c
+@@ -203,7 +203,7 @@ hivex_node_classname (hive_h *h, hive_node_h node)
+ 
+ static int _get_children (hive_h *h, hive_node_h blkoff,
+                           offset_list *children, offset_list *blocks,
+-                          int flags);
++                          int flags, unsigned depth);
+ static int check_child_is_nk_block (hive_h *h, hive_node_h child, int flags);
+ 
+ /* Iterate over children (ie. subkeys of a node), returning child
+@@ -335,7 +335,7 @@ _hivex_get_children (hive_h *h, hive_node_h node,
+     goto error;
+   }
+ 
+-  if (_get_children (h, subkey_lf, &children, &blocks, flags) == -1)
++  if (_get_children (h, subkey_lf, &children, &blocks, flags, 0) == -1)
+     goto error;
+ 
+   /* Check the number of children we ended up reading matches
+@@ -383,7 +383,7 @@ _hivex_get_children (hive_h *h, hive_node_h node,
+ static int
+ _get_children (hive_h *h, hive_node_h blkoff,
+                offset_list *children, offset_list *blocks,
+-               int flags)
++               int flags, unsigned depth)
+ {
+   /* Add this intermediate block. */
+   if (_hivex_add_to_offset_list (blocks, blkoff) == -1)
+@@ -486,7 +486,17 @@ _get_children (hive_h *h, hive_node_h blkoff,
+         }
+       }
+ 
+-      if (_get_children (h, offset, children, blocks, flags) == -1)
++      /* Although in theory hive ri records might be nested to any
++       * depth, in practice this is unlikely.  Recursing here caused
++       * CVE-2021-3622.  Thus limit the depth we will recurse to
++       * something small.
++       */
++      if (depth >= 32) {
++        SET_ERRNO (EINVAL, "ri-record nested to depth >= %u", depth);
++        return -1;
++      }
++
++      if (_get_children (h, offset, children, blocks, flags, depth+1) == -1)
+         return -1;
+     }
+   }

hivex.spec

@@ -1,4 +1,4 @@
-%ifarch %{ocaml_native_compiler}
+%ifarch %{ocaml_native_compiler} loongarch64 sw_64
 %bcond_without ocaml
 %else
 %bcond_with ocaml
@@ -6,14 +6,16 @@
 
 Name:           hivex
 Version:        1.3.17
-Release:        2
+Release:        7
 Summary:        Windows Registry "hive" extraction library
 License:        LGPLv2
 URL:            http://libguestfs.org/
-
 Source0:        http://libguestfs.org/download/hivex/%{name}-%{version}.tar.gz
 Source1:        http://libguestfs.org/download/hivex/%{name}-%{version}.tar.gz.sig
 Source2:        libguestfs.keyring
+Patch0:         CVE-2021-3504.patch
+Patch1:         CVE-2021-3622.patch
+Patch2:         0001-lib-node.c-Fix-minor-typo-in-error-message.patch
 
 BuildRequires:  perl-interpreter, perl, perl-podlators, perl-devel, perl-generators, perl(bytes), perl(Carp), perl(Encode), perl(ExtUtils::MakeMaker), perl(Exporter), perl(IO::Scalar), perl(IO::Stringy), perl(strict), perl(Test::More), perl(utf8), perl(vars), perl(warnings), perl(XSLoader), perl(Test::Pod) >= 1.00, perl(Test::Pod::Coverage) >= 1.00
 
@@ -22,7 +24,7 @@ BuildRequires:  ocaml
 BuildRequires:  ocaml-findlib-devel
 %endif
 
-BuildRequires:  python2-devel, python-unversioned-command, python3-devel, ruby-devel, rubygem-rake, rubygem(json), rubygem(minitest), rubygem(rdoc), readline-devel, libxml2-devel, gnupg2
+BuildRequires:  python3-devel, ruby-devel, rubygem-rake, rubygem(json), rubygem(minitest), rubygem(rdoc), readline-devel, libxml2-devel, gnupg2
 
 Provides:      bundled(gnulib)
 
@@ -88,18 +90,6 @@ Requires:      perl(:MODULE_COMPAT_%(eval "`%{__perl} -V:version`"; echo $versio
 %description -n perl-%{name}
 Perl bindings for %{name} are included in perl-%{name}.
 
-
-%package -n python2-%{name}
-Summary:       Provide python 2 bindings for %{name}
-Requires:      %{name} = %{version}-%{release}
-
-Obsoletes:     python-%{name} < %{version}-%{release}
-Provides:      python-%{name} = %{version}-%{release}
-
-%description -n python2-%{name}
-Python 2 bindings for %{name} are included in python2-%{name}.
-
-
 %package -n python3-%{name}
 Summary:       Provide python 3 bindings for %{name}
 Requires:      %{name} = %{version}-%{release}
@@ -148,6 +138,10 @@ cd python3
 cd ..
 %make_install INSTALLDIRS=vendor
 
+%ifarch sw_64
+chmod 644 %{buildroot}%{_libdir}/perl5/vendor_perl/auto/Win/Hivex/Hivex.so
+%endif
+
 %find_lang %{name}
 
 
@@ -165,7 +159,6 @@ cd python3 && make check && cd ..
 %{_libdir}/libhivex.so.*
 %exclude %{_libdir}/libhivex.la
 %exclude %{_libdir}/perl5/perllocal.pod
-%exclude %{python2_sitearch}/libhivexmod.la
 %exclude %{python3_sitearch}/libhivexmod.la
 
 
@@ -201,8 +194,10 @@ cd python3 && make check && cd ..
 
 %files -n ocaml-%{name}-devel
 %{_libdir}/ocaml/hivex/*.a
+%ifnarch loongarch64  sw_64
 %{_libdir}/ocaml/hivex/*.cmxa
 %{_libdir}/ocaml/hivex/*.cmx
+%endif
 %{_libdir}/ocaml/hivex/*.mli
 %endif
 
@@ -211,12 +206,6 @@ cd python3 && make check && cd ..
 %{perl_vendorarch}/*
 %{_bindir}/hivexregedit
 
-
-%files -n python2-%{name}
-%{python2_sitearch}/hivex/
-%{python2_sitearch}/*.so
-
-
 %files -n python3-%{name}
 %{python3_sitearch}/hivex/
 %{python3_sitearch}/*.so
@@ -229,5 +218,20 @@ cd python3 && make check && cd ..
 
 
 %changelog
+* Thu Dec 21 2023 liyuanyuan <liyuanyuan@xfusion.com> - 1.3.17-7
+- lib/node.c: Fix minor typo in error message
+
+* Mon May 29 2023 guoqinglan <guoqinglan@kylinsec.com.cn> - 1.3.17-6
+- generate ocaml sub-packages for sw_64 and loongarch64
+
+* Fri Sep 24 2021 yaoxin <yaoxin30@huawei.com> - 1.3.17-5
+- Fix CVE-2021-3622
+
+* Tue May 25 2021 wangyue <wangyue92@huawei.com> - 1.3.17-4
+- Fix CVE-2021-3504
+
+* Wed Oct 21 2020 leiju <leiju4@163.com> - 1.3.17-3
+- remove python2 subpackage
+
 * Sat Nov 30 2019 jiaxiya <jiaxiyajiaxiya@163.com> - 1.3.17-2
 - Package init