[Bug-tar] closed stderr can make tar corrupt its output archive

[Jim Meyering]

If tar is run in the following manner:
  - in --create mode, with a named target (i.e., not stdout),
  - with stderr closed, and
  - in a way that provokes tar to write a diagnostic,
then tar corrupts the named output archive by writing the diagnostic it.

Here's a demo:

  $ rm -rf a; mkdir -p a/b; chmod 0 a/b; tar cf x.tar a 2>&-; \
      head -c39 x.tar|grep tar: ; chmod -R 700 a; rm -rf a
  tar: a: Cannot open: Permission denied

That shows that the first line of the created archive, x.tar,
is tar's own diagnostic.

Here's one way to fix it, but it's probably not complete, since the
part that pulls in the gnulib fcntl-safer module is in tar proper,
while the change to rmt.h (where fcntl--.h is actually used) is
in a separate module: paxutils.  The dependency on the fcntl-safer
module needs to be associated with the file (e.g. rmt.h), not with
some random module.

Also, while this patch does seem to fix the problem I'm reporting,
I have not done a full audit.  There are other uses of functions
like open, dup, pipe, etc., that require additional protection.
For example, there is a use of pipe(2) (you can guard it with
`#include "unistd--.h"' and use the unistd-safer module).

tar/ChangeLog:
2005-08-27  Jim Meyering  <address@hidden>

        * gnulib.modules: Add fcntl-safer.

paxutils/ChangeLog:
2005-08-27  Jim Meyering  <address@hidden>

        * lib/rmt.h: Include gnulib's "fcntl--.h" to protect uses of
        open and creat against initially-closed file descriptors.

Index: gnulib.modules
===================================================================
RCS file: /cvsroot/tar/tar/gnulib.modules,v
retrieving revision 1.3
diff -u -p -r1.3 gnulib.modules
--- gnulib.modules      22 Jun 2005 06:24:39 -0000      1.3
+++ gnulib.modules      27 Aug 2005 19:28:19 -0000
@@ -8,6 +8,7 @@ backupfile
 dirname
 error
 exclude
+fcntl-safer
 fileblocks
 fnmatch-gnu
 ftruncate

Index: rmt.h
===================================================================
RCS file: /cvsroot/paxutils/paxutils/lib/rmt.h,v
retrieving revision 1.2
diff -u -p -r1.2 rmt.h
--- rmt.h       15 May 2005 06:34:49 -0000      1.2
+++ rmt.h       27 Aug 2005 19:25:19 -0000
@@ -1,6 +1,6 @@
 /* Definitions for communicating with a remote tape drive.
 
-   Copyright (C) 1988, 1992, 1996, 1997, 2001, 2003, 2004 Free
+   Copyright (C) 1988, 1992, 1996, 1997, 2001, 2003, 2004, 2005 Free
    Software Foundation, Inc.
 
    This program is free software; you can redistribute it and/or modify
@@ -19,6 +19,8 @@
 
 extern char *rmt_command;
 extern char *rmt_dev_name__;
+
+#include "fcntl--.h"
 
 int rmt_open__ (const char *, int, int, const char *);
 int rmt_close__ (int);