authortnn <tnn@pkgsrc.org>2015-04-12 15:54:02 +0000
committertnn <tnn@pkgsrc.org>2015-04-12 15:54:02 +0000
commitd22c1df1ce5f27ff971bd941f0538f4f8449ef58 (patch)
tree254d2e93c7ca5a78822fb29c7586a7771807178e
parent9a1b7d97c6f11d293b7f2bf0f78e9e76bb0a9565 (diff)
downloadpkgsrc-d22c1df1ce5f27ff971bd941f0538f4f8449ef58.tar.gz
Merge Debian patches for:
CVE-2015-0556: symlink traversal
CVE-2015-0557: directory traversal
CVE-2015-2782: buffer overflow
-rw-r--r--archivers/arj/distinfo7
-rw-r--r--archivers/arj/patches/patch-decode.c28
-rw-r--r--archivers/arj/patches/patch-environ.c30
-rw-r--r--archivers/arj/patches/patch-uxspec.c75
4 files changed, 122 insertions, 18 deletions
diff --git a/archivers/arj/distinfo b/archivers/arj/distinfo
index cf144483d55..84064221e23 100644
--- a/archivers/arj/distinfo
+++ b/archivers/arj/distinfo
@@ -1,14 +1,15 @@
-$NetBSD: distinfo,v 1.17 2015/04/12 15:45:00 tnn Exp $
+$NetBSD: distinfo,v 1.18 2015/04/12 15:54:02 tnn Exp $
SHA1 (arj-3.10.22.tar.gz) = e8470f480e9eee14906e5485a8898e5c24738c8b
RMD160 (arj-3.10.22.tar.gz) = 80f8a1a8cd203f73def8e957d96563a4dba80153
Size (arj-3.10.22.tar.gz) = 431467 bytes
SHA1 (patch-arjdata.c) = 4e4c142b97feee0673b14ea6f454f3d9de45f584
-SHA1 (patch-environ.c) = 02a45f1365121b63020f3714cea142f9571d8f72
+SHA1 (patch-decode.c) = 15c31c3bf1303370691b701a98bad88ae1b0967b
+SHA1 (patch-environ.c) = e306005a88825b2bfd5b3bb35b18710d26a4c885
SHA1 (patch-exe__sear.c) = 6d8db5a2cdb8f2452b96cf4d09687ae9d45d3e17
SHA1 (patch-fardata.c) = 341a8d10ec1927b9cb980c90400e323cd53f979d
SHA1 (patch-gnu_config.h.in) = 2cf609a6c7cb4e32441a433db3dc9cc04c23ae2a
SHA1 (patch-gnu_configure.in) = 062f3dc1eee6f009dfdfa432bb3c138a9c28a829
SHA1 (patch-gnu_makefile.in) = db8a0afa61f49242e9fd601d5fc3167cf75f748b
SHA1 (patch-integr.c) = fade32219b21ac3382028bf23ee4171d8d095b5f
-SHA1 (patch-uxspec.c) = c54bd6223c39a73fed95286ce0a5f834770c86d3
+SHA1 (patch-uxspec.c) = b1756afe8a39cc5cdce30b031bb3c96ee40a6b89
diff --git a/archivers/arj/patches/patch-decode.c b/archivers/arj/patches/patch-decode.c
new file mode 100644
index 00000000000..f2232a9921a
--- /dev/null
+++ b/archivers/arj/patches/patch-decode.c
@@ -0,0 +1,28 @@
+$NetBSD: patch-decode.c,v 1.1 2015/04/12 15:54:02 tnn Exp $
+
+Fix CVE-2015-2782. Via Debian security-afl.patch.
+
+--- decode.c.orig 2003-04-12 16:15:58.000000000 +0000
++++ decode.c
+@@ -255,7 +255,7 @@ void read_pt_len(int nn, int nbit, int i
+ if(i==i_special)
+ {
+ c=getbits(2);
+- while(--c>=0)
++ while(--c>=0&&i<nn)
+ pt_len[i++]=0;
+ }
+ }
+@@ -314,10 +314,10 @@ void read_c_len()
+ c=getbits(CBIT);
+ c+=20;
+ }
+- while(--c>=0)
++ while(--c>=0&&i<NC)
+ c_len[i++]=0;
+ }
+- else
++ else if (i<NC)
+ c_len[i++]=(unsigned char)(c-2);
+ }
+ while(i<NC)
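Review bot: In the read_c_len part of the new patch, `while(--c>=0&&i<NC)` and `else if (i<NC)` stop the out-of-bounds stores, but once i reaches NC neither branch advances i any more. The enclosing loop starts outside the hunk; if its bound is a count read from the archive rather than NC, the overflow would be replaced by a loop that does not terminate on a malformed header. That count should be clamped to NC (and to nn in read_pt_len) before the loop, or the loop should exit with an error when i reaches the limit. In read_pt_len only the zero-fill after `if(i==i_special)` is guarded here; the store that precedes it lies outside the hunk and is worth checking against the same bound.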
diff --git a/archivers/arj/patches/patch-environ.c b/archivers/arj/patches/patch-environ.c
index 8888e8e302d..57f773497f3 100644
--- a/archivers/arj/patches/patch-environ.c
+++ b/archivers/arj/patches/patch-environ.c
@@ -1,8 +1,9 @@
-$NetBSD: patch-environ.c,v 1.1 2015/04/12 15:45:00 tnn Exp $
+$NetBSD: patch-environ.c,v 1.2 2015/04/12 15:54:02 tnn Exp $
Add support for various OSes.
+Fix CVE-2015-0557. Via Debian security-traversal-dir.patch.
---- environ.c.orig 2004-06-18 16:19:36.000000000 +0000
+--- environ.c.orig 2015-04-12 15:49:08.000000000 +0000
+++ environ.c
@@ -58,10 +58,10 @@
#include <sys/ioctl.h>
@@ -17,7 +18,24 @@ Add support for various OSes.
#include <sys/statvfs.h>
#else
#include <sys/statfs.h>
-@@ -2286,7 +2286,7 @@ unsigned long file_getfree(char *name)
+@@ -1087,6 +1087,8 @@ static char *validate_path(char *name)
+ if(action!=VALIDATE_DRIVESPEC)
+ {
+ #endif
++ while (name[0]!='\0'&&
++ (name[0]=='.'||name[0]==PATHSEP_DEFAULT||name[0]==PATHSEP_UNIX)) {
+ if(name[0]=='.')
+ {
+ if(name[1]=='.'&&(name[2]==PATHSEP_DEFAULT||name[2]==PATHSEP_UNIX))
+@@ -1096,6 +1098,7 @@ static char *validate_path(char *name)
+ }
+ if(name[0]==PATHSEP_DEFAULT||name[0]==PATHSEP_UNIX)
+ name++; /* "\\" - revert to root */
++ }
+ #if SFX_LEVEL>=ARJSFXV
+ }
+ }
+@@ -2286,7 +2289,7 @@ unsigned long file_getfree(char *name)
else
return((LONG_MAX/(spclu*bps)<fclu)?LONG_MAX:spclu*bps*fclu);
#elif TARGET==UNIX
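Review bot: The new `while` in validate_path keeps iterating for as long as `name[0]=='.'`, but the only advance visible in the hunk is the `name++` for a leading separator; the handling under `if(name[0]=='.')` is cut off between the two inner hunks. Unless those hidden lines advance `name` or leave the loop for a name that merely begins with a dot (a dotfile, for instance), the loop will not terminate on such an entry. A `break` when no prefix was consumed in an iteration would close that. The loop also strips only leading components, so it is worth confirming that a `..` in the middle of a stored path is rejected elsewhere.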
@@ -26,7 +44,7 @@ Add support for various OSes.
struct statvfs vfs;
if(statvfs(name, &vfs)==-1)
-@@ -3005,7 +3005,7 @@ void get_exe_name(char *dest, char *arg)
+@@ -3005,7 +3008,7 @@ void get_exe_name(char *dest, char *arg)
they are missing altogether, the corresponding code will gracefully
terminate. */
#if SFX_LEVEL==ARJ
@@ -35,7 +53,7 @@ Add support for various OSes.
#elif SFX_LEVEL==ARJSFXV
strcpy(dest, "./arjsfxv");
#elif SFX_LEVEL==ARJSFX
-@@ -3013,7 +3013,7 @@ void get_exe_name(char *dest, char *arg)
+@@ -3013,7 +3016,7 @@ void get_exe_name(char *dest, char *arg)
#elif SFX_LEVEL==ARJSFXJR
strcpy(dest, "./arjsfxjr");
#elif defined(REARJ)
@@ -44,7 +62,7 @@ Add support for various OSes.
#else
dest[0]='\0';
#endif
-@@ -3802,7 +3802,9 @@ int reset_drive(char *name)
+@@ -3802,7 +3805,9 @@ int reset_drive(char *name)
#elif TARGET==WIN32
return(0);
#elif TARGET==UNIX
diff --git a/archivers/arj/patches/patch-uxspec.c b/archivers/arj/patches/patch-uxspec.c
index 8a3d0502ac6..8de52b1555a 100644
--- a/archivers/arj/patches/patch-uxspec.c
+++ b/archivers/arj/patches/patch-uxspec.c
@@ -1,18 +1,75 @@
-$NetBSD: patch-uxspec.c,v 1.1 2015/04/12 15:45:00 tnn Exp $
+$NetBSD: patch-uxspec.c,v 1.2 2015/04/12 15:54:02 tnn Exp $
Fix build on systems without lchown.
+Fix CVE-2015-0556. Via Debian security-traversal-symlink.patch.
---- uxspec.c.orig 2004-04-17 11:39:42.000000000 +0000
+--- uxspec.c.orig 2015-04-12 15:46:11.000000000 +0000
+++ uxspec.c
-@@ -13,6 +13,11 @@
- #include <unistd.h>
+@@ -125,6 +125,58 @@ int query_uxspecial(char FAR **dest, cha
+ }
#endif
-+#include "c_defs.h"
-+#ifndef HAVE_LCHOWN
-+#define lchown chown
++#if TARGET==UNIX
++static int is_link_traversal(const char *name)
++{
++ enum {
++ STATE_NONE,
++ STATE_DOTS,
++ STATE_NAME,
++ } state = STATE_NONE;
++ int ndir = 0;
++ int dots = 0;
++
++ while(*name) {
++ int c = *name++;
++
++ if (c == '/')
++ {
++ if ((state == STATE_DOTS) && (dots == 2))
++ ndir--;
++ if (ndir < 0)
++ return 1;
++ if ((state == STATE_DOTS && dots == 1) && ndir == 0)
++ return 1;
++ if (state == STATE_NONE && ndir == 0)
++ return 1;
++ if ((state == STATE_DOTS) && (dots > 2))
++ ndir++;
++ state = STATE_NONE;
++ dots = 0;
++ }
++ else if (c == '.')
++ {
++ if (state == STATE_NONE)
++ state = STATE_DOTS;
++ dots++;
++ }
++ else
++ {
++ if (state == STATE_NONE)
++ ndir++;
++ state = STATE_NAME;
++ }
++ }
++
++ if ((state == STATE_DOTS) && (dots == 2))
++ ndir--;
++ if ((state == STATE_DOTS) && (dots > 2))
++ ndir++;
++
++ return ndir < 0;
++}
+#endif
+
- DEBUGHDR(__FILE__) /* Debug information block */
+ /* Restores the UNIX special file data */
- /* UXSPECIAL block types */
+ int set_uxspecial(char FAR *storage, char *name)
+@@ -161,6 +213,8 @@ int set_uxspecial(char FAR *storage, cha
+ l=sizeof(tmp_name)-1;
+ far_memmove((char FAR *)tmp_name, dptr, l);
+ tmp_name[l]='\0';
++ if (is_link_traversal(tmp_name))
++ return(UXSPEC_RC_ERROR);
+ rc=(id==UXSB_HLNK)?link(tmp_name, name):symlink(tmp_name, name);
+ if(!rc)
+ return(0);
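Review bot: The regenerated patch drops the lchown fallback: the old inner hunk `@@ -13,6 +13,11 @@` that added `#include "c_defs.h"` and `#define lchown chown` under `#ifndef HAVE_LCHOWN` is removed and the new hunks start at line 125, yet the header still reads "Fix build on systems without lchown." If that was not intended, restore that hunk next to the CVE-2015-0556 change; otherwise remove the stale header line. is_link_traversal would also benefit from a comment stating its contract, e.g. `/* Non-zero if the link target is absolute, begins with "./", or climbs above its starting directory; string check only. */`. set_uxspecial's body starts and ends outside the hunk.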