author | tnn <tnn@pkgsrc.org> | 2015-04-12 15:54:02 +0000 |
---|---|---|
committer | tnn <tnn@pkgsrc.org> | 2015-04-12 15:54:02 +0000 |
commit | d22c1df1ce5f27ff971bd941f0538f4f8449ef58 (patch) | |
tree | 254d2e93c7ca5a78822fb29c7586a7771807178e | |
parent | 9a1b7d97c6f11d293b7f2bf0f78e9e76bb0a9565 (diff) | |
download | pkgsrc-d22c1df1ce5f27ff971bd941f0538f4f8449ef58.tar.gz |
Merge Debian patches for:
CVE-2015-0556: symlink traversal
CVE-2015-0557: directory traversal
CVE-2015-2782: buffer overflow
-rw-r--r-- | archivers/arj/distinfo | 7 | ||||
-rw-r--r-- | archivers/arj/patches/patch-decode.c | 28 | ||||
-rw-r--r-- | archivers/arj/patches/patch-environ.c | 30 | ||||
-rw-r--r-- | archivers/arj/patches/patch-uxspec.c | 75 |
4 files changed, 122 insertions, 18 deletions
diff --git a/archivers/arj/distinfo b/archivers/arj/distinfo
index cf144483d55..84064221e23 100644
--- a/archivers/arj/distinfo
+++ b/archivers/arj/distinfo
@@ -1,14 +1,15 @@
-$NetBSD: distinfo,v 1.17 2015/04/12 15:45:00 tnn Exp $
+$NetBSD: distinfo,v 1.18 2015/04/12 15:54:02 tnn Exp $
 SHA1 (arj-3.10.22.tar.gz) = e8470f480e9eee14906e5485a8898e5c24738c8b
 RMD160 (arj-3.10.22.tar.gz) = 80f8a1a8cd203f73def8e957d96563a4dba80153
 Size (arj-3.10.22.tar.gz) = 431467 bytes
 SHA1 (patch-arjdata.c) = 4e4c142b97feee0673b14ea6f454f3d9de45f584
-SHA1 (patch-environ.c) = 02a45f1365121b63020f3714cea142f9571d8f72
+SHA1 (patch-decode.c) = 15c31c3bf1303370691b701a98bad88ae1b0967b
+SHA1 (patch-environ.c) = e306005a88825b2bfd5b3bb35b18710d26a4c885
 SHA1 (patch-exe__sear.c) = 6d8db5a2cdb8f2452b96cf4d09687ae9d45d3e17
 SHA1 (patch-fardata.c) = 341a8d10ec1927b9cb980c90400e323cd53f979d
 SHA1 (patch-gnu_config.h.in) = 2cf609a6c7cb4e32441a433db3dc9cc04c23ae2a
 SHA1 (patch-gnu_configure.in) = 062f3dc1eee6f009dfdfa432bb3c138a9c28a829
 SHA1 (patch-gnu_makefile.in) = db8a0afa61f49242e9fd601d5fc3167cf75f748b
 SHA1 (patch-integr.c) = fade32219b21ac3382028bf23ee4171d8d095b5f
-SHA1 (patch-uxspec.c) = c54bd6223c39a73fed95286ce0a5f834770c86d3
+SHA1 (patch-uxspec.c) = b1756afe8a39cc5cdce30b031bb3c96ee40a6b89
diff --git a/archivers/arj/patches/patch-decode.c b/archivers/arj/patches/patch-decode.c
new file mode 100644
index 00000000000..f2232a9921a
--- /dev/null
+++ b/archivers/arj/patches/patch-decode.c
@@ -0,0 +1,28 @@
+$NetBSD: patch-decode.c,v 1.1 2015/04/12 15:54:02 tnn Exp $
+
+Fix CVE-2015-2782. Via Debian security-afl.patch.
+
+--- decode.c.orig 2003-04-12 16:15:58.000000000 +0000
++++ decode.c
+@@ -255,7 +255,7 @@ void read_pt_len(int nn, int nbit, int i
+ if(i==i_special)
+ {
+ c=getbits(2);
+- while(--c>=0)
++ while(--c>=0&&i<nn)
+ pt_len[i++]=0;
+ }
+ }
+@@ -314,10 +314,10 @@ void read_c_len()
+ c=getbits(CBIT);
+ c+=20;
+ }
+- while(--c>=0)
++ while(--c>=0&&i<NC)
+ c_len[i++]=0;
+ }
+- else
++ else if (i<NC)
+ c_len[i++]=(unsigned char)(c-2);
+ }
+ while(i<NC)
diff --git a/archivers/arj/patches/patch-environ.c b/archivers/arj/patches/patch-environ.c
index 8888e8e302d..57f773497f3 100644
--- a/archivers/arj/patches/patch-environ.c
+++ b/archivers/arj/patches/patch-environ.c
@@ -1,8 +1,9 @@
-$NetBSD: patch-environ.c,v 1.1 2015/04/12 15:45:00 tnn Exp $
+$NetBSD: patch-environ.c,v 1.2 2015/04/12 15:54:02 tnn Exp $
 Add support for various OSes.
+Fix CVE-2015-0557. Via Debian security-traversal-dir.patch.
----- environ.c.orig 2004-06-18 16:19:36.000000000 +0000
+--- environ.c.orig 2015-04-12 15:49:08.000000000 +0000
 +++ environ.c
 @@ -58,10 +58,10 @@
 #include <sys/ioctl.h>
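Review bot: In read_c_len, once `i` has reached `NC` the new `else if (i<NC)` branch stores nothing and leaves `i` unchanged, so that iteration makes no progress; the enclosing loop is outside the hunk, and if it runs until `i` reaches a count decoded from the archive, a count above `NC` would keep it iterating on a malformed file. An `else break;` after the guarded store, or clamping that count to `NC` before the loop, would close this. In read_pt_len the added `i<nn` bound covers only the zero-fill after `i==i_special`; the ordinary store into `pt_len` is not visible here, so it is worth confirming that it is bounded by `nn` as well. Both function bodies start and end outside the inner hunks.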
@@ -17,7 +18,24 @@ Add support for various OSes. #include <sys/statvfs.h> #else #include <sys/statfs.h> -@@ -2286,7 +2286,7 @@ unsigned long file_getfree(char *name) +@@ -1087,6 +1087,8 @@ static char *validate_path(char *name) + if(action!=VALIDATE_DRIVESPEC) + { + #endif ++ while (name[0]!='\0'&& ++ (name[0]=='.'||name[0]==PATHSEP_DEFAULT||name[0]==PATHSEP_UNIX)) { + if(name[0]=='.') + { + if(name[1]=='.'&&(name[2]==PATHSEP_DEFAULT||name[2]==PATHSEP_UNIX)) +@@ -1096,6 +1098,7 @@ static char *validate_path(char *name) + } + if(name[0]==PATHSEP_DEFAULT||name[0]==PATHSEP_UNIX) + name++; /* "\\" - revert to root */ ++ } + #if SFX_LEVEL>=ARJSFXV + } + } +@@ -2286,7 +2289,7 @@ unsigned long file_getfree(char *name) else return((LONG_MAX/(spclu*bps)<fclu)?LONG_MAX:spclu*bps*fclu); #elif TARGET==UNIX @@ -26,7 +44,7 @@ Add support for various OSes. struct statvfs vfs; if(statvfs(name, &vfs)==-1) -@@ -3005,7 +3005,7 @@ void get_exe_name(char *dest, char *arg) +@@ -3005,7 +3008,7 @@ void get_exe_name(char *dest, char *arg) they are missing altogether, the corresponding code will gracefully terminate. */ #if SFX_LEVEL==ARJ @@ -35,7 +53,7 @@ Add support for various OSes. #elif SFX_LEVEL==ARJSFXV strcpy(dest, "./arjsfxv"); #elif SFX_LEVEL==ARJSFX -@@ -3013,7 +3013,7 @@ void get_exe_name(char *dest, char *arg) +@@ -3013,7 +3016,7 @@ void get_exe_name(char *dest, char *arg) #elif SFX_LEVEL==ARJSFXJR strcpy(dest, "./arjsfxjr"); #elif defined(REARJ) @@ -44,7 +62,7 @@ Add support for various OSes. #else dest[0]='\0'; #endif -@@ -3802,7 +3802,9 @@ int reset_drive(char *name) +@@ -3802,7 +3805,9 @@ int reset_drive(char *name) #elif TARGET==WIN32 return(0); #elif TARGET==UNIX diff --git a/archivers/arj/patches/patch-uxspec.c b/archivers/arj/patches/patch-uxspec.c index 8a3d0502ac6..8de52b1555a 100644 --- a/archivers/arj/patches/patch-uxspec.c +++ b/archivers/arj/patches/patch-uxspec.c 
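Review bot: The added `while` in validate_path repeats for as long as `name[0]=='.'`, but the only advances visible are the `../` case and the leading-separator `name++`. The lines between the two inner hunks are not shown, so if they do not consume a lone leading dot, a member name such as `.profile` or `..x` would never leave the loop and extraction would hang. The dot branch needs an exit when the dot is followed by neither a separator nor a dot plus separator, for example an `else break;` at the end of that inner `if` chain. validate_path starts and ends outside the hunks.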
@@ -1,18 +1,75 @@
-$NetBSD: patch-uxspec.c,v 1.1 2015/04/12 15:45:00 tnn Exp $
+$NetBSD: patch-uxspec.c,v 1.2 2015/04/12 15:54:02 tnn Exp $
 Fix build on systems without lchown.
+Fix CVE-2015-0556. Via Debian security-traversal-symlink.patch.
----- uxspec.c.orig 2004-04-17 11:39:42.000000000 +0000
+--- uxspec.c.orig 2015-04-12 15:46:11.000000000 +0000
 +++ uxspec.c
-@@ -13,6 +13,11 @@
- #include <unistd.h>
+@@ -125,6 +125,58 @@ int query_uxspecial(char FAR **dest, cha
+ }
 #endif
-+#include "c_defs.h"
-+#ifndef HAVE_LCHOWN
-+#define lchown chown
++#if TARGET==UNIX
++static int is_link_traversal(const char *name)
++{
++ enum {
++ STATE_NONE,
++ STATE_DOTS,
++ STATE_NAME,
++ } state = STATE_NONE;
++ int ndir = 0;
++ int dots = 0;
++
++ while(*name) {
++ int c = *name++;
++
++ if (c == '/')
++ {
++ if ((state == STATE_DOTS) && (dots == 2))
++ ndir--;
++ if (ndir < 0)
++ return 1;
++ if ((state == STATE_DOTS && dots == 1) && ndir == 0)
++ return 1;
++ if (state == STATE_NONE && ndir == 0)
++ return 1;
++ if ((state == STATE_DOTS) && (dots > 2))
++ ndir++;
++ state = STATE_NONE;
++ dots = 0;
++ }
++ else if (c == '.')
++ {
++ if (state == STATE_NONE)
++ state = STATE_DOTS;
++ dots++;
++ }
++ else
++ {
++ if (state == STATE_NONE)
++ ndir++;
++ state = STATE_NAME;
++ }
++ }
++
++ if ((state == STATE_DOTS) && (dots == 2))
++ ndir--;
++ if ((state == STATE_DOTS) && (dots > 2))
++ ndir++;
++
++ return ndir < 0;
++}
 +#endif
 +
- DEBUGHDR(__FILE__) /* Debug information block */
+ /* Restores the UNIX special file data */
- /* UXSPECIAL block types */
+ int set_uxspecial(char FAR *storage, char *name)
+@@ -161,6 +213,8 @@ int set_uxspecial(char FAR *storage, cha
+ l=sizeof(tmp_name)-1;
+ far_memmove((char FAR *)tmp_name, dptr, l);
+ tmp_name[l]='\0';
++ if (is_link_traversal(tmp_name))
++ return(UXSPEC_RC_ERROR);
+ rc=(id==UXSB_HLNK)?link(tmp_name, name):symlink(tmp_name, name);
+ if(!rc)
+ return(0); |
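Review bot: In the added `is_link_traversal`, a path component that begins with a dot but is an ordinary name (`.git`, `..a`) never increments `ndir`, because the final `else` branch counts a directory only when `state == STATE_NONE`; a link target such as `.cfg/../x` is therefore rejected although it stays inside the tree. The check fails closed, so this is a false positive rather than a bypass, but changing that test to `if (state != STATE_NAME) ndir++;` would count such names. A short comment above the function stating that absolute targets and targets starting with `./` are rejected outright, and that the result is 1 when `..` climbs above the starting directory, would document the contract. Separately, the rewritten patch no longer carries the `#ifndef HAVE_LCHOWN` / `#define lchown chown` lines although its header still says "Fix build on systems without lchown."; it is worth confirming that this removal is intended.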