From: Austin Ziegler Date: 2019-07-30T16:12:20-04:00 Subject: [ruby-core:94060] Re: [Ruby master Bug#9529] TarHeader (Gem::Package) doesn't parse size correctly for +8GB entries --===============0045923610== Content-Type: multipart/alternative; boundary="0000000000003546ec058eeba14d" --0000000000003546ec058eeba14d Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable This could also be addressed in [minitar]( https://github.com/halostatue/minitar) where I would happily consider a PR for this. Using RubyGems for tar handling is an anti-pattern, as RubyGems use of the tar format is an implementation detail, not an expected feature. -a On Tue, Jul 30, 2019 at 5:43 AM wrote: > Issue #9529 has been updated by hsbt (Hiroshi SHIBATA). > > Backport deleted (1.9.3: UNKNOWN, 2.0.0: UNKNOWN, 2.1: UNKNOWN) > Assignee changed from drbrain (Eric Hodel) to hsbt (Hiroshi SHIBATA) > Status changed from Assigned to Third Party's Issue > > I'm not sure what usecase of this issue. > > Can you file the details into the upstream repository? > https://github.com/rubygems/rubygems > > Thanks. > > ---------------------------------------- > Bug #9529: TarHeader (Gem::Package) doesn't parse size correctly for +8GB > entries > https://bugs.ruby-lang.org/issues/9529#change-80275 > > * Author: eranhirsch (Eran Hirsch) > * Status: Third Party's Issue > * Priority: Normal > * Assignee: hsbt (Hiroshi SHIBATA) > * Target version: > * ruby -v: ruby 1.9.3p448 (2013-06-27 revision 41675) [x86_64-darwin13.0.= 0] > * Backport: > ---------------------------------------- > * The current TAR header parsing code assumes the size is represented as > an octal string > * Because this is a 12-byte, null-terminated field, effectively this can > represent up to 8GB (8^11). > * For bigger files the standard allows to define the field as a 12-byte > INTEGER instead. > * When using this form, the first bit of the field should be turned on to > signal that it is used. > > Currently, TAR files containing files larger then 8GB in this format woul= d > fail parsing because size would be computed as 0. > > (Wiki with some description of the logic, couldn't find a more "formal" > document: http://en.wikipedia.org/wiki/Tar_(computing)#File_header) > > The problem is with this code: > > http://yard.ruby-doc.org/stdlib-2.1.0/Gem/Package/TarHeader.html#from-cla= ss_method > > The line that assigns the value to size should be conditioned on the valu= e > of the first bit, and should treat the two cases differently > > > > -- > https://bugs.ruby-lang.org/ > > Unsubscribe: > > --=20 Austin Ziegler =E2=80=A2 halostatue@gmail.com =E2=80=A2 austin@halostatue.c= a http://www.halostatue.ca/ =E2=80=A2 http://twitter.com/halostatue --0000000000003546ec058eeba14d Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable

This could also be addressed in [minitar]= (https://github.com/halos= tatue/minitar) where I would happily consider a PR for this. Using Ruby= Gems for tar handling is an anti-pattern, as RubyGems use of the tar format= is an implementation detail, not an expected feature.

-a

On Tue, Jul 30, 2019 at 5:43 AM <hsbt@ruby-lang.org> wrote:

Issue #9529 has been updated by hsbt (Hiroshi SHIBATA).

Backport deleted (1.9.3: UNKNOWN, 2.0.0: UNKNOWN, 2.1: UNKNOWN)
Assignee changed from drbrain (Eric Hodel) to hsbt (Hiroshi SHIBATA)
Status changed from Assigned to Third Party's Issue

I'm not sure what usecase of this issue.

Can you file the details into the upstream repository? https://g= ithub.com/rubygems/rubygems

Thanks.

----------------------------------------
Bug #9529: TarHeader (Gem::Package) doesn't parse size correctly for +8= GB entries
https://bugs.ruby-lang.org/issues/9529#change-802= 75

* Author: eranhirsch (Eran Hirsch)
* Status: Third Party's Issue
* Priority: Normal
* Assignee: hsbt (Hiroshi SHIBATA)
* Target version:
* ruby -v: ruby 1.9.3p448 (2013-06-27 revision 41675) [x86_64-darwin13.0.0]=
* Backport:
----------------------------------------
* The current TAR header parsing code assumes the size is represented as an= octal string
* Because this is a 12-byte, null-terminated field, effectively this can re= present up to 8GB (8^11).
* For bigger files the standard allows to define the field as a 12-byte INT= EGER instead.
* When using this form, the first bit of the field should be turned on to s= ignal that it is used.

Currently, TAR files containing files larger then 8GB in this format would = fail parsing because size would be computed as 0.

(Wiki with some description of the logic, couldn't find a more "fo= rmal" document: http://en.wikipedia.org= /wiki/Tar_(computing)#File_header)

The problem is with this code:
http://yard.ruby-d= oc.org/stdlib-2.1.0/Gem/Package/TarHeader.html#from-class_method

The line that assigns the value to size should be conditioned on the value = of the first bit, and should treat the two cases differently

--
https://bugs.ruby-lang.org/

Unsubscribe: <mailto:ruby-core-request@ruby-lang.org?subject=3Dunsubscribe= >
<http://lists.ruby-lang.org/cgi-bin/m= ailman/options/ruby-core>

--

Austin Ziegler =E2=80=A2 halostatue@gmail.com =E2=80=A2 austin@halostatue.ca
http://www.ha= lostatue.ca/ =E2=80=A2 http://twitter.com/halostatue

--0000000000003546ec058eeba14d-- --===============0045923610== Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Disposition: inline Unsubscribe: --===============0045923610==--