maekke 08/11/28 18:27:07 |
|
Added: jhead-2.84-bug243238.patch |
Log: |
bump for security bug #243238 |
(Portage version: 2.1.6_rc2/cvs/Linux 2.6.28-rc6 i686) |
|
Revision Changes Path |
1.1 media-gfx/jhead/files/jhead-2.84-bug243238.patch |
|
file : http://sources.gentoo.org/viewcvs.py/gentoo-x86/media-gfx/jhead/files/jhead-2.84-bug243238.patch?rev=1.1&view=markup |
plain: http://sources.gentoo.org/viewcvs.py/gentoo-x86/media-gfx/jhead/files/jhead-2.84-bug243238.patch?rev=1.1&content-type=text/plain |
|
Index: jhead-2.84-bug243238.patch |
=================================================================== |
This patch fixes Gentoo bug #243238 (CVE-2008-4640, CVE-2008-4641). |
|
diff -ru jhead-2.84.orig/jhead.c jhead-2.84/jhead.c |
19 |
--- jhead-2.84.orig/jhead.c 2008-10-04 18:10:35.000000000 +0200 |
20 |
+++ jhead-2.84/jhead.c 2008-11-28 18:51:52.000000000 +0100 |
21 |
@@ -295,44 +295,88 @@ |
22 |
|
23 |
|
24 |
//-------------------------------------------------------------------------- |
25 |
+// Escape an argument such that it is interpreted literally by the shell |
26 |
+// (returns the number of written characters) |
27 |
+//-------------------------------------------------------------------------- |
28 |
+static int shellescape(char* to, const char* from) |
29 |
+{ |
30 |
+ int i, j; |
31 |
+ i = j = 0; |
32 |
+ |
33 |
+ // Enclosing characters in double quotes preserves the literal value of |
34 |
+ // all characters within the quotes, with the exception of $, `, and \. |
35 |
+ to[j++] = '"'; |
36 |
+ while(from[i]) |
37 |
+ { |
38 |
+#ifdef _WIN32 |
39 |
+ // Under WIN32, there isn't really anything dangerous you can do with |
40 |
+ // escape characters, plus windows users aren't as sercurity paranoid. |
41 |
+ // Hence, no need to do fancy escaping. |
42 |
+ to[j++] = from[i++]; |
43 |
+#else |
44 |
+ switch(from[i]) { |
45 |
+ case '"': |
46 |
+ case '$': |
47 |
+ case '`': |
48 |
+ case '\\': |
49 |
+ to[j++] = '\\'; |
50 |
+ default: |
51 |
+ to[j++] = from[i++]; |
52 |
+ } |
53 |
+#endif |
54 |
+ if (j >= PATH_MAX) ErrFatal("max path exceeded"); |
55 |
+ } |
56 |
+ to[j++] = '"'; |
57 |
+ return j; |
58 |
+} |
59 |
+ |
60 |
+ |
61 |
+//-------------------------------------------------------------------------- |
62 |
// Apply the specified command to the JPEG file. |
63 |
//-------------------------------------------------------------------------- |
64 |
static void DoCommand(const char * FileName, int ShowIt) |
65 |
{ |
66 |
int a,e; |
67 |
- char ExecString[PATH_MAX*2]; |
68 |
- char TempName[PATH_MAX+1]; |
69 |
+ char ExecString[PATH_MAX*3]; |
70 |
+ char TempName[PATH_MAX+10]; |
71 |
int TempUsed = FALSE; |
72 |
|
73 |
e = 0; |
74 |
|
75 |
- // Make a temporary file in the destination directory by changing last char. |
76 |
- strcpy(TempName, FileName); |
77 |
- a = strlen(TempName)-1; |
78 |
- TempName[a] = (char)(TempName[a] == 't' ? 'z' : 't'); |
79 |
+ // Generate an unused temporary file name in the destination directory |
80 |
+ // (a is the number of characters to copy from FileName) |
81 |
+ a = strlen(FileName)-1; |
82 |
+ while(a > 0 && FileName[a-1] != '/') a--; |
83 |
+ memcpy(TempName, FileName, a); |
84 |
+ strcpy(TempName+a, "XXXXXX"); |
85 |
+ mkstemp(TempName); |
86 |
+ if(!TempName[0]) { |
87 |
+ ErrFatal("Cannot find available temporary file name"); |
88 |
+ } |
89 |
+ |
90 |
+ |
91 |
|
92 |
// Build the exec string. &i and &o in the exec string get replaced by input and output files. |
93 |
for (a=0;;a++){ |
94 |
if (ApplyCommand[a] == '&'){ |
95 |
if (ApplyCommand[a+1] == 'i'){ |
96 |
// Input file. |
97 |
- e += sprintf(ExecString+e, "\"%s\"",FileName); |
98 |
+ e += shellescape(ExecString+e, FileName); |
99 |
a += 1; |
100 |
continue; |
101 |
} |
102 |
if (ApplyCommand[a+1] == 'o'){ |
103 |
// Needs an output file distinct from the input file. |
104 |
- e += sprintf(ExecString+e, "\"%s\"",TempName); |
105 |
+ e += shellescape(ExecString+e, TempName); |
106 |
a += 1; |
107 |
TempUsed = TRUE; |
108 |
- unlink(TempName);// Remove any pre-existing temp file |
109 |
continue; |
110 |
} |
111 |
} |
112 |
ExecString[e++] = ApplyCommand[a]; |
113 |
if (ApplyCommand[a] == 0) break; |
114 |
} |
115 |
- |
116 |
+ShowIt = 1; |
117 |
if (ShowIt) printf("Cmd:%s\n",ExecString); |
118 |
|
119 |
errno = 0; |
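Review bot: The line `+ShowIt = 1;` near the end of the hunk, directly before `if (ShowIt) printf("Cmd:%s\n",ExecString);`, looks like a leftover debugging statement: it overwrites the ShowIt parameter so every command line is printed, including the `DoCommand(FileName, FALSE)` call in the hunk at line 638, and it should be dropped. The new `mkstemp(TempName);` call discards its return value, so the descriptor of the file it creates is leaked, and the follow-up test `if(!TempName[0])` is not a reliable failure check because the template's contents after a failed mkstemp are not specified; replace the pair with `int fd = mkstemp(TempName);` / `if (fd < 0) ErrFatal("Cannot find available temporary file name");` / `close(fd);` (close() needs <unistd.h>, which the unlink() call this hunk removes suggests is already included). In shellescape, `case '\\': to[j++] = '\\';` runs on into `default:` on purpose, so mark it with `/* fallthrough */`; note also that the `j >= PATH_MAX` guard bounds the escaped argument itself, not the room left in the caller's ExecString (now PATH_MAX*3), which still relies on ApplyCommand's own text staying well under PATH_MAX since the copy at `ExecString[e++] = ApplyCommand[a];` is unchecked. DoCommand's body continues past the end of the hunk.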
120 |
@@ -638,7 +682,7 @@ |
121 |
ErrFatal("Orientation screwup"); |
122 |
} |
123 |
|
124 |
- sprintf(RotateCommand, "jpegtran -%s -outfile &o &i", Argument); |
125 |
+ sprintf(RotateCommand, "jpegtran -trim -%s -outfile &o &i", Argument); |
126 |
ApplyCommand = RotateCommand; |
127 |
DoCommand(FileName, FALSE); |
128 |
ApplyCommand = NULL; |
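Review bot: The `-trim` flag added to the jpegtran command line here, and again in the hunk at line 657, is a behaviour change that the patch header ("fixes gentoo bug #243238") does not mention and that carries no comment in the code. A one-line comment such as `// -trim: drop the edge blocks jpegtran cannot transform losslessly` would tell the next reader why a security patch touches the rotation options; if the flag was carried over from a later upstream release rather than added for the CVE fix, say so in the patch header instead. The enclosing function starts and ends outside the hunk.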
129 |
@@ -657,7 +701,7 @@ |
130 |
strcpy(ThumbTempName_out, FileName); |
131 |
strcat(ThumbTempName_out, ".tho"); |
132 |
SaveThumbnail(ThumbTempName_in); |
133 |
- sprintf(RotateCommand,"jpegtran -%s -outfile \"%s\" \"%s\"", |
134 |
+ sprintf(RotateCommand,"jpegtran -trim -%s -outfile \"%s\" \"%s\"", |
135 |
Argument, ThumbTempName_out, ThumbTempName_in); |
136 |
|
137 |
if (system(RotateCommand) == 0){ |
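Review bot: The modified sprintf line still wraps ThumbTempName_out and ThumbTempName_in in plain double quotes before the string reaches `system(RotateCommand)`, so the shellescape() helper this patch introduces for DoCommand (hunk at line 295) does not cover the thumbnail path; both names derive from FileName (`strcpy(ThumbTempName_out, FileName);` and the `.tho` strcat are visible above), so the metacharacter problem the patch fixes in DoCommand remains here. Build the command the way DoCommand now does, escaping each name with shellescape() and appending it to a running index, as sketched below with an `int e` declared in the function. RotateCommand's declaration is outside the hunk, so confirm it is sized for two escaped names (shellescape caps each at PATH_MAX characters) plus the fixed text. The enclosing function starts and ends outside the hunk.

```c
    e = sprintf(RotateCommand, "jpegtran -trim -%s -outfile ", Argument);
    e += shellescape(RotateCommand + e, ThumbTempName_out);
    RotateCommand[e++] = ' ';
    e += shellescape(RotateCommand + e, ThumbTempName_in);
    RotateCommand[e] = '\0';
    // … unchanged: system(RotateCommand) and result handling …
```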