| 1 |
maekke 08/11/28 18:27:07 |
| 2 |
|
| 3 |
Added: jhead-2.84-bug243238.patch |
| 4 |
Log: |
| 5 |
bump for security bug #243238 |
| 6 |
(Portage version: 2.1.6_rc2/cvs/Linux 2.6.28-rc6 i686) |
| 7 |
|
| 8 |
Revision Changes Path |
| 9 |
1.1 media-gfx/jhead/files/jhead-2.84-bug243238.patch |
| 10 |
|
| 11 |
file : http://sources.gentoo.org/viewcvs.py/gentoo-x86/media-gfx/jhead/files/jhead-2.84-bug243238.patch?rev=1.1&view=markup |
| 12 |
plain: http://sources.gentoo.org/viewcvs.py/gentoo-x86/media-gfx/jhead/files/jhead-2.84-bug243238.patch?rev=1.1&content-type=text/plain |
| 13 |
|
| 14 |
Index: jhead-2.84-bug243238.patch |
| 15 |
=================================================================== |
| 16 |
this patch fixes gentoo bug #243238 (CVE-2008-{4640,4641}) |
| 17 |
|
| 18 |
diff -ru jhead-2.84.orig/jhead.c jhead-2.84/jhead.c |
| 19 |
--- jhead-2.84.orig/jhead.c 2008-10-04 18:10:35.000000000 +0200 |
| 20 |
+++ jhead-2.84/jhead.c 2008-11-28 18:51:52.000000000 +0100 |
| 21 |
@@ -295,44 +295,88 @@ |
| 22 |
|
| 23 |
|
| 24 |
//-------------------------------------------------------------------------- |
| 25 |
+// Escape an argument such that it is interpreted literally by the shell |
| 26 |
+// (returns the number of written characters) |
| 27 |
+//-------------------------------------------------------------------------- |
| 28 |
+static int shellescape(char* to, const char* from) |
| 29 |
+{ |
| 30 |
+ int i, j; |
| 31 |
+ i = j = 0; |
| 32 |
+ |
| 33 |
+ // Enclosing characters in double quotes preserves the literal value of |
| 34 |
+ // all characters within the quotes, with the exception of $, `, and \. |
| 35 |
+ to[j++] = '"'; |
| 36 |
+ while(from[i]) |
| 37 |
+ { |
| 38 |
+#ifdef _WIN32 |
| 39 |
+ // Under WIN32, there isn't really anything dangerous you can do with |
| 40 |
+ // escape characters, plus windows users aren't as sercurity paranoid. |
| 41 |
+ // Hence, no need to do fancy escaping. |
| 42 |
+ to[j++] = from[i++]; |
| 43 |
+#else |
| 44 |
+ switch(from[i]) { |
| 45 |
+ case '"': |
| 46 |
+ case '$': |
| 47 |
+ case '`': |
| 48 |
+ case '\\': |
| 49 |
+ to[j++] = '\\'; |
| 50 |
+ default: |
| 51 |
+ to[j++] = from[i++]; |
| 52 |
+ } |
| 53 |
+#endif |
| 54 |
+ if (j >= PATH_MAX) ErrFatal("max path exceeded"); |
| 55 |
+ } |
| 56 |
+ to[j++] = '"'; |
| 57 |
+ return j; |
| 58 |
+} |
| 59 |
+ |
| 60 |
+ |
| 61 |
+//-------------------------------------------------------------------------- |
| 62 |
// Apply the specified command to the JPEG file. |
| 63 |
//-------------------------------------------------------------------------- |
| 64 |
static void DoCommand(const char * FileName, int ShowIt) |
| 65 |
{ |
| 66 |
int a,e; |
| 67 |
- char ExecString[PATH_MAX*2]; |
| 68 |
- char TempName[PATH_MAX+1]; |
| 69 |
+ char ExecString[PATH_MAX*3]; |
| 70 |
+ char TempName[PATH_MAX+10]; |
| 71 |
int TempUsed = FALSE; |
| 72 |
|
| 73 |
e = 0; |
| 74 |
|
| 75 |
- // Make a temporary file in the destination directory by changing last char. |
| 76 |
- strcpy(TempName, FileName); |
| 77 |
- a = strlen(TempName)-1; |
| 78 |
- TempName[a] = (char)(TempName[a] == 't' ? 'z' : 't'); |
| 79 |
+ // Generate an unused temporary file name in the destination directory |
| 80 |
+ // (a is the number of characters to copy from FileName) |
| 81 |
+ a = strlen(FileName)-1; |
| 82 |
+ while(a > 0 && FileName[a-1] != '/') a--; |
| 83 |
+ memcpy(TempName, FileName, a); |
| 84 |
+ strcpy(TempName+a, "XXXXXX"); |
| 85 |
+ mkstemp(TempName); |
| 86 |
+ if(!TempName[0]) { |
| 87 |
+ ErrFatal("Cannot find available temporary file name"); |
| 88 |
+ } |
| 89 |
+ |
| 90 |
+ |
| 91 |
|
| 92 |
// Build the exec string. &i and &o in the exec string get replaced by input and output files. |
| 93 |
for (a=0;;a++){ |
| 94 |
if (ApplyCommand[a] == '&'){ |
| 95 |
if (ApplyCommand[a+1] == 'i'){ |
| 96 |
// Input file. |
| 97 |
- e += sprintf(ExecString+e, "\"%s\"",FileName); |
| 98 |
+ e += shellescape(ExecString+e, FileName); |
| 99 |
a += 1; |
| 100 |
continue; |
| 101 |
} |
| 102 |
if (ApplyCommand[a+1] == 'o'){ |
| 103 |
// Needs an output file distinct from the input file. |
| 104 |
- e += sprintf(ExecString+e, "\"%s\"",TempName); |
| 105 |
+ e += shellescape(ExecString+e, TempName); |
| 106 |
a += 1; |
| 107 |
TempUsed = TRUE; |
| 108 |
- unlink(TempName);// Remove any pre-existing temp file |
| 109 |
continue; |
| 110 |
} |
| 111 |
} |
| 112 |
ExecString[e++] = ApplyCommand[a]; |
| 113 |
if (ApplyCommand[a] == 0) break; |
| 114 |
} |
| 115 |
- |
| 116 |
+ShowIt = 1; |
| 117 |
if (ShowIt) printf("Cmd:%s\n",ExecString); |
| 118 |
|
| 119 |
errno = 0; |
| 120 |
@@ -638,7 +682,7 @@ |
| 121 |
ErrFatal("Orientation screwup"); |
| 122 |
} |
| 123 |
|
| 124 |
- sprintf(RotateCommand, "jpegtran -%s -outfile &o &i", Argument); |
| 125 |
+ sprintf(RotateCommand, "jpegtran -trim -%s -outfile &o &i", Argument); |
| 126 |
ApplyCommand = RotateCommand; |
| 127 |
DoCommand(FileName, FALSE); |
| 128 |
ApplyCommand = NULL; |
| 129 |
@@ -657,7 +701,7 @@ |
| 130 |
strcpy(ThumbTempName_out, FileName); |
| 131 |
strcat(ThumbTempName_out, ".tho"); |
| 132 |
SaveThumbnail(ThumbTempName_in); |
| 133 |
- sprintf(RotateCommand,"jpegtran -%s -outfile \"%s\" \"%s\"", |
| 134 |
+ sprintf(RotateCommand,"jpegtran -trim -%s -outfile \"%s\" \"%s\"", |
| 135 |
Argument, ThumbTempName_out, ThumbTempName_in); |
| 136 |
|
| 137 |
if (system(RotateCommand) == 0){ |
Archives