authortron <tron@pkgsrc.org>2008-06-08 12:46:49 +0000
committertron <tron@pkgsrc.org>2008-06-08 12:46:49 +0000
commit8f44451698d0c0b7a24775b6653a1195775dd35a (patch)
tree00e19fad17aa7b380cc2b57c34fb490e45fb2cbb
parent185b233d694e6882bb70971a6936020ce4ac95c2 (diff)
Pullup ticket #2420 - requested by tonnerre
Security patch for star Revisions pulled up: - archivers/star/Makefile 1.22 - archivers/star/distinfo 1.9 - archivers/star/patches/patch-ad 1.1 --- Module Name: pkgsrc Committed By: tonnerre Date: Sun Jun 8 02:40:38 UTC 2008 Modified Files: pkgsrc/archivers/star: Makefile distinfo Added Files: pkgsrc/archivers/star/patches: patch-ad Log Message: Fix directory traversal vulnerability (CVE-2007-4134) in star.
-rw-r--r--archivers/star/Makefile4
-rw-r--r--archivers/star/distinfo3
-rw-r--r--archivers/star/patches/patch-ad64
3 files changed, 68 insertions, 3 deletions
diff --git a/archivers/star/Makefile b/archivers/star/Makefile
index c10e26fe04d..1552d7e56bf 100644
--- a/archivers/star/Makefile
+++ b/archivers/star/Makefile
@@ -1,8 +1,8 @@
-# $NetBSD: Makefile,v 1.21 2007/12/30 17:25:41 cjep Exp $
+# $NetBSD: Makefile,v 1.21.4.1 2008/06/08 12:46:49 tron Exp $
#
DISTNAME= star-1.4.3
-PKGREVISION= 3
+PKGREVISION= 4
CATEGORIES= archivers
MASTER_SITES= ftp://ftp.berlios.de/pub/star/
diff --git a/archivers/star/distinfo b/archivers/star/distinfo
index a277abb6d0b..4b51a5937d1 100644
--- a/archivers/star/distinfo
+++ b/archivers/star/distinfo
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.8 2007/12/30 17:25:42 cjep Exp $
+$NetBSD: distinfo,v 1.8.4.1 2008/06/08 12:46:49 tron Exp $
SHA1 (star-1.4.3.tar.gz) = c59b68d97edba77a9ac6000be04d457ded1eefe9
RMD160 (star-1.4.3.tar.gz) = f7ec71bfab1723c994e5eed7e6818394a41d44d9
@@ -6,3 +6,4 @@ Size (star-1.4.3.tar.gz) = 520388 bytes
SHA1 (patch-aa) = 4fe4af396adf23eb7ac071b02a7bf726ab1e4318
SHA1 (patch-ab) = aea3af88d3bedf2ce7a7744c90062ba4e57bb79f
SHA1 (patch-ac) = 81e6361db3903e5b04fae4e70ad3a37f9a2f4fa7
+SHA1 (patch-ad) = 8e9fff0b8345a1997ae08a5c5e57260b4c5f8090
diff --git a/archivers/star/patches/patch-ad b/archivers/star/patches/patch-ad
new file mode 100644
index 00000000000..11577c61eb9
--- /dev/null
+++ b/archivers/star/patches/patch-ad
@@ -0,0 +1,64 @@
+$NetBSD: patch-ad,v 1.1.2.2 2008/06/08 12:46:49 tron Exp $
+
+--- star/extract.c.orig 2002-05-02 22:02:41.000000000 +0200
++++ star/extract.c
+@@ -92,6 +92,7 @@ EXPORT int xt_file __PR((FINFO * info,
+ int (*)(void *, char *, int),
+ void *arg, int amt, char* text));
+ EXPORT void skip_slash __PR((FINFO * info));
++LOCAL BOOL has_dotdot __PR((char *name));
+
+ EXPORT void
+ extract(vhname)
+@@ -152,6 +153,12 @@ extract(vhname)
+ if (is_symlink(&finfo) && same_symlink(&finfo)) {
+ continue;
+ }
++ if (!interactive && has_dotdot(finfo.f_name)) {
++ errmsgno(EX_BAD, "'%s' contains '..', skipping ...\n",
++ finfo.f_name);
++ void_file(&finfo);
++ return (FALSE);
++ }
+ if (interactive && !ia_change(ptb, &finfo)) {
+ if (!nflag)
+ fprintf(vpr, "Skipping ...\n");
+@@ -169,6 +176,12 @@ extract(vhname)
+ if (!make_dir(&finfo))
+ continue;
+ } else if (is_link(&finfo)) {
++ if (!interactive && has_dotdot(finfo.f_lname)) {
++ errmsgno(EX_BAD, "'%s' contains '..', "
++ "skipping ...\n", finfo.f_lname);
++ void_file(&finfo);
++ return (FALSE);
++ }
+ if (!make_link(&finfo))
+ continue;
+ } else if (is_symlink(&finfo)) {
+@@ -830,3 +843,25 @@ skip_slash(info)
+ while (info->f_lname[0] == '/')
+ info->f_lname++;
+ }
++
++LOCAL BOOL
++has_dotdot(name)
++ char *name;
++{
++ register char *p = name;
++
++ while (*p) {
++ if ((p[0] == '.' && p[1] == '.') &&
++ (p[2] == '/' || p[2] == '\0')) {
++ return (TRUE);
++ }
++ do {
++ if (*p++ == '\0')
++ return (FALSE);
++ } while (*p != '/');
++ p++;
++ while (*p && *p == '/') /* Skip multiple slashes */
++ p++;
++ }
++ return (FALSE);
++}
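Review bot: Both guards added to extract() end in `return (FALSE);`, but the definition visible at the top of the patch is `EXPORT void extract(vhname)` and the neighbouring branches use `continue`, so a single entry containing '..' appears to stop the whole extraction although the message says "skipping ..." (and a value is returned from a void function). I would write `continue;` after `void_file(&finfo);` in both places; most of extract()'s body is outside these hunks, so this should be confirmed against the full loop. Separately, has_dotdot() never tests the first component of a name that starts with '/', because its do/while consumes the leading slash and then runs on to the next one; unless skip_slash() is guaranteed to have run on both f_name and f_lname beforehand, add `while (*p == '/') p++;` ahead of the outer loop. The `!interactive` exemption also deserves a one-line comment, for example `/* interactive mode: the user confirms each name in ia_change() */`, so it reads as a deliberate choice.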