Gentoo Archives: gentoo-commits

From: "Vlastimil Babka (caster)" <caster@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] gentoo-x86 commit in app-arch/fastjar/files: 0.98-traversal.patch
Date: Wed, 30 Jun 2010 21:48:14
Message-Id: 20100630214811.EC6042C3ED@corvid.gentoo.org
1 caster 10/06/30 21:48:11
2
3 Added: 0.98-traversal.patch
4 Log:
5 Revbump to fix security bug #325557, patch from ubuntu.
6 (Portage version: 2.2_rc67/cvs/Linux x86_64)
7
8 Revision Changes Path
9 1.1 app-arch/fastjar/files/0.98-traversal.patch
10
11 file : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/app-arch/fastjar/files/0.98-traversal.patch?rev=1.1&view=markup
12 plain: http://sources.gentoo.org/viewvc.cgi/gentoo-x86/app-arch/fastjar/files/0.98-traversal.patch?rev=1.1&content-type=text/plain
13
14 Index: 0.98-traversal.patch
15 ===================================================================
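--- fastjar-0.98.orig/jartool.c
+++ fastjar-0.98/jartool.c
@@ -790,6 +790,7 @@
 progname, jarfile);
 return 1;
 }
+ ze->filename[len] = '\0';
 len = UNPACK_UB4(header, CEN_EFLEN);
 len += UNPACK_UB4(header, CEN_COMLEN);
 if (lseek (fd, len, SEEK_CUR) == -1)
@@ -1257,7 +1258,7 @@
 exit_on_error("write");
 
 /* write the file name to the zip file */
- if (1 == write(jfd, fname, file_name_length))
+ if (-1 == write(jfd, fname, file_name_length))
 exit_on_error("write");
 
 if(verbose){
@@ -1730,7 +1731,17 @@
 struct stat sbuf;
 int depth = 0;
 
- tmp_buff = malloc(sizeof(char) * strlen((const char *)filename));
+ if(*filename == '/'){
+ fprintf(stderr, "Absolute path names are not allowed.\n");
+ exit(EXIT_FAILURE);
+ }
+
+ tmp_buff = malloc(strlen((const char *)filename));
+
+ if(tmp_buff == NULL) {
+ fprintf(stderr, "Out of memory.\n");
+ exit(EXIT_FAILURE);
+ }
 
 for(;;){
 const ub1 *idx = (const unsigned char *)strchr((const char *)start, '/');
@@ -1738,25 +1749,28 @@
 if(idx == NULL)
 break;
 else if(idx == start){
+ tmp_buff[idx - filename] = '/';
 start++;
 continue;
 }
- start = idx + 1;
 
- strncpy(tmp_buff, (const char *)filename, (idx - filename));
- tmp_buff[(idx - filename)] = '\0';
+ memcpy(tmp_buff + (start - filename), (const char *)start, (idx - start));
+ tmp_buff[idx - filename] = '\0';
 
 #ifdef DEBUG
 printf("checking the existance of %s\n", tmp_buff);
 #endif
- if(strcmp(tmp_buff, "..") == 0){
+ if(idx - start == 2 && memcmp(start, "..", 2) == 0){
 --depth;
 if (depth < 0){
 fprintf(stderr, "Traversal to parent directories during unpacking!\n");
 exit(EXIT_FAILURE);
 }
- } else if (strcmp(tmp_buff, ".") != 0)
+ } else if (idx - start != 1 || *start != '.')
 ++depth;
+
+ start = idx + 1;
+
 if(stat(tmp_buff, &sbuf) < 0){
 if(errno != ENOENT)
 exit_on_error("stat");
@@ -1765,6 +1779,7 @@
 #ifdef DEBUG
 printf("Directory exists\n");
 #endif
+ tmp_buff[idx - filename] = '/';
 continue;
 }else {
 fprintf(stderr, "Hmmm.. %s exists but isn't a directory!\n",
@@ -1781,10 +1796,11 @@
 if(verbose && handle)
 printf("%10s: %s/\n", "created", tmp_buff);
 
+ tmp_buff[idx - filename] = '/';
 }
 
 /* only a directory */
- if(strlen((const char *)start) == 0)
+ if(*start == '\0')
 dir = TRUE;
 
 #ifdef DEBUG
@@ -1792,7 +1808,7 @@
 #endif
 
 /* If the entry was just a directory, don't write to file, etc */
- if(strlen((const char *)start) == 0)
+ if(*start == '\0')
 f_fd = -1;
 
 free(tmp_buff);
@@ -1876,7 +1892,8 @@
 exit(EXIT_FAILURE);
 }
 
- close(f_fd);
+ if (f_fd != -1)
+ close(f_fd);
 
 if(verbose && dir == FALSE && handle)
 printf("%10s: %s\n",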
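Review bot: In the `@@ -1730,7 +1731,17 @@` hunk the new `tmp_buff = malloc(strlen((const char *)filename));` leaves no room for a terminator and requests zero bytes for an empty entry name, which the C standard allows to return NULL and which would then trip the added "Out of memory." exit. The writes in the `@@ -1738,25 +1749,28 @@` hunk stay in bounds only because `idx` always points at a `/` inside `filename`, so the largest index used is `strlen - 1`; that invariant is easy to break in a later edit. I would size it as `tmp_buff = malloc(strlen((const char *)filename) + 1);`. Separately, the depth counter is purely lexical and `stat(tmp_buff, &sbuf)` follows symlinks, so a path component that already exists as a symlink to a directory would presumably take the "Directory exists" branch; the directory test itself is not visible in these hunks, so this needs checking against the full function. The enclosing function begins and ends outside the hunks shown.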